Here is the setup:
I have a FortiGate device installed on a business network with a FortiGate VPN. Machines on a remote network running FortiClient (Windows and Mac machines) connect to this VPN without problems. I have been tasked with getting Linux machines, which FortiGate does not support, connected to the VPN.
To figure out how, I set up an Ubuntu 16.04 machine on the remote network running OpenSwan, trying to connect to a specific tunnel I set up on the FortiGate.
However, this is as far as I can get it to connect:
    002 "icms" #1: initiating Aggressive Mode #1, connection "icms"
    113 "icms" #1: STATE_AGGR_I1: initiate
    003 "icms" #1: received Vendor ID payload [RFC 3947] method set to=115
    003 "icms" #1: received Vendor ID payload [Dead Peer Detection]
    003 "icms" #1: received Vendor ID payload [XAUTH]
    003 "icms" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de0005024d]
    002 "icms" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'abcd'
    003 "icms" #1: no suitable connection for peer 'abcd'
    003 "icms" #1: initial Aggressive Mode packet claiming to be from abcd on abcd but no connection has been authorized
    218 "icms" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
    002 "icms" #1: sending notification INVALID_ID_INFORMATION to abcd:500
where "icms" is the name of the connection and "abcd" stands for the FortiGate's public IP.
My /etc/ipsec.d/icms.conf configuration:
    conn icms
        type=tunnel
        authby=secret
        pfs=no
        ike=aes128-sha1;modp1536
        phase2alg=aes128-sha1
        aggrmode=yes
        keylife=28800s
        ikelifetime=1800s
        right=abcd
        rightnexthop=%defaultroute
        rightsubnet=172.16.1.0/16
        left=efgh
        leftnexthop=%defaultroute
        auto=add
'efgh' is the IP address of the Ubuntu machine.
My /etc/ipsec.d/icms.secrets:
abcd : PSK "presharedsecret"
Any help or suggestions would be greatly appreciated; if I can provide more information, please let me know. I have tried multiple configurations of OpenSwan and FortiGate tunnels, with no success so far.
Edit 1: FortiGate configuration info!
    config vpn ipsec phase1-interface
        edit "icms"
            set type static
            set interface "wan1"
            set ip-version 4
            set ike-version 1
            set local-gw 0.0.0.0
            set nattraversal enable
            set keylife 86400
            set authmethod psk
            set mode aggressive
            set peertype any
            set mode-cfg disable
            set proposal aes128-sha1 aes192-sha256
            set localid "icms"
            set localid-type auto
            set negotiate-timeout 30
            set fragmentation enable
            set dpd enable
            set forticlient-enforcement disable
            set comments "Phase1 to Remote Linux"
            set npu-offload enable
            set dhgrp 14 5
            set wizard-type custom
            set xauthtype disable
            set mesh-selector-type disable
            set remote-gw '<IP of Ubuntu Machine>'
            set monitor ''
            set add-gw-route disable
            set psksecret ENC <encrypted string>
            set keepalive 10
            set auto-negotiate enable
            set dpd-retrycount 3
            set dpd-retryinterval 5
        next
    end
And the FortiGate configuration for Phase 2:
    config vpn ipsec phase2-interface
        edit "@icms"
            set phase1name "icms"
            set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
            set pfs disable
            set replay enable
            set keepalive disable
            set auto-negotiate enable
            set keylife-type seconds
            set encapsulation tunnel-mode
            set comments ''
            set protocol 0
            set src-addr-type subnet
            set src-port 0
            set dst-addr-type ip
            set dst-port 0
            set keylifeseconds 43200
            set src-subnet 172.16.1.0 255.255.255.248
            set dst-start-ip '<IP of Ubuntu Machine>'
        next
    end
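An added consistency check for the two sides of this tunnel (example code written for this page, not from the question, OpenSwan or Fortinet): it parses the relevant lines of the OpenSwan conn block and the FortiGate phase1/phase2 blocks as posted above, reports where the settings disagree, and extracts the peer ID type and final notification from the pluto log. It assumes the standard IANA IKE group numbers for OpenSwan's modp names (modp1536 is group 5, modp2048 is group 14), and the sample inputs are constructed copies of the posted configuration. The one mismatch it finds, rightsubnet 172.16.1.0/16 against the FortiGate's 172.16.1.0/29, concerns the Phase 2 traffic selectors; the log above shows the negotiation failing already in Phase 1 with INVALID_ID_INFORMATION, so this check complements that error rather than explaining it.

```python
import ipaddress
import re

# Constructed inputs: the settings this check compares, copied from the
# question's OpenSwan conn block and FortiGate phase1/phase2 blocks.
OPENSWAN_CONN = """\
conn icms
    pfs=no
    ike=aes128-sha1;modp1536
    phase2alg=aes128-sha1
    aggrmode=yes
    right=abcd
    rightsubnet=172.16.1.0/16
    left=efgh
"""

FORTIGATE_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "icms"
        set mode aggressive
        set proposal aes128-sha1 aes192-sha256
        set dhgrp 14 5
        set localid "icms"
    next
end
"""

FORTIGATE_PHASE2 = """\
config vpn ipsec phase2-interface
    edit "@icms"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256
        set pfs disable
        set src-subnet 172.16.1.0 255.255.255.248
    next
end
"""

# Trimmed copy of the pluto log lines from the question.
PLUTO_LOG = """\
002 "icms" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'abcd'
003 "icms" #1: no suitable connection for peer 'abcd'
218 "icms" #1: STATE_AGGR_I1: INVALID_ID_INFORMATION
002 "icms" #1: sending notification INVALID_ID_INFORMATION to abcd:500
"""

# Standard IANA IKE group numbers for the modp names OpenSwan uses (assumed).
MODP_TO_DHGRP = {"modp1024": "2", "modp1536": "5", "modp2048": "14"}


def parse_openswan_conn(text):
    """Return {key: value} for the key=value lines of one 'conn' block."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def parse_fortigate_block(text):
    """Return {key: [values]} for the 'set key value...' lines of one edit block."""
    settings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "set":
            settings[parts[1]] = [p.strip("\"'") for p in parts[2:]]
    return settings


def phase1_mismatches(conn, phase1):
    """Compare IKE exchange mode, Phase 1 proposal and DH group across both sides."""
    problems = []
    if (conn.get("aggrmode") == "yes") != (phase1.get("mode") == ["aggressive"]):
        problems.append("IKE exchange mode differs (aggrmode vs set mode)")
    proposal, _, group = conn["ike"].partition(";")
    if proposal not in phase1.get("proposal", []):
        problems.append(f"Phase 1 proposal {proposal} not offered by FortiGate")
    if MODP_TO_DHGRP.get(group) not in phase1.get("dhgrp", []):
        problems.append(f"DH group {group} not in FortiGate dhgrp list")
    return problems


def phase2_mismatches(conn, phase2):
    """Compare traffic selectors, PFS and ESP proposal across both sides."""
    problems = []
    # rightsubnet is the FortiGate side, so it must equal the FortiGate's
    # src-subnet; strict=False normalises host bits (172.16.1.0/16 -> 172.16.0.0/16).
    ours = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    theirs = ipaddress.ip_network("/".join(phase2["src-subnet"]), strict=False)
    if ours != theirs:
        problems.append(f"rightsubnet {ours} != FortiGate src-subnet {theirs}")
    if (conn.get("pfs") == "yes") != (phase2.get("pfs") == ["enable"]):
        problems.append("PFS setting differs")
    if conn["phase2alg"] not in phase2.get("proposal", []):
        problems.append(f"Phase 2 proposal {conn['phase2alg']} not offered by FortiGate")
    return problems


def phase1_outcome(log):
    """Pull the peer ID type and the last IKE notification out of pluto output."""
    id_match = re.search(r"peer ID is (\S+):", log)
    notifications = re.findall(r"sending notification (\S+) to", log)
    return (id_match.group(1) if id_match else None,
            notifications[-1] if notifications else None)


if __name__ == "__main__":
    conn = parse_openswan_conn(OPENSWAN_CONN)
    print("Phase 1:", phase1_mismatches(conn, parse_fortigate_block(FORTIGATE_PHASE1)) or "consistent")
    print("Phase 2:", phase2_mismatches(conn, parse_fortigate_block(FORTIGATE_PHASE2)) or "consistent")
    print("pluto outcome:", phase1_outcome(PLUTO_LOG))
```

Run it as-is to see the comparison of the posted settings; to check a different pair of devices, paste the conn block and the FortiGate blocks into the three constants. The parsers only read `key=value` and `set key value` lines, so the full blocks from the question can be pasted in unchanged.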
If you have a valid support contract, you can also download the SSL VPN client for Linux from their support site, which might be easier. I have used several different versions for a few years without problems.
https://support.fortinet.com/Download/FirmwareImages.aspx
/ FortiGate / v5.00 / 5.2 / 5.2.7 / VPN / SSLVPNTools /