I've chosen a new password and copied it directly from the generator to 
FortiGate and ipsec.conf, finally managed to get P1 up.
Unfortunately P2 was still throwing mismatch errors. After changing from:
     esp=aes256-sha256
to
     esp=aes256-sha256-modp3072

I was finally able to bring up the full tunnel with both networks. 

thanks again

----- Original Message -----
> From: "Noel Kuntze" <[email protected]>
> To: "Lorenzo Milesi" <[email protected]>, "Noel Kuntze" 
> <[email protected]>
> Cc: "users" <[email protected]>
> Sent: Wednesday, May 26, 2021 5:21:14 PM
> Subject: Re: [strongSwan] Unable to find PSK for tunnel: no peer config found

> Hello Lorenzo,
> 
> That's one that is also puzzling me at times.
> Maybe there's a newline at the end of the PSK in the fortigate and
> that's not filtered and also not displayed in the UI.
> Try entering the PSK there by hand. That way you can't unknowingly
> copy newlines - or enter special characters.
> 
> Kind regards
> Noel
> 
> Am 26.05.21 um 16:40 schrieb Lorenzo Milesi:
>> Thanks for the quick response.
>> Gee, I feel ashamed, I'm usually the one spotting typos!! :(
>>
>> Fixed that now I've apparently a PSK mismatch because I get
>>
>> May 26 16:36:51 vpn01 charon: 03[NET] received packet: from 217.133.18.100[4500] to 95.110.128.186[4500]
>> May 26 16:36:51 vpn01 charon: 10[MGR] checkout IKEv1 SA by message with SPIs 4e33bc842b30dd31_i 909c49b7e60be2ac_r
>> May 26 16:36:51 vpn01 charon: 10[MGR] IKE_SA sts-base[5] successfully checked out
>> May 26 16:36:51 vpn01 charon: 10[NET] received packet: from 217.133.18.100[4500] to 95.110.128.186[4500] (556 bytes)
>> May 26 16:36:51 vpn01 charon: 10[ENC] invalid HASH_V1 payload length, decryption failed?
>> May 26 16:36:51 vpn01 charon: 10[ENC] could not decrypt payloads
>>
>> But I'm puzzled, as I'm directly copying from the secrets file to the 
>> Fortigate
>> GUI!
>> My secrets is now:
>>
>> 2.3.8.1 : PSK    "abcde"
>> Stelle : PSK abcde
>>
>> (2.3.8.1 being the fortigate public ip)
>>
>> ----- Original Message -----
>>> From: "Noel Kuntze" <[email protected]>
>>> To: "Lorenzo Milesi" <[email protected]>, "users"
>>> <[email protected]>
>>> Sent: Wednesday, May 26, 2021 4:24:31 PM
>>> Subject: Re: [strongSwan] Unable to find PSK for tunnel: no peer config found
>>> Hi Lorenzo,
>>>
>>> You are the victim of a typo.
>>>
>>>>      righid=Stelle
>>> Should be rightid.
>>>
>>> Kind regards
>>> Noel
>>>
>>> Am 26.05.21 um 16:18 schrieb Lorenzo Milesi:
>>>> Hi.
>>>> I'm (still) trying to configure a tunnel between a StrongSwan 5.6.2 (Ubuntu
>>>> 18.04) host and a Fortigate device. I finally came up with a working
>>>> configuration, but now I'm unable to have strongSwan authenticate, I get the
>>>> infamous
>>>> May 26 16:05:19 vpn01 charon: 13[IKE] no peer config found
>>>> I tried different formats of selectors but they all fail. I checked the 
>>>> config
>>>> several times but I cannot find what's wrong.
>>>>
>>>> My ipsec.secrets:
>>>> 95.1.8.6 %any : PSK       "abcde"
>>>> 95.1.8.6 2.3.8.1 : PSK     "abcde"
>>>> 95.1.8.6 : PSK    "abcde"
>>>> Stelle : PSK    "abcde"
>>>>
>>>>
>>>> My ipsec.conf:
>>>> conn sts-base
>>>>       keyexchange=ikev1
>>>>       fragmentation=yes
>>>>       dpdaction=restart
>>>>       ike=aes256-sha256-modp3072
>>>>       esp=aes256-sha256
>>>>       keyingtries=%forever
>>>>       leftsubnet=172.32.1.0/24
>>>>       lifetime=86400
>>>>       leftauth=psk
>>>>       rightauth=psk
>>>>       righid=Stelle
>>>>       auto=start
>>>>       right=2.3.8.1
>>>>
>>>> conn site-3-1
>>>>       also=sts-base
>>>>       leftsubnet=172.32.1.0/24
>>>>       rightsubnet=192.168.8.0/24
>>>>
>>>> conn site-3-2
>>>>       also=sts-base
>>>>       leftsubnet=172.32.1.0/24
>>>>       rightsubnet=192.168.9.0/24
>>>>
>>>>
>>>> Log:
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 15[IKE] remote host is behind NAT
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] peer config match local: 1 (ID_ANY)
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] peer config match remote: 1 (ID_ANY)
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG] ike config match: 2076 (95.1.8.6 2.3.8.1 IKEv1)
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 15[CFG]   candidate "sts-base", match: 1/1/2076 (me/other/ike)
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 15[NET] sending packet: from 95.1.8.6[500] to 2.3.8.1[500] (524 bytes)
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 04[NET] sending packet: from 95.1.8.6[500] to 2.3.8.1[500]
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 15[MGR] checkin IKE_SA (unnamed)[102]
>>>> May 26 16:05:19 vpn01 ipsec[1367]: 15[MGR] checkin of IKE_SA successful
>>>> May 26 16:05:19 vpn01 charon: 03[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500]
>>>> May 26 16:05:19 vpn01 charon: 03[NET] waiting for data on sockets
>>>> May 26 16:05:19 vpn01 charon: 13[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
>>>> May 26 16:05:19 vpn01 charon: 13[MGR] IKE_SA (unnamed)[102] successfully checked out
>>>> May 26 16:05:19 vpn01 charon: 13[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500] (108 bytes)
>>>> May 26 16:05:19 vpn01 charon: 13[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>>>> May 26 16:05:19 vpn01 charon: 13[CFG] looking for pre-shared key peer configs matching 95.1.8.6...2.3.8.1[Stelle]
>>>> May 26 16:05:19 vpn01 charon: 13[CFG] peer config match local: 1 (ID_ANY)
>>>> May 26 16:05:19 vpn01 charon: 13[CFG] peer config match remote: 0 (ID_FQDN -> 53:74:65:6c:6c:65)
>>>> May 26 16:05:19 vpn01 charon: 13[CFG] ike config match: 2076 (95.1.8.6 2.3.8.1 IKEv1)
>>>> May 26 16:05:19 vpn01 charon: 13[IKE] no peer config found
>>>> May 26 16:05:19 vpn01 charon: 13[IKE] queueing INFORMATIONAL task
>>>> May 26 16:05:19 vpn01 charon: 13[IKE] activating new tasks
>>>> May 26 16:05:19 vpn01 charon: 13[IKE]   activating INFORMATIONAL task
>>>> May 26 16:05:19 vpn01 charon: 13[ENC] generating INFORMATIONAL_V1 request 3029794389 [ HASH N(AUTH_FAILED) ]
>>>> May 26 16:05:19 vpn01 charon: 13[NET] sending packet: from 95.1.8.6[4500] to 2.3.8.1[4500] (108 bytes)
>>>> May 26 16:05:19 vpn01 charon: 13[MGR] checkin and destroy IKE_SA (unnamed)[102]
>>>> May 26 16:05:19 vpn01 charon: 13[IKE] IKE_SA (unnamed)[102] state change: CONNECTING => DESTROYING
>>>> May 26 16:05:19 vpn01 charon: 13[MGR] checkin and destroy of IKE_SA successful
>>>> May 26 16:05:19 vpn01 charon: 04[NET] sending packet: from 95.1.8.6[4500] to 2.3.8.1[4500]
>>>> May 26 16:05:22 vpn01 charon: 03[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500]
>>>> May 26 16:05:22 vpn01 charon: 03[NET] waiting for data on sockets
>>>> May 26 16:05:22 vpn01 charon: 12[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
>>>> May 26 16:05:22 vpn01 charon: 12[MGR] IKE_SA checkout not successful
>>>> May 26 16:05:28 vpn01 charon: 03[NET] received packet: from 2.3.8.1[4500] to 95.1.8.6[4500]
>>>> May 26 16:05:28 vpn01 charon: 03[NET] waiting for data on sockets
>>>> May 26 16:05:28 vpn01 charon: 12[MGR] checkout IKEv1 SA by message with SPIs d6506bf785fdb6f3_i b1f8204871ad0601_r
>>>> May 26 16:05:28 vpn01 charon: 12[MGR] IKE_SA checkout not successful
>>>>
>>>>
>>>> thanks
>>>> --
>>>> Lorenzo Milesi - [email protected]
>>>> CTO @ YetOpen Srl
>>>>
>>>>
>>>> YetOpen <https://www.yetopen.com>
>>>> /Think green - Non stampare questa e-mail se non necessario / Don't print 
>>>> this
>>>> email unless necessary/
>>>>
>>>> -------- D.Lgs. 196/2003 e GDPR 679/2016 --------
>>>> Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.

-- 
Lorenzo Milesi - [email protected] 
CTO @ YetOpen Srl

YetOpen - https://www.yetopen.com/

Via Salerno 18 - 23900 Lecco - ITALY - Tel +39 0341 220 205 - [email protected]
4801 Glenwood Avenue - Suite 200 - Raleigh, NC 27612 - USA - Phone +1 919-817-8106 - [email protected]

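The three failure modes this thread walks through (a misspelt `rightid` key that charon silently ignores, a pre-shared key that picked up stray whitespace when pasted, and a peer ID that charon prints as hex when it matches no conn) can all be caught before the tunnel is brought up. The lint below is an added example, not code from the thread or from strongSwan: the keyword set is a hand-picked subset of ipsec.conf options, and the config, secrets and log samples are constructed from the messages above.

```python
import re

# Assumption: hand-picked subset of valid conn keywords, enough to catch "righid".
KNOWN_CONN_KEYS = {"keyexchange", "ike", "esp", "leftauth", "rightauth",
                   "leftid", "rightid", "left", "right", "leftsubnet",
                   "rightsubnet", "auto", "also", "dpdaction", "lifetime"}

# Constructed from the thread: the base conn with the misspelt key.
SAMPLE_CONF = """conn sts-base
      keyexchange=ikev1
      esp=aes256-sha256
      righid=Stelle
      right=2.3.8.1
"""
# Constructed: the second PSK carries a stray space inside the quotes (pasted-newline case).
SAMPLE_SECRETS = '2.3.8.1 : PSK "abcde"\nStelle : PSK "abcde "\n'
# Constructed from the thread's charon log, rejoined onto one line.
SAMPLE_LOG = "13[CFG] peer config match remote: 0 (ID_FQDN -> 53:74:65:6c:6c:65)\n"

def unknown_conn_keys(conf):
    """Return 'conn/key' for every option in a conn section not in KNOWN_CONN_KEYS."""
    bad, conn = [], None
    for line in (ln.strip() for ln in conf.splitlines()):
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
        elif conn and "=" in line and not line.startswith("#"):
            key = line.split("=", 1)[0].strip()
            if key not in KNOWN_CONN_KEYS:
                bad.append(f"{conn}/{key}")
    return bad

def psk_whitespace_issues(secrets):
    """Return secrets lines whose quoted PSK has leading or trailing whitespace."""
    pat = re.compile(r':\s*PSK\s+"(.*)"\s*$')
    return [ln.strip() for ln in secrets.splitlines()
            if (m := pat.search(ln)) and m.group(1) != m.group(1).strip()]

def peer_id_from_log(log):
    """Decode the ID_FQDN hex charon logs when the remote ID matched no config."""
    m = re.search(r"peer config match remote: 0 \(ID_FQDN\s*->\s*([0-9a-f:]+)\)", log)
    return bytes.fromhex(m.group(1).replace(":", "")).decode() if m else None

def lint(conf=SAMPLE_CONF, secrets=SAMPLE_SECRETS, log=SAMPLE_LOG):
    """Run all checks; peer_id_matches is False when the peer's ID is no conn's rightid."""
    peer_id = peer_id_from_log(log)
    configured = set(re.findall(r"^\s*rightid=(\S+)", conf, re.M))
    return {"unknown_keys": unknown_conn_keys(conf), "psk_issues": psk_whitespace_issues(secrets),
            "peer_id": peer_id,
            "peer_id_matches": peer_id is not None and peer_id in configured}
```

Run against the samples, `lint()` reports the `sts-base/righid` key, the padded PSK line, and that the peer identified itself as `Stelle` while no conn carries that `rightid`; fixing the spelling flips `peer_id_matches` to True.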
