Any other suggestion on this issue? Thanks
On Fri, Mar 15, 2019 at 10:52 AM MOSES KARIUKI <[email protected]> wrote:
> Thanks Chris.
>
> The client says that the port is open. I will change the Ciphers. Thanks
>
> On Fri, Mar 15, 2019 at 4:40 AM Chris Sherry <[email protected]> wrote:
>
>> The first thing to check is 200.10.1.X is allowing UDP/4500 inbound. That
>> being said, you should really rethink your ciphers, 3DES/SHA1 shouldn't be
>> a thing anymore.
>>
>> Chris.
>>
>> On Thu, Mar 14, 2019 at 4:57 PM MOSES KARIUKI <[email protected]> wrote:
>>
>>> Dear Team,
>>>
>>> I have not been able to connect from a Fortigate firewall client to my
>>> Strongswan Host. These are the parameters set up on the Fortigate:
>>>
>>>   Authentication Method             Pre-Shared Secret
>>>   Encryption Schema                 IKE
>>>   Perfect Forward Secrecy - IKE     DH Group-5
>>>   Encryption Algorithm              3DES
>>>   Hashing Algorithm                 SHA1
>>>   Renegotiate IKE SA every          28800
>>>   Main or Aggressive Mode           Main
>>>   IPSec                             ESP
>>>   Perfect Forward Secrecy - IPSEC   DH Group-2
>>>   Encryption Algorithm IPSec        3DES
>>>   Hashing Algorithm IPSec           SHA1
>>>   Renegotiate IPSec SA every        1800
>>>
>>> and below is my Strongswan config.
>>>
>>> conn ikev2-Teledida
>>>     auto=start
>>>     compress=no
>>>     type=tunnel
>>>     keyexchange=ikev2
>>>     fragmentation=yes
>>>     forceencaps=yes
>>>     dpdaction=clear
>>>     dpddelay=300s
>>>     rekey=no
>>>     left=%any
>>>     leftid=35.185.2**.***
>>>     leftsubnet=0.0.0.0/0
>>>     right=200.10.1**.***
>>>     rightid=%any
>>>     rightauth=psk
>>>     rightsourceip=10.11.10.0/9
>>>     rightdns=8.8.8.8,8.8.4.4
>>>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
>>>     esp=aes256-sha256,aes256-sha1,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1024,3des-sha1-modp1536
>>>
>>> When I try to connect, it fails with the below error:
>>>
>>> LOG:
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] received stroke: add connection 'ikev2-Teledida'
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] conn ikev2-Teledida
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] left=%any
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] leftsubnet=0.0.0.0/0
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] leftid=35.185.2**.***
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] right=200.10.1**.***
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] rightsourceip=10.11.10.0/9
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] rightdns=8.8.8.8,8.8.4.4
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] rightauth=psk
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] rightid=%any
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] ike=aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] esp=aes256-sha256,aes256-sha1,aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp2048,3des-sha1-modp1024,3des-sha1-modp1536
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] dpddelay=300
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] dpdtimeout=150
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] dpdaction=1
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] sha256_96=no
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] mediation=no
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] keyexchange=ikev2
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] adding virtual IP address pool 10.11.10.0/9
>>> Mar 15 00:36:12 klick001 charon: 07[CFG] added configuration 'ikev2-Teledida'
>>> Mar 15 00:36:12 klick001 charon: 09[CFG] received stroke: initiate 'ikev2-Teledida'
>>> Mar 15 00:36:12 klick001 charon: 09[IKE] initiating IKE_SA ikev2-Teledida[1] to 200.10.1**.***
>>> Mar 15 00:36:12 klick001 charon: 09[CFG] configured proposals:
>>>     IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>     IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>     IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>>     IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>>     IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>     IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>     IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
>>>     IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>     IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
>>>     IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
>>> Mar 15 00:36:12 klick001 charon: 11[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
>>> Mar 15 00:36:12 klick001 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>> Mar 15 00:36:12 klick001 charon: 11[NET] sending packet: from 10.138.0.4[500] to 200.10.1**.***[500] (1588 bytes)
>>> Mar 15 00:36:12 klick001 charon: 12[NET] received packet: from 200.10.1**.***[500] to 10.138.0.4[500] (348 bytes)
>>> Mar 15 00:36:12 klick001 charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selecting proposal:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] proposal matches
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] configured proposals:
>>>     IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>     IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>     IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>>     IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
>>>     IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>     IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
>>>     IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
>>>     IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>>>     IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
>>>     IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>>> Mar 15 00:36:12 klick001 charon: 12[IKE] local host is behind NAT, sending keep alives
>>> Mar 15 00:36:12 klick001 charon: 12[IKE] sending cert request for "CN=VPN root CA"
>>> Mar 15 00:36:12 klick001 charon: 12[IKE] authentication of '35.185.2**.***' (myself) with RSA signature successful
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] proposing traffic selectors for us:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] 0.0.0.0/0
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] proposing traffic selectors for other:
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] dynamic
>>> Mar 15 00:36:12 klick001 charon: 12[CFG] configured proposals:
>>>     ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ,
>>>     ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
>>>     ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
>>>     ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
>>>     ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
>>>     ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
>>> Mar 15 00:36:12 klick001 charon: 12[IKE] establishing CHILD_SA ikev2-Teledida{1}
>>> Mar 15 00:36:12 klick001 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>>> Mar 15 00:36:12 klick001 charon: 12[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>> Mar 15 00:36:16 klick001 charon: 15[IKE] retransmit 1 of request with message ID 1
>>> Mar 15 00:36:16 klick001 charon: 15[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>> Mar 15 00:36:23 klick001 charon: 16[IKE] retransmit 2 of request with message ID 1
>>> Mar 15 00:36:23 klick001 charon: 16[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>> Mar 15 00:36:36 klick001 charon: 06[IKE] retransmit 3 of request with message ID 1
>>> Mar 15 00:36:36 klick001 charon: 06[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>> Mar 15 00:36:56 klick001 charon: 10[IKE] sending keep alive to 200.10.1**.***[4500]
>>> Mar 15 00:36:59 klick001 charon: 09[IKE] retransmit 4 of request with message ID 1
>>> Mar 15 00:36:59 klick001 charon: 09[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>> Mar 15 00:37:20 klick001 charon: 12[IKE] sending keep alive to 200.10.1**.***[4500]
>>> Mar 15 00:37:40 klick001 charon: 13[IKE] sending keep alive to 200.10.1**.***[4500]
>>> Mar 15 00:37:41 klick001 charon: 14[IKE] retransmit 5 of request with message ID 1
>>> Mar 15 00:37:41 klick001 charon: 14[NET] sending packet: from 10.138.0.4[4500] to 200.10.1**.***[4500] (988 bytes)
>>>
>>> Please assist as we are about to go live soon.
>>>
>>> Thanks in advance.
>>>
>>> Moses K
>>>
>>
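The two points Chris raises in the thread (is the peer reachable on UDP/4500 once NAT-T kicks in, and are 3DES/SHA1 still in the proposal set) can both be checked mechanically from the charon log and the ipsec.conf proposal lines. The script below is an added example written for this page, not code from the thread or from the strongSwan project. Its function names are hypothetical, and its sample log is constructed after the output quoted above with the masked peer address replaced by the documentation address 203.0.113.7. The pattern it looks for is the one visible in the log: IKE_SA_INIT completes on port 500, the host detects it is behind NAT, moves to port 4500 for IKE_AUTH, and from then on only retransmits and keep-alives leave with nothing coming back.

```python
"""Triage a strongSwan charon log and ipsec.conf proposal lines.

Added example for this thread, not strongSwan's own code. The sample log is
constructed; 203.0.113.7 stands in for the thread's masked peer address.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# ipsec.conf algorithm tokens a current ike=/esp= proposal should no longer carry.
LEGACY_TOKENS = {
    "des": "single DES",
    "3des": "3DES (64-bit block)",
    "md5": "MD5",
    "sha1": "SHA-1",
    "modp768": "DH group 1 (768-bit MODP)",
    "modp1024": "DH group 2 (1024-bit MODP)",
    "modp1536": "DH group 5 (1536-bit MODP)",
}


def legacy_proposals(proposal_line: str) -> Dict[str, List[str]]:
    """Return {proposal: [legacy components]} for one ike= or esp= line.

    Only proposals with at least one legacy token are listed; {} means clean.
    """
    value = proposal_line.split("=", 1)[1].strip().rstrip("!")
    report: Dict[str, List[str]] = {}
    for proposal in value.split(","):
        hits = [LEGACY_TOKENS[t] for t in proposal.split("-") if t in LEGACY_TOKENS]
        if hits:
            report[proposal] = hits
    return report


# "Mar 15 00:36:12 klick001 charon: 12[NET] sending packet: ..." -> message text
CHARON_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ charon: \d+\[\w+\] (?P<msg>.*)$")
PACKET_RE = re.compile(r"(?P<dir>sending|received) packet: from (?P<src>\S+) to (?P<dst>\S+)")
LEGACY_IKE = (("3DES_CBC", "3DES"), ("HMAC_SHA1", "SHA-1"),
              ("MODP_1024", "DH group 2"), ("MODP_1536", "DH group 5"))


@dataclass
class LogTriage:
    selected_ike: Optional[str] = None   # IKE proposal the peer accepted
    behind_nat: bool = False             # NAT-T detected, traffic moves to UDP/4500
    auth_dst: Optional[str] = None       # "ip[port]" the IKE_AUTH request went to
    auth_retransmits: int = 0
    replies_after_auth: int = 0          # packets seen from auth_dst after IKE_AUTH
    findings: List[str] = field(default_factory=list)


def triage_charon_log(lines: Iterable[str]) -> LogTriage:
    """Scan charon log lines for the two problems discussed in the thread."""
    t = LogTriage()
    auth_msg_id: Optional[str] = None    # message ID of the IKE_AUTH request
    awaiting_auth_send = False           # next "sending packet" carries IKE_AUTH
    for raw in lines:
        m = CHARON_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("selected proposal: IKE:"):
            t.selected_ike = msg.split("IKE:", 1)[1]
            continue
        if "local host is behind NAT" in msg:
            t.behind_nat = True
            continue
        gen = re.match(r"generating IKE_AUTH request (\d+)", msg)
        if gen:
            auth_msg_id = gen.group(1)
            awaiting_auth_send = True
            continue
        rt = re.match(r"retransmit \d+ of request with message ID (\d+)", msg)
        if rt and rt.group(1) == auth_msg_id:
            t.auth_retransmits += 1
            continue
        p = PACKET_RE.search(msg)
        if not p:
            continue
        if p.group("dir") == "sending" and awaiting_auth_send:
            t.auth_dst = p.group("dst")
            awaiting_auth_send = False
        elif p.group("dir") == "received" and t.auth_dst and p.group("src") == t.auth_dst:
            t.replies_after_auth += 1

    if t.selected_ike:
        weak = [name for tok, name in LEGACY_IKE if tok in t.selected_ike]
        if weak:
            t.findings.append("negotiated IKE proposal uses legacy algorithms: " + ", ".join(weak))
    if t.auth_dst and t.auth_retransmits and not t.replies_after_auth:
        port = t.auth_dst.rsplit("[", 1)[1].rstrip("]")
        t.findings.append(
            f"IKE_AUTH to {t.auth_dst} retransmitted {t.auth_retransmits} times with no reply; "
            f"verify the peer and every filter in between allow UDP/{port} inbound"
            + (" (NAT-T is in use)" if t.behind_nat else ""))
    return t


# Constructed sample modelled on the thread's log; peer address is a documentation address.
SAMPLE_LOG = """\
Mar 15 00:36:12 klick001 charon: 11[NET] sending packet: from 10.138.0.4[500] to 203.0.113.7[500] (1588 bytes)
Mar 15 00:36:12 klick001 charon: 12[NET] received packet: from 203.0.113.7[500] to 10.138.0.4[500] (348 bytes)
Mar 15 00:36:12 klick001 charon: 12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Mar 15 00:36:12 klick001 charon: 12[IKE] local host is behind NAT, sending keep alives
Mar 15 00:36:12 klick001 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr ]
Mar 15 00:36:12 klick001 charon: 12[NET] sending packet: from 10.138.0.4[4500] to 203.0.113.7[4500] (988 bytes)
Mar 15 00:36:16 klick001 charon: 15[IKE] retransmit 1 of request with message ID 1
Mar 15 00:36:16 klick001 charon: 15[NET] sending packet: from 10.138.0.4[4500] to 203.0.113.7[4500] (988 bytes)
Mar 15 00:36:23 klick001 charon: 16[IKE] retransmit 2 of request with message ID 1
Mar 15 00:36:23 klick001 charon: 16[NET] sending packet: from 10.138.0.4[4500] to 203.0.113.7[4500] (988 bytes)
Mar 15 00:36:56 klick001 charon: 10[IKE] sending keep alive to 203.0.113.7[4500]
""".splitlines()

SAMPLE_IKE_LINE = "ike=aes256-sha1-modp1024,aes256-sha256-modp2048,3des-sha1-modp1536"

if __name__ == "__main__":
    for proposal, parts in legacy_proposals(SAMPLE_IKE_LINE).items():
        print(f"{proposal}: {', '.join(parts)}")
    for finding in triage_charon_log(SAMPLE_LOG).findings:
        print(finding)
```

Run against a real log, the second finding only fires when every packet after the IKE_AUTH request is outbound, which is exactly what distinguishes "the peer is unreachable on 4500" from an authentication mismatch (where the peer would answer, if only with a failure notify). The proposal check is deliberately token-based so it can be pointed at the `ike=` and `esp=` lines of any ipsec.conf without parsing the whole file.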
