[Swan] Trying to connect using libreswan to a Fortigate IPsec VPN

Paul Wouters paul at nohats.ca
Thu Jul 8 21:49:33 UTC 2021


On Thu, 8 Jul 2021, Dan Stromberg wrote:

> $ ike-scan --ikev2 vpn.nohats.ca
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> 193.110.157.148 Notify message 14 (NO_PROPOSAL_CHOSEN) HDR=(CKY-R=ac594eee123b34c5, IKEv2)
> 
> Ending ike-scan 1.9.4: 1 hosts scanned in 0.469 seconds (2.13 hosts/sec).  0 returned handshake; 1 returned notify
> 
> 
> Does this mean there's no firewall on my system?  I don't see any occurrences of "firewall" in ps -ef, and iptables --list gives me:
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination        
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination        
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         

Yes.

I saw both your IKEv1 and IKEv2 attempts hitting the server. Note:

Jul  8 15:03:53.259967: "vpn.nohats.ca"[312] x.x.x.x #854: no local proposal matches remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;ENCR=3DES;ENCR=DES(UNUSED);PRF=HMAC_SHA1;PRF=HMAC_MD5;INTEG=HMAC_SHA1_96;INTEG=HMAC_MD5_96;DH=MODP1024;DH=MODP1536;DH=MODP2048

I would drop the DES, 3DES, DH2 and MD5 from your proposals. Still, like
my server they _should_ send you an error back.

> I'm not 100% sure how to interpret this.  If it's a firewall blocking my traffic, I don't think it's on my Debian system, nor do I think it's on my home
> router, but please help me interpret these results.  It seems like if there's a firewall, it would have to be on my corporate network or the Fortigate
> system itself.

It's not a firewall, unless it is a firewall in front of the machine you
are trying to reach. If that machine has other clients, then it seems it
would not have a firewall there either.

> My IT guy said that the Fortigate server is "in stealth mode", and he seems to be avoiding telling me what that means more specifically.  If I had to
> guess, I'd say maybe he's turned off ICMP, since the server is not ping'able.

Ask the Fortigate people for a log from your IP address? It seems likely
you _are_ hitting their server, so they should have a log entry.

And double check your IKE parameters with them - likely there is a
mismatch between what you have configured and what they have configured.

Paul
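As an added example (not part of the thread), a small Python checker that parses the libreswan "no local proposal matches remote proposals" line quoted above and flags the DES, 3DES, MD5 and DH2 (MODP1024) transforms the reply recommends dropping; the log line is copied from the message, and the weak-algorithm table is an assumption based on that advice.

```python
"""Parse a libreswan proposal-mismatch log line and flag legacy IKE algorithms.

Added example, not libreswan code. The WEAK table encodes the advice in the
reply (drop DES, 3DES, DH group 2 = MODP1024, and MD5); it is an assumption.
"""
import re

WEAK = {
    "ENCR": {"DES", "3DES"},
    "PRF": {"HMAC_MD5"},
    "INTEG": {"HMAC_MD5_96"},
    "DH": {"MODP1024"},
}

# Log line copied from the message above (only the peer address is masked there).
LOG_LINE = ('Jul  8 15:03:53.259967: "vpn.nohats.ca"[312] x.x.x.x #854: '
            'no local proposal matches remote proposals '
            '1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;ENCR=3DES;ENCR=DES(UNUSED);'
            'PRF=HMAC_SHA1;PRF=HMAC_MD5;INTEG=HMAC_SHA1_96;INTEG=HMAC_MD5_96;'
            'DH=MODP1024;DH=MODP1536;DH=MODP2048')

PROPOSAL_RE = re.compile(r"remote proposals (\d+):(\w+):(.*)$")


def parse_proposal(line):
    """Return (proposal number, protocol, {transform type: [algorithms]})."""
    m = PROPOSAL_RE.search(line)
    if not m:
        raise ValueError("not a libreswan proposal-mismatch line")
    num, proto, body = int(m.group(1)), m.group(2), m.group(3)
    transforms = {}
    for item in body.split(";"):
        ttype, _, alg = item.partition("=")
        # libreswan tags algorithms it knows but will never use, e.g. "DES(UNUSED)".
        alg = alg.split("(")[0]
        transforms.setdefault(ttype, []).append(alg)
    return num, proto, transforms


def weak_algorithms(transforms):
    """Sorted list of TYPE=ALG entries in the remote proposal that should go."""
    return sorted(f"{t}={a}" for t, algs in transforms.items()
                  for a in algs if a in WEAK.get(t, set()))


def hardened_proposal(transforms):
    """The same proposal with the weak entries removed, in libreswan's notation."""
    return ";".join(f"{t}={a}" for t, algs in transforms.items()
                    for a in algs if a not in WEAK.get(t, set()))


if __name__ == "__main__":
    _, _, tr = parse_proposal(LOG_LINE)
    print("drop:", ", ".join(weak_algorithms(tr)))
    print("keep:", hardened_proposal(tr))
```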

