<html dir="ltr"><head></head><body style="text-align:left; direction:ltr;" bgcolor="#ffffff" text="#2e3436" link="#2a76c6" vlink="#2e3436"><div><font color="#000000" size="4">Hi Paul</font></div><div><font color="#000000" size="4"> Thank you for your quick reply. I've set the values as suggested by you and here are the results. </font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"># /etc/ipsec.d/EURO-FORT.conf - Europa-Fortigate Centos 8 Libreswan IPsec configuration file</font></div><div><font color="#000000" size="4">#</font></div><div><font color="#000000" size="4">conn SUBNETS</font></div><div><font color="#000000" size="4"> also=EURO-FORT</font></div><div><font color="#000000" size="4"> leftsubnet=10.10.128.0/20</font></div><div><font color="#000000" size="4"> leftsourceip=10.10.128.1</font></div><div><font color="#000000" size="4"> rightsubnet=192.168.2.0/24</font></div><div><font color="#000000" size="4"> rightsourceip=192.168.2.1</font></div><div><font color="#000000" size="4"> auto=start</font></div><div><font color="#000000" size="4">conn EURO-FORT</font></div><div><font color="#000000" size="4"> type=tunnel</font></div><div><font color="#000000" size="4"> left=<b>1.2.3.4</b></font></div><div><font color="#000000" size="4"> right=<b>6.7.8.9</b></font></div><div><font color="#000000" size="4"> authby=secret</font></div><div><font color="#000000" size="4"> ikev2=yes</font></div><div><font color="#000000" size="4"> <b>pfs=no</b></font></div><div><font color="#000000" size="4"> ike=<b>aes256-sha2_512+sha2_256-dh21</b></font></div><div><font color="#000000" size="4"> esp=<b>aes256-sha2_512+sha1+sha2_256;dh21</b></font></div><div><font color="#000000" size="4"> dpddelay=5</font></div><div><font color="#000000" size="4"> dpdtimeout=120</font></div><div><font color="#000000" size="4"> dpdaction=restart</font></div><div><font color="#000000" size="4"> 
encapsulation=yes</font></div><div></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">When "<b>systemctl restart ipsec</b>" is issued</font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">Jan 3 12:57:17.407404: loading secrets from "/etc/ipsec.secrets"</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.407603: "SUBNETS" #1: initiating IKEv2 connection</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.407616: "SUBNETS": local IKE proposals (IKE SA initiator selecting KE): </font></div><div><font color="#000000" size="4">Jan 3 12:57:17.407635: "SUBNETS": 1:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_521</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.419500: "SUBNETS" #1: sent IKE_SA_INIT request</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.476885: "SUBNETS": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals): </font></div><div><font color="#000000" size="4">Jan 3 12:57:17.476908: "SUBNETS": 1:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-NONE-DISABLED</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.476947: "SUBNETS" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.520722: "SUBNETS" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '6.7.8.9'</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.520800: "SUBNETS" #1: authenticated using authby=secret</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.555688: "SUBNETS" #2: negotiated connection [10.10.128.0-10.10.143.255:0-65535 0] -> [192.168.2.0-192.168.2.255:0-65535 0]</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.555712: "SUBNETS" #2: <b>IPsec SA established tunnel mode {ESPinUDP=>0x32560773 <0x959c9061 
xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=6.7.8.9:4500 DPD=active}</b></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">When "<b>ipsec whack --rekey-ipsec --name SUBNETS</b>" is issued</font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">193 "SUBNETS" #3: sent CREATE_CHILD_SA request to rekey IPsec SA</font></div><div><font color="#000000" size="4">010 "SUBNETS" #3: STATE_V2_REKEY_CHILD_I1: retransmission; will wait 0.5 seconds for response</font></div><div><font color="#000000" size="4">002 "SUBNETS" #3: rekeyed #2 STATE_V2_REKEY_CHILD_I1 and expire it remaining life 28494.626646s</font></div><div><font color="#000000" size="4">002 "SUBNETS" #3: negotiated connection [10.10.128.0-10.10.143.255:0-65535 0] -> [192.168.2.0-192.168.2.255:0-65535 0]</font></div><div><font color="#000000" size="4">004 "SUBNETS" #3:<b> IPsec SA established tunnel mode {ESPinUDP=>0x32560774 <0xdae31207 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=6.7.8.9:4500 DPD=active}</b></font></div><div><font color="#000000" size="4">002 "SUBNETS" #2: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 306.453605s and sending notification</font></div><div><font color="#000000" size="4">005 "SUBNETS" #2: ESP traffic information: in=0B out=0B</font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">It looks alright at the moment, will wait another day and let you know the final results.</font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">Thanks, Best</font></div><div><font color="#000000" 
size="4">BA</font></div><div><br></div><div></div><div><br></div><div><br></div><div><br></div><div>On Thu, 2020-12-31 at 12:24 -0500, Paul Wouters wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>On Thu, 31 Dec 2020, Blue Aquan wrote:</pre><pre><br></pre><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>With a slight modification of IP and authentication method (Pre-Shared key), I tried adapting it to the Fortigate firewall.</pre><pre>The tunnel gets established perfectly fine, I am able to reach machines behind the Fortigate as well, but since these are</pre><pre>testbed machines there's no traffic flowing between them continuously and the tunnel gets disconnected sometime during long</pre><pre>hours of inactivity. Every morning, I find the tunnel down, but it's restored with a simple restart of "systemctl restart</pre><pre>ipsec". This stays on the entire day mostly and the next day it's down again... I am attaching the config on the Linux</pre><pre>machine; if you need the configuration on the Fortigate, I can post it here, but it's running just the same things I've</pre><pre>configured on CentOS.</pre></blockquote><pre><br></pre><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>conn SUBNETS</pre></blockquote><pre><br></pre><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>auto=start</pre></blockquote><pre><br></pre><pre>With auto=start and libreswan 4.1, that should keep the tunnel up. 
I</pre><pre>would be interested in seeing the logs to understand what is happening.</pre><pre><br></pre><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>Dec 31 14:25:20.576958: "SUBNETS" #1: Received unauthenticated INVALID_KE_PAYLOAD response to DH DH19; resending with</pre><pre>suggested DH DH21</pre></blockquote><pre><br></pre><pre>Maybe this is affecting rekey on the fortigate? Can you try setting an</pre><pre>IKE line that only contains dh21 ? eg</pre><pre><br></pre><pre> ike=aes256-sha2_512+sha2_256-dh21</pre><pre><br></pre><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>Dec 31 06:19:31.846499: "SUBNETS" #10641: sent CREATE_CHILD_SA request to rekey IPsec SA</pre><pre>Dec 31 06:19:31.891736: "SUBNETS" #10641: dropping unexpected CREATE_CHILD_SA message containing NO_PROPOSAL_CHOSEN</pre><pre>notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr</pre></blockquote><pre><br></pre><pre>So this is strange. We are rekeying the same proposal, so it should</pre><pre>never refuse the proposal we agreed on the first go. This looks like</pre><pre>a fortigate bug.</pre><pre><br></pre><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>Dec 31 06:36:49.918252: "SUBNETS" #10643: no local proposal matches remote proposals</pre><pre>1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;ESN=DISABLED</pre></blockquote><pre><br></pre><pre>this is what you negotiated on the initial exchanges. So why refuse now?</pre><pre><br></pre><pre>Perhaps it is an issue of pfs? 
Try adding pfs=no ?</pre><pre><br></pre><pre>You can trigger a rekey without waiting an hour by:</pre><pre><br></pre><pre> ipsec whack --rekey-ipsec --name SUBNETS</pre><pre><br></pre><pre>you can also try adding the DH group to esp for PFS, eg:</pre><pre><br></pre><pre> esp=aes256-sha2_512+sha1+sha2_256;dh21</pre><pre><br></pre><pre>Paul</pre></blockquote></body></html>
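The proposal syntax and the log lines exchanged in this thread, as an added example that is not part of the thread and not libreswan's own code: a small Python checker that parses `ike=`/`esp=` values the way libreswan writes them (classes separated by `-`, alternatives by `+`, the ESP DH group after `;`), flags the two DH-group situations Paul raises (no group on `esp=`, or a group that differs from the one on `ike=`), and confirms that the `xfrm=` algorithms of every "IPsec SA established" line were actually offered in the configured ESP proposal. The mapping from ipsec.conf names to the names printed in the log is read off the proposals and xfrm strings in the posted logs and covers only those algorithms; the third sample log line is constructed to show a mismatch.

```python
"""Check libreswan ike=/esp= proposals against 'IPsec SA established' log lines.

Added example for this thread, not libreswan's own code. The config-name to
log-name mappings below are read off the proposals and xfrm strings in the
posted logs and cover only those algorithms (assumption: extend as needed).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ipsec.conf algorithm name -> name as libreswan prints it in the log.
ENCR_NAMES = {"aes256": "AES_CBC_256"}
INTEG_NAMES = {
    "sha2_512": "HMAC_SHA2_512_256",
    "sha2_256": "HMAC_SHA2_256_128",
    "sha1": "HMAC_SHA1_96",
}


@dataclass
class Proposal:
    encr: List[str]      # encryption alternatives, config spelling
    integ: List[str]     # integrity alternatives, config spelling
    dh: Optional[str]    # DH group, or None when the proposal carries none


def parse_proposal(text: str) -> Proposal:
    """Parse one proposal: classes separated by '-', alternatives by '+',
    DH group either as a third class (ike=) or after ';' (esp=)."""
    text = text.strip()
    dh: Optional[str] = None
    if ";" in text:
        text, dh = (s.strip() for s in text.split(";", 1))
    classes = text.split("-")
    if len(classes) not in (2, 3):
        raise ValueError(f"malformed proposal: {text!r}")
    if len(classes) == 3:
        if dh is not None:
            raise ValueError(f"two DH groups in proposal: {text!r}")
        dh = classes[2]
    return Proposal(classes[0].split("+"), classes[1].split("+"), dh)


def parse_proposals(text: str) -> List[Proposal]:
    """Split a comma-separated ike=/esp= value into its proposals."""
    return [parse_proposal(p) for p in text.split(",") if p.strip()]


def dh_warnings(ike: Proposal, esp: Proposal) -> List[str]:
    """Flag the DH settings discussed in the thread: an ESP proposal with no
    explicit group, or an ESP group different from the IKE group."""
    warnings = []
    if esp.dh is None:
        warnings.append("esp= carries no explicit DH group; PFS on rekey "
                        "depends on pfs= rather than on the proposal")
    elif ike.dh is not None and esp.dh != ike.dh:
        warnings.append(f"esp= uses {esp.dh} but ike= uses {ike.dh}; a peer "
                        "that accepts only one group may reject the rekey")
    return warnings


# Matches the connection name, SA number and the xfrm= algorithm pair.
ESTABLISHED_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+):\s*IPsec SA established.*?'
    r'xfrm=(?P<encr>[A-Z0-9_]+)-(?P<integ>[A-Z0-9_]+)'
)


def established_matches(line: str, esp_proposals: List[Proposal]) -> Optional[bool]:
    """True if the xfrm= algorithms of an 'IPsec SA established' line are
    covered by one configured ESP proposal, False if not, None if the line
    is not an establishment line at all."""
    m = ESTABLISHED_RE.search(line)
    if m is None:
        return None
    for p in esp_proposals:
        encr_ok = m["encr"] in {ENCR_NAMES.get(e, e.upper()) for e in p.encr}
        integ_ok = m["integ"] in {INTEG_NAMES.get(i, i.upper()) for i in p.integ}
        if encr_ok and integ_ok:
            return True
    return False


# Two lines taken from the thread (SA #2 and the rekeyed #3) plus one
# constructed line whose integrity algorithm the config never offered.
SAMPLE_LOG = [
    'Jan 3 12:57:17.555712: "SUBNETS" #2: IPsec SA established tunnel mode '
    '{ESPinUDP=>0x32560773 <0x959c9061 xfrm=AES_CBC_256-HMAC_SHA2_512_256 '
    'NATOA=none NATD=6.7.8.9:4500 DPD=active}',
    '004 "SUBNETS" #3: IPsec SA established tunnel mode {ESPinUDP=>0x32560774 '
    '<0xdae31207 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none '
    'NATD=6.7.8.9:4500 DPD=active}',
    '004 "SUBNETS" #4: IPsec SA established tunnel mode {ESPinUDP=>0x00000000 '
    '<0x00000000 xfrm=AES_CBC_256-HMAC_SHA2_384_192 NATOA=none '
    'NATD=6.7.8.9:4500 DPD=active}',  # constructed
]


def audit(ike_value: str, esp_value: str, log_lines: List[str]) -> dict:
    """Run both checks against a config pair and a list of log lines."""
    ike = parse_proposals(ike_value)
    esp = parse_proposals(esp_value)
    return {
        "dh_warnings": dh_warnings(ike[0], esp[0]),
        "unexpected_sas": [l for l in log_lines if established_matches(l, esp) is False],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit("aes256-sha2_512+sha2_256-dh21",
                           "aes256-sha2_512+sha1+sha2_256;dh21",
                           SAMPLE_LOG), indent=2))
```

Run against the `ike=`/`esp=` lines BA posted, the checker reports no DH warnings (both carry dh21) and lists only the constructed SA #4 line as unexpected; feeding it the earlier `esp=` without `;dh21` produces the "no explicit DH group" warning, which is the configuration state the original rekey failures were seen under.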