[Swan] Trying to connect using libreswan to a Fortigate IPsec VPN

Dan Stromberg dstromberg at keepersecurity.com
Thu Jul 8 19:34:10 UTC 2021


On Thu, Jul 8, 2021 at 11:04 AM Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 8 Jul 2021, Dan Stromberg wrote:
>
> > $ ike-scan vpn.nohats.ca
> > Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> >
> > Ending ike-scan 1.9.4: 1 hosts scanned in 2.529 seconds (0.40 hosts/sec).  0 returned handshake; 0 returned notify
> >
> > Could someone not firewalled please run "ike-scan vpn.nohats.ca" and send output to the list, for the sake of comparison?
>
> paul at bofh:~$ sudo ike-scan vpn.nohats.ca
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
>
> Ending ike-scan 1.9.4: 1 hosts scanned in 2.616 seconds (0.38 hosts/sec).  0 returned handshake; 0 returned notify
>
> I guess we increased our security :)
>
Thanks for checking it!


> Jul  8 13:58:50.834070: packet from 193.110.157.194:500: initial Main Mode message received but no connection has been authorized with policy PSK
>
>
> I added a bogus IKEv1 connection to it. So now scanning it shows:
>
> paul at bofh:~$ sudo ike-scan vpn.nohats.ca
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> 193.110.157.148 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=d87781dc8be5eff1)
>
> Ending ike-scan 1.9.4: 1 hosts scanned in 0.274 seconds (3.65 hosts/sec).  0 returned handshake; 1 returned notify
>
> Note the "1 returned notify"
>
> > PS: I'm not sure if I'm happy or daunted by the possibility of this being because of a firewall, as I haven't set one up and fear it may be out of my control.
>
> if you have firewalld running, you might just want to either remove it,
> or run:
>
> sudo firewall-cmd --zone=trusted --add-port=500/udp --permanent
> sudo firewall-cmd --zone=trusted --add-port=4500/udp --permanent
> sudo firewall-cmd --zone=trusted --add-protocol=50 --permanent
> sudo systemctl restart firewalld
>

Now ike-scan of vpn.nohats.ca is giving me:

$ ike-scan --ikev2 vpn.nohats.ca
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
193.110.157.148 Notify message 14 (NO_PROPOSAL_CHOSEN) HDR=(CKY-R=ac594eee123b34c5, IKEv2)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.469 seconds (2.13 hosts/sec).  0 returned handshake; 1 returned notify


Does this mean there's no firewall on my system?  I don't see any
occurrences of "firewall" in ps -ef, and iptables --list gives me:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I'm not 100% sure how to interpret this.  If it's a firewall blocking my
traffic, I don't think it's on my Debian system, nor do I think it's on my
home router, but please help me interpret these results.  It seems like if
there's a firewall, it would have to be on my corporate network or the
Fortigate system itself.

I'm still getting:
$ ike-scan --ikev2 1.1.1.1
below cmd output started 2021 Thu Jul 08 12:08:58 PM PDT
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9.4: 1 hosts scanned in 2.438 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify


I haven't found mtr tremendously accurate in the past, but maybe here it's
worth looking at to form a guess about where udp/500 is getting blocked, if
anywhere:
mtr --report --udp -4 --port 500 1.1.1.1
Start: 2021-07-08T12:18:56-0700
HOST: KS190924A                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- dsldevice.attlocal.net     0.0%    10    0.8   0.8   0.8   0.9   0.0
  2.|-- 107-214-104-1.lightspeed.  0.0%    10   20.6  21.6  17.3  30.4   5.3
  3.|-- 64.148.105.178             0.0%    10   17.4  67.1  17.3 457.0 138.2
  4.|-- cr83.la2ca.ip.att.net      0.0%    10   20.5  23.8  20.3  27.7   2.7
  5.|-- ggr2.la2ca.ip.att.net      0.0%    10   21.1  21.2  19.2  22.3   1.1
  6.|-- 192.205.37.26              0.0%    10   20.6  20.6  19.7  21.2   0.4
  7.|-- be-3402-cs04.losangeles.c  0.0%    10   20.3  21.4  20.3  22.2   0.6
  8.|-- 96.110.45.230              0.0%    10   28.5  28.2  26.3  35.0   2.5
  9.|-- ae-2-rur01.placerville.ca  0.0%    10   32.2  32.0  31.6  32.5   0.3
 10.|-- ae-11-sur02.placerville.c  0.0%    10   31.0  31.5  31.0  32.2   0.4
 11.|-- 50.231.18.194              0.0%    10   32.1  32.3  32.0  33.5   0.5
 12.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0

This too seems to say that I'm not firewalling on my Debian system or home
router.

Hop 11 appears to be a comcast host according to ipwhois.

My IT guy said that the Fortigate server is "in stealth mode", and he seems
to be avoiding telling me what that means more specifically.  If I had to
guess, I'd say maybe he's turned off ICMP, since the server is not
pingable.

Any further thoughts, folks?

Thanks!
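The thread turns on reading the ike-scan summary: a NO_PROPOSAL_CHOSEN notify (as Paul's bogus IKEv1 connection produces) proves UDP/500 is open in both directions and an IKE responder answered, while "0 returned handshake; 0 returned notify" is ambiguous between a filtered path and a responder that silently drops unauthorized initiators (the libreswan log line Paul quoted). The following added example, not part of the original thread, parses the ike-scan output quoted above (sample text constructed from the runs in this message, including the line wrapping introduced by mail) and returns that interpretation.

```python
import re
from dataclasses import dataclass, field

# Constructed samples, copied from the two runs quoted in this message; the
# wrapped "Ending" line is kept as mail delivered it, so the parser must
# tolerate the summary being split across lines.
SAMPLE_REACHABLE = """Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
193.110.157.148 Notify message 14 (NO_PROPOSAL_CHOSEN) HDR=(CKY-R=ac594eee123b34c5, IKEv2)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.469 seconds (2.13 hosts/sec).
 0 returned handshake; 1 returned notify
"""
SAMPLE_SILENT = """Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9.4: 1 hosts scanned in 2.438 seconds (0.41 hosts/sec).
 0 returned handshake; 0 returned notify
"""

# ike-scan prints notify names with either '-' (IKEv1) or '_' (IKEv2).
NOTIFY_RE = re.compile(r"^(\S+)\s+Notify message (\d+) \(([A-Z_-]+)\)")
SUMMARY_RE = re.compile(r"(\d+) returned handshake; (\d+) returned notify")


@dataclass
class IkeScanResult:
    handshakes: int = 0
    notifies: int = 0
    notify_types: list = field(default_factory=list)  # (peer, code, name)

    @property
    def verdict(self) -> str:
        # Any reply at all, even a proposal rejection, shows the probe reached an
        # IKE responder and its answer came back: UDP/500 is not filtered.
        if self.handshakes or self.notifies:
            return "reachable"
        # No reply cannot distinguish a firewall on the path from a responder
        # that deliberately stays quiet (libreswan with no matching connection).
        return "silent"


def parse_ike_scan(text: str) -> IkeScanResult:
    """Extract per-peer notify lines and the final counters from ike-scan output."""
    result = IkeScanResult()
    for line in text.splitlines():
        m = NOTIFY_RE.match(line.strip())
        if m:
            result.notify_types.append((m.group(1), int(m.group(2)), m.group(3)))
        s = SUMMARY_RE.search(line)
        if s:
            result.handshakes, result.notifies = int(s.group(1)), int(s.group(2))
    return result
```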