On Tue, 22 Jan 2019, Raees Khan wrote:
I am currently having an issue with the Libreswan IPsec implementation with a
Fortinet firewall. Libreswan with Cisco is working fine for me.
The behavior is weird in the case of Fortinet. I have matched all the parameters on
both sides (IKE algorithms + ESP algorithms); all are the same, including
timers. The ISAKMP/IPsec SA is established and then it again starts Quick Mode.
Complete logs are given below. The continuous logging
activity and phase 2 failure messages are shown on both devices.
Jan 9 12:26:12 R1-1500 pluto[4507]: "Link1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1536}
phase 1 came up.
Jan 9 12:26:12 R1-1500 pluto[4507]: "Link1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:98bc42c3 proposal=AES(12)_256-SHA1(2) pfsgroup=OAKLEY_GROUP_MODP1536}
Jan 9 12:26:12 R1-1500 pluto[4507]: "Link1" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=16
Phase 2 got rejected, so there is a mismatch here.
Perhaps the DH for phase 2 is wrong, or they don't want PFS at all? Or
they don't like your aes 256 key size?
So try tweaking the phase2/esp line, and try pfs=no.
Alternatively, try to have them initiate to you, so you get to see the
proposals in the logs and you can match up what they are asking for.
Or check their logs and see why they rejected your phase 2 proposal.
Paul
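As an added illustration (not part of the thread, and not Raees's actual configuration, which was never posted), here is a Libreswan ipsec.conf conn that produces exactly the Phase 1 and Phase 2 proposals visible in the log above, followed by the variants Paul suggests trying. The addresses and subnets are placeholders from the RFC 5737 / RFC 1918 documentation ranges, and the conn name "Link1" is taken from the log; everything else is an assumption about what such a config would look like on a 2019-era Libreswan (where ikev2=no selects IKEv1).

```conf
# Added example, not from the original thread. Placeholder addresses.
conn Link1
    # IKEv1 main mode with a pre-shared key, matching
    # "STATE_MAIN_I4 ... auth=PRESHARED_KEY" in the log.
    ikev2=no
    authby=secret
    left=192.0.2.1
    leftsubnet=10.10.0.0/24
    right=198.51.100.1
    rightsubnet=10.20.0.0/24

    # Phase 1, matching "cipher=aes_256 integ=sha group=MODP1536".
    ike=aes256-sha1;modp1536

    # Phase 2 as logged: "proposal=AES_256-SHA1 pfsgroup=MODP1536".
    # This is the proposal the Fortinet side answers with NO_PROPOSAL_CHOSEN.
    esp=aes256-sha1;modp1536
    pfs=yes

    # auto=start makes Libreswan the initiator. Switch to auto=add to
    # only respond, so the Fortinet initiates and pluto logs *its*
    # proposal, which is Paul's "have them initiate to you" suggestion.
    auto=start

    # --- Variants to try one at a time, matching Paul's three guesses ---
    #
    # 1. Peer does not want PFS at all: drop the group and disable PFS.
    #    Quick Mode then carries no KE payload; the Fortinet phase2 must
    #    have PFS disabled too, or it will reject this instead.
    # esp=aes256-sha1
    # pfs=no
    #
    # 2. Peer wants PFS but a different DH group. MODP1536 is DH group 5;
    #    a peer set to group 14 needs modp2048 here.
    # esp=aes256-sha1;modp2048
    #
    # 3. Peer only accepts a 128-bit AES key for ESP.
    # esp=aes128-sha1;modp1536
```

Whichever variant is used, the check is the same: after `ipsec auto --replace Link1` and `ipsec auto --up Link1`, the `initiating Quick Mode` line should be followed by `STATE_QUICK_I2: sent QI2, IPsec SA established` rather than another `NO_PROPOSAL_CHOSEN`. On the Fortinet side the corresponding knobs live under `config vpn ipsec phase2-interface` (`set pfs enable|disable`, `set dhgrp 5`, `set proposal aes256-sha1`); the thread does not show that side's configuration, so these are stated from FortiOS documentation rather than from the page, and the two ends must agree on all three.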
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan