
Trying to set up a VPN connection to the office Fortigate but I can't pass phase 2.

Received info from sysadmins:

  • PSK
  • IKE v1
  • Aggressive mode
  • Phase1 3DES-SHA1
  • DH group 5
  • Key lifetime 28800
  • XAUTH PAP Server (not sure if this is necessary to know)
  • Phase2 3DES-SHA1
  • PFS no

This is one of many configuration attempts, I've tried adding/removing different parameters.

config setup
interfaces=%defaultroute
plutodebug="control parsing"
plutoopts="--interface=wlan0"
dumpdir=/var/run/pluto/
nat_traversal=no
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=netkey

conn office
left=%defaultroute
right=<my gateway ip>

phase2=ah
phase2alg=sha1;modp1536
type=transport
authby=secret
pfs=no
compress=no
keyingtries=%forever

The output:

➜  /etc  sudo service ipsec restart
➜  /etc  sudo ipsec auto --add office && sudo ipsec auto --up office
104 "office" #1: STATE_MAIN_I1: initiate
003 "office" #1: received Vendor ID payload [Dead Peer Detection]
003 "office" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]
106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "office" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "office" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "office" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
000 "office" #1: starting keying attempt 2 of an unlimited number, but releasing whack

Update

Added aggressive mode in my config and got an error about invalid hash information, how come? Aren't the parameters correctly set?

conn office
    aggrmode=yes
    left=%defaultroute
    right=<vpn gateway>
    phase2=ah
    phase2alg=sha1;modp1536
    type=transport
    ike=3des-sha1;modp1536
    authby=secret
    #esp=3des;modp1536
    pfs=no
    compress=no
    keyingtries=%forever

Output:

➜  /etc  sudo ipsec auto --up office 
112 "office" #1: STATE_AGGR_I1: initiate
003 "office" #1: received Vendor ID payload [Dead Peer Detection]
003 "office" #1: received Vendor ID payload [XAUTH]
003 "office" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]
003 "office" #1: received Hash Payload does not match computed value
223 "office" #1: STATE_AGGR_I1: INVALID_HASH_INFORMATION

ipsec auto --status:

000 "office":     myip=unset; hisip=unset;
000 "office":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "office":   policy: PSK+AUTHENTICATE+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,24; interface: wlan0; 
000 "office":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "office":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5); flags=-strict
000 "office":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)
000 "office":   AH algorithms wanted: SHA1(2)_000; pfsgroup=MODP1536(5); flags=-strict
000 "office":   AH algorithms loaded: SHA1(2)_160
000  
000 #3: "office":500 STATE_AGGR_I1 (sent AI1, expecting AR1); none in -1s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: pending Phase 2 for "office" replacing #0

Update 2

Managed to get through phase 1. Analyzing the firewall logs showed that the tunnel established was different from the one expected, and had a different PSK.

Now there are phase 2 negotiation errors. The sysadmin says it requires a user for phase 2, though; not sure how I would specify that?

➜  /etc  sudo ipsec auto --up office 
104 "office" #2: STATE_MAIN_I1: initiate
003 "office" #2: received Vendor ID payload [RFC 3947] method set to=109 
003 "office" #2: received Vendor ID payload [Dead Peer Detection]
003 "office" #2: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]
106 "office" #2: STATE_MAIN_I2: sent MI2, expecting MR2
003 "office" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "office" #2: STATE_MAIN_I3: sent MI3, expecting MR3
004 "office" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "office" #3: STATE_QUICK_I1: initiate
010 "office" #3: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "office" #3: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "office" #3: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "office" #3: starting keying attempt 2 of an unlimited number, but releasing whack
H.Rabiee
  • Can't you ask your sysadmins for help? –  May 02 '15 at 03:07
  • No. They don't support Linux. – H.Rabiee May 02 '15 at 07:14
  • Use a supported OS then? – yagmoth555 May 02 '15 at 11:21
  • So I should limit myself to Windows because that's what the sysadmins know about? Please, unless you can post a constructive hint or a solution then don't post anything at all. Especially unnecessary comments. Thank you. – H.Rabiee May 02 '15 at 11:35
  • Can you give the Fortigate model? Fortigate's KB could be a place to find an answer. For unsupported OSes some routers can enable a web SSL plugin, so the VPN software runs as a Java client/ActiveX. – yagmoth555 May 04 '15 at 15:46
  • Fortigate 111C v 5.2.2 – H.Rabiee May 05 '15 at 08:56
  • What if you use the tip from their help, to use the Fortinet client in CLI mode? http://serverfault.com/questions/412220/fortinet-ssl-vpn-client-setup-without-gui-on-linux-centos – yagmoth555 May 05 '15 at 13:17
  • I don't want to set up SSL VPN, but IPsec – H.Rabiee May 05 '15 at 13:32
  • Are you sure of the IKE mode and cipher suite? I've seen a reference to rightxauthserver=yes for the hash error – yagmoth555 May 05 '15 at 14:04
  • Yes I am sure. I will skip this solution for now and try racoon instead. – H.Rabiee May 07 '15 at 14:25
  • `phase2=ah` is wrong, you quoted the received info as "Phase2 3DES-SHA1", so you want to use ESP instead (i.e. `phase2=esp`, or just remove it as that's the default). And `phase2alg=sha1;modp1536` is also not correct, you quoted "PFS no", so that DH group should not be there, and you'd have to add the encryption algorithm, i.e. `phase2alg=3des-sha1`. – ecdsa May 08 '18 at 14:44

1 Answer

Without receiver (Fortigate) logs it is difficult to give a definite answer.

Let's begin with the obvious: reconfigure your VPN in main mode (not aggressive mode) and change type from transport to tunnel.

Retry the connection and, if possible, give us the Fortigate logs.

shodanshok
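An ipsec.conf conn block that puts the sysadmins' parameter list together with the corrections from ecdsa's comment (ESP instead of AH, no DH group in phase2alg because PFS is off) and the answer's type=tunnel, as an added example that is not the asker's config or the answer's. The peer ID, XAUTH username, remote subnet and gateway address are placeholders, and the xauth option names are assumed to be those of Openswan/Libreswan.

```ini
# Added example, not the asker's config. Built from the sysadmins' list:
# IKEv1, PSK, aggressive mode, phase 1 3DES-SHA1 with DH group 5,
# 28800 s lifetimes, XAUTH (PAP) on the gateway, phase 2 3DES-SHA1, no PFS.
# Every <...> value is a placeholder you must get from the sysadmins.
conn office
    keyexchange=ike
    # Phase 1. In aggressive mode the gateway picks the tunnel by the peer
    # ID it receives, so a wrong or missing leftid can make the Fortigate
    # match a different tunnel (and PSK), which is what Update 2 observed.
    # The answer suggests trying main mode first: set aggrmode=no.
    aggrmode=yes
    leftid=@<peer-id-from-sysadmins>
    left=%defaultroute
    right=<vpn gateway>
    # PSK authentication; the key itself lives in ipsec.secrets.
    authby=secret
    # 3DES-SHA1, DH group 5 (modp1536), 28800 s = 8h
    ike=3des-sha1;modp1536
    ikelifetime=8h
    # XAUTH: the Fortigate is the XAUTH server, this host is the client.
    # leftxauthusername= is assumed to exist in your Openswan/Libreswan;
    # otherwise the username/password are prompted on "ipsec auto --up".
    leftxauthclient=yes
    rightxauthserver=yes
    leftxauthusername=<xauth user>
    # Phase 2. "3DES-SHA1" needs ESP (AH only authenticates, it cannot
    # encrypt), and with PFS off no DH group is appended to phase2alg.
    type=tunnel
    phase2=esp
    phase2alg=3des-sha1
    pfs=no
    salifetime=8h
    # Network behind the Fortigate that the tunnel should carry.
    rightsubnet=<office lan>/24
    auto=add
```

The PSK goes into ipsec.secrets as `%any <vpn gateway> : PSK "<key>"`, after which `ipsec auto --add office && ipsec auto --up office` from the question applies unchanged.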