Linux – Connecting to a FortiGate VPN from a remote Linux machine via OpenSwan

fortigateipseclinuxopenswanvpn

Here's the setup:

I have a FortiGate unit on a business network, which has a FortiGate VPN set up. Machines on a remote network that can run FortiClient (Windows and Mac machines) have no problem connecting to this VPN. I have been tasked with getting Linux machines to connect to the VPN, which is unsupported by Fortigate.

To try to figure out how, I have an Ubuntu 16.04 machine set up on a remote network, with OpenSwan running trying to connect to a specific tunnel I set up for it on the FortiGate.

The closest I can get it to connecting so far, though, is this:

002 "icms" #1: initiating Aggressive Mode #1, connection "icms"
113 "icms" #1: STATE_AGGR_I1: initiate
003 "icms" #1: received Vendor ID payload [RFC 3947] method set to=115 
003 "icms" #1: received Vendor ID payload [Dead Peer Detection]
003 "icms" #1: received Vendor ID payload [XAUTH]
003 "icms" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de0005024d]
002 "icms" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'a.b.c.d'
003 "icms" #1: no suitable connection for peer 'a.b.c.d'
003 "icms" #1: initial Aggressive Mode packet claiming to be from a.b.c.d on a.b.c.d but no connection has been authorized
218 "icms" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
002 "icms" #1: sending notification INVALID_ID_INFORMATION to a.b.c.d:500

Where "icms" is the name of the connection, and 'a.b.c.d' is standing in for the public IP of the FortiGate.

My /etc/ipsec.d/icms.conf configuration:

conn icms  
    type=tunnel  
    authby=secret  
    pfs=no  
    ike=aes128-sha1;modp1536  
    phase2alg=aes128-sha1  
    aggrmode=yes  
    keylife=28800s  
    ikelifetime=1800s  
    right=a.b.c.d  
    rightnexthop=%defaultroute  
    rightsubnet=172.16.1.0/16
    left=e.f.g.h  
    leftnexthop=%defaultroute 
    auto=add

'e.f.g.h' is the IP of the Ubuntu machine.

My /etc/ipsec.d/icms.secrets:

a.b.c.d : PSK "presharedsecret"

Any help or advice at all would be appreciated, and if I can provide any more information please tell me. I have tried multiple configurations of OpenSwan and FortiGate tunnels, to no avail so far.

EDIT 1: the FortiGate config info!

config vpn ipsec phase1-interface
    edit "icms"
        set type static
        set interface "wan1"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set nattraversal enable
        set keylife 86400
        set authmethod psk
        set mode aggressive
        set peertype any
        set mode-cfg disable
        set proposal aes128-sha1 aes192-sha256
        set localid "icms"
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd enable
        set forticlient-enforcement disable
        set comments "Phase1 to Remote Linux"
        set npu-offload enable
        set dhgrp 14 5
        set wizard-type custom
--More--                  set xauthtype disable
        set mesh-selector-type disable
        set remote-gw '<IP of Ubuntu Machine>'
        set monitor ''
        set add-gw-route disable
        set psksecret ENC <encrypted string>
        set keepalive 10
        set auto-negotiate enable
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next
 end

And the phase2 fortigate config:

config vpn ipsec phase2-interface

edit "@icms"
    set phase1name "icms"
    set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    set pfs disable
    set replay enable
    set keepalive disable
    set auto-negotiate enable
    set keylife-type seconds
    set encapsulation tunnel-mode
    set comments ''
    set protocol 0
    set src-addr-type subnet
    set src-port 0
    set dst-addr-type ip
    set dst-port 0
    set keylifeseconds 43200
    set src-subnet 172.16.1.0 255.255.255.248
    set dst-start-ip '<IP of Ubuntu Machine>'
next
end

Best Answer

If you're not tied to OpenSwan, here's a discussion on how to connect to FortiGate via an IPsec VPN tunnel using the strongSwan client (no DNS, though).

Authentication is done using a preshared key and XAuth.

The relevant configuration from /etc/ipsec.conf:

# Introduction to IPsec: http://www.ipsec-howto.org/x202.html
config setup
  charondebug = "dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, lib 1"

conn myConn
  keyexchange = ikev1

  # Cipher used for the key exchange
  # modp3072 is Diffie Hellman group 15. Refer to this for other groups:
  # http://www.omnisecu.com/tcpip/what-is-diffie-hellman-group.php
  ike = aes128-sha256-modp3072
  esp = aes128-sha256-modp3072

  # You'll have to find out whether your FortiGate uses aggressive mode for
  # authentication. If it does, you must set "aggressive = yes" here to
  # connect successfully
  aggressive = yes

  right = 83.xxx.xxx.xx
  #right = vpn.the-vpn-server.com
  rightsubnet = 10.7.0.0/24
  rightid = %any
  rightauth = psk

  left = %defaultroute
  leftauth = psk
  leftauth2 = xauth
  # The user name used for authentication
  xauth_identity = "theuser"

  auto = start

/etc/ipsec.secrets:

# ipsec.secrets - strongSwan IPsec secrets file
: PSK "secret_preshared_key"
: XAUTH "secret_xauth_password"

Create the tunnel using sudo ipsec start --nofork.

Resources about strongSwan:

Related Solutions

RV082 Gateway-Gateway VPN Won’t Connect

I have a site to site VPN beween two rv082's also. Checking my settings they show on both sides:

Local Security Gateway Type: IP Only
IP Address: external address
Local Security Group Type: Subnet
IP Address 192.168.188.0
Subnet Mask: 255.255.255.0

Remote Security Gateway Type: IP Only
IP Address: external address
Remote Security Group Type: Subnet
IP Address 192.168.166.0
Subnet Mask: 255.255.255.0

Keying Mode: IKE with Preshared key
Phase1 DH Group: Group 1
Phase1 Encryption: DES
Phase1 Authentication: MD5
Phase1 SA Life Time: 28800
Perfect Forward Secrecy: Enabled
Phase2 DH Group: Group 1
Phase2 Encryption: DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 3600

Aggressive Mode: Disabled
Dead Peer Detection (DPD): Enabled

The only difference I see is agressive mode, but you tried that. Obviously you have a matching preshared key. Interface is WAN1 on both. So you don't have anything glaring - but maybe disable aggressive mode. I also remember having to delete and recreate them a few times to get it connected. Have you tried that?

Linux – OpenSwan IPSec phase #2 complications

You'll want to get the remote end to enable NAT-T on their end of the connection as well.

IPSec communication cryptographically signs the entire packet - any change to the IP header will invalidate that signature. NAT works by rewriting the source and/or destination IP fields; having NAT on either end of the connection means that every packet is having the header changed in transit; the source is changed on packets leaving your 192.168 network, and the destination is changed on inbound packets.

NAT-T counteracts this by encapsulating the entire ESP packet in a new UDP packet. The UDP packet can safely have its headers mangled to the satisfaction of any NAT devices, while the ESP payload will make the entire trip unchanged. The remote node will need to enable this to protect the packets they're sending your way from the NAT modifications, and you'll both need to be allowing UDP port 4500.

This may not be the only issue in the configuration of the VPN tunnel, but it would certainly explain a malformed payload message; give it a shot, and let us know if any further issues come up!

Best Answer

Related Solutions

RV082 Gateway-Gateway VPN Won’t Connect

Linux – OpenSwan IPSec phase #2 complications

Related Topic