Hi everybody,
forgive me if I'm writing in the wrong list and please point me to the right
one.
I'm having a bad time trying to set up a VPN between a Fortigate 200D and a
strongSwan Linux box (IPFire): what I'm trying to do is to translate the
configuration I have on the FortiClient (Windows application) to make it work
under strongSwan.
FortiClient configuration:
  xauth disabled
  mode aggressive
  options mode config
  phase 1:
    ikev1
    encryption aes256
    auth sha256
    DH group 5
    key life 86400 sec
    dead peer detection
    nat traversal
  phase 2:
    ikev1
    encryption aes256
    auth sha256
    DH group 5
    key life 43200 sec
    enable replay detection
    enable PFS
    DH Group 5
And this is the ipsec.conf file I tried to forge from the Windows client
(conn parameters must be indented, and the algorithms of one proposal are
joined with '-', a ',' separates alternative proposals):

version 2

conn %default
        keyingtries=%forever

conn CSAP
        left=MY_PUBLIC_IP
        leftsubnet=192.168.1.0/24
        leftfirewall=yes
        lefthostaccess=yes
        right=PEER_IP
        rightsubnet=192.168.100.1/24
        ike=aes256-sha256-modp1536
        esp=aes256-sha256-modp1536
        keyexchange=ikev1
        ikelifetime=86400s
        keylife=43200s
        #compress=yes
        dpdaction=restart
        dpddelay=30
        dpdtimeout=120
        authby=secret
        auto=start
        fragmentation=yes
But when I try to connect all I get is this from the console:
[root@firewall ~]# ipsec up CSAP
initiating Main Mode IKE_SA CSAP[3] to 151.11.136.132
generating ID_PROT request 0 [ SA V V V V V V ]
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 5 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
giving up after 5 retransmits
peer not responding, trying again (2/0)
initiating Main Mode IKE_SA CSAP[3] to PEER_IP
generating ID_PROT request 0 [ SA V V V V V V ]
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
destroying IKE_SA in state CONNECTING without notification
establishing connection 'CSAP' failed
(here I stopped it manually from another console)
In /var/log/messages all I see is this:
May 9 09:14:37 firewall charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
May 9 09:14:37 firewall charon: 06[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:14:37 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:14:41 firewall charon: 07[IKE] sending retransmit 1 of request message ID 0, seq 1
May 9 09:14:41 firewall charon: 07[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:14:41 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:14:48 firewall charon: 10[IKE] sending retransmit 2 of request message ID 0, seq 1
May 9 09:14:48 firewall charon: 10[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:14:48 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:15:01 firewall charon: 05[IKE] sending retransmit 3 of request message ID 0, seq 1
May 9 09:15:01 firewall charon: 05[NET] sending packet: from MY_PUBLIC_IP[500] to PEER_IP[500] (320 bytes)
May 9 09:15:01 firewall charon: 03[NET] error writing to socket: Invalid argument
May 9 09:15:19 firewall charon: 15[CFG] received stroke: terminate 'CSAP'
May 9 09:15:19 firewall charon: 14[IKE] destroying IKE_SA in state CONNECTING without notification
May 9 09:15:19 firewall charon: 06[CFG] received stroke: terminate 'CSAP'
May 9 09:15:20 firewall charon: 06[CFG] no IKE_SA named 'CSAP' found
I'm obviously doing something wrong here. I think that the message "error
writing to socket: Invalid argument" in the log might be the culprit, but I
don't know what it means. I can ping and reach the peer via telnet, so there
is no connection problem (also, the Windows client version is connecting
correctly to the VPN).
strongSwan version is 5.3.5, kernel is 3.14.65; I have already checked that all
the required kernel modules are loaded.
Please advise in any way.
Thanks
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
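The translation the poster is attempting (FortiClient IKEv1 profile to strongSwan ipsec.conf) is mostly a table lookup plus a few syntax rules that are easy to get wrong: one proposal's algorithms are joined with '-' (a ',' separates alternative proposals), "DH group 5" is modp1536, FortiClient's "mode aggressive" only takes effect with aggressive=yes (the posted log shows charon initiating Main Mode, i.e. the default), and conn parameters must be indented. The script below is an added example written for this thread, not code from the post or from the strongSwan project. It renders a conn section from a profile object and adds one sanity check for the logged "error writing to socket: Invalid argument": charon sets the left address as the packet source, and if that address is not actually configured on the host (a public IP on a box that sits behind NAT, for instance) the Linux kernel rejects the send with EINVAL. Whether that is the poster's actual cause is an assumption; the addresses and the local-address list are constructed.

```python
"""Translate a FortiClient IKEv1 profile into a strongSwan ipsec.conf conn
section and sanity-check the 'left' address.
Added example for the mailing-list thread; not the poster's or strongSwan's code."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# FortiClient/FortiGate "DH group" numbers -> strongSwan keywords (IANA group ids).
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
             15: "modp3072", 16: "modp4096", 19: "ecp256", 20: "ecp384", 21: "ecp521"}
ENCRYPTION = {"aes128": "aes128", "aes192": "aes192", "aes256": "aes256", "3des": "3des"}
AUTH = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}


@dataclass
class Phase:
    encryption: str
    auth: str
    dh_group: Optional[int]   # for phase 2, None means PFS disabled
    lifetime: int             # seconds


@dataclass
class FortiProfile:
    name: str
    aggressive: bool
    mode_config: bool
    dpd: bool
    replay_detection: bool
    phase1: Phase
    phase2: Phase


def proposal(p: Phase) -> str:
    """Algorithms of ONE proposal are joined with '-'; a ',' would separate
    ALTERNATIVE proposals, so 'aes256,sha256,modp1536' is three proposals, not one."""
    parts = [ENCRYPTION[p.encryption], AUTH[p.auth]]
    if p.dh_group is not None:
        parts.append(DH_GROUPS[p.dh_group])
    return "-".join(parts)


def to_ipsec_conf(prof: FortiProfile, left: str, leftsubnet: str,
                  right: str, rightsubnet: str) -> str:
    """Render a conn section; ipsec.conf requires conn parameters to be indented."""
    ind = "        "
    lines = [
        f"conn {prof.name}",
        f"{ind}keyexchange=ikev1",
        # FortiClient 'mode aggressive' needs this; strongSwan defaults to Main Mode.
        f"{ind}aggressive={'yes' if prof.aggressive else 'no'}",
        f"{ind}left={left}",
        f"{ind}leftsubnet={leftsubnet}",
        f"{ind}right={right}",
        f"{ind}rightsubnet={rightsubnet}",
        # Trailing '!' = strict: do not fall back to weaker proposals from the peer.
        f"{ind}ike={proposal(prof.phase1)}!",
        f"{ind}esp={proposal(prof.phase2)}!",
        f"{ind}ikelifetime={prof.phase1.lifetime}s",
        f"{ind}lifetime={prof.phase2.lifetime}s",
        f"{ind}authby=secret",
        f"{ind}auto=start",
    ]
    if prof.mode_config:          # FortiClient 'options mode config'
        lines.append(f"{ind}leftsourceip=%config")
    if prof.dpd:                  # dead peer detection
        lines += [f"{ind}dpdaction=restart", f"{ind}dpddelay=30s"]
    if not prof.replay_detection:
        lines.append(f"{ind}replay_window=0")
    # NAT traversal needs no keyword: charon negotiates NAT-T on its own.
    return "\n".join(lines) + "\n"


def left_is_local(left: str, local_addresses: Iterable[str]) -> Optional[bool]:
    """charon sends IKE with 'left' as the packet source address. If that address
    is not configured on the host, the kernel refuses the send with EINVAL, which
    charon logs as 'error writing to socket: Invalid argument'.
    Returns None when 'left' is not a literal IP (%any, %defaultroute, hostname)."""
    try:
        addr = ipaddress.ip_address(left)
    except ValueError:
        return None
    return addr in {ipaddress.ip_address(a) for a in local_addresses}


# The poster's FortiClient profile, transcribed from the mail.
CSAP = FortiProfile(
    name="CSAP", aggressive=True, mode_config=True, dpd=True, replay_detection=True,
    phase1=Phase("aes256", "sha256", 5, 86400),
    phase2=Phase("aes256", "sha256", 5, 43200),   # PFS enabled, DH group 5
)

if __name__ == "__main__":
    # Constructed documentation addresses stand in for MY_PUBLIC_IP / PEER_IP.
    print(to_ipsec_conf(CSAP, "203.0.113.10", "192.168.1.0/24",
                        "198.51.100.20", "192.168.100.0/24"))
    # Constructed local address list, as 'ip -4 addr' would show on a NATed box:
    # the public address is absent, so sends sourced from it would fail with EINVAL.
    print("left configured locally:",
          left_is_local("203.0.113.10", ["127.0.0.1", "192.168.1.1"]))
```

If left_is_local() reports False, the usual fix is left=%defaultroute (or the address the box really holds) and letting NAT-T carry the traffic, rather than putting the NAT's public address in left.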