IPSEC Diagnostics and logging
-
Good Afternoon all;
Got the home lab up. Zero to NAT was very straightforward. IPSEC however is presenting some woes.
This is a VM (KVM linux on a Sandy Bridge i7 socket 2011). MY NICs are Pro-1000T (E1000. I have a i350-t4 inbound for igb driver base but for now, e1000.
The remote site is a Fortinet 3601E running 6.0.9 System Software.I have poured over teh configs till my brain fell out, and I cannot find anything that would preclude the tunnel coming up but its stuck at connecting.
IPsec Tunnel: 0
IKE SA: ipip0 ID: 222 Version: IKEv2
Local: LOCAIP[500] Remote: REMOTEIP[500]
Status: CONNECTING
Local ID: 0x0.07ffc4131465p-1022ny Remote ID: 0x0.07ffc4131466p-1022ny
Cipher:
PRF:
SPI Init: 741094755088191030 Resp: 0
Initiator: true
tnsr-home tnsr#The remote site sees this connection attempt and shows succesful P1 negotiation.
date=2020-09-12 time=11:31:34 t subtype=vpn level=notice action=negotiate msg=progress IPsec phase 1 logdesc=Progress IPsec phase 1 user=N/A status=success remip=XXXXXXX locip=XXXXXXXXXX remport=500 locport=500 outintf=FW1-WAN_2034 cookies=7b4ddc05e227cb2a/27c7486c0102e3be group=N/A xauthuser=N/A xauthgroup=N/A vpntunnel=TNSR-TEST-1-1 dir=outbound init=remote exch=SA_INIT version=IKEv2 role=responder result=OK eventtime=1599935494 devid=FG36E1XXXXXXXX dtime=2020-09-12 11:31:34 itime_t=1599935495
It appears to be failing at P2 but all the P2 settings appear to aling. Is there a way to get better diagnostic logging on the IPSEC tunnel formation that I may use to look for more/better clues as to whats up.
<ipsec-config xmlns="urn:netgate:xml:yang:netgate-ipsec">
<tunnel>
<instance>0</instance>
<local-addr>XXXXXXXXXX</local-addr>
<remote-addr>XXXXXXXXXXXX</remote-addr>
<remote-type>gateway</remote-type>
<tunnel-type>interface</tunnel-type>
<crypto>
<config-type>ike</config-type>
<ike>
<version>2</version>
<role>both</role>
<lifetime>3600</lifetime>
<udp-encapsulation>false</udp-encapsulation>
<proposals>
<name>1</name>
<encryption-algorithm>aes128</encryption-algorithm>
<integrity-algorithm>sha1</integrity-algorithm>
<dh-group>modp1024</dh-group>
</proposals>
<identity>
<peer>local</peer>
<type>address</type>
<value>XXXXXXXXXXX</value>
</identity>
<identity>
<peer>remote</peer>
<type>address</type>
<value>XXXXXXXXXX</value>
</identity>
<authentication>
<peer>local</peer>
<round>
<number>1</number>
<type>psk</type>
<psk>XXXXXXXX</psk>
</round>
</authentication>
<authentication>
<peer>remote</peer>
<round>
<number>1</number>
<type>psk</type>
<psk>XXXXXXX</psk>
</round>
</authentication>
<child-sa>
<name>1</name>
<lifetime>3600</lifetime>
<mode>tunnel</mode>
<proposal>
<name>1</name>
<encryption-algorithm>aes128</encryption-algorithm>
<integrity-algorithm>sha1</integrity-algorithm>
<dh-group>modp1024</dh-group>
</proposal>
<protocol>esp</protocol>
</child-sa>
</ike>
</crypto>
</tunnel>
</ipsec-config>Interface:
<interface>
<name>ipip0</name>
<enabled>true</enabled>
<ipv4>
<address>
<ip>10.254.254.1/30</ip>
</address>
</ipv4>
</interface>
</interfaces-config>Static Route:
<route>
<destination-prefix>172.25.193.240/28</destination-prefix>
<next-hop>
<hop>
<hop-id>0</hop-id>
<ipv4-address>10.254.254.2</ipv4-address>
</hop>
</next-hop>
</route> -
/var/log/messages
tnsr uses strongswan just like pfSense does so the logging and fault-finding are similar.
-
@Derelict Thank you very much!
I got the tunnel up. Unfortunately I changed 3 things on the last config push....
1: Disabled Replay Protection.
2: P1 P2 Keytimes were the same 3600/3600. Chnged to 7200/3600
3: Fortigate has a separate area for remote PSK. It looked to be taken from Local PSK, but I hard set anyways.I have to do this all over on a different 3601. Ill post up a Fortigate Config and further findings.
However. Thus far. Looks like TNSR on "wrong" hardware (old sandy bridge, and e1000 nics) is too much for me 1G uplink. Cause my initial easy quick dirty test... ie no parallel flows, single TCP flow. 902mbits. LOL. Looks like Illhave to lab this up in my works vmWare environment and see what can be done with 10g and 25g links....
-
You can set asymmetric PSKs in tnsr too.