Hello,

We have a VPN connection set up at work, which people with OSX have got to work. But I can't get it to work on Ubuntu 12.04.4 LTS.

On OSX the settings that work are: Server: 123.123.123, accountname: pelle, password: pwd_pelle, with a shared key: pwd_group (and empty group name). [as a Cisco VPN tunnel]

This is my /etc/ipsec.conf

Code:

# /etc/ipsec.conf - Openswan IPsec configuration file
# $Id$

# Manual: ipsec.conf(5)

# Created: Tue Mar 25 09:08:06 2014
# by: The L2TP IPsec VPN Manager application version 1.0.6
#
# WARNING! All changes made in this file will be lost!

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    # plutodebug="parsing emitting control private"
    plutodebug=none
    strictcrlpolicy=no
    nat_traversal=yes
    interfaces=%defaultroute
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=netkey

conn %default
    keyingtries=3
    pfs=no
    rekey=yes
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/1701

# Add connections here.

conn Work
    leftid=[AT sign]VPN_Group_2
    leftxauthusername=pelle
    left=%defaultroute
    right=123.123.123
    keyexchange=ike
    auto=start
    auth=esp
    authby=secret
    ikelifetime=28800s
    esp=3des-sha1;modp1024
    ike=3des-sha1,aes128-sha1;modp1024
    pfs=yes
    compress=no
    forceencaps=yes
    remote_peer_type=cisco
    rightxauthserver=yes

And this is my ipsec.secrets

Code:

# /etc/ipsec.secrets - secrets for IKE/IPsec authentication
# $Id$

# Manual: ipsec.secrets(5)

# Created: Tue Mar 25 09:08:06 2014
# by: The L2TP IPsec VPN Manager application version 1.0.6
#
# WARNING! All changes made in this file will be lost!
#
#
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
#
%any : PSK "pwd_group"
[at sign]pelle : XAUTH "pwd_pelle"

I get this while connecting:

Code:

root_pc:~# ipsec auto --add Work
root_pc:~# ipsec auto --up Work
104 "Work" #4: STATE_MAIN_I1: initiate
003 "Work" #4: received Vendor ID payload [RFC 3947] method set to=109
003 "Work" #4: received Vendor ID payload [Dead Peer Detection]
003 "Work" #4: ignoring unknown Vendor ID payload [8299031757a36082c6a621de000500b3]
106 "Work" #4: STATE_MAIN_I2: sent MI2, expecting MR2
003 "Work" #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
108 "Work" #4: STATE_MAIN_I3: sent MI3, expecting MR3
010 "Work" #4: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "Work" #4: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "Work" #4: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "Work" #4: starting keying attempt 2 of at most 3, but releasing whack

And these are the settings in the FortiGate 111C web UI, as seen by the people who set up the tunnel, at this URL: i.imgur.comXXX/BKSyvRg.jpg

Note: using vpnc with cisco vpn does not work either. My settings are:

root_pc:~# cat /etc/vpnc/myvpn.conf

Code:

IPSec gateway 123.123.123
IPSec secret pwd_group
IKE Authmode psk
Xauth username pelle
Xauth password pwd_pelle
Debug 200
IKE DH Group dh2
