On Fri, 14 Feb 2020, zc2 wrote:

I am trying to connect to my office's SonicWall TZ300 firewall. The Phase1 completes, but the Phase2 fails with the message in the sonicwall's log: "IKE Responder: WAN GroupVPN Policy does not allow static IP for Virtual Adapter."

Seems like a configuration issue on the sonicwall, and not something that can be fixed on the libreswan config side?

I tried to set left=%any, but then libreswan throws the following error on
# ipsec whack --name sonicwall --initiate

%any is for incoming, %defaultroute is for outgoing.

My ipsec.conf:
conn sonicwall
        # load on start; brought up by hand with "ipsec whack --initiate"
        auto=add
#        left=%any
        left=%defaultroute
        leftid=@GroupVPN
        # fixed client address proposed for the tunnel
        leftsubnet=192.168.1.2/32
        # IKEv1 XAUTH username/password on our side
        leftxauthclient=yes
        right=<sonicwallPublicIP>
        rightid=@<sonicwallID>
        rightsubnet=10.0.0.0/24
        # 0 = retry forever
        keyingtries=0
        # IKEv1 aggressive mode with a pre-shared key
        aggressive=yes
        authby=secret
        # Phase 1 proposal
        ike=3des-sha1;modp1536
        pfs=yes
        # Phase 2 (ESP) proposal
        phase2alg=3des-sha1;modp1536
        ikelifetime=8h

This config looks okay; perhaps add leftmodecfgclient=yes as well?

Note that using 3des, sha1 and modp1536 is from around the 1995 era and
really should be upgraded. If your sonicwall can do better, you should
really switch to aes-sha2;modp2048.

Paul
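Paul's two suggestions, as an added example that is not part of the original thread or of libreswan itself: a small Python audit script that parses the conn sections of an ipsec.conf, flags the 1995-era proposal tokens in ike= and phase2alg=, and reports when an XAUTH client does not also set leftmodecfgclient=yes (so it never asks the gateway for a Virtual Adapter address via Mode Config). The two embedded configs are constructed for the demo: the first repeats zc2's conn with its placeholders, the second applies Paul's changes; dropping leftsubnet in favour of a Mode Config-assigned address is an assumption. The check for aggressive mode combined with a pre-shared key is an added caveat of mine, not something raised in the thread.

```python
"""Audit libreswan ipsec.conf 'conn' sections for the points raised above.

Added example, not libreswan code.  Checks performed:
  * ike= / phase2alg= / esp= proposals containing 1990s-era tokens
  * leftxauthclient=yes without leftmodecfgclient=yes (no Mode Config
    request, so the client cannot receive a Virtual Adapter address)
  * aggressive=yes together with authby=secret (added caveat: IKEv1
    aggressive mode lets an eavesdropper capture a crackable PSK hash)
"""
import re

# Tokens libreswan accepts in ike=/phase2alg= that should no longer be used.
WEAK_TOKENS = {"des", "3des", "md5", "sha", "sha1", "modp768", "modp1024", "modp1536"}

# Constructed input 1: the conn from the thread (placeholders kept as-is).
WEAK_CONF = """\
conn sonicwall
        auto=add
#        left=%any
        left=%defaultroute
        leftid=@GroupVPN
        leftsubnet=192.168.1.2/32
        leftxauthclient=yes
        right=<sonicwallPublicIP>
        rightid=@<sonicwallID>
        rightsubnet=10.0.0.0/24
        keyingtries=0
        aggressive=yes
        authby=secret
        ike=3des-sha1;modp1536
        pfs=yes
        phase2alg=3des-sha1;modp1536
        ikelifetime=8h
"""

# Constructed input 2: the same conn with Paul's changes applied.  Dropping
# leftsubnet (assumption) lets the Mode Config reply supply the client address.
HARDENED_CONF = """\
conn sonicwall
        auto=add
        left=%defaultroute
        leftid=@GroupVPN
        leftxauthclient=yes
        leftmodecfgclient=yes
        right=<sonicwallPublicIP>
        rightid=@<sonicwallID>
        rightsubnet=10.0.0.0/24
        keyingtries=0
        aggressive=yes
        authby=secret
        ike=aes-sha2;modp2048
        pfs=yes
        phase2alg=aes-sha2;modp2048
        ikelifetime=8h
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' block in text.

    '#' starts a comment; key=value lines belong to the most recent
    'conn <name>' header.  'config setup' lines are skipped.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif line.startswith("config"):
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def weak_algorithms(spec):
    """List the weak tokens in a proposal string such as '3des-sha1;modp1536'.

    Proposals are separated by ',', components by '-' or ';'.
    """
    tokens = {t.strip().lower() for t in re.split(r"[-;,]", spec) if t.strip()}
    return sorted(tokens & WEAK_TOKENS)


def audit_conn(name, conn):
    """Return a list of human-readable findings for one conn."""
    findings = []
    for key in ("ike", "phase2alg", "esp"):
        if key in conn:
            weak = weak_algorithms(conn[key])
            if weak:
                findings.append(f"{name}: {key}={conn[key]} uses weak {', '.join(weak)}")
    if conn.get("leftxauthclient") == "yes" and conn.get("leftmodecfgclient") != "yes":
        findings.append(f"{name}: leftxauthclient=yes without leftmodecfgclient=yes, "
                        "so no Mode Config address will be requested from the gateway")
    if conn.get("aggressive") == "yes" and conn.get("authby") == "secret":
        findings.append(f"{name}: IKEv1 aggressive mode with a PSK exposes a "
                        "crackable hash of the secret to an eavesdropper")
    return findings


def audit(text):
    """Audit every conn in an ipsec.conf text; returns {conn_name: [findings]}."""
    return {name: audit_conn(name, conn) for name, conn in parse_conns(text).items()}


if __name__ == "__main__":
    for label, conf in (("original", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for name, findings in audit(conf).items():
            for f in findings or [f"{name}: no findings"]:
                print(" ", f)
```

Running it prints four findings for the original conn (both weak proposals, the missing Mode Config request, and the aggressive-mode caveat) and only the aggressive-mode caveat for the hardened one, which makes the point that upgrading the proposals and adding leftmodecfgclient=yes does not change the IKEv1 aggressive-mode exposure if the peer insists on it.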
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan