Hello,

The Fortigate behaves incorrectly. It is incorrect to send packets with NON-ESP markers to port 500. The Fortigate needs to send those packets to port 4500 after faking a NAT situation to force the usage of UDP encapsulation. It did not do that.
Kind regards
Noel

On 11.05.2018 12:14, André Cruz wrote:
> Hello.
>
> I've managed to fix the problem which was related to the usage of different
> ports. strongSwan was sending a request from port 500 to port 500, Fortigate
> is answering from port 4500 which has an ESP marker, and so strongSwan was
> reading the protocol version in the wrong place.
>
> leftikeport = 4500
> rightikeport = 4500
>
> managed to fix this.
>
> Best regards,
> André
>
>> On 10 May 2018, at 22:11, André Cruz <[email protected]> wrote:
>>
>> Hello.
>>
>> I’m trying to establish a VPN (IKEv1) with a Fortigate peer and I’m having
>> some difficulties. I’m sure this has worked in the past, however now I’m
>> getting a strange error back.
>>
>> This is the strongSwan log:
>>
>> ipsec_starter[5409]: Starting strongSwan 5.6.2 IPsec [starter]…
>> …
>> charon[5424]: 06[IKE] queueing ISAKMP_VENDOR task
>> charon[5424]: 06[IKE] queueing ISAKMP_CERT_PRE task
>> charon[5424]: 06[IKE] queueing MAIN_MODE task
>> charon[5424]: 06[IKE] queueing ISAKMP_CERT_POST task
>> charon[5424]: 06[IKE] queueing ISAKMP_NATD task
>> charon[5424]: 06[IKE] queueing QUICK_MODE task
>> charon[5424]: 06[IKE] activating new tasks
>> charon[5424]: 06[IKE] activating ISAKMP_VENDOR task
>> charon[5424]: 06[IKE] activating ISAKMP_CERT_PRE task
>> charon[5424]: 06[IKE] activating MAIN_MODE task
>> charon[5424]: 06[IKE] activating ISAKMP_CERT_POST task
>> charon[5424]: 06[IKE] activating ISAKMP_NATD task
>> charon[5424]: 06[IKE] sending XAuth vendor ID
>> charon[5424]: 06[IKE] sending DPD vendor ID
>> charon[5424]: 06[IKE] sending FRAGMENTATION vendor ID
>> charon[5424]: 06[IKE] sending NAT-T (RFC 3947) vendor ID
>> charon[5424]: 06[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
>> charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
>> charon[5424]: 06[IKE] IKE_SA ama[1] state change: CREATED => CONNECTING
>> charon[5424]: 06[ENC] generating ID_PROT request 0 [ SA V V V V V ]
>> charon[5424]: 06[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[500] (184 bytes)
>> charon[5424]: 03[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
>> charon[5424]: 03[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[4500] (36 bytes)
>> charon[5424]: 03[NET] received unsupported IKE version 9.9 from (FORTIGATE), sending INVALID_MAJOR_VERSION
>>
>>
>> This is a pcap interpretation of the first 3 packets of the VPN attempt:
>>
>>
>> SSwan port 500 -> Fortigate port 500
>> Internet Security Association and Key Management Protocol
>>     Initiator SPI: 15fdb0398dcc1262
>>     Responder SPI: 0000000000000000
>>     Next payload: Security Association (1)
>>     Version: 1.0
>>         0001 .... = MjVer: 0x1
>>         .... 0000 = MnVer: 0x0
>>     Exchange type: Identity Protection (Main Mode) (2)
>>     Flags: 0x00
>>         .... ...0 = Encryption: Not encrypted
>>         .... ..0. = Commit: No commit
>>         .... .0.. = Authentication: No authentication
>>     Message ID: 0x00000000
>>     Length: 184
>>     Type Payload: Security Association (1)
>>         Next payload: Vendor ID (13)
>>         Payload length: 60
>>         Domain of interpretation: IPSEC (1)
>>         Situation: 00000001
>>             .... .... .... .... .... .... .... ...1 = Identity Only: True
>>             .... .... .... .... .... .... .... ..0. = Secrecy: False
>>             .... .... .... .... .... .... .... .0.. = Integrity: False
>>         Type Payload: Proposal (2) # 0
>>             Next payload: NONE / No Next Payload (0)
>>             Payload length: 48
>>             Proposal number: 0
>>             Protocol ID: ISAKMP (1)
>>             SPI Size: 0
>>             Proposal transforms: 1
>>             Type Payload: Transform (3) # 1
>>                 Next payload: NONE / No Next Payload (0)
>>                 Payload length: 40
>>                 Transform number: 1
>>                 Transform ID: KEY_IKE (1)
>>                 Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Encryption-Algorithm (1)
>>                     Value: 0007
>>                     Encryption Algorithm: AES-CBC (7)
>>                 Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Key-Length (14)
>>                     Value: 0100
>>                     Key Length: 256
>>                 Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA2-256
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Hash-Algorithm (2)
>>                     Value: 0004
>>                     HASH Algorithm: SHA2-256 (4)
>>                 Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Group-Description (4)
>>                     Value: 000e
>>                     Group Description: 2048 bit MODP group (14)
>>                 Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Authentication-Method (3)
>>                     Value: 0001
>>                     Authentication Method: PSK (1)
>>                 Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Life-Type (11)
>>                     Value: 0001
>>                     Life Type: Seconds (1)
>>                 Transform IKE Attribute Type (t=12,l=4) Life-Duration : 86400
>>                     0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
>>                     Transform IKE Attribute Type: Life-Duration (12)
>>                     Length: 4
>>                     Value: 00015180
>>                     Life Duration: 86400
>>     Type Payload: Vendor ID (13) : XAUTH
>>         Next payload: Vendor ID (13)
>>         Payload length: 12
>>         Vendor ID: 09002689dfd6b712
>>         Vendor ID: XAUTH
>>     Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
>>         Next payload: Vendor ID (13)
>>         Payload length: 20
>>         Vendor ID: afcad71368a1f1c96b8696fc77570100
>>         Vendor ID: RFC 3706 DPD (Dead Peer Detection)
>>     Type Payload: Vendor ID (13) : Cisco Fragmentation
>>         Next payload: Vendor ID (13)
>>         Payload length: 24
>>         Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d380000000
>>         Vendor ID: Cisco Fragmentation
>>     Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
>>         Next payload: Vendor ID (13)
>>         Payload length: 20
>>         Vendor ID: 4a131c81070358455c5728f20e95452f
>>         Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
>>     Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
>>         Next payload: NONE / No Next Payload (0)
>>         Payload length: 20
>>         Vendor ID: 90cb80913ebb696e086381b5ec427b1f
>>         Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
>>
>>
>> Fortigate port 4500 -> SSwan 500
>> Internet Security Association and Key Management Protocol
>>     Initiator SPI: 15fdb0398dcc1262
>>     Responder SPI: 88f25e0e3299ec3c
>>     Next payload: Security Association (1)
>>     Version: 1.0
>>         0001 .... = MjVer: 0x1
>>         .... 0000 = MnVer: 0x0
>>     Exchange type: Identity Protection (Main Mode) (2)
>>     Flags: 0x00
>>         .... ...0 = Encryption: Not encrypted
>>         .... ..0. = Commit: No commit
>>         .... .0.. = Authentication: No authentication
>>     Message ID: 0x00000000
>>     Length: 148
>>     Type Payload: Security Association (1)
>>         Next payload: Vendor ID (13)
>>         Payload length: 60
>>         Domain of interpretation: IPSEC (1)
>>         Situation: 00000001
>>             .... .... .... .... .... .... .... ...1 = Identity Only: True
>>             .... .... .... .... .... .... .... ..0. = Secrecy: False
>>             .... .... .... .... .... .... .... .0.. = Integrity: False
>>         Type Payload: Proposal (2) # 0
>>             Next payload: NONE / No Next Payload (0)
>>             Payload length: 48
>>             Proposal number: 0
>>             Protocol ID: ISAKMP (1)
>>             SPI Size: 0
>>             Proposal transforms: 1
>>             Type Payload: Transform (3) # 1
>>                 Next payload: NONE / No Next Payload (0)
>>                 Payload length: 40
>>                 Transform number: 1
>>                 Transform ID: KEY_IKE (1)
>>                 Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Encryption-Algorithm (1)
>>                     Value: 0007
>>                     Encryption Algorithm: AES-CBC (7)
>>                 Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Key-Length (14)
>>                     Value: 0100
>>                     Key Length: 256
>>                 Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA2-256
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Hash-Algorithm (2)
>>                     Value: 0004
>>                     HASH Algorithm: SHA2-256 (4)
>>                 Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Group-Description (4)
>>                     Value: 000e
>>                     Group Description: 2048 bit MODP group (14)
>>                 Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Authentication-Method (3)
>>                     Value: 0001
>>                     Authentication Method: PSK (1)
>>                 Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
>>                     1... .... .... .... = Transform IKE Format: Type/Value (TV)
>>                     Transform IKE Attribute Type: Life-Type (11)
>>                     Value: 0001
>>                     Life Type: Seconds (1)
>>                 Transform IKE Attribute Type (t=12,l=4) Life-Duration : 86400
>>                     0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
>>                     Transform IKE Attribute Type: Life-Duration (12)
>>                     Length: 4
>>                     Value: 00015180
>>                     Life Duration: 86400
>>     Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
>>         Next payload: Vendor ID (13)
>>         Payload length: 20
>>         Vendor ID: 4a131c81070358455c5728f20e95452f
>>         Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
>>     Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
>>         Next payload: Vendor ID (13)
>>         Payload length: 20
>>         Vendor ID: afcad71368a1f1c96b8696fc77570100
>>         Vendor ID: RFC 3706 DPD (Dead Peer Detection)
>>     Type Payload: Vendor ID (13) : Unknown Vendor ID
>>         Next payload: NONE / No Next Payload (0)
>>         Payload length: 20
>>         Vendor ID: 8299031757a36082c6a621de000402b6
>>         Vendor ID: Unknown Vendor ID
>>
>>
>> SSwan port 500 -> Fortigate port 4500
>> Internet Security Association and Key Management Protocol
>>     Initiator SPI: 0000000015fdb039
>>     Responder SPI: 8dcc126288f25e0e
>>     Next payload: Notify (41)
>>     Version: 2.0
>>         0010 .... = MjVer: 0x2
>>         .... 0000 = MnVer: 0x0
>>     Exchange type: INFORMATIONAL (37)
>>     Flags: 0x20 (Responder, No higher version, Response)
>>         .... 0... = Initiator: Responder
>>         ...0 .... = Version: No higher version
>>         ..1. .... = Response: Response
>>     Message ID: 0x00000000
>>     Length: 36
>>     Type Payload: Notify (41) - INVALID_MAJOR_VERSION
>>         Next payload: NONE / No Next Payload (0)
>>         0... .... = Critical Bit: Not Critical
>>         Payload length: 8
>>         Protocol ID: RESERVED (0)
>>         SPI Size: 0
>>         Notify Message Type: INVALID_MAJOR_VERSION (5)
>>         Notification DATA: <MISSING>
>>
>>
>> Can anyone explain why the INVALID_MAJOR_VERSION error?
>>
>> This is the config I’m using:
>>
>> config setup
>>     charondebug="ike 2, knl 3, cfg 0"
>>     uniqueids = yes
>>
>> conn ama
>>     keyexchange = ikev1
>>     right = (FORTIGATE)
>>     rightid = (FORTIGATE)
>>     rightsubnet = 172.31.200.0/23
>>     rightauth = psk
>>     left = 10.132.0.2
>>     leftid = (MYIP)
>>     leftsubnet = 172.31.229.240/29
>>     leftauth = psk
>>     auto = start
>>     esp = aes256-sha256-modp2048!
>>     ike = aes256-sha256-modp2048!
>>     type = tunnel
>>     ikelifetime = 24h
>>     lifetime = 1h
>>     dpdaction = restart
>>     forceencaps = yes
>>
>> Thank you for the help!
>>
>> Best regards,
>> André
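Editor's note, added to this archived thread and not part of any message in it: the "unsupported IKE version 9.9" in the log and the shifted SPIs in the third packet (0000000015fdb039 / 8dcc126288f25e0e) both follow from one framing rule. Per RFC 3948 section 2.2, IKE carried on UDP port 4500 is prefixed with a four-byte all-zero "non-ESP marker" so that a receiver can distinguish it from UDP-encapsulated ESP, whose first four bytes are a non-zero SPI; IKE on port 500 carries no marker. A receiver decides whether to strip the marker only from the port the datagram arrived on. The Python below (written for this note; it is not strongSwan or Fortigate code) builds the header of the Fortigate's Main Mode reply from the SPIs, exchange type and length shown in the pcap above (the 120 bytes of SA and Vendor ID payloads are omitted), prepends the marker as a port-4500 sender does, and parses the same bytes once as port-4500 traffic and once as port-500 traffic. The second parse reproduces the thread's symptom exactly: the marker becomes the first half of the initiator SPI, and the version byte is read from inside the real responder SPI (0x99). Setting both IKE ports to 4500, as the thread did, makes the two ends agree on the framing.

```python
import struct

# ISAKMP/IKE fixed header (RFC 2408 section 3.1, RFC 7296 section 3.1): 28 bytes.
#   8  initiator SPI (cookie)
#   8  responder SPI (cookie)
#   1  next payload
#   1  version: major nibble, minor nibble
#   1  exchange type
#   1  flags
#   4  message ID
#   4  total length
HDR = struct.Struct("!8s8sBBBBII")

# RFC 3948 section 2.2: IKE on UDP port 4500 is prefixed with four zero bytes
# (the non-ESP marker). UDP-encapsulated ESP on the same port starts with a
# non-zero SPI instead. Port 500 carries no marker at all.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def parse_ike_header(datagram: bytes, dst_port: int) -> dict:
    """Parse the IKE header of a UDP payload the way a receiver does.

    The receiver has no in-band way to know whether a marker is present; it
    decides purely from the port the datagram arrived on.
    """
    if dst_port == 4500:
        if len(datagram) < len(NON_ESP_MARKER):
            raise ValueError("short NAT-T datagram")
        marker, datagram = datagram[:4], datagram[4:]
        if marker != NON_ESP_MARKER:
            # A non-zero first word is an ESP SPI: encapsulated ESP, not IKE.
            raise ValueError("UDP-encapsulated ESP, not IKE")
    if len(datagram) < HDR.size:
        raise ValueError("short IKE header")
    ispi, rspi, next_payload, version, exchange, flags, msg_id, length = HDR.unpack_from(datagram)
    return {
        "ispi": ispi.hex(),
        "rspi": rspi.hex(),
        "next_payload": next_payload,
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange": exchange,
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def fortigate_main_mode_reply() -> bytes:
    """Constructed sample: the header of the Fortigate's Main Mode reply as
    dissected in the thread (SPIs, exchange type and length taken from that
    pcap; the SA and Vendor ID payloads that follow the header are omitted)."""
    return HDR.pack(
        bytes.fromhex("15fdb0398dcc1262"),  # initiator SPI
        bytes.fromhex("88f25e0e3299ec3c"),  # responder SPI
        1,      # next payload: Security Association
        0x10,   # version 1.0
        2,      # exchange type: Identity Protection (Main Mode)
        0,      # flags
        0,      # message ID
        148,    # length of the full message
    )


def demonstrate() -> tuple:
    """Return (correctly parsed, mis-parsed) views of the same NAT-T datagram."""
    on_the_wire = NON_ESP_MARKER + fortigate_main_mode_reply()  # as sent from port 4500
    # A receiver listening on 4500 strips the marker and sees IKEv1 Main Mode.
    correct = parse_ike_header(on_the_wire, dst_port=4500)
    # The same bytes delivered to port 500: the marker is taken as the first
    # four bytes of the initiator SPI, every field shifts by four bytes, and
    # the version byte is read from the middle of the real responder SPI.
    shifted = parse_ike_header(on_the_wire, dst_port=500)
    return correct, shifted


if __name__ == "__main__":
    correct, shifted = demonstrate()
    print("port 4500 view: version %d.%d, ispi %s" % (correct["major"], correct["minor"], correct["ispi"]))
    print("port 500 view:  version %d.%d, ispi %s" % (shifted["major"], shifted["minor"], shifted["ispi"]))
```

Running it prints version 1.0 with the original initiator SPI for the port-4500 view, and version 9.9 with initiator SPI 0000000015fdb039 for the port-500 view, which is what strongSwan echoed back in its INVALID_MAJOR_VERSION notification.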