Hello dear community.
Unfortunately, I won't be able to reconfigure to IKEv2, as the entire infrastructure is configured for IKEv1.
Tried to set it up like this:
# Shared IKEv1 XAUTH/ModeCfg client settings; the per-subnet conns
# below pull this section in with also=fortinet.
conn fortinet
    authby=secret
    pfs=yes
    auto=start
    # compress=yes asks for an IPCOMP SA (IP protocol 108) next to ESP
    compress=yes
    rekey=yes
    left=%defaultroute
    leftid=@<left_id>
    leftusername=<left_username>
    leftxauthclient=yes
    leftmodecfgclient=yes
    right=<public_ip_fortinet>
    rightid=<public_ip_fortinet>
    rightxauthserver=yes
    rightmodecfgserver=yes
    cisco-unity=no
    modecfgpull=yes
    remote-peer-type=cisco
    ignore-peer-dns=yes
    send-vendorid=yes
    dpddelay=3
    dpdtimeout=60
    dpdaction=restart
    fragmentation=yes
    encapsulation=auto
    ikev2=no
    aggressive=yes
    ipsec-interface=0
    keyexchange=ike
    ike=aes256-sha2_256;dh14
    phase2=esp
    phase2alg=aes256-sha2_256;dh14
    salifetime=24h
    type=tunnel

# One conn per remote subnet: leftsubnet is this client's own address,
# rightsubnet the network behind the Fortinet.
conn fortinet_1
    also=fortinet
    leftsubnet=10.0.5.2/32
    rightsubnet=10.0.0.0/24

conn fortinet_2
    also=fortinet
    leftsubnet=10.0.5.2/32
    rightsubnet=10.0.1.0/24

conn fortinet_3
    also=fortinet
    leftsubnet=10.0.5.2/32
    rightsubnet=10.0.2.0/23

conn fortinet_4
    also=fortinet
    leftsubnet=10.0.5.2/32
    rightsubnet=10.0.4.0/24

conn fortinet_5
    also=fortinet
    leftsubnet=10.0.5.2/32
    rightsubnet=172.16.0.0/21
With this configuration, it also failed to configure.
And with any configuration, I get this message in the logs:
tail -f /var/log/pluto.log | grep "FAILED:"
May 8 19:54:05.721213: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:54:38.017198: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:55:10.195420: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:55:42.539204: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:56:21.746061: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:56:53.951330: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:57:26.343813: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:57:58.810289: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:58:31.013801: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:59:03.226261: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:59:35.483016: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 20:00:07.743153: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 20:00:40.004018: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
I have Libreswan 4.11 installed. Compiled according to the instructions (deb package). OS Debian 11.
08.05.2023, 00:36, "Paul Wouters" <[email protected]>:
On Thu, 4 May 2023, Armen Dilanyan wrote:
I am setting up IPSec between Fortinet and my linux machine using the IKEv1 protocol.
I need to access networks 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/23, 10.0.4.0/24, 172.16.0.0/21 which are behind the Fortinet firewall.
When I connect Forticlient everything works. When I connect from a Linux machine, I only have access to the 172.16.0.0/21 network.
Your best bet is to copy the connection for each subnet, and add a
rightsubnet= statement to each of them to bring up separate tunnels
for each of your subnets.
Note it is strongly recommended you switch to IKEv2, see RFC 9395
https://datatracker.ietf.org/doc/html/rfc9395
Paul
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
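An added triage example for this thread, written for this page and not taken from the thread or from Libreswan, that mechanises the two checks a reader would otherwise do by hand. First it flattens the per-subnet conns by resolving also=fortinet and confirms that the rightsubnet= ranges do not overlap, since the one-conn-per-subnet layout Paul recommends only works if each conn claims distinct traffic. Second it decodes the number in the repeated ABORT line: the 108 in "case 108 (0x6c)" is an IP protocol number, and 108 is IPComp (RFC 3173), the extra SA that compress=yes makes pluto negotiate alongside the ESP SA, so the log points at that one setting rather than at the subnet layout; with compress=no pluto never installs an IPCOMP SA in the first place. The conf fragment and log text below are constructed from what the post shows (plus one ordinary "listening for IKE messages" line as noise), and the also= precedence rule (the including conn's own keys override the template's) is the usual template semantics and is stated as an assumption; no key conflicts in this config anyway.

```python
"""Added triage helper for the thread above (not Libreswan's code): flattens
ipsec.conf conns that use also=, checks rightsubnet= ranges for overlap, and
decodes the protocol number in pluto's "ASSERTION FAILED ... case N" lines."""
import ipaddress
import re
from datetime import datetime
# Constructed from the posted config: the template plus the per-subnet conns.
CONF = """\
conn fortinet
    auto=start
    compress=yes
conn fortinet_1
    also=fortinet
    leftsubnet=10.0.5.2/32
    rightsubnet=10.0.0.0/24
conn fortinet_2
    also=fortinet
    leftsubnet=10.0.5.2/32
    rightsubnet=10.0.1.0/24
conn fortinet_3
    also=fortinet
    leftsubnet=10.0.5.2/32
    rightsubnet=10.0.2.0/23
conn fortinet_4
    also=fortinet
    leftsubnet=10.0.5.2/32
    rightsubnet=10.0.4.0/24
conn fortinet_5
    also=fortinet
    leftsubnet=10.0.5.2/32
    rightsubnet=172.16.0.0/21
"""
# Constructed: three of the posted ABORT lines plus one ordinary line as noise.
LOG = """\
May 8 19:54:04.000000: listening for IKE messages
May 8 19:54:05.721213: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:54:38.017198: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
May 8 19:55:10.195420: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)
"""
# IANA protocol numbers of the SA types pluto installs through XFRM, and the conf
# setting behind each: ESP is the phase2 default, phase2=ah swaps it for AH,
# and compress=yes negotiates an IPCOMP SA alongside the ESP SA.
SA_NAME = {50: "ESP", 51: "AH", 108: "IPCOMP"}
SA_CAUSE = {50: lambda c: c.get("phase2", "esp") == "esp",
            51: lambda c: c.get("phase2") == "ah",
            108: lambda c: c.get("compress") == "yes"}
ASSERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): ABORT: ASSERTION FAILED: "
    r".*case (?P<proto>\d+) \(0x[0-9a-f]+\) unexpected \((?P<func>\w+)\(\)")

def parse_conf(text):
    """{conn_name: {key: value}} from an ipsec.conf fragment; '#' starts a comment."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")
            conns[cur][key.strip()] = val.strip()
    return conns

def flatten(conns, name, seen=()):
    """Resolve also= (one per conn); assumes the including conn's own keys win."""
    own = dict(conns[name])
    base = own.pop("also", None)
    if base is None or base in seen or base not in conns:
        return own
    merged = flatten(conns, base, seen + (name,))
    merged.update(own)
    return merged

def effective_conns(text):
    conns = parse_conf(text)
    return {name: flatten(conns, name) for name in conns}

def subnet_overlaps(effective):
    """Pairs of conns whose rightsubnet= ranges overlap (two policies, one traffic)."""
    nets = [(n, ipaddress.ip_network(c["rightsubnet"]))
            for n, c in effective.items() if "rightsubnet" in c]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

def triage_log(lines, effective):
    """Decode each ABORT line (protocol, function, conns creating that SA type)
    and return the spacing in seconds between consecutive aborts."""
    hits, stamps = [], []
    for m in filter(None, map(ASSERT_RE.match, lines)):
        proto = int(m["proto"])
        stamps.append(datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"))
        cause = SA_CAUSE.get(proto, lambda c: False)
        hits.append({"proto": proto, "name": SA_NAME.get(proto, "unknown"),
                     "func": m["func"],
                     "conns": [n for n, c in effective.items() if cause(c)]})
    gaps = [round((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return hits, gaps

if __name__ == "__main__":
    eff = effective_conns(CONF)
    print(subnet_overlaps(eff), *triage_log(LOG.splitlines(), eff)[0], sep="\n")
```

Run against the real files with effective_conns(open("/etc/ipsec.conf").read()) and triage_log(open("/var/log/pluto.log"), ...); the 32-second spacing the gaps show is the crash-and-restart cadence visible in the posted timestamps, and every flattened conn carries compress=yes because it inherits the setting from the template, which is why all six show up as creators of the IPCOMP SA.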
