Howdy Do People,
This one is a head-scratch for me, I'm hoping you might be able to shed some fresh eyes on it.
I've got a VPN that I am connecting to that is on a FortiGate firewall, I'm using StrongSwan and mostly CLI, I am using the legacy IPSec conf not swanctl, and I don't particularly want to change unless it's absolutely essential that I do.
Starting strongSwan 5.9.11 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.9.11, Linux 6.6.1-arch1-1, x86_64)
00[CFG] PKCS11 module '<name>' lacks library path
00[LIB] providers loaded by OpenSSL: legacy default
00[LIB] plugin 'mysql' failed to load: libmariadb.so.3: cannot open shared object file: No such file or directory
00[CFG] using '/sbin/resolvconf' to install DNS servers
00[KNL] XFRM interfaces supported by kernel
00[KNL] known interfaces and IP addresses:
00[KNL] lo
00[KNL] 127.0.0.1
00[KNL] ::1
00[KNL] enp4s0
00[KNL] 192.168.20.203
00[KNL] fe80::500e:739b:5800:7d40
00[CFG] attr-sql plugin: database URI not set
00[NET] using forecast interface enp4s0
00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
00[NET] forwarding multicast group 224.0.0.1
00[NET] forwarding multicast group 224.0.0.22
00[NET] forwarding multicast group 224.0.0.251
00[NET] forwarding multicast group 224.0.0.252
00[NET] forwarding multicast group 239.255.255.250
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded IKE secret for %any
00[CFG] loaded EAP secret for %any
00[CFG] sql plugin: database URI not set
00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
00[CFG] loaded 0 RADIUS server configurations
00[CFG] HA config misses local/remote address
00[CFG] no script for ext-auth script defined, disabled
00[LIB] loaded plugins: charon ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf gcm ntru drbg newhope bliss curl sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
03[NET] waiting for data on sockets
charon (2416) started after 80 ms
09[CFG] stroke message => 831 bytes @ 0x7f9b94000d10
09[CFG] received stroke: add connection ''
09[CFG] conn
09[CFG] left=%any
09[CFG] leftsubnet=192.168.20.0/24
09[CFG] leftsourceip=%config4
09[CFG] leftauth=psk
09[CFG] leftauth2=xauth
09[CFG] right=
09[CFG] rightauth=psk
09[CFG] rightid=%any
09[CFG] xauth_identity=
09[CFG] ike=aes256-sha256-modp4096,aes256-sha512-modp4096
09[CFG] esp=aes256-sha256-modp4096,aes256-sha512-modp4096
09[CFG] dpddelay=30
09[CFG] dpdtimeout=150
09[CFG] dpdaction=3
09[CFG] sha256_96=no
09[CFG] mediation=no
09[CFG] keyexchange=ikev1
09[KNL] REMOTE is not a local address or the interface is down
09[CFG] added configuration ''
11[CFG] stroke message => 667 bytes @ 0x7f9b88000d10
11[CFG] received stroke: initiate ''
11[KNL] using 192.168.20.203 as address to reach REMOTE/32
11[IKE] queueing ISAKMP_VENDOR task
11[IKE] queueing ISAKMP_CERT_PRE task
11[IKE] queueing AGGRESSIVE_MODE task
11[IKE] queueing ISAKMP_CERT_POST task
11[IKE] queueing ISAKMP_NATD task
11[IKE] queueing QUICK_MODE task
11[IKE] activating new tasks
11[IKE] activating ISAKMP_VENDOR task
11[IKE] activating ISAKMP_CERT_PRE task
11[IKE] activating AGGRESSIVE_MODE task
11[IKE] activating ISAKMP_CERT_POST task
11[IKE] activating ISAKMP_NATD task
11[IKE] sending XAuth vendor ID
11[IKE] sending DPD vendor ID
11[IKE] sending FRAGMENTATION vendor ID
11[IKE] sending NAT-T (RFC 3947) vendor ID
11[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
11[IKE] initiating Aggressive Mode IKE_SA VPN[1] to REMOTE
11[IKE] IKE_SA VPN[1] state change: CREATED => CONNECTING
11[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
11[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
11[NET] sending packet: from 192.168.20.203[500] to REMOTE[500] (856 bytes)
04[NET] sending packet: from 192.168.20.203[500] to REMOTE[500]
03[NET] received packet: from REMOTE[500] to 192.168.20.203[500]
03[NET] waiting for data on sockets
13[NET] received packet: from REMOTE[500] to 192.168.20.203[500] (972 bytes)
13[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
13[IKE] received NAT-T (RFC 3947) vendor ID
13[IKE] received DPD vendor ID
13[IKE] received XAuth vendor ID
13[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
13[IKE] received FRAGMENTATION vendor ID
13[IKE] received FRAGMENTATION vendor ID
13[CFG] selecting proposal:
13[CFG] no acceptable INTEGRITY_ALGORITHM found
13[CFG] selecting proposal:
13[CFG] proposal matches
13[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/NEWHOPE_128/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
13[IKE] local host is behind NAT, sending keep alives
13[IKE] reinitiating already active tasks
13[IKE] ISAKMP_VENDOR task
13[IKE] AGGRESSIVE_MODE task
13[IKE] queueing MODE_CONFIG task
13[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
13[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (236 bytes)
13[IKE] activating new tasks
13[IKE] nothing to initiate
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
03[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500]
03[NET] waiting for data on sockets
14[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500] (124 bytes)
14[ENC] parsed TRANSACTION request 2005351732 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
14[ENC] generating TRANSACTION response 2005351732 [ HASH CPRP(X_USER X_PWD) ]
14[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (140 bytes)
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
03[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500]
03[NET] waiting for data on sockets
15[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500] (124 bytes)
15[ENC] parsed TRANSACTION request 84814842 [ HASH CPS(X_STATUS) ]
15[IKE] XAuth authentication of 'MEj' (myself) successful
15[IKE] IKE_SA VPN[1] established between 192.168.20.203[192.168.20.203]...REMOTE[REMOTE]
15[IKE] IKE_SA VPN[1] state change: CONNECTING => ESTABLISHED
15[IKE] scheduling reauthentication in 85548s
15[IKE] maximum IKE_SA lifetime 86088s
15[ENC] generating TRANSACTION response 84814842 [ HASH CPA(X_STATUS) ]
15[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (124 bytes)
15[IKE] activating new tasks
15[IKE] activating MODE_CONFIG task
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
15[ENC] generating TRANSACTION request 1889478591 [ HASH CPRQ(ADDR DNS) ]
15[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (124 bytes)
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
03[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500]
03[NET] waiting for data on sockets
16[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500] (140 bytes)
16[ENC] parsed TRANSACTION response 1889478591 [ HASH CPRP(ADDR DNS DNS) ]
16[IKE] processing INTERNAL_IP4_ADDRESS attribute
16[IKE] processing INTERNAL_IP4_DNS attribute
16[IKE] installing DNS server 192.168.100.2 via resolvconf
16[IKE] processing INTERNAL_IP4_DNS attribute
16[IKE] installing DNS server 192.168.100.3 via resolvconf
16[KNL] 192.168.20.203 is on interface enp4s0
16[IKE] installing new virtual IP 172.31.0.1
16[KNL] virtual IP 172.31.0.1 installed on enp4s0
16[IKE] activating new tasks
16[IKE] activating QUICK_MODE task
16[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ
16[KNL] got SPI cf1daeea
16[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ
16[CFG] proposing traffic selectors for us:
16[CFG] 192.168.20.0/24
16[CFG] proposing traffic selectors for other:
16[CFG] REMOTE/32
16[ENC] generating QUICK_MODE request 2324900031 [ HASH SA No KE ID ID ]
16[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (780 bytes)
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
03[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500]
03[NET] waiting for data on sockets
07[NET] received packet: from REMOTE[4500] to 192.168.20.203[4500] (748 bytes)
07[ENC] parsed QUICK_MODE response 2324900031 [ HASH SA No KE ID ID ]
07[CFG] selecting proposal:
07[CFG] proposal matches
07[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
07[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/NO_EXT_SEQ
07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
07[KNL] adding SAD entry with SPI cf1daeea and reqid {1}
07[KNL] using encryption algorithm AES_CBC with key size 256
07[KNL] using integrity algorithm HMAC_SHA2_256_128 with key size 256
07[KNL] using replay window of 32 packets
07[KNL] HW offload: no
07[KNL] adding SAD entry with SPI 6b07e306 and reqid {1} (mark 42/0xffffffff)
07[KNL] using encryption algorithm AES_CBC with key size 256
07[KNL] using integrity algorithm HMAC_SHA2_256_128 with key size 256
07[KNL] using replay window of 0 packets
07[KNL] HW offload: no
07[KNL] adding policy REMOTE/32 === 192.168.20.0/24 in (mark 42/0xffffffff) [priority 371327, refcount 1]
07[KNL] adding policy REMOTE/32 === 192.168.20.0/24 fwd (mark 42/0xffffffff) [priority 371327, refcount 1]
07[KNL] adding policy 192.168.20.0/24 === REMOTE/32 out (mark 42/0xffffffff) [priority 371327, refcount 1]
07[KNL] getting a local address in traffic selector 192.168.20.0/24
07[KNL] using host 192.168.20.203
07[KNL] getting iface name for index 2
07[KNL] using 192.168.20.1 as nexthop and enp4s0 as dev to reach REMOTE/32
07[KNL] installing route: REMOTE/32 via 192.168.20.1 src 192.168.20.203 dev enp4s0
07[KNL] getting iface index for enp4s0
07[IKE] CHILD_SA VPN{1} established with SPIs cf1daeea_i 6b07e306_o and TS 192.168.20.0/24 === REMOTE/32
07[IKE] reinitiating already active tasks
07[IKE] QUICK_MODE task
07[ENC] generating QUICK_MODE request 2324900031 [ HASH ]
07[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500] (108 bytes)
07[IKE] activating new tasks
07[IKE] nothing to initiate
04[NET] sending packet: from 192.168.20.203[4500] to REMOTE[4500]
10[KNL] getting iface index for enp4s0
15[NET] forecast intercepted packet: 192.168.20.10 to 192.168.20.255
05[NET] forecast intercepted packet: 192.168.20.10 to 192.168.20.255
11[NET] forecast intercepted packet: 192.168.20.10 to 239.255.255.250
We can see the connection and authentication are successful, also verified by ipsec status
Security Associations (1 up, 0 connecting):
VPN[1]: ESTABLISHED 18 seconds ago, 192.168.20.203[192.168.20.203]...REMOTEIP[REMOTEIP]
VPN{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c09162e0_i 6b07e308_o
VPN{1}: 192.168.20.0/24 === REMOTEIP/32
The FortiGate sees an active connection but no traffic, and Wireshark on my end shows no outgoing traffic, the interface does have the IP assigned via the FortiGate
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether d4:5d:64:51:25:51 brd ff:ff:ff:ff:ff:ff
inet 192.168.20.203/24 brd 192.168.20.255 scope global dynamic noprefixroute enp4s0
valid_lft 86041sec preferred_lft 86041sec
inet 172.31.0.1/32 scope global enp4s0
valid_lft forever preferred_lft forever
I seemingly get route tables?
ip route show table 220
REMOTEIP via 192.168.20.1 dev enp4s0 proto static src 192.168.20.203
My subnet is 192.168.20.X, VPN is 172.16.0.X, what gives?
Offline
I have no practical knowledge of IPSEC/strongswan but what I can deduce is that strongswan seems to use policy based routing with "fwmark" marked packets - something WireGuard does when establishing a "full tunnel" VPN. You can verify this via output of
ip rule
ip route
This
I seemingly get route tables?
ip route show table 220 REMOTEIP via 192.168.20.1 dev enp4s0 proto static src 192.168.20.203
looks like a routing exception for the VPN endpoint - its purpose is to exempt VPN tunnel traffic from the VPN itself.
Offline
ip rule
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
and
ip route
default via 192.168.20.1 dev enp4s0 proto dhcp src 192.168.20.203 metric 100
192.168.20.0/24 dev enp4s0 proto kernel scope link src 192.168.20.203 metric 100
I guess not? Should I change my default via 172.16.0.X? X being my IP since it goes up for anyone connected (not DHCP, something called mode config as part of ipsec)?
The Windows FortiClient program has support for IPSec, and our managed provider isn't able to open other vpn options, also since this is connected, I think this is a routing or slight misconfiguration, not really something wrong with the ipsec connection now, since the firewall and me both see we're connected, we just agree that there is no traffic happening once connected, sadly I am also limited in my access to the firewall
Sorry, I should also say, I did read the troubleshooting and followed the steps on the strongswan wiki page about routing to no joy
Last edited by Treyarch (2023-11-16 08:42:58)
Offline
This is really strange - strongswan is told by the VPN endpoint to add a "default bypass" via table 220 and isn't told to set the new main default rule.
So your client is neither here nor there.
If you want a full tunnel, try
ip route add default via 172.16.0.X dev enp4s0 metric 50
or if you want a split tunnel for reaching only the corporate network (example: "10.6.0.0/16") via VPN, try
ip route add 10.6.0.0/16 via 172.16.0.X dev enp4s0
Offline
ip route add default via 172.16.0.X dev enp4s0 metric 50
I ran that, and my network crashed and no traffic was passed, maybe it is a quirk with fortigate stuff? StrongSwan does have a wiki entry on fortigate but for ssl not ipsec, so I am kinda drawing up blanks here, windows works fine instantly, and linux just kinda says "yeah na, no traffic"
I've also tried the following in sysctl
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.enp4s0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.enp4s0.accept_redirects = 0
Last edited by Treyarch (2023-11-16 09:37:04)
Offline
Yeah - I realized after my response that the 172er address on the Ethernet adapter has a /32 mask and should only be able to talk to itself.
The VPN setup through openswan seems to be incomplete. The FortiGate Windows client is proprietary software and not useful for comparison.
Offline
Kinda makes sense also, the Windows client does the same thing but it somehow routes traffic, not entirely sure how, maybe a setting is missed on strongSwan to allow it to route?
The wiki doesn't explain the troubleshooting reasoning behind the routing issues, so I could have a similar issue but the fix doesn't work still
Offline
Some more research, it looks like I have an IPSec connection to the Firewall, but I need to do L2TP on top of that?
Offline
Some more research, it looks like I have an IPSec connection to the Firewall, but I need to do L2TP on top of that?
That's a possibility - IPSec has its own tunnel protocol but strongswan doesn't seem to set it up.
Take a look in the Wiki: https://wiki.archlinux.org/title/Opensw … ient_setup. If you have the information needed by xl2tpd give it a try.
Offline
So, I think I was wrong, or I need to change some settings, but I am not sure which.
That didn't work
Offline
Since FortiGate's only concern is to connect to (nearly) every FortiGate VPN setup with the appropriate FortiGate client software we need to figure out what kind of "Arch VPN client" can be used instead.
To make things worse - even if you should be able to use a FortiGate client, there are differences between the clients across platforms:
Forticlient Linux do not include the capability to connect a MOBILE IPSEC IKEv1 vpn endpoint with a username, a password and a PSK.
This type of VPN is automatically created when using FortiGate vpn wizard to create a vpn endpoint for mobile client. The wizard create a MOBILE IPSEC IKEv1 tunnel and Forticlient Linux do not provide an interface to connect an IPSEC VPN (But Forticlient Windows does).
Can you obtain the type of FortiGate VPN configuration used for your connection?
Users report success with "VPNC" when connecting to "standard Fortigate IKEv1 IPSEC VPN for Mobile client":
https://askubuntu.com/questions/1248538 … untu-20-04
AUR contains a fixed version of VPNC ("vpnc-fortigate") and an open client ("openfortigui").
Offline
I can, I have the app on my phone (though I don't think the phone app supports modp4096), so it might not be too good to use.
I'll see what the ISP see as well, I'm back on the grind tomorrow, I logged a case with them, so I'll ask them to see if it could be some sort of fuckery on their end.
Thanks heaps for the help, I'll also give that a shot at some point today, it does make sense, and I should be able to get the conf if not from my phone, I have the same one on my laptop which is Windows
openfortigui only uses SSL not IPSec, and the other looks to either do the same or not support aggressive and the other legacy options.
We're moving to RUCKUS hopefully sometime next year so their VPN may be more friendly, I could also ask them if they'd allow me to put OpenVPN on the Raspberry Pi they use to monitor our network hmmmm
Last edited by Treyarch (2023-11-18 22:21:35)
Offline
So, I have a little bit more to produce.
It might not be L2TP, I am back to either IPTables or Routing, because if I connect to it, and then run IPSec statusall, it shows me that it's installed the tunnel 0 packets in and out, however, if I interact (ping etc) the vpn gateway (public iP) that counter goes up.
Both on the fortigate box and on my client, it just doesn't seem to want to nat things properly?
Offline
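Added example (not part of the thread and not strongSwan code): a selector check over the CHILD_SA line from the log in the first post. The kernel's IPsec policies match packets on the negotiated traffic selectors rather than on the routing table, so the script reports which source/destination pairs `192.168.20.0/24 === REMOTE/32` actually covers. `203.0.113.10` is a constructed stand-in for the redacted `REMOTE` address, and policy marks and priorities are ignored.

```python
import ipaddress
import re

# Constructed stand-in (documentation range) for the redacted "REMOTE" gateway.
GATEWAY = "203.0.113.10"

# Lines taken from the log in the first post, REMOTE replaced by the stand-in.
SAMPLE_LOG = """\
16[IKE] installing new virtual IP 172.31.0.1
07[KNL] adding policy 192.168.20.0/24 === 203.0.113.10/32 out (mark 42/0xffffffff) [priority 371327, refcount 1]
07[IKE] CHILD_SA VPN{1} established with SPIs cf1daeea_i 6b07e306_o and TS 192.168.20.0/24 === 203.0.113.10/32
"""

CHILD_RE = re.compile(
    r"CHILD_SA (\S+?)\{\d+\} established .*? TS (.+?) === (.+)$", re.MULTILINE
)
VIP_RE = re.compile(r"installing new virtual IP (\S+)")


def _nets(field):
    """A selector side may list several space-separated subnets."""
    return [ipaddress.ip_network(n, strict=False) for n in field.split()]


def parse_child_sas(log):
    """Return [(conn_name, [local nets], [remote nets])] per established CHILD_SA."""
    return [(m.group(1), _nets(m.group(2)), _nets(m.group(3)))
            for m in CHILD_RE.finditer(log)]


def parse_virtual_ips(log):
    """Return the virtual IPs handed out via Mode Config."""
    return [ipaddress.ip_address(m.group(1)) for m in VIP_RE.finditer(log)]


def is_protected(src, dst, child_sas):
    """True if an outbound packet src -> dst falls inside some CHILD_SA's
    local and remote selectors (selectors only; marks are not modelled)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        any(s in n for n in local) and any(d in n for n in remote)
        for _, local, remote in child_sas
    )


def diagnose(log, host_ip, destinations):
    """Summarise selector coverage for the host address and each virtual IP."""
    sas = parse_child_sas(log)
    report = {"vip_in_local_ts": {}, "from_host": {}, "from_vip": {}}
    for vip in parse_virtual_ips(log):
        report["vip_in_local_ts"][str(vip)] = any(
            vip in n for _, local, _ in sas for n in local
        )
        for dst in destinations:
            report["from_vip"][(str(vip), dst)] = is_protected(str(vip), dst, sas)
    for dst in destinations:
        report["from_host"][dst] = is_protected(host_ip, dst, sas)
    return report


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG, "192.168.20.203", [GATEWAY, "192.168.100.185"])
    for section, rows in result.items():
        for key, covered in rows.items():
            print(f"{section:16} {key!s:40} {'covered' if covered else 'NOT covered'}")
```

With these selectors only the gateway's own address is covered, which agrees with the statusall counters in the post above moving only when the public IP is pinged.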
The only possibility - a wild guess - that I can think of is the new virtual IP created by strongswan. If strongswan/IPSec considers this to be a tunnel endpoint and it has a /32 netmask maybe you're supposed to send packets directly to it?
You can test this if you know the IPv4 address of a network or host on the other side of the firewall and set a route like this
ip route add RemoteIP/RemoteNetmask via 172.31.0.1
and try to ping this/a remote host.
Last edited by -thc (2023-11-20 06:39:25)
Offline
It is a Tunnel Endpoint, since even from my Windows laptop when just browsing it sends packets down the fake nic (in this case the ip) but all things back come through the main nic (I guess that's pseudo nat?)
I'll give that a shot in a few moments, I've just stepped away from my computer, but even if that is the case, wouldn't that mean I'd need to create routes for all my subnets? I have several on the remote site, and we've tried routing everything.
The VIP isn't made by StrongSwan that is allocated by the FortiGate as a Virtual IP, it doesn't really 'exist' anywhere but with me and the FortiGate.
Offline
I'll give that a shot in a few moments, I've just stepped away from my computer, but even if that is the case, wouldn't that mean I'd need to create routes for all my subnets? I have several on the remote site, and we've tried routing everything.
It's just a test. And if you scroll up you'll notice my mistake: I somehow thought your virtual IP to be 172.16.x.x - which is not the case.
Offline
Nah, no change even with that, also good eagle eye and memory there.
ip route show
default via 192.168.20.1 dev enp4s0 proto dhcp src 192.168.20.203 metric 100
VPNIP via 172.31.0.1 dev enp4s0
192.168.20.0/24 dev enp4s0 proto kernel scope link src 192.168.20.203 metric 100
I wonder if the default is just overriding it?
Offline
Good point - I normally enter subnets that I want to route via VPN into the preferences of that VPN connection.
The network management software adds them with a metric of "50". You can try
ip route add RemoteIP/RemoteNetmask via 172.31.0.1 metric 50
instead.
Offline
Nope, even with metric still no reply from local devices
130 Johnathon@Johnathon-PC ~ % traceroute 192.168.100.185
traceroute to 192.168.100.185 (192.168.100.185), 30 hops max, 60 byte packets
1 _gateway (192.168.20.1) 0.500 ms 0.666 ms 0.944 ms
Damn routes doing route things
Then again, even with no metric it still does the same thing to my local (router) gateway, and not the ip of the nic like in my windows install?
Offline
130 Johnathon@Johnathon-PC ~ % traceroute 192.168.100.185 traceroute to 192.168.100.185 (192.168.100.185), 30 hops max, 60 byte packets 1 _gateway (192.168.20.1) 0.500 ms 0.666 ms 0.944 ms
And this happens even if you have a metric 50 route in place, that routes the address 192.168.100.185 to 172.31.0.1?
Offline
Weirdly when I explicitly set rightsubnet=0.0.0.0/0 I get no network connectivity whatsoever....
I am very confusion as to what is going on here
Offline
Weirdly when I explicitly set rightsubnet=0.0.0.0/0 I get no network connectivity whatsoever....
I am very confusion as to what is going on here
I am not familiar with the inner workings of IPSec (I heartily agree with one sentence from an analysis of IPSec by Bruce Schneier and colleagues: "IPSec is too complicated to be secure.") but I strongly advise you not to alter any IPSec parameters until you know exactly what you are doing.
Offline
I get it, however, the worst I'll do is lock my computer out of my own network, and worst comes to worst I end up back up on Winshit and lose a bet to some friends.
I've done worse, I am really at a loss of what to do, I am not on my desktop now to check, however, I am not sure if that route will work.
Anywho, thanks heaps for the help, I'll check in with results tomorrow
Offline
PING 192.168.100.185 (192.168.100.185) 56(84) bytes of data.
From 172.31.0.1 icmp_seq=1 Destination Host Unreachable
From 172.31.0.1 icmp_seq=5 Destination Host Unreachable
From 172.31.0.1 icmp_seq=6 Destination Host Unreachable
From 172.31.0.1 icmp_seq=7 Destination Host Unreachable
No dice, I am really at a loss as to what is going on here, I wonder if I'd have better luck asking StrongSwan.
I am unsure where it is breaking, because from my understanding is, I connect to the Firewall, then it acts like a tunnel so all my traffic is sent to the tunnel IP as the gateway not my normal one and routed back to me through the normal LAN gateway.
Offline
I am unsure where it is breaking, because from my understanding is, I connect to the Firewall, then it acts like a tunnel so all my traffic is sent to the tunnel IP as the gateway not my normal one and routed back to me through the normal LAN gateway.
Strongswan only creates a virtual IP with a /32 mask on your network adapter. I cannot see any kind of working tunnel setup.
To me it looks like IPSec only does the encryption and there has to be a separate tunnel using it.
Did you try VPNC?
Offline