Thank you for the clarification.

On Fri, 11 May 2018 at 22:00, Noel Kuntze <[email protected]> wrote:
> Hello,
>
> The Fortigate behaves incorrectly.
> It is incorrect to send packets with NON-ESP markers to port 500. The
> Fortigate needs to send those packets to port 4500 after faking a NAT
> situation to force the usage of UDP encapsulation.
> It did not do that.
>
> Kind regards
>
> Noel
>
> On 11.05.2018 12:14, André Cruz wrote:
> > Hello.
> >
> > I've managed to fix the problem which was related to the usage of
> > different ports. strongSwan was sending a request from port 500 to port
> > 500, Fortigate is answering from port 4500 which has an ESP marker, and so
> > strongSwan was reading the protocol version in the wrong place.
> >
> > leftikeport = 4500
> > rightikeport = 4500
> >
> > managed to fix this.
> >
> > Best regards,
> > André
> >
> >> On 10 May 2018, at 22:11, André Cruz <[email protected]> wrote:
> >>
> >> Hello.
> >>
> >> I’m trying to establish a VPN (IKEv1) with a Fortigate peer and I’m
> >> having some difficulties. I’m sure this has worked in the past, however now
> >> I’m getting a strange error back.
> >>
> >> This is the strongSwan log:
> >>
> >> ipsec_starter[5409]: Starting strongSwan 5.6.2 IPsec [starter]…
> >> …
> >> charon[5424]: 06[IKE] queueing ISAKMP_VENDOR task
> >> charon[5424]: 06[IKE] queueing ISAKMP_CERT_PRE task
> >> charon[5424]: 06[IKE] queueing MAIN_MODE task
> >> charon[5424]: 06[IKE] queueing ISAKMP_CERT_POST task
> >> charon[5424]: 06[IKE] queueing ISAKMP_NATD task
> >> charon[5424]: 06[IKE] queueing QUICK_MODE task
> >> charon[5424]: 06[IKE] activating new tasks
> >> charon[5424]: 06[IKE] activating ISAKMP_VENDOR task
> >> charon[5424]: 06[IKE] activating ISAKMP_CERT_PRE task
> >> charon[5424]: 06[IKE] activating MAIN_MODE task
> >> charon[5424]: 06[IKE] activating ISAKMP_CERT_POST task
> >> charon[5424]: 06[IKE] activating ISAKMP_NATD task
> >> charon[5424]: 06[IKE] sending XAuth vendor ID
> >> charon[5424]: 06[IKE] sending DPD vendor ID
> >> charon[5424]: 06[IKE] sending FRAGMENTATION vendor ID
> >> charon[5424]: 06[IKE] sending NAT-T (RFC 3947) vendor ID
> >> charon[5424]: 06[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> >> charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
> >> charon[5424]: 06[IKE] initiating Main Mode IKE_SA ama[1] to (FORTIGATE)
> >> charon[5424]: 06[IKE] IKE_SA ama[1] state change: CREATED => CONNECTING
> >> charon[5424]: 06[ENC] generating ID_PROT request 0 [ SA V V V V V ]
> >> charon[5424]: 06[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[500] (184 bytes)
> >> charon[5424]: 03[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
> >> charon[5424]: 03[NET] sending packet: from 10.132.0.2[500] to (FORTIGATE)[4500] (36 bytes)
> >> charon[5424]: 03[NET] received unsupported IKE version 9.9 from (FORTIGATE), sending INVALID_MAJOR_VERSION
> >>
> >>
> >> This is a pcap interpretation of the first 3 packets of the VPN attempt:
> >>
> >>
> >> SSwan port 500 -> Fortigate port 500
> >> Internet Security Association and Key Management Protocol
> >>   Initiator SPI: 15fdb0398dcc1262
> >>   Responder SPI: 0000000000000000
> >>   Next payload: Security Association (1)
> >>   Version: 1.0
> >>     0001 .... = MjVer: 0x1
> >>     .... 0000 = MnVer: 0x0
> >>   Exchange type: Identity Protection (Main Mode) (2)
> >>   Flags: 0x00
> >>     .... ...0 = Encryption: Not encrypted
> >>     .... ..0. = Commit: No commit
> >>     .... .0.. = Authentication: No authentication
> >>   Message ID: 0x00000000
> >>   Length: 184
> >>   Type Payload: Security Association (1)
> >>     Next payload: Vendor ID (13)
> >>     Payload length: 60
> >>     Domain of interpretation: IPSEC (1)
> >>     Situation: 00000001
> >>       .... .... .... .... .... .... .... ...1 = Identity Only: True
> >>       .... .... .... .... .... .... .... ..0. = Secrecy: False
> >>       .... .... .... .... .... .... .... .0.. = Integrity: False
> >>     Type Payload: Proposal (2) # 0
> >>       Next payload: NONE / No Next Payload (0)
> >>       Payload length: 48
> >>       Proposal number: 0
> >>       Protocol ID: ISAKMP (1)
> >>       SPI Size: 0
> >>       Proposal transforms: 1
> >>       Type Payload: Transform (3) # 1
> >>         Next payload: NONE / No Next Payload (0)
> >>         Payload length: 40
> >>         Transform number: 1
> >>         Transform ID: KEY_IKE (1)
> >>         Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Encryption-Algorithm (1)
> >>           Value: 0007
> >>           Encryption Algorithm: AES-CBC (7)
> >>         Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Key-Length (14)
> >>           Value: 0100
> >>           Key Length: 256
> >>         Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA2-256
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Hash-Algorithm (2)
> >>           Value: 0004
> >>           HASH Algorithm: SHA2-256 (4)
> >>         Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Group-Description (4)
> >>           Value: 000e
> >>           Group Description: 2048 bit MODP group (14)
> >>         Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Authentication-Method (3)
> >>           Value: 0001
> >>           Authentication Method: PSK (1)
> >>         Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Life-Type (11)
> >>           Value: 0001
> >>           Life Type: Seconds (1)
> >>         Transform IKE Attribute Type (t=12,l=4) Life-Duration : 86400
> >>           0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
> >>           Transform IKE Attribute Type: Life-Duration (12)
> >>           Length: 4
> >>           Value: 00015180
> >>           Life Duration: 86400
> >>   Type Payload: Vendor ID (13) : XAUTH
> >>     Next payload: Vendor ID (13)
> >>     Payload length: 12
> >>     Vendor ID: 09002689dfd6b712
> >>     Vendor ID: XAUTH
> >>   Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
> >>     Next payload: Vendor ID (13)
> >>     Payload length: 20
> >>     Vendor ID: afcad71368a1f1c96b8696fc77570100
> >>     Vendor ID: RFC 3706 DPD (Dead Peer Detection)
> >>   Type Payload: Vendor ID (13) : Cisco Fragmentation
> >>     Next payload: Vendor ID (13)
> >>     Payload length: 24
> >>     Vendor ID: 4048b7d56ebce88525e7de7f00d6c2d380000000
> >>     Vendor ID: Cisco Fragmentation
> >>   Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
> >>     Next payload: Vendor ID (13)
> >>     Payload length: 20
> >>     Vendor ID: 4a131c81070358455c5728f20e95452f
> >>     Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
> >>   Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
> >>     Next payload: NONE / No Next Payload (0)
> >>     Payload length: 20
> >>     Vendor ID: 90cb80913ebb696e086381b5ec427b1f
> >>     Vendor ID: draft-ietf-ipsec-nat-t-ike-02\n
> >>
> >>
> >> Fortigate port 4500 -> SSwan 500
> >> Internet Security Association and Key Management Protocol
> >>   Initiator SPI: 15fdb0398dcc1262
> >>   Responder SPI: 88f25e0e3299ec3c
> >>   Next payload: Security Association (1)
> >>   Version: 1.0
> >>     0001 .... = MjVer: 0x1
> >>     .... 0000 = MnVer: 0x0
> >>   Exchange type: Identity Protection (Main Mode) (2)
> >>   Flags: 0x00
> >>     .... ...0 = Encryption: Not encrypted
> >>     .... ..0. = Commit: No commit
> >>     .... .0.. = Authentication: No authentication
> >>   Message ID: 0x00000000
> >>   Length: 148
> >>   Type Payload: Security Association (1)
> >>     Next payload: Vendor ID (13)
> >>     Payload length: 60
> >>     Domain of interpretation: IPSEC (1)
> >>     Situation: 00000001
> >>       .... .... .... .... .... .... .... ...1 = Identity Only: True
> >>       .... .... .... .... .... .... .... ..0. = Secrecy: False
> >>       .... .... .... .... .... .... .... .0.. = Integrity: False
> >>     Type Payload: Proposal (2) # 0
> >>       Next payload: NONE / No Next Payload (0)
> >>       Payload length: 48
> >>       Proposal number: 0
> >>       Protocol ID: ISAKMP (1)
> >>       SPI Size: 0
> >>       Proposal transforms: 1
> >>       Type Payload: Transform (3) # 1
> >>         Next payload: NONE / No Next Payload (0)
> >>         Payload length: 40
> >>         Transform number: 1
> >>         Transform ID: KEY_IKE (1)
> >>         Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : AES-CBC
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Encryption-Algorithm (1)
> >>           Value: 0007
> >>           Encryption Algorithm: AES-CBC (7)
> >>         Transform IKE Attribute Type (t=14,l=2) Key-Length : 256
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Key-Length (14)
> >>           Value: 0100
> >>           Key Length: 256
> >>         Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA2-256
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Hash-Algorithm (2)
> >>           Value: 0004
> >>           HASH Algorithm: SHA2-256 (4)
> >>         Transform IKE Attribute Type (t=4,l=2) Group-Description : 2048 bit MODP group
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Group-Description (4)
> >>           Value: 000e
> >>           Group Description: 2048 bit MODP group (14)
> >>         Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Authentication-Method (3)
> >>           Value: 0001
> >>           Authentication Method: PSK (1)
> >>         Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
> >>           1... .... .... .... = Transform IKE Format: Type/Value (TV)
> >>           Transform IKE Attribute Type: Life-Type (11)
> >>           Value: 0001
> >>           Life Type: Seconds (1)
> >>         Transform IKE Attribute Type (t=12,l=4) Life-Duration : 86400
> >>           0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
> >>           Transform IKE Attribute Type: Life-Duration (12)
> >>           Length: 4
> >>           Value: 00015180
> >>           Life Duration: 86400
> >>   Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
> >>     Next payload: Vendor ID (13)
> >>     Payload length: 20
> >>     Vendor ID: 4a131c81070358455c5728f20e95452f
> >>     Vendor ID: RFC 3947 Negotiation of NAT-Traversal in the IKE
> >>   Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
> >>     Next payload: Vendor ID (13)
> >>     Payload length: 20
> >>     Vendor ID: afcad71368a1f1c96b8696fc77570100
> >>     Vendor ID: RFC 3706 DPD (Dead Peer Detection)
> >>   Type Payload: Vendor ID (13) : Unknown Vendor ID
> >>     Next payload: NONE / No Next Payload (0)
> >>     Payload length: 20
> >>     Vendor ID: 8299031757a36082c6a621de000402b6
> >>     Vendor ID: Unknown Vendor ID
> >>
> >>
> >> SSwan port 500 -> Fortigate port 4500
> >> Internet Security Association and Key Management Protocol
> >>   Initiator SPI: 0000000015fdb039
> >>   Responder SPI: 8dcc126288f25e0e
> >>   Next payload: Notify (41)
> >>   Version: 2.0
> >>     0010 .... = MjVer: 0x2
> >>     .... 0000 = MnVer: 0x0
> >>   Exchange type: INFORMATIONAL (37)
> >>   Flags: 0x20 (Responder, No higher version, Response)
> >>     .... 0... = Initiator: Responder
> >>     ...0 .... = Version: No higher version
> >>     ..1. .... = Response: Response
> >>   Message ID: 0x00000000
> >>   Length: 36
> >>   Type Payload: Notify (41) - INVALID_MAJOR_VERSION
> >>     Next payload: NONE / No Next Payload (0)
> >>     0... .... = Critical Bit: Not Critical
> >>     Payload length: 8
> >>     Protocol ID: RESERVED (0)
> >>     SPI Size: 0
> >>     Notify Message Type: INVALID_MAJOR_VERSION (5)
> >>     Notification DATA: <MISSING>
> >>
> >>
> >> Can anyone explain why the INVALID_MAJOR_VERSION error?
> >>
> >> This is the config I’m using:
> >>
> >> config setup
> >>     charondebug="ike 2, knl 3, cfg 0"
> >>     uniqueids = yes
> >>
> >> conn ama
> >>     keyexchange = ikev1
> >>     right = (FORTIGATE)
> >>     rightid = (FORTIGATE)
> >>     rightsubnet = 172.31.200.0/23
> >>     rightauth = psk
> >>     left = 10.132.0.2
> >>     leftid = (MYIP)
> >>     leftsubnet = 172.31.229.240/29
> >>     leftauth = psk
> >>     auto = start
> >>     esp = aes256-sha256-modp2048!
> >>     ike = aes256-sha256-modp2048!
> >>     type = tunnel
> >>     ikelifetime = 24h
> >>     lifetime = 1h
> >>     dpdaction = restart
> >>     forceencaps = yes
> >>
> >> Thank you for the help!
> >>
> >> Best regards,
> >> André
> >
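The "IKE version 9.9" in the log and the shifted SPIs in the third packet follow directly from the port mismatch Noel describes. The example below is added here to illustrate that mechanism; it is not code from the thread, from strongSwan or from Fortinet. It parses a UDP payload the way an IKE daemon must, depending on the port it arrives on: on 4500 (RFC 3948 UDP encapsulation) a leading word of four zero bytes is the non-ESP marker that precedes the ISAKMP header, a single 0xFF byte is a NAT keepalive and anything else is UDP-encapsulated ESP; on 500 the ISAKMP header starts at offset 0. The sample datagram is constructed: it reuses the SPIs, version and exchange type from the Fortigate's Main Mode reply above, prefixed with the non-ESP marker, but only the 28-byte header is reproduced (the SA and Vendor ID payloads are omitted, so its length field is 28). The `diagnose` helper is my own defender-side sanity check, not a strongSwan feature.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"          # RFC 3948: 4 zero bytes ahead of IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                        # RFC 3948: one-byte NAT keepalive on UDP/4500
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")   # RFC 2408 section 3.1: SPIs, NP, version, exch, flags, msgid, len


def build_isakmp_header(ispi, rspi, next_payload, major, minor, exch_type, flags, msg_id, length):
    """Pack a 28-byte ISAKMP header; version byte is major in the high nibble, minor in the low."""
    version = ((major & 0x0F) << 4) | (minor & 0x0F)
    return ISAKMP_HEADER.pack(ispi, rspi, next_payload, version, exch_type, flags, msg_id, length)


def parse_isakmp_header(buf):
    """Unpack an ISAKMP header starting at offset 0 of buf."""
    if len(buf) < ISAKMP_HEADER.size:
        raise ValueError("short ISAKMP header")
    ispi, rspi, np, ver, exch, flags, mid, length = ISAKMP_HEADER.unpack_from(buf)
    return {
        "kind": "ike",
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "next_payload": np,
        "major": ver >> 4,
        "minor": ver & 0x0F,
        "exchange_type": exch,
        "flags": flags,
        "message_id": mid,
        "length": length,
    }


def parse_ike_datagram(payload, local_port):
    """Parse a UDP payload as an IKE daemon would, keyed on the local port it was received on.

    Port 4500 carries UDP-encapsulated traffic: the first four bytes are either an ESP SPI
    (nonzero) or the non-ESP marker (zero) that precedes an IKE header. Port 500 carries
    plain IKE, so the header is read from offset 0 and any marker is misread as SPI bytes.
    """
    if local_port == 4500:
        if payload == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive"}
        if len(payload) < 4:
            raise ValueError("short UDP-encapsulated datagram")
        if payload[:4] != NON_ESP_MARKER:
            return {"kind": "udp-encapsulated-esp", "spi": payload[:4].hex()}
        return parse_isakmp_header(payload[4:])
    return parse_isakmp_header(payload)


def diagnose(payload, local_port):
    """Sanity check for the failure mode in the thread: an INVALID_MAJOR_VERSION caused by a
    non-ESP marker arriving on port 500 rather than by a peer that truly speaks a bad version."""
    hdr = parse_ike_datagram(payload, local_port)
    if hdr["kind"] != "ike":
        return hdr["kind"]
    if hdr["major"] in (1, 2):
        return "ok"
    if local_port == 500 and payload[:4] == NON_ESP_MARKER:
        return "non-esp marker on port 500: peer sent UDP-encapsulated IKE to the wrong port"
    return "unsupported IKE version %d.%d" % (hdr["major"], hdr["minor"])


# Constructed sample: header of the Fortigate's Main Mode reply (values from the thread's pcap)
# with the non-ESP marker it prepends when answering from port 4500. Payloads omitted.
FORTIGATE_REPLY = NON_ESP_MARKER + build_isakmp_header(
    ispi=bytes.fromhex("15fdb0398dcc1262"),
    rspi=bytes.fromhex("88f25e0e3299ec3c"),
    next_payload=1,        # Security Association
    major=1, minor=0,      # IKEv1
    exch_type=2,           # Identity Protection (Main Mode)
    flags=0,
    msg_id=0,
    length=ISAKMP_HEADER.size,
)

if __name__ == "__main__":
    wrong = parse_ike_datagram(FORTIGATE_REPLY, 500)    # what strongSwan saw on port 500
    right = parse_ike_datagram(FORTIGATE_REPLY, 4500)   # what it would see on port 4500
    for label, h in (("port 500 ", wrong), ("port 4500", right)):
        print("%s: version %d.%d ispi=%s rspi=%s" % (
            label, h["major"], h["minor"], h["initiator_spi"], h["responder_spi"]))
    print(diagnose(FORTIGATE_REPLY, 500))
```

Read on port 500 the marker's four zero bytes become the start of the initiator SPI, the real SPIs slide four bytes down (giving exactly the 0000000015fdb039 / 8dcc126288f25e0e pair strongSwan echoed back in its INFORMATIONAL), and the version byte is read from inside the responder SPI, 0x99, hence "version 9.9". Read on port 4500, where the marker is expected, the same bytes parse as the IKEv1 Main Mode reply they are. Setting `leftikeport`/`rightikeport` to 4500, as André did, moves strongSwan's own socket to the port on which it strips the marker; Noel's point stands that the peer should have switched to 4500 itself rather than answering port-500 traffic from 4500.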
