[Swan] Trying to connect using libreswan to a Fortigate IPsec VPN
dstromberg at keepersecurity.com
Tue Jul 13 03:48:09 UTC 2021
On Thu, Jul 8, 2021 at 2:49 PM Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 8 Jul 2021, Dan Stromberg wrote:
> I saw both your IKEv1 and IKEv2 attempts hitting the server. Note:
> Jul 8 15:03:53.259967: "vpn.nohats.ca" x.x.x.x #854: no local
> proposal matches remote proposals
> I would drop the DES, 3DES, DH2 and MD5 from your proposals. Still, like
> my server they _should_ send you an error back.
How would I do that with ike-scan? Sorry, I'm a real newb at this. I know
some shell and some basic TCP/IP and UDP/IP, but IKE and IPsec are pretty
new to me.
> > My IT guy said that the Fortigate server is "in stealth mode", and he
> > seems to be avoiding telling me what that means more specifically. If I
> > had to guess, I'd say maybe he's turned off ICMP, since the server is not
> Ask the fortigate people for a log from your IP address? It seems likely
> you _are_ hitting their server, so they should have a log entry.
He said he wasn't seeing authentication attempts at all.
> And double check your IKE parameters with them - likely there is a
> mismatch between what you have configured and what they have configured.
What are some example IKE parameters that should be compared? I'm thinking
once I have those, I can google up a list?
I'm really wanting this to work, in a big way. Without it, I'll probably
have to turn in my Linux Dell for a macOS box, and I just love Linux. :)
Is there any way I can set up a small bounty for it? Seriously, I'm to the
point where I'd be willing to pay a bit of money to get it working - and it
needs to be documented anyway, given the number of people out there trying
to connect to Fortigate IPsec servers from Linux.
Dan Stromberg | Senior Software Developer
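Added example, not part of the original message or of libreswan: a small Python check that compares two IKE proposal lists, reports whether any proposal is common to both sides (an empty result corresponds to the "no local proposal matches remote proposals" log line quoted above), and flags the DES, 3DES, DH2 and MD5 entries the reply suggests dropping. The proposal strings are constructed samples in a simplified libreswan-style `enc-integ;dh` form; the remote list is an assumption standing in for whatever the Fortigate administrator reports.

```python
# Added example: compare local and remote IKE proposal lists.
# Simplified syntax (assumption): comma-separated "enc-integ;dh" items,
# one algorithm per slot, no '+' alternatives.

# Algorithms the reply in this thread suggests dropping.
WEAK = {"des", "3des", "md5", "dh2"}
# The same DH group can be written by MODP size or by group number.
DH_ALIASES = {"modp1024": "dh2", "modp1536": "dh5", "modp2048": "dh14"}

# Constructed sample values, not taken from the thread.
LOCAL = "3des-md5;modp1024, 3des-sha1;modp1024, aes256-sha2_256;modp2048"
REMOTE = "aes256-sha2_256;dh14, aes128-sha1;dh5"


def parse_proposals(spec):
    """Return a set of (enc, integ, dh) tuples with DH names normalised."""
    proposals = set()
    for item in spec.split(","):
        item = item.strip().lower()
        if not item:
            continue
        algs, _, dh = item.partition(";")
        enc, _, integ = algs.partition("-")
        proposals.add((enc, integ, DH_ALIASES.get(dh, dh)))
    return proposals


def weak_parts(proposal):
    """List the weak algorithms used by one proposal."""
    return sorted(set(proposal) & WEAK)


def compare(local_spec, remote_spec):
    """Intersect both sides and flag weak local proposals."""
    local = parse_proposals(local_spec)
    remote = parse_proposals(remote_spec)
    common = local & remote
    return {
        "common": sorted(common),  # empty means no proposal matches
        "strong_common": sorted(p for p in common if not weak_parts(p)),
        "weak_local": sorted((p, weak_parts(p)) for p in local if weak_parts(p)),
    }


if __name__ == "__main__":
    for key, value in compare(LOCAL, REMOTE).items():
        print(key, value)
```

Encryption, integrity and DH group are only the proposal part of the comparison; IKE version, authentication method and lifetimes also have to agree between the two ends.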