Connection to Fortigate VPN stopped working
I'm on Arch Linux and I was able to set up a VPN connection to a Fortigate VPN server with the help of libreswan and networkmanager-libreswan, which worked without an issue until Monday last week (22nd February). The last time it worked was Friday (19th February). The strangest thing is that I definitely didn't upgrade any package in the mentioned time interval.
The packages I currently have are:
$ yay -Qs libreswan
local/libreswan 4.2-1
IPsec implementation with IKEv1 and IKEv2 keying protocols
local/networkmanager-libreswan 1.2.14-3
NetworkManager IPSec VPN plugin for Libreswan
Here is the relevant log from the last successful connection:
Feb 19 22:14:19 localhost pluto[1011]: listening for IKE messages
Feb 19 22:14:19 localhost pluto[1011]: forgetting secrets
Feb 19 22:14:19 localhost pluto[1011]: loading secrets from "/etc/ipsec.secrets"
Feb 19 22:14:19 localhost pluto[1011]: loading secrets from "/etc/ipsec.d/ipsec-7d36a796-5bc6-46f9-833a-cede2d9b36ac.secrets"
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac": added IKEv1 connection
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: initiating IKEv1 Aggressive Mode connection
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: sent Aggressive Mode request
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: ignoring unknown Vendor ID payload [82 99 03 17 57 a3 60 82 c6 a6 21 de 00 00 00 00]
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: Peer ID is ID_IPV4_ADDR: '<IP>'
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: Peer ID is ID_IPV4_ADDR: '<IP>'
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: XAUTH: Answering XAUTH challenge with user='<user>'
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: XAUTH: Successfully Authenticated
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: modecfg: Sending IP request (MODECFG_I1)
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: Received IPv4 address: <IP>
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: Received DNS server <IP>
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: Received DNS server <IP>
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: Received subnet <IP>
...
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #23: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #24: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+IKE_FRAG_ALLOW+ESN_NO {using isakmp#2>
Feb 19 22:14:19 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #24: sent Quick Mode request
and here is the relevant section from the first unsuccessful one:
Feb 22 09:47:21 localhost pluto[1011]: listening for IKE messages
Feb 22 09:47:21 localhost pluto[1011]: forgetting secrets
Feb 22 09:47:21 localhost pluto[1011]: loading secrets from "/etc/ipsec.secrets"
Feb 22 09:47:21 localhost pluto[1011]: loading secrets from "/etc/ipsec.d/ipsec-7d36a796-5bc6-46f9-833a-cede2d9b36ac.secrets"
Feb 22 09:47:21 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac": added IKEv1 connection
Feb 22 09:47:21 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Feb 22 09:47:21 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: initiating IKEv1 Aggressive Mode connection
Feb 22 09:47:21 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: sent Aggressive Mode request
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: ignoring unknown Vendor ID payload [82 99 03 17 57 a3 60 82 c6 a6 21 de 00 00 00 00]
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: Peer ID is ID_IPV4_ADDR: '<IP>'
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: Peer ID is ID_IPV4_ADDR: '<IP>'
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: XAUTH: Answering XAUTH challenge with user='<user>'
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: XAUTH: Answering XAUTH challenge with user='<user>'
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: XAUTH: Answering XAUTH challenge with user='<user>'
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: received Delete SA payload: self-deleting ISAKMP State #25
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: deleting state (STATE_XAUTH_I1) aged 0.56103s and sending notification
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #25: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac": initiating connection '7d36a796-5bc6-46f9-833a-cede2d9b36ac' with serial $13 which received a Delete/Notify but must remain up per >
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #26: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #26: initiating IKEv1 Aggressive Mode connection
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #26: sent Aggressive Mode request
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #26: ignoring unknown Vendor ID payload [82 99 03 17 57 a3 60 82 c6 a6 21 de 00 00 00 00]
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #26: Peer ID is ID_IPV4_ADDR: '<IP>'
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #26: Peer ID is ID_IPV4_ADDR: '<IP>'
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #26: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #26: XAUTH password requested, but no file descriptor available for prompt
Feb 22 09:47:22 localhost pluto[1011]: "7d36a796-5bc6-46f9-833a-cede2d9b36ac" #26: encountered fatal error in state STATE_AGGR_I2
I obfuscated the entries for the IPs and the user. Here is a description of how I managed to set it up (I don't know much about this technology, so it took a couple of rounds of trial and error to set it up):
1.) install 'networkmanager-libreswan' and 'libreswan'
2.) in network manager choose 'IPsec based VPN'
3.) basic conf:
- name: whatever
- Gateway: <gateway>
- Type: IKEv1 (XAUTH)
- User name: <user>
- User password: <pass> (choose store the password for all users (because of bug))
- Group name: <group_name>
- Secret: <secret> (choose store the password for all users (because of bug))
4.) advanced conf:
- Phase1 Algorithms: aes256-sha2_256-modp1536
- Phase2 Algorithms: aes128-sha256
- Phase1 Lifetime: 86400
- Phase2 Lifetime: 43200
Everything else remains at its default value.
Again, I obfuscated sensitive entries.
A couple of notes (and questions):
- Again, I didn't upgrade any packages before it stopped working (in fact I didn't even switch off my computer in the given time interval).
- For others (using mainly Mac, for which there is a working Fortinet client) the VPN still works without any issues.
- I tried downgrading both libreswan and networkmanager-libreswan, mainly because recently I had an issue which was fixed in #6 (closed) and for that it temporarily solved the problem. But for the current issue it doesn't help.
- I may very well be reporting this issue in the wrong repository. That's because I'm not familiar with this technology, but also because I couldn't figure out how I could debug this issue. Since networkmanager-libreswan is a frontend for libreswan, I thought I could do some debugging myself with ipsec and /etc/ipsec.conf, but I couldn't locate the generated config file. (I guess it's only created in memory when you try to connect to a VPN.) Is it possible to generate this file from the GUI setup?
- As I noted in the VPN setup section, I could work around a small bug for password storage by storing it for all users. I don't think it's related at all, but it's worth mentioning that I faced a behavior there which I didn't expect and it's maybe a bug.
Please let me know if you need some additional info!
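The two logs in the report diverge at the XAUTH step: the working run answers one challenge and gets "Successfully Authenticated", while the failing run answers the challenge three times, the gateway sends a Delete SA, and the revived state #26 dies because pluto has no file descriptor to prompt for the password. The script below is an added example (not from the report, libreswan or the NetworkManager plugin) that groups pluto messages by ISAKMP state number and flags exactly those symptoms; the sample lines are constructed to mirror the report's format, with a placeholder connection name and state numbers.

```python
import re
# Constructed sample lines in the pluto log format from the report; the
# connection name and state numbers are placeholders, not the reporter's.
GOOD_LOG = """\
Feb 19 22:14:19 localhost pluto[1011]: "conn-x" #23: IKE SA established {auth=PRESHARED_KEY}
Feb 19 22:14:19 localhost pluto[1011]: "conn-x" #23: XAUTH: Answering XAUTH challenge with user='<user>'
Feb 19 22:14:19 localhost pluto[1011]: "conn-x" #23: XAUTH: Successfully Authenticated
"""
BAD_LOG = """\
Feb 22 09:47:22 localhost pluto[1011]: "conn-x" #25: IKE SA established {auth=PRESHARED_KEY}
Feb 22 09:47:22 localhost pluto[1011]: "conn-x" #25: XAUTH: Answering XAUTH challenge with user='<user>'
Feb 22 09:47:22 localhost pluto[1011]: "conn-x" #25: XAUTH: Answering XAUTH challenge with user='<user>'
Feb 22 09:47:22 localhost pluto[1011]: "conn-x" #25: XAUTH: Answering XAUTH challenge with user='<user>'
Feb 22 09:47:22 localhost pluto[1011]: "conn-x" #25: received Delete SA payload: self-deleting ISAKMP State #25
Feb 22 09:47:22 localhost pluto[1011]: "conn-x" #26: IKE SA established {auth=PRESHARED_KEY}
Feb 22 09:47:22 localhost pluto[1011]: "conn-x" #26: XAUTH password requested, but no file descriptor available for prompt
Feb 22 09:47:22 localhost pluto[1011]: "conn-x" #26: encountered fatal error in state STATE_AGGR_I2
"""
# Only lines carrying an ISAKMP state number ("#25:") belong to a handshake;
# "listening for IKE messages" and "loading secrets" lines are skipped.
LINE_RE = re.compile(r'pluto\[\d+\]: "[^"]+" #(?P<state>\d+): (?P<msg>.*)$')
# Message prefix -> how that state ended.
OUTCOMES = {"XAUTH: Successfully Authenticated": "xauth-ok",
            "received Delete SA payload": "deleted-by-peer", "encountered fatal error": "fatal"}

def triage(log_text):
    """Per ISAKMP state: number of XAUTH challenges answered and final outcome."""
    states = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        st = states.setdefault(int(m.group("state")), {"challenges": 0, "outcome": "incomplete"})
        msg = m.group("msg")
        if msg.startswith("XAUTH: Answering XAUTH challenge"):
            st["challenges"] += 1
        for prefix, label in OUTCOMES.items():
            if msg.startswith(prefix):
                st["outcome"] = label
    return states

def findings(log_text):
    """Flag a re-issued XAUTH challenge that never authenticates, and aborted states."""
    out = []
    for num, st in triage(log_text).items():
        if st["challenges"] > 1 and st["outcome"] != "xauth-ok":
            out.append(f"#{num}: XAUTH challenge answered {st['challenges']}x, never authenticated")
        if st["outcome"] in ("deleted-by-peer", "fatal"):
            out.append(f"#{num}: aborted ({st['outcome']})")
    return out
```

Run it over `journalctl -u ipsec` output to see at a glance whether the gateway re-issued the XAUTH challenge (the credential side) or the client failed to prompt (the NetworkManager side); the two point at different components.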