Hello,
I've created a connection with a client who is using a FortiGate
firewall. The connection comes up and is usable. However, when the phase
two tunnel is due to rekey it fails, as per the logs. The phase one tunnel
remains in place and continues to function.

Unfortunately I do not have the client's config. I have pasted the config
from my side below along with the logs.

Any help or advice would be much appreciated. I have created several
connections between strongSwan and Cisco devices in the past but never
with a FortiGate. Not sure if there are any quirky things you have to do
when doing so.
conn %default
        ikelifetime=1440m
        margintime=3m
        keyingtries=0
        authby=secret
        left=10.129.1.0/24
        leftid=1.2.3.4
        auto=start
        reauth=no
        rekey=no
        dpdaction=hold
        dpddelay=40
        closeaction=hold

conn Client1
        keylife=60m
        keyexchange=ikev2
        ike=aes256-sha1-modp1024
        esp=aes128-md5
        leftsubnet=10.129.11.0/29
        right=5.6.7.8
        rightsubnet=10.90.1.0/24
        rightid=10.0.3.239
        dpdtimeout=60s
        dpddelay=5s
Apr 6 13:02:49 localhost charon: 05[KNL] creating rekey job for CHILD_SA ESP/0xc66a8fb2/10.129.1.131
Apr 6 13:02:49 localhost charon: 05[IKE] establishing CHILD_SA Client1{1}
Apr 6 13:02:49 localhost charon: 05[IKE] establishing CHILD_SA Client1{1}
Apr 6 13:02:49 localhost charon: 05[ENC] generating CREATE_CHILD_SA request 200 [ N(REKEY_SA) SA No TSi TSr ]
Apr 6 13:02:49 localhost charon: 05[NET] sending packet: from 10.129.1.131[4500] to 5.6.7.8[4500] (332 bytes)
Apr 6 13:02:49 localhost charon: 07[NET] received packet: from 5.6.7.8[4500] to 10.129.1.131[4500] (76 bytes)
Apr 6 13:02:49 localhost charon: 07[ENC] parsed CREATE_CHILD_SA response 200 [ N(INVAL_SYN) ]
Apr 6 13:02:49 localhost charon: 07[IKE] received INVALID_SYNTAX notify error
Apr 6 13:02:49 localhost charon: 07[IKE] CHILD_SA rekeying failed, trying again in 18 seconds
Many thanks,
Tormod
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
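The charon lines above show a CHILD_SA rekey being rejected with an INVALID_SYNTAX notify. As an added example (not part of the post or of strongSwan itself), the script below parses that syslog line shape, groups lines into rekey attempts and records each attempt's outcome, so repeated rejections can be spotted in a log review or fed to monitoring. The line format, the field names, and the "established with SPIs" success wording are assumptions made for this example.

```python
import re

# Assumed line shape: "<Mon> <D> <HH:MM:SS> <host> charon: <thread>[<SUBSYS>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)

# Constructed sample: the post's rekey lines (NET lines omitted), one record per line.
SAMPLE_LOG = """\
Apr 6 13:02:49 localhost charon: 05[KNL] creating rekey job for CHILD_SA ESP/0xc66a8fb2/10.129.1.131
Apr 6 13:02:49 localhost charon: 05[IKE] establishing CHILD_SA Client1{1}
Apr 6 13:02:49 localhost charon: 05[ENC] generating CREATE_CHILD_SA request 200 [ N(REKEY_SA) SA No TSi TSr ]
Apr 6 13:02:49 localhost charon: 07[ENC] parsed CREATE_CHILD_SA response 200 [ N(INVAL_SYN) ]
Apr 6 13:02:49 localhost charon: 07[IKE] received INVALID_SYNTAX notify error
Apr 6 13:02:49 localhost charon: 07[IKE] CHILD_SA rekeying failed, trying again in 18 seconds
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None  # None for non-charon lines

def audit_rekeys(log_text):
    """Group charon lines into CHILD_SA rekey attempts and record each outcome."""
    attempts, cur = [], None
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        msg = rec["msg"]
        if msg.startswith("creating rekey job for CHILD_SA "):
            cur = {"ts": rec["ts"], "sa": msg.split("CHILD_SA ", 1)[1], "conn": None,
                   "msgid": None, "notify": None, "ok": None, "retry_s": None}
            attempts.append(cur)
        elif cur is None:
            continue  # lines seen before any rekey job started
        elif msg.startswith("establishing CHILD_SA "):
            cur["conn"] = msg.split()[-1]            # e.g. Client1{1}
        elif msg.startswith("generating CREATE_CHILD_SA request "):
            cur["msgid"] = int(msg.split()[3])       # IKE message id of the request
        elif msg.endswith(" notify error"):
            cur["notify"] = msg.split()[1]           # e.g. INVALID_SYNTAX
        elif msg.startswith("CHILD_SA rekeying failed"):
            cur["ok"] = False
            m = re.search(r"in (\d+) seconds", msg)
            cur["retry_s"] = int(m.group(1)) if m else None
        elif msg.startswith("CHILD_SA ") and " established with SPIs" in msg:
            cur["ok"] = True                         # assumed success wording
    return attempts

def failed_rekeys(log_text):
    # Only the attempts the peer rejected; usable as a periodic check.
    return [a for a in audit_rekeys(log_text) if a["ok"] is False]
```

The notify name and IKE message id recorded per attempt are what to line up against the peer's logs for the same timestamp when asking the other side what it objected to.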