Bug #6809

closed

IPSEC connection does not pass the state "CONNECTING"

Added by Andres Gomez almost 9 years ago. Updated almost 9 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date: 09/23/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.2
Affected Architecture: amd64

Description

I have an IPsec connection to a FortiGate; this connection does not work after the upgrade to 2.3. The 2.2 versions worked correctly.

Data for the connection:
* my public IP X.X.X.X
* other side public IP Y.Y.Y.Y
* rightsubnet = 10.125.50.0/24
* leftsubnet = 192.168.1.0/24

/usr/local/etc/ipsec.conf

conn con5000
        fragmentation = yes
        keyexchange = ikev1
        reauth = yes
        forceencaps = no
        mobike = no
        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        auto = route
        left = X.X.X.X
        right = Y.Y.Y.Y
        leftid = X.X.X.X
        ikelifetime = 86400s
        lifetime = 3600s
        ike = aes128-sha256-modp1536!
        esp = 3des-md5!
        leftauth = psk
        rightauth = psk
        rightid = Y.Y.Y.Y
        aggressive = no
        rightsubnet = 10.125.50.0/24
        leftsubnet = 192.168.1.0/24

ipsec statusall con5000 shows "Tasks queued: QUICK_MODE":

[2.3.2-RELEASE][]/usr/local/etc: ipsec statusall con5000
Status of IKE charon daemon (strongSwan 5.5.0, FreeBSD 10.3-RELEASE-p5, amd64):
uptime: 12 seconds, since Sep 20 15:46:45 2016
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 29
loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
Listening IP addresses: *********
Connections:
con5000: X.X.X.X ...Y.Y.Y.Y IKEv1, dpddelay=10s
con5000: local: [X.X.X.X] uses pre-shared key authentication
con5000: remote: [Y.Y.Y.Y] uses pre-shared key authentication
con5000: child: 192.168.1.0/24|/0 === 10.125.50.0/24|/0 TUNNEL, dpdaction=restart
Routed Connections:
con5000{20}: ROUTED, TUNNEL, reqid 17
con5000{20}: 192.168.1.0/24|/0 === 10.125.50.0/24|/0
Security Associations (6 up, 2 connecting):
con50002: CONNECTING, X.X.X.X[%any]... Y.Y.Y.Y[%any]
con50002: IKEv1 SPIs: ffcfff895aeff4a8_i* 0000000000000000_r
con50002: Tasks queued: QUICK_MODE
con50002: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD

I found related information in:
* https://forum.fortinet.com/tm.aspx?m=119677
* https://lists.strongswan.org/pipermail/users/2013-November/005604.html
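As an added triage helper (not part of this report, nor of pfSense or strongSwan), the following Python script parses the Security Associations section of `ipsec statusall` and flags IKE SAs that are stuck in CONNECTING, reporting which exchange is active and whether the peer has answered at all. The sample output is constructed from the excerpt above with the same placeholder addresses; the established peer con4000 is invented.

```python
import re

# Constructed excerpt modelled on the `ipsec statusall` output quoted in the report
# (placeholder addresses as in the report); con4000 is an invented established peer.
STATUS_SAMPLE = """\
Security Associations (6 up, 2 connecting):
   con50002: CONNECTING, X.X.X.X[%any]... Y.Y.Y.Y[%any]
   con50002: IKEv1 SPIs: ffcfff895aeff4a8_i* 0000000000000000_r
   con50002: Tasks queued: QUICK_MODE
   con50002: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
   con4000[3]: ESTABLISHED 2 hours ago, X.X.X.X[X.X.X.X]...Z.Z.Z.Z[Z.Z.Z.Z]
   con4000[3]: IKEv1 SPIs: 1a2b3c4d5e6f7081_i* 9f8e7d6c5b4a3928_r
"""
# IKE SA lines read "name[instance]: ..."; child SA lines use "{n}" and do not match.
IKE_SA_LINE = re.compile(r"^\s*([A-Za-z0-9_-]+?)(?:\[(\d+)\])?:\s+(.*)$")
IKE_STATES = ("CREATED", "CONNECTING", "ESTABLISHED", "PASSIVE", "REKEYING", "DELETING")
EXCHANGES = ("MAIN_MODE", "AGGRESSIVE", "IKE_INIT", "IKE_AUTH", "QUICK_MODE")

def parse_ike_sas(text):
    """Group the IKE SA lines of the `Security Associations` section by name (and instance)."""
    sas = {}
    for line in text.split("Security Associations", 1)[-1].splitlines():
        m = IKE_SA_LINE.match(line)
        if not m:
            continue
        name, inst, rest = m.groups()
        sa = sas.setdefault(f"{name}[{inst}]" if inst else name,
                            {"state": None, "spi_i": None, "spi_r": None, "active": [], "queued": []})
        if rest.startswith(IKE_STATES):
            sa["state"] = rest.split(",")[0].split()[0]
        elif "SPIs:" in rest:                      # tokens like "ffcf..._i*" and "0000..._r"
            for spi, role in (t.split("_") for t in rest.split("SPIs:")[1].split()):
                sa["spi_i" if role.startswith("i") else "spi_r"] = spi
        elif rest.startswith("Tasks active:"):
            sa["active"] = rest.split(":", 1)[1].split()
        elif rest.startswith("Tasks queued:"):
            sa["queued"] = rest.split(":", 1)[1].split()
    return sas

def find_stuck(sas):
    """Report CONNECTING IKE SAs: the active exchange and whether the peer ever replied.
    An all-zero responder SPI means no answer to the first message of that exchange."""
    findings = []
    for key, sa in sas.items():
        if sa["state"] != "CONNECTING":
            continue
        exchange = next((t for t in sa["active"] if t in EXCHANGES), "unknown")
        no_reply = sa["spi_r"] is not None and set(sa["spi_r"]) == {"0"}
        reason = "no response from peer" if no_reply else "peer answered, exchange incomplete"
        findings.append((key, exchange, reason, sa["queued"]))
    return findings
```

For the report's output this yields MAIN_MODE with no response from the peer, so the queued QUICK_MODE is not the fault; phase 1 (UDP/500 reachability or the peer's phase-1 proposal) is where to look first.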

#1

Updated by Jim Pingle almost 9 years ago

  • Status changed from New to Rejected

Please post on the forum for help diagnosing the issue until a definite bug can be identified. It could still be a configuration issue, despite the change in behavior between versions, and this is not the proper place for a troubleshooting discussion.
