Re: [strongSwan] Unable to establish connection with Fortigate device

2021-03-01 Thread Andreas Steffen

Hello Lorenzo,

if you define DH group 15 (modp3072) only but the peer's proposals
are for MODP1536 and MODP2048 then the negotiation has to fail with

  ike Negotiate ISAKMP SA Error: ike 0:fc70f37fa6c9ee8d/:383: no SA proposal chosen


Best regards

Andreas

On 01.03.2021 08:03, Lorenzo Milesi wrote:

Hi.
I'm trying to set up an IPsec connection between a strongSwan server and a 
Fortigate device. Auth uses PSK, so according to [1] I've chosen IKEv1. The 
Fortigate is behind an ADSL modem.

In Fortinet I've set P1 to enc AES256 auth SHA256, DH 15, key lifetime 86400.

This is ipsec.conf:

config setup
 charondebug="ike 3, knl 3, cfg 3, net 3, esp 3, dmn 3, mgr 3"
 uniqueids=yes
 strictcrlpolicy=no


conn sts-base
 fragmentation=yes
 dpdaction=restart
 ike=aes256-sha256-modp3072
 esp=aes256-sha256
 keyingtries=%forever
 leftsubnet=172.16.12.0/24
 lifetime=86400

conn site-3-legacy-base
 keyexchange=ikev1
 rightid=L***
 also=sts-base
 ike=aes256-sha256-modp3072
 esp=aes256-sha256
 rightsubnet=192.168.4.0/24,192.168.5.0/24
 right=95.x.x.x
 leftauth=psk
 auto=start


This is the debug log on the Fortinet side, which seems to be the problematic one 
(it doesn't like the other party's offers):

ike 0:to VpnTunnelName:378: out 
8AD3789557DB282D9AA1D56EDDD9184605100201006C6EFC8335B133C6267388C1A0BEB63B6A2CC4E120DE7627C9166D99AFF9EAE094E5368631BB2626D86B31FFED37F29DB6CC4E5D6B2E8B9A6FA79DF8FC03531CB7EB476EC1CE6240D586943E6A675E4695
ike 0:to VpnTunnelName:378: sent IKE msg (P1_RETRANSMIT): 192.168.1.2:4500->95.x.x.x:4500, len=108, id=8ad3789557db282d/9aa1d56eddd91846
ike 0: comes 62.11.245.232:500->192.168.1.2:500,ifindex=4
ike 0: IKEv1 exchange=Identity Protection id=fc70f37fa6c9ee8d/ len=452
ike 0: in 
FC70F37FA6C9EE8D0110020001C40D0001540001000101480101000803280101800B0001000C00040001518080010007800E008080030001800200048004000E03280201800B0001000C00040001518080010007800E008080030001800200048004000503280301800B0001000C00040001518080010007800E010080030001800200048004000E03280401800B0001000C00040001518080010007800E010080030001800200048004000503280501800B0001000C00040001518080010007800E008080030001800200028004000E03280601800B0001000C00040001518080010007800E008080030001800200028004000503280701800B0001000C00040001518080010007800E010080030001800200028004000E00280801800B0001000C00040001518080010007800E01008003000180020002800400050D14AFCAD71368A1F1C96B8696FC775701000D144048B7D56EBCE88525E7DE7F00D6C2D30D184048B7D56EBCE88525E7DE7F00D6C2D3C0148299031757A36082C6A621DE
ike 0:fc70f37fa6c9ee8d/:383: responder: main mode get 1st message...
ike 0:fc70f37fa6c9ee8d/:383: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:fc70f37fa6c9ee8d/:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:fc70f37fa6c9ee8d/:383: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C000
ike 0:fc70f37fa6c9ee8d/:383: VID FORTIGATE 8299031757A36082C6A621DE
ike 0:fc70f37fa6c9ee8d/:383: incoming proposal:
ike 0:fc70f37fa6c9ee8d/:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/:383:  trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/:383:  encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/:383: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/:383:  trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/:383:  encapsulation = IKE/none
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/:383: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_GROUP, val=MODP1536.
ike 0:fc70f37fa6c9ee8d/:383: ISAKMP SA lifetime=86400
ike 0:fc70f37fa6c9ee8d/:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/:383:   protocol id = ISAKMP:
ike 0:fc70f37fa6c9ee8d/:383:  trans_id = KEY_IKE.
ike 0:fc70f37fa6c9ee8d/:383:  encapsulation = IKE/none
ike 0:fc7
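
A small proposal-matching check, added here as an example (it is not from the thread, strongSwan or Fortinet): it parses an ipsec.conf ike= value and the FortiGate "incoming proposal" debug lines in the format shown above, then names the attribute of each peer proposal that no local proposal covers, which is what "no SA proposal chosen" hides. The value-to-keyword tables only cover the algorithms seen in this thread, and the sample log lines are constructed from the post above with the wrapped lines joined.

```python
import re

# FortiGate debug values -> strongSwan keywords (only values seen in this thread).
ENC = {("AES_CBC", 128): "aes128", ("AES_CBC", 192): "aes192", ("AES_CBC", 256): "aes256"}
HASH = {"SHA1": "sha1", "SHA2_256": "sha256", "SHA2_384": "sha384", "SHA2_512": "sha512"}
GROUP = {f"MODP{n}": f"modp{n}" for n in (1024, 1536, 2048, 3072, 4096)}

# Constructed sample: the two proposals from the FortiGate log above, lines unwrapped.
SAMPLE_LOG = """\
ike 0:fc70f37fa6c9ee8d/:383: incoming proposal:
ike 0:fc70f37fa6c9ee8d/:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/:383: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_GROUP, val=MODP2048.
ike 0:fc70f37fa6c9ee8d/:383: proposal id = 0:
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:fc70f37fa6c9ee8d/:383: type=OAKLEY_GROUP, val=MODP1536.
""".splitlines()

def parse_strongswan_ike(ike):
    """'aes256-sha256-modp3072,aes128-sha1-modp2048' -> [(enc, hash, group), ...]."""
    return [tuple(p.strip().split("-")) for p in ike.split(",")]

def parse_fortigate_log(lines):
    """Collect (enc, hash, group) from each 'proposal id = N:' block of the debug log."""
    props, cur = [], None
    for line in lines:
        m = re.search(r"type=(\w+),\s*val=(\w+)(?:, key-len=(\d+))?", line)
        if "proposal id" in line:          # a new transform block starts
            if cur: props.append(cur)
            cur = {}
        elif m and cur is not None:
            typ, val, klen = m.groups()
            if typ == "OAKLEY_ENCRYPT_ALG":
                cur["enc"] = ENC.get((val, int(klen or 0)), f"{val}-{klen}")
            elif typ == "OAKLEY_HASH_ALG":
                cur["hash"] = HASH.get(val, val.lower())
            elif typ == "OAKLEY_GROUP":
                cur["group"] = GROUP.get(val, val.lower())
    if cur: props.append(cur)
    return [(p.get("enc"), p.get("hash"), p.get("group")) for p in props]

def matching_proposals(ike, lines):
    """Peer proposals the local ike= line accepts; empty means 'no SA proposal chosen'."""
    ours = set(parse_strongswan_ike(ike))
    return [p for p in parse_fortigate_log(lines) if p in ours]

def mismatches(ike, lines):
    """Per peer proposal, the attribute names that no local proposal offers at all."""
    local = parse_strongswan_ike(ike)
    return [(peer, [n for i, n in enumerate(("enc", "hash", "group"))
                    if peer[i] not in {l[i] for l in local}])
            for peer in parse_fortigate_log(lines)]

if __name__ == "__main__":
    print(mismatches("aes256-sha256-modp3072", SAMPLE_LOG))
```

With the ike= line from the ipsec.conf above, every peer proposal is rejected on both the cipher (aes128 vs aes256) and the DH group (modp2048/modp1536 vs modp3072); widening the local ike= list is what makes `matching_proposals` non-empty.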

[strongSwan] how to compute charon's MAC address?

2021-03-01 Thread Harald Dunkel

Hi folks,

how can I compute the MAC address used for farp/dhcp (7a:a7:xx:xx:xx:xx),
*before* trying to connect? Need this for configuring dhcp.


Regards
Harri