I've been trying to set up a VPN connection from my Gentoo box (which is NATed) to a remote site (VPN server: Fortigate), without success. This is the schema:
|Gentoo BOX | -----LAN------| GW | -----------Internet---------------| Fortigate |
Gentoo box: it has a private address (192.168.0.5)
GW: it has a public address
Fortigate: public address / private address (10.10.33.3)
Even though I don't have control of the GW on my side, I know that it's not configured to block IPsec traffic. I am using racoon in NAT mode. I got a bunch of errors trying to establish phase 1:
May 11 17:00:40 pbx racoon: DEBUG: 344 bytes from 192.168.0.5[500] to fortigatepubIP[500]
May 11 17:00:40 pbx racoon: DEBUG: sockname 192.168.0.5[4500]
May 11 17:00:40 pbx racoon: DEBUG: send packet from 192.168.0.5[500]
May 11 17:00:40 pbx racoon: DEBUG: send packet to fortigatepubIP[500]
May 11 17:00:40 pbx racoon: DEBUG: src4 192.168.0.5[500]
May 11 17:00:40 pbx racoon: DEBUG: dst4 fortigatepubIP[500]
May 11 17:00:40 pbx racoon: DEBUG: 1 times of 344 bytes message will be sent to fortigatepubIP[500]
May 11 17:00:40 pbx racoon: DEBUG: 26b5ff7d 250ecc69 00000000 00000000 01100400 00000000 00000158 04000034 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c708080010005 80030001 80020001 80040002 0a000084 c5e86a86 49bce442 6a382510 4071f725 debf6bab 637bc46b 74f7986d 95611148 5a03d78e 725825ba 17d2e8a6 9ef652fb e99fad17 5ed026f4 3f045fd57a771804 a09ec567 995621b4 061be8ac 3dc1da11 84c16820 8e25f2d3 3d7e6199 48b7324f dcc5c2c1 ee02fbd9 1439fb10 dc615ca4 13707cca 279711ef b9883648 b8c00ccd 05000014 bce3ce32 42d9a7e7ebc69f09 cd6e6b13 0d00000c 011101f4 c0a80005 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100
May 11 17:00:40 pbx racoon: DEBUG: resend phase1 packet 26b5ff7d250ecc69:0000000000000000
May 11 17:00:40 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:40 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:40 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:41 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:41 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:41 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:42 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:42 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:42 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:43 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:43 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:43 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:44 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:44 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:44 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:45 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:45 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:45 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:46 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:46 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:46 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:47 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:47 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:47 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
16:42:57.384025 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:42:57.418894 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:01.526216 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:07.382147 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:43:07.431404 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:17.380286 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:43:17.413990 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:17.525521 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:27.378448 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:43:27.413383 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:49.519748 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 2/others R inf
This is my config:
ipsec.conf
pbx ~ # cat /etc/ipsec.conf
flush;
spdflush;
spdadd 10.10.33.3/32 192.168.0.5/32 any -P in ipsec esp/tunnel/fortigatepubIP-192.168.0.5/require;
spdadd 192.168.0.5/32 10.10.33.3/32 any -P out ipsec esp/tunnel/192.168.0.5-fortigatepubIP/require;
racoon.conf
pbx ~ # cat /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
log debug2;
listen {
        isakmp_natt 192.168.0.5 [4500];
}
timer {
        natt_keepalive 10sec;
}
remote fortigatepubIP
{
        exchange_mode aggressive;
        nat_traversal on;
        my_identifier address;
        lifetime time 28800 seconds;
        initial_contact on;
        proposal_check exact;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
#sainfo anonymous
sainfo address 192.168.0.5/32 any address 10.10.33.3/32 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 1800 seconds;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
I have the config from the Fortigate too. I think that the parameters are equal on both sides:
config vpn ipsec phase1
    edit "MY_VPN"
        set type dynamic
        set interface "wan1"
        set dpd disable
        set nattraversal enable
        set dhgrp 2
        set proposal 3des-md5
        set mode aggressive
        set psksecret mysecretword
    next
end
config vpn ipsec phase2
    edit "my_def"
        set dhgrp 2
        set dst-addr-type ip
        set keepalive enable
        set pfs enable
        set phase1name "MY_VPN"
        set proposal 3des-md5
        set src-addr-type ip
        set dst-start-ip 192.168.0.5
        set src-start-ip 10.10.33.3
    next
end
Thanks in advance
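A small diagnostic that reads the two captures quoted in the post together, added here as an example and not the poster's code. It parses the tcpdump isakmp lines, counts how often the initiator restarts aggressive mode versus how many replies the peer sends, checks whether the exchange ever reaches phase 2, and flags the source/destination port asymmetry visible in the trace (the initiator sends from ipsec-nat-t/4500 to isakmp/500). It also counts racoon's "resend phase1 packet" and "no established ph1 handler found" messages. The local address 192.168.0.5 and the poster's placeholder fortigatepubIP are taken from the post; the racoon excerpt is shortened to three of the repeated lines.

```python
"""Correlate a tcpdump isakmp trace with racoon's debug log to explain a
phase 1 that never completes. Added example for this thread, not the
poster's code; the sample data below is copied from the post."""
import re
from collections import Counter

# Sample input copied from the post. "fortigatepubIP" is the poster's own
# placeholder for the Fortigate's public address.
TCPDUMP_SAMPLE = """\
16:42:57.384025 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:42:57.418894 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:01.526216 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:07.382147 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:43:07.431404 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:17.380286 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:43:17.413990 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:17.525521 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:27.378448 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:43:27.413383 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:49.519748 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 2/others R inf
"""

# Constructed excerpt of the racoon debug2 output from the post; the repeated
# CHKPH1THERE lines are shortened to three.
RACOON_SAMPLE = """\
May 11 17:00:40 pbx racoon: DEBUG: resend phase1 packet 26b5ff7d250ecc69:0000000000000000
May 11 17:00:40 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:41 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:42 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
"""

# tcpdump prints service names for well-known ports; these two are all IKE uses.
PORT_NUMBERS = {"isakmp": 500, "ipsec-nat-t": 4500}

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+?)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>.+?)\.(?P<dport>[\w-]+): isakmp: phase (?P<phase>\S+) "
    r"(?P<role>[IR]) (?P<xchg>\w+)$"
)


def port_number(name):
    """Map a tcpdump service name (or bare number) to a port; -1 if unknown."""
    if name in PORT_NUMBERS:
        return PORT_NUMBERS[name]
    return int(name) if name.isdigit() else -1


def parse_tcpdump(text):
    """Return one dict per isakmp line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(TCPDUMP_RE.match, text.splitlines()) if m]


def analyze_isakmp(text, local_host):
    """Summarise the IKE exchange as seen from local_host."""
    pkts = parse_tcpdump(text)
    attempts = [p for p in pkts
                if p["src"] == local_host and p["role"] == "I" and p["xchg"] == "agg"]
    replies = [p for p in pkts
               if p["dst"] == local_host and p["role"] == "R" and p["xchg"] == "agg"]
    # Quick mode would show as "phase 2/others" with an exchange other than "inf".
    phase2_seen = any(p["phase"].startswith("2") and p["xchg"] != "inf" for p in pkts)
    return {
        "phase1_attempts": len(attempts),
        "phase1_replies": len(replies),
        "phase2_seen": phase2_seen,
        "local_src_ports": sorted({port_number(p["sport"]) for p in attempts}),
        "remote_dst_ports": sorted({port_number(p["dport"]) for p in attempts}),
        # The initiator keeps restarting aggressive mode although answers arrive.
        "stalled": len(attempts) > 1 and len(replies) > 0 and not phase2_seen,
    }


def count_racoon_events(text):
    """Count the racoon messages that matter for a stuck phase 1."""
    wanted = ("resend phase1 packet", "no established ph1 handler found")
    counts = Counter()
    for line in text.splitlines():
        for key in wanted:
            if key in line:
                counts[key] += 1
    return counts


def diagnose(tcpdump_text, racoon_text, local_host="192.168.0.5"):
    """Return human-readable findings; an empty list means nothing suspicious."""
    ike = analyze_isakmp(tcpdump_text, local_host)
    racoon = count_racoon_events(racoon_text)
    findings = []
    if ike["stalled"]:
        findings.append(
            f"phase 1 stalled: {ike['phase1_attempts']} aggressive-mode attempts, "
            f"{ike['phase1_replies']} replies from the peer, no phase 2 seen")
    if racoon["no established ph1 handler found"]:
        findings.append(
            f"racoon could not match {racoon['no established ph1 handler found']} "
            "incoming packets to a phase 1 handler")
    if ike["local_src_ports"] and ike["local_src_ports"] != ike["remote_dst_ports"]:
        findings.append(
            f"port asymmetry: initiator sends from {ike['local_src_ports']} to "
            f"{ike['remote_dst_ports']}; IKE normally starts on 500/500 and floats to "
            "4500 only after NAT is detected, so check that the listen section binds "
            "both isakmp (500) and isakmp_natt (4500)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(TCPDUMP_SAMPLE, RACOON_SAMPLE):
        print("-", finding)
```

Run over the post's own captures it reports all three findings. The port check is the one worth acting on first: racoon.conf(5) recommends listing both an isakmp (port 500) and an isakmp_natt (port 4500) entry in listen when NAT-T is used, and the config quoted above has only the latter. Separately from the connectivity problem, aggressive mode with a pre-shared key sends the PSK-derived hash in the clear during phase 1, and 3DES/MD5 are legacy algorithms, so once the tunnel works both ends should be moved to main mode (or IKEv2) with current ciphers.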
