Any kind souls out there in this?

On Sun, Mar 31, 2019 at 3:32 PM MOSES KARIUKI <[email protected]> wrote:
> Dear Team,
>
> I have not yet succeeded in establishing a connection to the remote
> Fortigate client. The remote client has internal IPs in the range
> I have the following configuration :
>
> *sudo route -n*
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         10.138.0.1      0.0.0.0         UG    100    0        0 ens4
> 10.138.0.1      0.0.0.0         255.255.255.255 UH    100    0        0 ens4
>
> *I have these rules :*
> *nat
> -A POSTROUTING -s 10.10.10.0/24 -o ens4 -m policy --pol ipsec --dir out -j ACCEPT
> -A POSTROUTING -s 10.10.10.0/24 -o ens4 -j MASQUERADE
> COMMIT
>
> *mangle
> -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o ens4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> COMMIT
>
> -A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
> -A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
>
> *This is my Strongswan configuration :*
> config setup
>     charondebug="ike 1, knl 1, cfg 2"
>     uniqueids=yes
>
> conn televida
>     auto=route
>     compress=no
>     type=tunnel
>     reauth=no
>     mobike=no
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     rightfirewall=yes
>     leftfirewall=yes
>     left=%any
>     leftid=35.185.2**.**
>     leftcert=server-cert.pem
>     leftsendcert=never
>     *leftsubnet=10.138.0.0/20,0.0.0.0/0*
>     right=200.1*.1*3.*
>     rightid=%any
>     rightauth=psk
>     *rightsourceip=10.10.10.0/24*
>     #rightsourceip=
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     ike=aes256-sha256-ecp521
>     esp=aes256-sha256-ecp521
>
> This is the error that I am getting :
> *sudo ipsec up televida*
> initiating IKE_SA televida[1] to 200.1*.1*3.*
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 10.138.0.4[500] to 200.1*.1*3.*[500] (1006 bytes)
> received packet: from 200.1*.1*3.*[500] to 10.138.0.4[500] (292 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> local host is behind NAT, sending keep alives
> authentication of '35.185.2**.**' (myself) with RSA signature successful
> establishing CHILD_SA televida{2}
> generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> retransmit 1 of request with message ID 1
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> retransmit 2 of request with message ID 1
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> retransmit 3 of request with message ID 1
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> sending keep alive to 200.1*.1*3.*[4500]
> retransmit 4 of request with message ID 1
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> sending keep alive to 200.1*.1*3.*[4500]
> sending keep alive to 200.1*.1*3.*[4500]
> retransmit 5 of request with message ID 1
> sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
> sending keep alive to 200.1*.1*3.*[4500]
> sending keep alive to 200.1*.1*3.*[4500]
> sending keep alive to 200.1*.1*3.*[4500]
> giving up after 5 retransmits
> peer not responding, trying again (2/3)
> initiating IKE_SA televida[1] to 200.1*.1*3.*
> establishing connection 'televida' failed
>
> My biggest question is :
> Do the two private Subnets need to be under the same Subnet Mask?
> My private IP is *10.138.0.4*. He tells me that 10.28.2.8/32 is his
> private.
> Please advise. I have re-installed again and again with no success.
>
> Regards,
> Moses Kariuki
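The charon output quoted above shows the IKE_SA_INIT exchange on UDP/500 being answered, then the IKE_AUTH request on UDP/4500 retransmitted five times with no reply. As an added example (not code from the thread or from strongSwan), the following Python reads such a log and reports, per message ID, which exchange went unanswered and on which remote port; the embedded log is a constructed, abridged copy of the one above.

```python
import re

# Constructed, abridged excerpt of the charon output quoted above (peer
# address masked as in the original; 'sending keep alive' lines dropped).
SAMPLE_LOG = """\
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.138.0.4[500] to 200.1*.1*3.*[500] (1006 bytes)
received packet: from 200.1*.1*3.*[500] to 10.138.0.4[500] (292 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 10.138.0.4[4500] to 200.1*.1*3.*[4500] (816 bytes)
retransmit 1 of request with message ID 1
retransmit 2 of request with message ID 1
retransmit 3 of request with message ID 1
retransmit 4 of request with message ID 1
retransmit 5 of request with message ID 1
giving up after 5 retransmits
peer not responding, trying again (2/3)
"""

GEN_RE = re.compile(r"generating (\w+) request (\d+)")
PARSED_RE = re.compile(r"parsed (\w+) response (\d+)")
SEND_RE = re.compile(r"sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
RETRANS_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")

def analyse_ike_log(text):
    """Per IKEv2 message ID: exchange name, remote UDP port, retransmits, answered?"""
    exchanges, current = {}, None
    for line in text.splitlines():
        if m := GEN_RE.search(line):
            current = int(m.group(2))  # a new request starts; track it by message ID
            exchanges[current] = {"exchange": m.group(1), "port": None,
                                  "retransmits": 0, "answered": False}
        elif ((m := SEND_RE.search(line)) and current in exchanges
              and exchanges[current]["port"] is None):
            exchanges[current]["port"] = int(m.group(2))  # first send shows the port
        elif (m := RETRANS_RE.search(line)) and int(m.group(2)) in exchanges:
            exchanges[int(m.group(2))]["retransmits"] = int(m.group(1))
        elif (m := PARSED_RE.search(line)) and int(m.group(2)) in exchanges:
            exchanges[int(m.group(2))]["answered"] = True  # peer replied
    return exchanges

def first_unanswered(exchanges):
    """(message_id, info) of the first request the peer never answered, else None."""
    for mid, info in exchanges.items():
        if not info["answered"]:
            return mid, info
    return None
```

From the initiator's log alone, a peer that silently drops IKE_AUTH and a filtered UDP/4500 path look identical, so a request that is answered on 500 but not on 4500 is best confirmed with a packet capture on both ends before changing the configuration.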
