[Swan] Trying to connect using libreswan to a Fortigate IPsec VPN

Dan Stromberg dstromberg at keepersecurity.com
Tue Jul 13 03:48:09 UTC 2021

On Thu, Jul 8, 2021 at 2:49 PM Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 8 Jul 2021, Dan Stromberg wrote:
> I saw both your IKEv1 and IKEv2 attempts hitting the server. Note:
> Jul  8 15:03:53.259967: "vpn.nohats.ca"[312] x.x.x.x #854: no local
> proposal matches remote proposals
> I would drop the DES, 3DES, DH2 and MD5 from your proposals. Still, like
> my server they _should_ send you an error back.
How would I do that with ike-scan?  Sorry, l'm a real newb at this.  I know
some shell and some basic TCP/IP and UDP/IP, but IKE and IPsec are pretty
new to me.

> > My IT guy said that the Fortigate server is "in stealth mode", and he
> seems to be avoiding telling me what that means more specifically.  If I
> had to
> > guess, I'd say maybe he's turned off ICMP, since the server is not
> ping'able.
> Ask the fortigate people for a log from your IP address? It seems likely
> you _are_ hitting their server, so they should have a log entry.
He said he wasn't seeing authentication attempts at all.

And double check your IKE parameters with them - likely there is a
> mismatch between what you have configured and what they have configured.
What are some example IKE parameters that should be compared?  I'm thinking
once I have those, I can google up a list?

I'm really wanting this to work, in a big way.  Without it, I'll probably
have to turn in my Linux Dell for a macOS box, and I just love Linux.  :)

Is there any way I can set up a small bounty for it?  Seriously, I'm to the
point where I'd be willing to pay a bit of money to get it working - and it
needs to be documented anyway, given the number of people out there trying
to connect to Fortigate  IPsec servers from Linux.



Dan Stromberg | Senior Software Developer

Mobile +1.949-342-6502


** This email is confidential and is intended for the recipient(s)
addressed herein **
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20210712/0163cee0/attachment.html>

More information about the Swan mailing list