Thread: openswan to fortigate

  1. #1

    openswan to fortigate

    I have over 150 Openswan IPsec VPN tunnels from various parts of North America, all connecting to a Fortigate 310B firewall/router.
    The majority of the tunnels come up fine. The problem is that after an hour or so some (not all) of the tunnels drop for some unknown reason.
    I have created a script on each client that checks to see if the tunnel is up and, if it is not, re-establishes it, which works fine.
    The problem is that I am trying to run backup scripts through these tunnels and they're up and down, which is ruining my backups.
    I have been fighting this problem for many days and I have spent countless hours searching forum posts to no avail.

    FORTIGATE CONFIG
    PHASE1
    3DES-SHA1
    3DES-MD5
    AES128-MD5
    DIFFIE-HELLMAN GROUPS 2&5
    KEYLIFE 86400s
    NAT-TRAVERSAL ENABLED
    KEEP ALIVE FREQ 10
    DPD ENABLE
    XAUTH SERVER = YES

    PHASE2
    3DES-SHA1
    3DES-MD5
    AES128-MD5
    REPLAY DETECTION ENABLED
    PFS ENABLED
    DIFFIE-HELLMAN GROUP 5
    KEYLIFE 86400s
    AUTO KEEP ALIVE ENABLED
    DHCP-IPSEC DISABLED

    OPENSWAN IPSEC.CONF
    config setup
        nat_traversal=yes
        protostack=netkey
    conn home
        #CLIENT
        leftxauthclient=XXXXXX
        leftxauthusername=XXXXXX
        leftsourceip=VAR2
        left=%defaultroute
        #REMOTEHOST
        rightxauthserver=yes
        right=XXX.XXX.XXX.XXX
        rightsubnet=192.168.80.0/24
        #GENERAL
        authby=secret
        auto=start
        compress=no
        type=tunnel
        pfs=yes
        forceencaps=yes
        #PHASE1 (ISAKMP SA; ikelifetime is the phase 1 lifetime)
        ike=3des-sha1,3des-md5
        ikelifetime=86400s
        #PHASE2 (IPsec SA; keylife is the phase 2 lifetime)
        phase2=esp
        phase2alg=3des-sha1,3des-md5;modp1536
        keylife=86400s
        #REKEYING
        rekey=yes
        rekeymargin=15m


    Here is the tunnel being brought up successfully

    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: initiating Main Mode
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: received Vendor ID payload [RFC 3947] method set to=109
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: received Vendor ID payload [Dead Peer Detection]
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: enabling possible NAT-traversal with method 4
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: XAUTH: Answering XAUTH challenge with user='xxxxx'
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: XAUTH: Successfully Authenticated
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
    Mar 20 08:46:43 claimtools pluto[15697]: "home" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:a0bec906 proposal=3DES(3)_192-SHA1(2)_160, 3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
    Mar 20 08:46:44 claimtools pluto[15697]: "home" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    Mar 20 08:46:44 claimtools pluto[15697]: "home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x8b5c8037 <0x3bcfa844 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=xxx.xxx.xxx.xxx:4500 DPD=none}

    Tunnel was fine until now

    Here is the failure point

    Mar 20 10:35:57 claimtools pluto[15697]: "home" #1: DPD Info: received old or duplicate R_U_THERE
    Mar 20 10:36:57 claimtools pluto[15697]: "home" #1: DPD Info: received old or duplicate R_U_THERE
    Mar 20 10:37:57 claimtools pluto[15697]: "home" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
    Mar 20 10:37:57 claimtools pluto[15697]: "home" #1: received and ignored informational message
    Mar 20 10:37:57 claimtools pluto[15697]: "home" #1: received Delete SA payload: deleting ISAKMP State #1
    Mar 20 10:37:57 claimtools pluto[15697]: packet from XXX.XXX.XXX.XXX:4500: received and ignored informational message
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: initiating Main Mode
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: received Vendor ID payload [RFC 3947] method set to=109
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: received Vendor ID payload [Dead Peer Detection]
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: enabling possible NAT-traversal with method 4
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: STATE_MAIN_I2: sent MI2, expecting MR2
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: STATE_MAIN_I3: sent MI3, expecting MR3
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: Main mode peer ID is ID_IPV4_ADDR: '70.67.129.119'
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: XAUTH: Answering XAUTH challenge with user='XXXXX'
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: XAUTH: Successfully Authenticated
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#3 msgid:2bec3343 proposal=3DES(3)_192-SHA1(2)_160, 3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    Mar 20 10:38:07 claimtools pluto[15697]: "home" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x8b5c8071 <0xf6c24685 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=XXX.XXX.XXX.XXX:4500 DPD=none}


    Any ideas?
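    As an added example (not code from the thread), a small Python checker that runs over pluto log lines like the ones above and reports how long each IPsec SA lived before the peer deleted it, compared with the keylife and rekeymargin from the ipsec.conf in this post; a drop at 6673 s against an 86400 s keylife is a peer-initiated teardown, not a rekey. The constants and sample lines are taken from this post; the function names are mine.

```python
# Added example (not from the thread): pairs each "IPsec SA established" line
# with the first "Delete SA" that follows it and compares uptime with keylife.
import re
from datetime import datetime

PLUTO = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "(\w+)" #(\d+): (.*)$')
KEYLIFE_S = 86400        # keylife=86400s from the thread's ipsec.conf
REKEYMARGIN_S = 15 * 60  # rekeymargin=15m from the thread's ipsec.conf

def parse(line):
    """Return (timestamp, conn, state_number, message), or None for other lines."""
    m = PLUTO.match(line)
    if not m:
        return None
    return (datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2),
            int(m.group(3)), m.group(4))

def find_flaps(lines):
    """Walk pluto log lines in order and return one record per IPsec SA drop."""
    live, dpd, flaps = {}, {}, []   # per-conn SA up time and DPD warning count
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, conn, state, msg = parsed
        if "IPsec SA established" in msg:
            live[conn] = (ts, state)
            dpd[conn] = 0
        elif msg.startswith("DPD Info:"):
            dpd[conn] = dpd.get(conn, 0) + 1
        elif msg.startswith("received Delete SA payload") and conn in live:
            since, sa_state = live.pop(conn)
            uptime = int((ts - since).total_seconds())
            flaps.append({"conn": conn, "sa_state": sa_state, "uptime_s": uptime,
                          "dpd_warnings": dpd.get(conn, 0),
                          # only a drop inside the rekey window is expected
                          "scheduled_rekey": uptime >= KEYLIFE_S - REKEYMARGIN_S})
    return flaps

# Constructed sample modelled on the thread's log (peer address redacted).
SAMPLE = [
    'Mar 20 08:46:44 claimtools pluto[15697]: "home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x8b5c8037 <0x3bcfa844 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=XXX.XXX.XXX.XXX:4500 DPD=none}',
    'Mar 20 10:35:57 claimtools pluto[15697]: "home" #1: DPD Info: received old or duplicate R_U_THERE',
    'Mar 20 10:36:57 claimtools pluto[15697]: "home" #1: DPD Info: received old or duplicate R_U_THERE',
    'Mar 20 10:37:57 claimtools pluto[15697]: "home" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds',
    'Mar 20 10:37:57 claimtools pluto[15697]: "home" #1: received Delete SA payload: deleting ISAKMP State #1',
    'Mar 20 10:37:57 claimtools pluto[15697]: packet from XXX.XXX.XXX.XXX:4500: received and ignored informational message',
]
```

    Running find_flaps(SAMPLE) yields one record: 6673 s of uptime, two DPD warnings beforehand, and scheduled_rekey False.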

  2. #2

    Openswan (Centos & Ubuntu) vs. Fortinet (800)

    Hi,

    I'm relatively new to Linux and I have been struggling with OpenSwan since early last month on CentOS 5.3. I'll try to explain my experience because sadly there is very little info from Fortinet.
    First I must say that the latest FortiClient 3.0 & 4.0 worked well, but I also had frequent disconnections with earlier 3.0 versions, so I would recommend that you use the Windows client as a reference.

    With Linux I have had tons of problems, but at last I have a working config with OpenSwan 2.6.16, which I had to compile on CentOS (on Ubuntu the bundled 2.4.x version doesn't work at all).

    My configuration looks pretty much like yours, except that I was obliged to use the parameter leftsourceip=MyPublicIPAddress because otherwise I connected but could not access the right private network. This is a problem because at home I have a public dynamic IP that my ISP changes frequently; I would like to solve this issue.
    Another issue I had is that OpenSwan doesn't seem to accept the remote network's DNS servers, so I had to rely on an up/down script or use a local dnsmasq server.
    Now I'm planning to make the connection on demand and try to run OpenSwan in OpenWRT on a Wi-Fi router. Any advice?

    Regards

  3. #3
    Sorry, but I can't edit my previous post (though surprisingly I can edit this one), so... last but not least, is there any alternative to openswan in order to connect to a Fortinet FW?
