[Swan] Trying to connect using libreswan to a Fortigate IPsec VPN

Dan Stromberg dstromberg at keepersecurity.com
Tue Jul 13 03:48:09 UTC 2021


On Thu, Jul 8, 2021 at 2:49 PM Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 8 Jul 2021, Dan Stromberg wrote:
> I saw both your IKEv1 and IKEv2 attempts hitting the server. Note:
>
> Jul  8 15:03:53.259967: "vpn.nohats.ca"[312] x.x.x.x #854: no local
> proposal matches remote proposals
> 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;ENCR=3DES;ENCR=DES(UNUSED);PRF=HMAC_SHA1;PRF=HMAC_MD5;INTEG=HMAC_SHA1_96;INTEG=HMAC_MD5_96;DH=MODP1024;DH=MODP1536;DH=MODP2048
>
> I would drop the DES, 3DES, DH2 and MD5 from your proposals. Still, like
> my server they _should_ send you an error back.
>
How would I do that with ike-scan?  Sorry, I'm a real newb at this.  I know
some shell and some basic TCP/IP and UDP/IP, but IKE and IPsec are pretty
new to me.


> > My IT guy said that the Fortigate server is "in stealth mode", and he
> seems to be avoiding telling me what that means more specifically.  If I
> had to
> > guess, I'd say maybe he's turned off ICMP, since the server is not
> ping'able.
>
> Ask the fortigate people for a log from your IP address? It seems likely
> you _are_ hitting their server, so they should have a log entry.
>
He said he wasn't seeing authentication attempts at all.

> And double check your IKE parameters with them - likely there is a
> mismatch between what you have configured and what they have configured.
>
What are some example IKE parameters that should be compared?  I'm thinking
once I have those, I can google up a list?

I'm really wanting this to work, in a big way.  Without it, I'll probably
have to turn in my Linux Dell for a macOS box, and I just love Linux.  :)

Is there any way I can set up a small bounty for it?  Seriously, I'm to the
point where I'd be willing to pay a bit of money to get it working - and it
needs to be documented anyway, given the number of people out there trying
to connect to Fortigate IPsec servers from Linux.

Thanks!

-- 

Dan Stromberg | Senior Software Developer

Mobile +1.949-342-6502

<https://keepersecurity.com/>


** This email is confidential and is intended for the recipient(s)
addressed herein **
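The log line Paul quoted carries the client's whole proposal set in libreswan's `N:IKE:TYPE=ALG;...` form. As an added example (not code from the thread or from libreswan), the script below parses that string and flags the transforms he suggests dropping; the function names, the weak-algorithm list, and the whitespace split between multiple proposals are my assumptions, since the thread shows only one proposal.

```python
"""Audit the remote proposal set from a libreswan
"no local proposal matches remote proposals" log line."""
import re
from collections import defaultdict

# Constructed sample: the log line quoted in the thread, rejoined onto one line.
SAMPLE_LOG = (
    'Jul  8 15:03:53.259967: "vpn.nohats.ca"[312] x.x.x.x #854: no local '
    'proposal matches remote proposals '
    '1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;ENCR=3DES;ENCR=DES(UNUSED);'
    'PRF=HMAC_SHA1;PRF=HMAC_MD5;INTEG=HMAC_SHA1_96;INTEG=HMAC_MD5_96;'
    'DH=MODP1024;DH=MODP1536;DH=MODP2048'
)

# Transforms a client should not offer (assumption, taken from the advice in the thread).
WEAK = {
    "ENCR": {"DES", "3DES"},
    "PRF": {"HMAC_MD5"},
    "INTEG": {"HMAC_MD5_96"},
    "DH": {"MODP1024"},  # "dh2" in libreswan's ike= syntax
}

PROPOSAL_RE = re.compile(r"no local proposal matches remote proposals\s+(.+)$")


def parse_proposals(line):
    """Return {proposal_number: {"protocol": ..., TYPE: [ALG, ...]}} for a
    proposal-mismatch line, or None for any other log line."""
    m = PROPOSAL_RE.search(line)
    if not m:
        return None
    result = {}
    # Assumption: several proposals would be separated by whitespace.
    for chunk in m.group(1).split():
        num, proto, transforms = chunk.split(":", 2)
        by_type = defaultdict(list)
        for item in transforms.split(";"):
            typ, alg = item.split("=", 1)
            # "(UNUSED)" is libreswan's annotation, not part of the algorithm name.
            by_type[typ].append(alg.replace("(UNUSED)", ""))
        result[int(num)] = {"protocol": proto, **by_type}
    return result


def weak_transforms(proposals):
    """List (proposal_number, type, algorithm) for every transform listed in WEAK."""
    hits = []
    for num, prop in proposals.items():
        for typ, algs in prop.items():
            if typ != "protocol":
                hits.extend((num, typ, a) for a in algs if a in WEAK.get(typ, ()))
    return hits


if __name__ == "__main__":
    for hit in weak_transforms(parse_proposals(SAMPLE_LOG)):
        print("weak transform offered: proposal %d %s=%s" % hit)
```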

