VPN (IPsec/L2TP) not working with FortiGate since Version 53
Reported by georg.ge...@gmail.com, Sep 22 2016
Issue description
Chrome Version : 55.0.2858.0
OS Version: 8798.0.0
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5:
Firefox 4.x:
IE 7/8/9:
What steps will reproduce the problem?
1. Try to connect to FortiGate
The connection worked well until Version 52 but refuses to work from Version 53 on (also 54, 55). In the FortiGate log you can read that the second step in Phase 1 of IPsec fails.
UserAgentString: Mozilla/5.0 (X11; CrOS x86_64 8798.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2858.0 Safari/537.36
Oct 24 2016
Here is the essential part of the log from my FortiGate. When my Android device logs in (successfully), everything else is quite the same. It seems that there are problems with the pre-shared key. Was there any change from version 52 to 53? Is there a problem with German umlauts?

ike 0: IKEv1 exchange=Aggressive id=81a08a82d504d9a4/5ace32aa1462cc33 len=108
ike 0: in 81A08A82D504D9A45ACE32AA1462CC3314100401000000000000006C9A6F34F3A7134C5E7847292E30190BBB4A5881CB7F09156EBFF256026DBA3E105B5F5E927A12458297B353344E216873E6D856569D42361B1971D3203A389D011D40FBACFED5FA74E186EE129622FD99
ike 0:Zugang:374: responder: aggressive mode get 2nd response...
ike 0:Zugang:374: dec 81A08A82D504D9A45ACE32AA1462CC3314100401000000000000006C2B56D8C13CBF2B13731F887547224594E04E1AD168500959BEC84B3B460B2B60FD0AB55CD9A8B941E6B7B80BDECD2FCF4061D0864CD0C6656B5A58CB4FF90C4F8A8D50305A4141214ACB170C5C40880B
ike 0:Zugang:374: parse error
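Added example (not part of the original report, and not FortiGate or Chromium code): a short Python decoder for the 28-byte ISAKMP header that opens both hex dumps in the log above, plus a sanity check of the first generic payload header in the decrypted ("dec") body. The function names are hypothetical; the field layout is from RFC 2408 and the NAT-D payload number from RFC 3947.

```python
import struct

# Constants from RFC 2408/2409 (ISAKMP/IKEv1); NAT-D (20) is from RFC 3947.
# PAYLOADS is a subset used only to label the next-payload field.
EXCHANGES = {2: "Main", 4: "Aggressive", 5: "Informational", 32: "Quick"}
PAYLOADS = {0: "None", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE",
            11: "Notification", 13: "Vendor ID", 20: "NAT-D"}
FLAGS = {0x01: "Encryption", 0x02: "Commit", 0x04: "AuthOnly"}

# Copied from the log above: the 28-byte header shared by the "in" and "dec"
# lines, and the first 4 bytes of the decrypted body from the "dec" line.
HEADER_HEX = "81A08A82D504D9A45ACE32AA1462CC3314100401000000000000006C"
DEC_BODY_START_HEX = "2B56D8C1"


def parse_isakmp_header(header_hex):
    """Decode the fixed 28-byte ISAKMP header."""
    raw = bytes.fromhex(header_hex)
    if len(raw) < 28:
        raise ValueError("ISAKMP header is 28 bytes, got %d" % len(raw))
    icookie, rcookie, nxt, ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", raw[:28])
    return {
        "cookies": "%s/%s" % (icookie.hex(), rcookie.hex()),
        "next_payload": PAYLOADS.get(nxt, "unknown(%d)" % nxt),
        "version": "%d.%d" % (ver >> 4, ver & 0x0F),
        "exchange": EXCHANGES.get(exch, "unknown(%d)" % exch),
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "message_id": msg_id,
        "length": length,
    }


def payload_header_problems(first4_hex, body_len):
    """Check a generic payload header: next payload, reserved, length."""
    _nxt, reserved, plen = struct.unpack("!BBH", bytes.fromhex(first4_hex)[:4])
    problems = []
    if reserved != 0:
        problems.append("reserved byte is 0x%02x, must be 0" % reserved)
    if plen < 4 or plen > body_len:
        problems.append("payload length %d not within 4..%d" % (plen, body_len))
    return problems


if __name__ == "__main__":
    hdr = parse_isakmp_header(HEADER_HEX)
    print(hdr)
    print(payload_header_problems(DEC_BODY_START_HEX, hdr["length"] - 28))
```

The header decodes to the same cookies, exchange type and length that the FortiGate prints, with the Encryption flag set. The decrypted body, however, begins with a non-zero reserved byte and a payload length of 55489 in an 80-byte body, which is consistent with the "parse error" line.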
Mar 1 2017
To answer my own question: there is a problem with the proposals. They do match, according to the FortiGate log, but they do not. So the pre-shared key is misunderstood and the VPN will not connect. There are no reasonable error messages; the Chromebook only says "interner Fehler", and the FortiGate says "parse error" or sometimes that it is ignoring informational messages. Obviously this "informational message" is the pre-shared key! BUT, the solution is easy: just tell the FortiGate to use DH 15, AES128-SHA256 only, so the Chromebook cannot connect with a non-matching (or at least not really matching) proposal. So I guess there was a change in a proposal in ChromeOS in Version 53, not documented, not explained, and nobody took care of this post....
Mar 2 2018
Issue has not been modified or commented on in the last 365 days, please re-open or file a new bug if this is still an issue. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dtapu...@chromium.org, Sep 22 2016