On Fri, 14 Feb 2020, zc2 wrote:
I am trying to connect to my office's SonicWall TZ300 firewall. The Phase1 completes, but the Phase2 fails with the message in the sonicwall's log: "IKE Responder: WAN GroupVPN Policy does not allow static IP for Virtual Adapter."
Seems like a configuration issue on the sonicwall, and not something that can be fixed on the libreswan config side ?
I tried to set left=%any, but then libreswan throws the following error on # ipsec whack --name sonicwall --initiate
%any is for incoming, %defaultroute is for outgoing.
My ipsec.conf: conn sonicwall auto=add # left=%any left=%defaultroute leftid=@GroupVPN leftsubnet=192.168.1.2/32 leftxauthclient=yes right=<sonicwallPublicIP> rightid=@<sonicwallID> rightsubnet=10.0.0.0/24 keyingtries=0 aggressive=yes authby=secret ike=3des-sha1;modp1536 pfs=yes phase2alg=3des-sha1;modp1536 ikelifetime=8h
This config looks okay perhaps add leftmodecfgclient=yes as well? note that using 3des, sha1 and modp1536 is from around the 1995 era, and really should be upgraded. If your sonicwall can do better, you should really switch to aes-sha2;modp2048 Paul _______________________________________________ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan