IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

Treyarch · 2023-11-16 06:08:29

Howdy Do People,

This one is a head-scratch for me, I'm hoping you might be able to shed some fresh eyes on it.
I've got a VPN that I am connecting to that is on a FortiGate firewall, I'm using StrongSwan and mostly CLI, I am using the legacy IPSec conf not swanctl, and I don't particularly want to change unless it's absolutely essential that I do.

tarting strongSwan 5.9.11 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.9.11, Linux 6.6.1-arch1-1, x86_64)
00[CFG] PKCS11 module '<name>' lacks library path
00[LIB] providers loaded by OpenSSL: legacy default
00[LIB] plugin 'mysql' failed to load: libmariadb.so.3: cannot open shared object file: No such file or directory
00[CFG] using '/sbin/resolvconf' to install DNS servers
00[KNL] XFRM interfaces supported by kernel
00[KNL] known interfaces and IP addresses:
00[KNL]   lo
00[KNL]     127.0.0.1
00[KNL]     ::1
00[KNL]   enp4s0
00[KNL]     192.168.20.203
00[KNL]     fe80::500e:739b:5800:7d40
00[CFG] attr-sql plugin: database URI not set
00[NET] using forecast interface enp4s0
00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
00[NET] forwarding multicast group 224.0.0.1
00[NET] forwarding multicast group 224.0.0.22
00[NET] forwarding multicast group 224.0.0.251
00[NET] forwarding multicast group 224.0.0.252
00[NET] forwarding multicast group 239.255.255.250
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for %any
00[CFG]   loaded EAP secret for %any
00[CFG] sql plugin: database URI not set
00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
00[CFG] loaded 0 RADIUS server configurations
00[CFG] HA config misses local/remote address
00[CFG] no script for ext-auth script defined, disabled
00[LIB] loaded plugins: charon ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf gcm ntru drbg newhope bliss curl sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
03[NET] waiting for data on sockets
charon (2416) started after 80 ms
09[CFG] stroke message => 831 bytes @ 0x7f9b94000d10
09[CFG] received stroke: add connection ''
09[CFG] conn 
09[CFG]   left=%any
09[CFG]   leftsubnet=192.168.20.0/24
09[CFG]   leftsourceip=%config4
09[CFG]   leftauth=psk
09[CFG]   leftauth2=xauth
09[CFG]   right=
09[CFG]   rightauth=psk
09[CFG]   rightid=%any
09[CFG]   xauth_identity=
09[CFG]   ike=aes256-sha256-modp4096,aes256-sha512-modp4096
09[CFG]   esp=aes256-sha256-modp4096,aes256-sha512-modp4096
09[CFG]   dpddelay=30
09[CFG]   dpdtimeout=150
09[CFG]   dpdaction=3
09[CFG]   sha256_96=no
09[CFG]   mediation=no
09[CFG]   keyexchange=ikev1
09[KNL] REMOTE is not a local address or the interface is down
09[CFG] added configuration ''
11[CFG] stroke message => 667 bytes @ 0x7f9b88000d10
11[CFG] received stroke: initiate ''
11[KNL] using 192.168.20.203 as address to reach REMOTE/32
11[IKE] queueing ISAKMP_VENDOR task
11[IKE] queueing ISAKMP_CERT_PRE task
11[IKE] queueing AGGRESSIVE_MODE task
11[IKE] queueing ISAKMP_CERT_POST task
11[IKE] queueing ISAKMP_NATD task
11[IKE] queueing QUICK_MODE task
11[IKE] activating new tasks
11[IKE]   activating ISAKMP_VENDOR task
11[IKE]   activating ISAKMP_CERT_PRE task
11[IKE]   activating AGGRESSIVE_MODE task
11[IKE]   activating ISAKMP_CERT_POST task
11[IKE]   activating ISAKMP_NATD task
11[IKE] sending XAuth vendor ID
11[IKE] sending DPD vendor ID
11[IKE] sending FRAGMENTATION vendor ID
11[IKE] sending NAT-T (RFC 3947) vendor ID
11[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
11[IKE] initiating Aggressive Mode IKE_SA VPN[1] to REMOTE
11[IKE] IKE_SA VPN[1] state change: CREATED => CONNECTING
11[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
11[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
11[NET] sending packet: from 192.168.20.203[500] to REMOTE[500] (856 bytes)
04[NET] sending packet: from 192.168.20.203[500] to REMOTE[500]
03[NET] received packet: from REMOTE[500] to 192.168.20.203[500]
03[NET] waiting for data on sockets
13[NET] received packet: from REMOTE[500] to 192.168.20.203[500] (972 bytes)
13[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
13[IKE] received NAT-T (RFC 3947) vendor ID
13[IKE] received DPD vendor ID
13[IKE] received XAuth vendor ID
13[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
13[IKE] received FRAGMENTATION vendor ID
13[IKE] received FRAGMENTATION vendor ID
13[CFG] selecting proposal:
13[CFG]   no acceptable INTEGRITY_ALGORITHM found
13[CFG] selecting proposal:
13[CFG]   proposal matches
13[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
13[IKE] local host is behind NAT, sending keep alives
13[IKE] reinitiating already active tasks
13[IKE]   ISAKMP_VENDOR task
13[IKE]   AGGRESSIVE_MODE task
13[IKE] queueing MODE_CONFIG task
13[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
13[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (236 bytes)
13[IKE] activating new tasks
13[IKE] nothing to initiate
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
03[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500]
03[NET] waiting for data on sockets
14[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500] (124 bytes)
14[ENC] parsed TRANSACTION request 2005351732 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
14[ENC] generating TRANSACTION response 2005351732 [ HASH CPRP(X_USER X_PWD) ]
14[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (140 bytes)
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
03[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500]
03[NET] waiting for data on sockets
15[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500] (124 bytes)
15[ENC] parsed TRANSACTION request 84814842 [ HASH CPS(X_STATUS) ]
15[IKE] XAuth authentication of 'MEj' (myself) successful
15[IKE] IKE_SA VPN[1] established between 192.168.20.203[192.168.20.203]...REMOTE[REMOTE]
15[IKE] IKE_SA VPN[1] state change: CONNECTING => ESTABLISHED
15[IKE] scheduling reauthentication in 85548s
15[IKE] maximum IKE_SA lifetime 86088s
15[ENC] generating TRANSACTION response 84814842 [ HASH CPA(X_STATUS) ]
15[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (124 bytes)
15[IKE] activating new tasks
15[IKE]   activating MODE_CONFIG task
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
15[ENC] generating TRANSACTION request 1889478591 [ HASH CPRQ(ADDR DNS) ]
15[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (124 bytes)
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
03[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500]
03[NET] waiting for data on sockets
16[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500] (140 bytes)
16[ENC] parsed TRANSACTION response 1889478591 [ HASH CPRP(ADDR DNS DNS) ]
16[IKE] processing INTERNAL_IP4_ADDRESS attribute
16[IKE] processing INTERNAL_IP4_DNS attribute
16[IKE] installing DNS server 192.168.100.2 via resolvconf
16[IKE] processing INTERNAL_IP4_DNS attribute
16[IKE] installing DNS server 192.168.100.3 via resolvconf
16[KNL] 192.168.20.203 is on interface enp4s0
16[IKE] installing new virtual IP 172.31.0.1
16[KNL] virtual IP 172.31.0.1 installed on enp4s0
16[IKE] activating new tasks
16[IKE]   activating QUICK_MODE task
16[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ
16[KNL] got SPI cf1daeea
16[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ
16[CFG] proposing traffic selectors for us:
16[CFG]  192.168.20.0/24
16[CFG] proposing traffic selectors for other:
16[CFG]  REMOTE/32
16[ENC] generating QUICK_MODE request 2324900031 [ HASH SA No KE ID ID ]
16[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (780 bytes)
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
03[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500]
03[NET] waiting for data on sockets
07[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500] (748 bytes)
07[ENC] parsed QUICK_MODE response 2324900031 [ HASH SA No KE ID ID ]
07[CFG] selecting proposal:
07[CFG]   proposal matches
07[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
07[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ
07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
07[KNL] adding SAD entry with SPI cf1daeea and reqid {1}
07[KNL]   using encryption algorithm AES_CBC with key size 256
07[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
07[KNL]   using replay window of 32 packets
07[KNL]   HW offload: no
07[KNL] adding SAD entry with SPI 6b07e306 and reqid {1} (mark 42/0xffffffff)
07[KNL]   using encryption algorithm AES_CBC with key size 256
07[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
07[KNL]   using replay window of 0 packets
07[KNL]   HW offload: no
07[KNL] adding policy REMOTE/32 === 192.168.20.0/24 in (mark 42/0xffffffff) [priority 371327, refcount 1]
07[KNL] adding policy REMOTE/32 === 192.168.20.0/24 fwd (mark 42/0xffffffff) [priority 371327, refcount 1]
07[KNL] adding policy 192.168.20.0/24 === REMOTE/32 out (mark 42/0xffffffff) [priority 371327, refcount 1]
07[KNL] getting a local address in traffic selector 192.168.20.0/24
07[KNL] using host 192.168.20.203
07[KNL] getting iface name for index 2
07[KNL] using 192.168.20.1 as nexthop and enp4s0 as dev to reach REMOTE/32
07[KNL] installing route: REMOTE/32 via 192.168.20.1 src 192.168.20.203 dev enp4s0
07[KNL] getting iface index for enp4s0
07[IKE] CHILD_SA VPN{1} established with SPIs cf1daeea_i 6b07e306_o and TS 192.168.20.0/24 === REMOTE/32
07[IKE] reinitiating already active tasks
07[IKE]   QUICK_MODE task
07[ENC] generating QUICK_MODE request 2324900031 [ HASH ]
07[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (108 bytes)
07[IKE] activating new tasks
07[IKE] nothing to initiate
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
10[KNL] getting iface index for enp4s0
15[NET] forecast intercepted packet: 192.168.20.10 to 192.168.20.255
05[NET] forecast intercepted packet: 192.168.20.10 to 192.168.20.255
11[NET] forecast intercepted packet: 192.168.20.10 to 239.255.255.250

we can see the connection and authentication are sucsesful, also verifed by ipsec status

ecurity Associations (1 up, 0 connecting):
    VPN[1]: ESTABLISHED 18 seconds ago, 192.168.20.203[192.168.20.203]...REMOTEIP[REMOTEIP]
    VPN{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c09162e0_i 6b07e308_o
    VPN{1}:   192.168.20.0/24 === REMOTEIP/32

The FortiGate sees an active connection but no traffic, and Wireshark on my end shows no out going traffic, the interface does have the IP assigned via the FortiGate

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether d4:5d:64:51:25:51 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.203/24 brd 192.168.20.255 scope global dynamic noprefixroute enp4s0
       valid_lft 86041sec preferred_lft 86041sec
    inet 172.31.0.1/32 scope global enp4s0
       valid_lft forever preferred_lft forever

I seemingly get route tables?

ip route show table 220
REMOTEIP via 192.168.20.1 dev enp4s0 proto static src 192.168.20.203

My subnet is 192.168.20.X, VPN is 172.16.0.X, what gives?

-thc · 2023-11-16 07:18:06

I have no practical knowledge of IPSEC/strongswan but what I can deduce is that strongswan seems to use policy based routing with "fwmark" marked packets - something WireGuard does when establishing a "full tunnel" VPN. You can verify this via output of

ip rule
ip route

This

Treyarch wrote:

I seemingly get route tables?

ip route show table 220
REMOTEIP via 192.168.20.1 dev enp4s0 proto static src 192.168.20.203

looks like a routing exception for the VPN endpoint - it's purpose is to exempt VPN tunnel traffic from the VPN itself.

Treyarch · 2023-11-16 08:40:21

ip rule
0:	from all lookup local
220:	from all lookup 220
32766:	from all lookup main
32767:	from all lookup default

and

ip route
default via 192.168.20.1 dev enp4s0 proto dhcp src 192.168.20.203 metric 100 
192.168.20.0/24 dev enp4s0 proto kernel scope link src 192.168.20.203 metric 100

I guess not? should Ichange my default via 172.16.0.X? X being my iP since it goes up for anyone connected (not DHCP something called mode config as part of ipsec)?

The Windows FortiClient program has support for IPSec, and our managed provider isn't able to open other vpn options, also since this is connected, I think this is a routing or slight misconfiguration, not really something wrong with the ipsec connection now, since the firewall and me both see we're connected, we just agree that there is no traffic happening once connected, sadly I am also limited in my access to the firewall

[br]

Sorry, I should also say, I did read the troubleshooting and followed the steps on the strongswan wiki page about routing to no joy

Last edited by Treyarch (2023-11-16 08:42:58)

-thc · 2023-11-16 09:16:31

This is really strange - strongswan is told by the VPN endpoint to add a "default bypass" via table 220 and isn't told to set the new main default rule.
So you're client is neither here not there.

If you want a full tunnel, try

ip route add default via 172.16.0.X dev enp4s0 metric 50

or if you want a split tunnel for reaching only the corporate network (example: "10.6.0.0/16") via VPN, try

ip route add 10.6.0.0/16 via 172.16.0.X dev enp4s0

Treyarch · 2023-11-16 09:36:26

ip route add default via 172.16.0.X dev enp4s0 metric 50

I ran that, and my network crashed and no traffic was passed, maybe it is a quirk with fortigate stuff? StrongSwan does have a wiki entry on fortigate but for ssl not ipsec, so I am kinda drawing up blanks here, windows works fine instantly, and linux just kinda says "yeah na, no traffic"

I've also tried the following in sysctl

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.enp4s0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.enp4s0.accept_redirects = 0

Last edited by Treyarch (2023-11-16 09:37:04)

-thc · 2023-11-16 11:48:37

Yeah - I realized after my response that the 172er address on the Ethernet adapter has a /32 mask and should only be able to talk to itself.

The VPN setup through openswan seems to be incomplete. The FortiGate Windows client is proprietary software and not useful for comparison.

Treyarch · 2023-11-17 04:58:28

Kinda makes sense also, the Windows client does the same thing but it somehow routes traffic, not entirely sure how, maybe a setting is missed on strongSwan to allow it to route?

The wiki doesn't explain the troubleshooting reasoning behind the routing issues, so I could have a similar issue but the fix doesn't work still

Treyarch · 2023-11-17 05:20:09

Some more research, it looks like I have a IPSec connection to the Firewall, but I need to do L2TP on top of that?

-thc · 2023-11-17 06:01:12

Treyarch wrote:

Some more research, it looks like I have a IPSec connection to the Firewall, but I need to do L2TP on top of that?

That's a possibility - IPSec has it's own tunnel protocol but strongswan doesn't seem to set it up.
That a look in the Wiki: https://wiki.archlinux.org/title/Opensw … ient_setup. If you have the information needed by xl2tpd give it a try.

Treyarch · 2023-11-18 04:03:52

So, I think I was wrong, or I need to change some settings, but I am not sure which.

That didn't work

-thc · 2023-11-18 07:32:39

Since FortiGate's only concern is to connect to (nearly) every FortiGate VPN setup with the appropriate FortiGate client software we need to figure out what kind of "Arch VPN client" can be used instead.

To make things worse - even if you should be able to use a FortiGate client, there are differences between the clients across platforms:

Forticlient Linux do not include the capability to connect a MOBILE IPSEC IKEv1 vpn endpoint with a username, a password and a PSK.
This type of VPN is automatically created when using FortiGate vpn wizard to create a vpn endpoint for mobile client. The wizard create a MOBILE IPSEC IKEv1 tunnel and Forticlient Linux do not provide an interface to connect an IPSEC VPN (But Forticlient Windows does).

Can you obtain the type of FortiGate VPN configuration used for your connection?

Users report success with "VPNC" when connecting to "standard Fortigate IKEv1 IPSEC VPN for Mobile client":
https://askubuntu.com/questions/1248538 … untu-20-04

AUR contains a fixed version of VPNC ("vpnc-fortigate") and an open client ("openfortigui").

Treyarch · 2023-11-18 22:16:54

I can, I have the app on my phone (Though, I don't think the phone app supports modp4096), so it might not be to good to use.

I'll see what the ISP see as well, I'm back on the grind tomorrow, I logged a case with them, so I'll ask them to see if it could be some sort of fuckery on their end.

Thanks heaps for the help, I'll also give that a shot at some point today, it does make sense, and I should be able to get the conf if not from my phone, I have the same one on my laptop which is WIndows

openfortigui only uses SSL not IPSec , and the other looks to either do the same or not support agressive and the other legacy optioons.

We're moving to RUCKUS hopefully sometime next year so their VPN may be more friendly, I could also ask them if they'd allow me to put OpenVPN on the Raspberry Pi they use to monitor our network hmmmm

Last edited by Treyarch (2023-11-18 22:21:35)

Treyarch · 2023-11-20 06:18:41

So, I have a little bit more to produce.

It might not be L2TP, I am back to either IPTables or Routing, because if I connect to it, and then run IPSec statusall, it shows me that it's installed the tunnel 0 packets in and out, however, if I interact (ping etc) the vpn gateway (public iP) that counter goes up.
Both on the fortigate box and on my client, it just doesn't seem to want to nat things properly?

-thc · 2023-11-20 06:37:55

The only possibility - a wild guess - that I can think of is the new virtual IP created by strongswan. If strongswan/IPSec considers this to by a tunnel endpoint and it has a /32 netmask maybe you're supposed to send packets directly to it?

You can test this if you know the IPv4 address of a network or host on the other side of the firewall and set a route like this

ip route add RemoteIP/RemoteNetmask via 172.31.0.1

and try to ping this/a remote host.

Last edited by -thc (2023-11-20 06:39:25)

Treyarch · 2023-11-20 07:15:31

It is a Tunnel Endpoint, since even from my Windows laptop when just browsing it sends packets down the fake nic (in this case the ip) but all things back come through the main nic (I guess that' pseudo nat?)

I'll give that a shot in a few moments, I've just stepped away from my computer, but even if that is the case, wouldn't that mean I'd need to create routes for all my subnets? I have several on the remote site, and we've tried routing everything.

The VIP isn't made by StrongSwan that is allocated by the FortiGate as a Virtual IP, it doesn't really 'exist' anywhere but with me and the FortiGate.

-thc · 2023-11-20 07:40:53

Treyarch wrote:

I'll give that a shot in a few moments, I've just stepped away from my computer, but even if that is the case, wouldn't that mean I'd need to create routes for all my subnets? I have several on the remote site, and we've tried routing everything.

It's just a test. And if you scroll up you'll notice my mistake: I somehow thought your virtual IP to be 172.16.x.x - which is not the case.

Treyarch · 2023-11-20 07:51:27

Nah, no change even with that, also good eagle eye and memory there.

ip route show

default via 192.168.20.1 dev enp4s0 proto dhcp src 192.168.20.203 metric 100 
VPNIP via 172.31.0.1 dev enp4s0 
192.168.20.0/24 dev enp4s0 proto kernel scope link src 192.168.20.203 metric 100

I wonder if the default is just overriding it?

-thc · 2023-11-20 08:05:30

Good point - I normally enter subnets that I want to route via VPN into the preferences of that VPN connection.
The network management software adds them with a metric of "50". You can try

ip route add RemoteIP/RemoteNetmask via 172.31.0.1 metric 50

instead.

Treyarch · 2023-11-20 08:38:18

Nope, even with metric still no reply from local devices

130 Johnathon@Johnathon-PC ~ % traceroute 192.168.100.185
traceroute to 192.168.100.185 (192.168.100.185), 30 hops max, 60 byte packets
 1  _gateway (192.168.20.1)  0.500 ms  0.666 ms  0.944 ms

Damn routes doiung route things

Then again, even with no metric it still does the same thing to my local (router) gateway, and not the ip of the nic like in my windows install?

-thc · 2023-11-20 09:18:06

Treyarch wrote:

130 Johnathon@Johnathon-PC ~ % traceroute 192.168.100.185
traceroute to 192.168.100.185 (192.168.100.185), 30 hops max, 60 byte packets
 1  _gateway (192.168.20.1)  0.500 ms  0.666 ms  0.944 ms

And this happens even if you have a metric 50 route in place, that routes the address 192.168.100.185 to 172.31.0.1?

Treyarch · 2023-11-20 09:25:02

Weirdly when I explitlty set rightsubnet=0.0.0.0/0 I get no network connectivity what so ever....

I am very confusion as to what is going on here

-thc · 2023-11-20 10:03:54

Treyarch wrote:

Weirdly when I explitlty set rightsubnet=0.0.0.0/0 I get no network connectivity what so ever....
I am very confusion as to what is going on here

I am not familiar with the inner workings of IPSec (I heartily agree with one sentence from an analysis of IPSec by Bruce Schneier and colleagues: "IPSec is too complicated to be secure.") but I strongly advise you not to alter any IPSec parameters until you know exactly what you are doing.

Treyarch · 2023-11-20 10:18:44

I get it, however, the worst I'll do is lock my computer out of my own network, and worst comes to worst I end up back up on Winshit and lose a bet to some friends.

I've done worse, I am really at a loss of what to do, I am not on my desktop now to check, however, I am not sure if that route will work.

Anywho, thanks heaps for the help, I'll check in with results tomorrow

Treyarch · 2023-11-21 03:42:03

PING 192.168.100.185 (192.168.100.185) 56(84) bytes of data.
From 172.31.0.1 icmp_seq=1 Destination Host Unreachable
From 172.31.0.1 icmp_seq=5 Destination Host Unreachable
From 172.31.0.1 icmp_seq=6 Destination Host Unreachable
From 172.31.0.1 icmp_seq=7 Destination Host Unreachable

No dice, I am really at a loss as to what is going on here, I wonder if I'd have better luck asking StrongSwan.

I am unsure where it is breaking, because from my understanding is, I connect to the Firewall, then it acts like a tunnel so all my traffic is sent to the tunnel IP as the gateway not my normal one and routed back to me through the normal LAN gateway.

-thc · 2023-11-21 07:21:05

Treyarch wrote:

I am unsure where it is breaking, because from my understanding is, I connect to the Firewall, then it acts like a tunnel so all my traffic is sent to the tunnel IP as the gateway not my normal one and routed back to me through the normal LAN gateway.

Strongswan only creates a virtual IP with a /32 mask on your network adapter. I cannot see any kind of working tunnel setup.
To me it looks like IPSec only does the encryption and there has to be a separate tunnel using it.
Did you try VPNC?

Arch Linux

#1 2023-11-16 06:08:29

IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#2 2023-11-16 07:18:06

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#3 2023-11-16 08:40:21

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#4 2023-11-16 09:16:31

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#5 2023-11-16 09:36:26

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#6 2023-11-16 11:48:37

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#7 2023-11-17 04:58:28

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#8 2023-11-17 05:20:09

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#9 2023-11-17 06:01:12

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#10 2023-11-18 04:03:52

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#11 2023-11-18 07:32:39

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#12 2023-11-18 22:16:54

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#13 2023-11-20 06:18:41

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#14 2023-11-20 06:37:55

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#15 2023-11-20 07:15:31

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#16 2023-11-20 07:40:53

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#17 2023-11-20 07:51:27

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#18 2023-11-20 08:05:30

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#19 2023-11-20 08:38:18

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#20 2023-11-20 09:18:06

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#21 2023-11-20 09:25:02

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#22 2023-11-20 10:03:54

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#23 2023-11-20 10:18:44

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#24 2023-11-21 03:42:03

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

#25 2023-11-21 07:21:05

Re: IPSec VPN To FortiGate wtih PSK and XAuth2 Not Routing Traffic?

Board footer