
Configure IPsec VPN Fortigate 500-A

Posted: 21 Jan 2010, 10:12
by santi-ti
Hi,

I'm configuring an IPsec VPN. I have a problem with authentication on the other end; my problem is with the pre-shared key. Do you know if I have to use a minimum number of digits, or upper and lower case, numbers, etc.? Right now my key is "fortigate".

Device name: Fortigate-500A
Firmware version: v4.0,build0185,091020 (MR1 Patch 1)

My config is:

config vpn ipsec phase1
    edit "linux"
        set interface "port1"
        set dhgrp 2 5
        set proposal 3des-sha1 3des-md5
        set remote-gw x.x.x.x
        set psksecret ENC V4pFJp9lFrUbsjsy+S79kY13koTAmBvUa6LtTETVkADGfVD8zPDeUUKKUl1vBY1vurgZsd7Q9jANFUoq4rgkQ0cI0013iwCUjUCgORNTOuH4xeV+
    next
end
config vpn ipsec phase2
    edit "linuxpaso2"
        set keepalive enable
        set keylife-type both
        set phase1name "linux"
        set proposal aes128-md5 3des-md5 3des-sha1
        set dhgrp 2
        set keylifekbs 4608000
    next
end

Do you know if the problem is in the pre-shared key? I have it set to "fortigate".

Many thanks

Re: Configure IPsec VPN Fortigate 500-A

Posted: 21 Jan 2010, 16:25
by gabyrossi
Hi, pre-shared keys are generally longer.
What does the log show? Which device is the VPN against?


Regards

Re: Configure IPsec VPN Fortigate 500-A

Posted: 22 Jan 2010, 08:31
by santi-ti
Hi,

Yes, it's against a Linux box (Openswan); this is my Openswan config:

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/24
    oe=off
    protostack=netkey

conn ipseclinux
    #CLIENT
    left=172.16.0.21
    leftsubnet=172.16.0.0/24
    leftnexthop=172.16.0.1
    # client's IP
    right=X.X.176.249
    # gateway of the client's router, where the NAT is configured
    rightnexthop=172.26.0.4
    rightsubnet=172.26.51.0/24
    # rightxauthclient=no
    # rightmodecfgclient=yes
    keyexchange=ike
    #GENERAL
    authby=secret
    auto=add
    # compress=no
    type=tunnel
    # pfs=yes
    # forceencaps=yes
    #PHASE1
    # ike=3des-sha1,3des-md5
    esp=3des
    # keylife=86400s
    #PHASE2
    # phase2=esp
    # phase2alg=3des-sha1,3des-md5;modp1536
    # ikelifetime=86400s
    #REKEYING
    # rekey=no
    # modecfgpull=yes
    # rekeymargin=15m
    compress=yes

ipsec.secrets configuration:

X.X.X.249 172.16.0.21: PSK "123456789"
(my client's IP - IP of eth1 that faces my router : and the pre-shared key)

Fortigate log:
ike 0: IKEv1 exchange=Identity Protection id=9aa76154c782136b/0000000000000000 len=592
ike 0: found linux 172.26.0.4 2 -> 80.X.219.140:4500
ike 0:linux:326642: responder: main mode get 1st message...
ike 0:linux:326642: VID unknown (12): OElj@]rTMBuM
ike 0:linux:326642: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:linux:326642: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:linux:326642: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:linux:326642: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:linux:326642: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:linux:326642: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:linux:326642: negotiation result
ike 0:linux:326642: proposal id = 1:
ike 0:linux:326642: protocol id = ISAKMP:
ike 0:linux:326642: trans_id = KEY_IKE.
ike 0:linux:326642: encapsulation = IKE/none
ike 0:linux:326642: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:linux:326642: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:linux:326642: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:linux:326642: type=OAKLEY_GROUP, val=1536.
ike 0:linux:326642: ISKAMP SA lifetime=28800
ike 0:linux:326642: selected NAT-T version: RFC 3947
ike 0:linux:326642: cookie 9aa76154c782136b/674c9f4c4a63d802
ike 0:linux:326642: confirmed nat-t RFC 3947
ike 0:linux:326642: sent IKE msg (ident_r1send): 172.26.0.4:4500->X.X.219.140:4500, len=120
ike 0: comes X.X.219.140:4500->172.26.0.4:4500,ifindex=2....
ike 0: IKEv1 exchange=Identity Protection id=9aa76154c782136b/674c9f4c4a63d802 len=292
ike 0: found linux 172.26.0.4 2 -> X.X.219.140:4500
ike 0:linux:326642: responder:main mode get 2nd message...
ike 0:linux:326642: NAT detected: ME PEER
ike 0:linux:326642: confirmed nat-t RFC 3947
ike 0:linux:326642: sent IKE msg (ident_r2send): 172.26.0.4:4500->X.X.219.140:4500, len=292
ike 0:linux:326642: put connection to natt list...ip=80.25.219.140.
ike 0: comes X.X.219.140:4500->172.26.0.4:4500,ifindex=2....
ike 0: IKEv1 exchange=Identity Protection id=9aa76154c782136b/674c9f4c4a63d802 len=68
ike 0:linux: Incoming X.X.219.140, my:X.X.219.140.
ike 0:linux: got conn from natt list, 172.26.0.4->X.X.219.140:4500.
ike 0:linux:326642: responder: main mode get 3rd message...
ike 0:linux:326642: parse error
ike 0:linux:326642: probable pre-shared secret mismatch
ike 0:linux: link fail 2 172.26.0.4->X.X.219.140:4500 dpd=1
ike 0:linux: ignore link fail, too old
ike 0:linux:326642: confirmed nat-t RFC 3947
ike 0:linux:326642: sent IKE msg (P1_RETRANSMIT): 172.26.0.4:4500->X.X.219.140:4500, len=292

Fortigate-500A # ike 0:linux: link fail 2 172.26.0.4->X.X.219.140:4500 dpd=1
ike 0:linux: ignore link fail, too old
ike 0:linux:326642: confirmed nat-t RFC 3947
ike 0:linux:326642: sent IKE msg (P1_RETRANSMIT): 172.26.0.4:4500->X.X.219.140:4500, len=292
ike 0:linux:linuxpaso2: IPsec SA connect 2 172.26.0.4->X.X.219.140:4500, natt_mode=2
ike 0:linux: using existing connection, dpd_fail=1
ike 0:linux: found phase2 linuxpaso2
ike 0:linux:linuxpaso2: IPsec SA connect 2 172.26.0.4->X.X.219.140:4500, natt_mode=2
ike 0:linux: using existing connection, dpd_fail=1
ike 0:linux: found phase2 linuxpaso2
ike 0: comes X.X.219.140:4500->172.26.0.4:4500,ifindex=2....
ike 0: IKEv1 exchange=Identity Protection id=9aa76154c782136b/674c9f4c4a63d802 len=68
ike 0: found linux 172.26.0.4 2 -> X.X.219.140:4500
ike 0:linux:326642: responder: main mode get 3rd message...
ike 0:linux:326642: parse error
ike 0:linux:326642: probable pre-shared secret mismatch
ike 0:linux: link fail 2 172.26.0.4->X.X.219.140:4500 dpd=1
ike 0:linux: ignore link fail, too old

Log from Openswan:
Jan 22 08:24:08 amex pluto[12015]: packet from X.X.176.249:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 22 08:24:08 amex pluto[12015]: packet from X.X.176.249:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan 22 08:24:08 amex pluto[12015]: packet from X.X.176.249:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan 22 08:24:08 amex pluto[12015]: packet from X.X.176.249:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jan 22 08:24:08 amex pluto[12015]: packet from X.X.176.249:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Jan 22 08:24:08 amex pluto[12015]: packet from X.X.176.249:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 22 08:24:08 amex pluto[12015]: packet from x.x.176.249:500: received Vendor ID payload [Dead Peer Detection]
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: responding to Main Mode
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8002: max number of retransmissions (2) reached STATE_MAIN_R2
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: next payload type of ISAKMP Identification Payload has an unknown value: 26
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Jan 22 08:24:08 amex pluto[12015]: | payload malformed after IV
Jan 22 08:24:08 amex pluto[12015]: | 5c 1a d1 99 54 27 9d 53 c4 a9 0f bb dc 49 f3 be
Jan 22 08:24:08 amex pluto[12015]: | 6e f4 ec d2
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: sending notification PAYLOAD_MALFORMED to X.X.176.249:500

Many thanks! It's really driving me crazy and I can't find where the problem is.
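Both logs above stall at the same point: the responder accepts the first two main-mode messages and then fails to parse the third, which is the first one encrypted with keys derived from the pre-shared key. As an added example (not from the thread), this Python triage reads IKE log lines in either the FortiGate or the Openswan format and reports how far Phase 1 got and the most likely cause; the sample lines are constructed after the ones quoted above, and the verdict labels are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the FortiGate IKE debug and the Openswan
# pluto log quoted in the thread (peer names and addresses are placeholders).
FORTIGATE_LOG = """\
ike 0:linux:326642: responder: main mode get 1st message...
ike 0:linux:326642: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:linux:326642: responder:main mode get 2nd message...
ike 0:linux:326642: responder: main mode get 3rd message...
ike 0:linux:326642: parse error
ike 0:linux:326642: probable pre-shared secret mismatch
"""
OPENSWAN_LOG = """\
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: next payload type of ISAKMP Identification Payload has an unknown value: 26
Jan 22 08:24:08 amex pluto[12015]: "ipseclinux" #8006: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
"""

# The responder's N-th received main-mode message. MI3 (FortiGate's "3rd message") is
# the first one encrypted with keys derived from the PSK, so a decode failure exactly
# there points at the PSK rather than at proposals, DH groups or NAT-T.
STAGE_RE = re.compile(r"main mode get (\d)|expecting MI(\d)")
MISMATCH_RE = re.compile(r"pre-?shared secret mismatch|mismatch of preshared secrets|"
                         r"parse error|malformed payload|PAYLOAD_MALFORMED", re.I)
NO_PROPOSAL_RE = re.compile(r"NO_PROPOSAL_CHOSEN|no (?:SA )?proposal chosen", re.I)


@dataclass
class Diagnosis:
    stage: int    # highest main-mode message the responder received
    verdict: str

def diagnose(log_text: str) -> Diagnosis:
    """Classify one side's IKEv1 main-mode log (FortiGate or Openswan format)."""
    stage, garbled, no_proposal = 0, False, False
    for line in log_text.splitlines():
        m = STAGE_RE.search(line)
        if m:
            stage = max(stage, int(m.group(1) or m.group(2)))
        garbled |= bool(MISMATCH_RE.search(line))
        no_proposal |= bool(NO_PROPOSAL_RE.search(line))
    if stage >= 3 and garbled:
        return Diagnosis(stage, "psk_mismatch")
    if no_proposal:
        return Diagnosis(stage, "phase1_proposal_mismatch")
    if stage > 0:
        return Diagnosis(stage, "phase1_incomplete")
    return Diagnosis(stage, "no_ike_exchange")
```

Run `diagnose()` on each side's capture; when both peers report `psk_mismatch` at stage 3, as they do here, proposals and NAT-T have already been agreed and only the key needs attention.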

Re: Configure IPsec VPN Fortigate 500-A

Posted: 22 Jan 2010, 12:55
by gabyrossi
Hi, how did you build the VPN on the Fortigate? Policy mode or route mode?

Show your VPN configuration and the policy.

Regards

Re: Configure IPsec VPN Fortigate 500-A

Posted: 26 Jan 2010, 03:08
by benjamin_h_s
Hmmm, I'm no expert in VPNs on Linux, but is it just me or do you have almost everything commented out in phase 1 and everything commented out in phase 2? That way the VPN will never work; you need to do the proper configuration on your Linux server.
Once you finish that, you need to take care of creating the policies on both the Fortinet firewall and the Linux box, associating them, and the proxy domains in phase 2.

Re: Configure IPsec VPN Fortigate 500-A

Posted: 26 Jan 2010, 16:19
by santi-ti
Hi!
The Fortigate config:
config vpn ipsec phase1
    edit "linux"
        set interface "port1"
        set dhgrp 2 5
        set proposal 3des-sha1 3des-md5
        # client's public IP
        set remote-gw x.x.219.140
        set psksecret ENC V4pFJooecwSPTbuujVULNgizKhx4ePwPi66lI1qXagEjRIuloheR/duWEhKCRiDcCiC6Lpb7Z5ADhMxjK3XYPvweitBU/zarwwNJSpSn9twW9sX6
    next
end
config vpn ipsec phase2
    edit "linuxpaso2"
        set keepalive enable
        set keylife-type both
        set phase1name "linux"
        set proposal aes128-md5 3des-md5 3des-sha1
        set dhgrp 2
        # the client's LAN
        set dst-subnet 172.16.0.0 255.255.255.0
        set keylifekbs 4608000
        set src-subnet 172.26.51.0 255.255.255.0
    next
end

And the policy is:
config firewall policy
    edit 48
        set srcintf "LAN_AMA"
        set dstintf "Internet"
        # I only want this one host on my local network to have access
        set srcaddr "S4483B2A"
        # the name for the client's network 172.16.0.0/24
        set dstaddr "ipsec_linux"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set profile-status enable
        set profile "ipsec"
        set inbound enable
        set outbound enable
        set vpntunnel "linux"
    next
end

Thanks for the help!

Re: Configure IPsec VPN Fortigate 500-A

Posted: 27 Jan 2010, 15:28
by benjamin_h_s
Hmmm, did you check the Linux configuration?

Re: Configure IPsec VPN Fortigate 500-A

Posted: 31 Jan 2010, 00:50
by gabyrossi
Hi, how are you? The Fortigate side is set up fine; the thing is to put the same pre-shared key, keylife and other data in the Linux configuration.

Regards