<html dir="ltr"><head></head><body bgcolor="#ffffff" text="#2e3436" link="#2a76c6" vlink="#2e3436" style="text-align:left; direction:ltr;"><div><font size="4"><br></font></div><div><font size="4">Hi Paul</font></div><div><font size="4"> The tunnel remains connected now, the logs has nothing in particular except this message. The last line however, still says information message from Fortigate, "message response has no corresponding IKE SA". But otherwise the VPN is working as expected with all services.</font></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><font size="4">Jan 4 17:32:17.120117: "SUBNETS" #42: initiate rekey of IKEv2 CREATE_CHILD_SA IKE Rekey</font></div><div><font size="4">Jan 4 17:32:17.131274: "SUBNETS" #43: sent CREATE_CHILD_SA request to rekey IKE SA</font></div><div><font size="4">Jan 4 17:32:17.303648: "SUBNETS" #43: rekeyed #42 STATE_V2_REKEY_IKE_I1 and expire it remaining life 937.812965s</font></div><div><font size="4">Jan 4 17:32:17.303764: "SUBNETS" #43: established IKE SA {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}</font></div><div><font size="4">Jan 4 17:32:18.305011: "SUBNETS" #42: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 2663.301907s and sending notification</font></div><div><b><font size="4">Jan 4 17:32:18.362454: packet from 6.7.8.9:4500: INFORMATIONAL message response has no corresponding IKE SA</font></b></div><div><font size="4"><br></font></div><div><font size="4"><br></font></div><div><font size="4">Appreciate your quick help. Thank you once again.</font></div><div><font size="4"><br></font></div><div><font size="4">BA</font></div><div><br></div><div><br></div><div>On Sun, 2021-01-03 at 13:20 +0530, Blue Aquan wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><div><font color="#000000" size="4">Hi Paul</font></div><div><font color="#000000" size="4"> Thank you for your quick reply. I've set the values as suggested by you and here are the results. </font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"># /etc/ipsec.d/EURO-FORT.conf - Europa-Fortigate Centos 8 Libreswan IPsec configuration file</font></div><div><font color="#000000" size="4">#</font></div><div><font color="#000000" size="4">conn SUBNETS</font></div><div><font color="#000000" size="4"> also=EURO-FORT</font></div><div><font color="#000000" size="4"> leftsubnet=10.10.128.0/20</font></div><div><font color="#000000" size="4"> leftsourceip=10.10.128.1</font></div><div><font color="#000000" size="4"> rightsubnet=192.168.2.0/24</font></div><div><font color="#000000" size="4"> rightsourceip=192.168.2.1</font></div><div><font color="#000000" size="4"> auto=start</font></div><div><font color="#000000" size="4">conn EURO-FORT</font></div><div><font color="#000000" size="4"> type=tunnel</font></div><div><font color="#000000" size="4"> left=<b>1.2.3.4</b></font></div><div><font color="#000000" size="4"> right=<b>6.7.8.9</b></font></div><div><font color="#000000" size="4"> authby=secret</font></div><div><font color="#000000" size="4"> ikev2=yes</font></div><div><font color="#000000" size="4"> <b>pfs=no</b></font></div><div><font color="#000000" size="4"> ike=<b>aes256-sha2_512+sha2_256-dh21</b></font></div><div><font color="#000000" size="4"> esp=<b>aes256-sha2_512+sha1+sha2_256;dh21</b></font></div><div><font color="#000000" size="4"> dpddelay=5</font></div><div><font color="#000000" size="4"> dpdtimeout=120</font></div><div><font color="#000000" size="4"> dpdaction=restart</font></div><div><font color="#000000" size="4"> encapsulation=yes</font></div><div></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">When "<b>systemctl restart ipsec</b>" is issued</font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">Jan 3 12:57:17.407404: loading secrets from "/etc/ipsec.secrets"</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.407603: "SUBNETS" #1: initiating IKEv2 connection</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.407616: "SUBNETS": local IKE proposals (IKE SA initiator selecting KE): </font></div><div><font color="#000000" size="4">Jan 3 12:57:17.407635: "SUBNETS": 1:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-ECP_521</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.419500: "SUBNETS" #1: sent IKE_SA_INIT request</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.476885: "SUBNETS": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals): </font></div><div><font color="#000000" size="4">Jan 3 12:57:17.476908: "SUBNETS": 1:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA1_96+HMAC_SHA2_256_128-NONE-DISABLED</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.476947: "SUBNETS" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_512_256 prf=HMAC_SHA2_512 group=DH21}</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.520722: "SUBNETS" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '6.7.8.9'</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.520800: "SUBNETS" #1: authenticated using authby=secret</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.555688: "SUBNETS" #2: negotiated connection [10.10.128.0-10.10.143.255:0-65535 0] -> [192.168.2.0-192.168.2.255:0-65535 0]</font></div><div><font color="#000000" size="4">Jan 3 12:57:17.555712: "SUBNETS" #2: <b>IPsec SA established tunnel mode {ESPinUDP=>0x32560773 <0x959c9061 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=6.7.8.9:4500 DPD=active}</b></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">When "<b>ipsec whack --rekey-ipsec --name SUBNETS</b>" is issued</font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">193 "SUBNETS" #3: sent CREATE_CHILD_SA request to rekey IPsec SA</font></div><div><font color="#000000" size="4">010 "SUBNETS" #3: STATE_V2_REKEY_CHILD_I1: retransmission; will wait 0.5 seconds for response</font></div><div><font color="#000000" size="4">002 "SUBNETS" #3: rekeyed #2 STATE_V2_REKEY_CHILD_I1 and expire it remaining life 28494.626646s</font></div><div><font color="#000000" size="4">002 "SUBNETS" #3: negotiated connection [10.10.128.0-10.10.143.255:0-65535 0] -> [192.168.2.0-192.168.2.255:0-65535 0]</font></div><div><font color="#000000" size="4">004 "SUBNETS" #3:<b> IPsec SA established tunnel mode {ESPinUDP=>0x32560774 <0xdae31207 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=6.7.8.9:4500 DPD=active}</b></font></div><div><font color="#000000" size="4">002 "SUBNETS" #2: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 306.453605s and sending notification</font></div><div><font color="#000000" size="4">005 "SUBNETS" #2: ESP traffic information: in=0B out=0B</font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">It looks alright at the moment, will wait another day and let you know the final results.</font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4"><br></font></div><div><font color="#000000" size="4">Thanks, Best</font></div><div><font color="#000000" size="4">BA</font></div><div><br></div><div></div><div><br></div><div><br></div><div><br></div><div>On Thu, 2020-12-31 at 12:24 -0500, Paul Wouters wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>On Thu, 31 Dec 2020, Blue Aquan wrote:</pre><br><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>With a slight modification of IP and authentication method(Pre-Shared key) , I tried adapting it to the Fortigate firewall.</pre><pre>The tunnel gets established perfectly fine, I am able to reach machines behind the Fortigate as well, but since these are</pre><pre>testbed machine there's no traffic flowing between them continuously and the tunnel gets disconnected sometime during long</pre><pre>hours of inactivity. Every morning, I find the tunnel down, but it's restored with a simple restart of "systemctl restart</pre><pre>ipsec". This stays on a the entire day mostly and the next day it's down again... I am attaching the config on the Linux</pre><pre>machine; if you need the configuration on the Fortigate, I can post it here, but it's running just the same things I've</pre><pre>configured on CentOS.</pre></blockquote><br><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>conn SUBNETS</pre></blockquote><br><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>auto=start</pre></blockquote><br><pre>With auto=start and libreswan 4.1, that should keep the tunnel up. I</pre><pre>would be interested in seeing the logs to understand what is happening.</pre><br><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>Dec 31 14:25:20.576958: "SUBNETS" #1: Received unauthenticated INVALID_KE_PAYLOAD response to DH DH19; resending with</pre><pre>suggested DH DH21</pre></blockquote><br><pre>Maybe this is affecting rekey on the fortigate? Can you try setting an</pre><pre>IKE line that only contains dh21 ? eg</pre><br><pre> ike=aes256-sha2_512+sha2_256-dh21</pre><br><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>Dec 31 06:19:31.846499: "SUBNETS" #10641: sent CREATE_CHILD_SA request to rekey IPsec SA</pre><pre>Dec 31 06:19:31.891736: "SUBNETS" #10641: dropping unexpected CREATE_CHILD_SA message containing NO_PROPOSAL_CHOSEN</pre><pre>notification; message payloads: SK; encrypted payloads: N; missing payloads: SA,Ni,TSi,TSr</pre></blockquote><br><pre>So this is strange. We are rekeying the same proposal, so it should</pre><pre>never refuse the proposal we agreed on the first go. This looks like</pre><pre>a fortigate bug.</pre><br><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>Dec 31 06:36:49.918252: "SUBNETS" #10643: no local proposal matches remote proposals</pre><pre>1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;ESN=DISABLED</pre></blockquote><br><pre>this is what you negotiated on the initial exchanges. So why refuse now?</pre><br><pre>Perhaps it is an issue of pfs? Try adding pfs=no ?</pre><br><pre>You can trigger a rekey without waiting an hour by:</pre><br><pre> ipsec whack --rekey-ipsec --name SUBNETS</pre><br><pre>you can also try adding the DH group to esp for PFS, eg:</pre><br><pre> esp=aes256-sha2_512+sha1+sha2_256;dh21</pre><br><pre>Paul</pre></blockquote>
</blockquote></body></html>