Hi Paul, thank you for the fast response!
On 2/14/2020 6:32 PM, Paul Wouters wrote:
> On Fri, 14 Feb 2020, zc2 wrote:
>> I am trying to connect to my office's SonicWall TZ300 firewall. The
>> Phase1 completes, but the Phase2 fails with the message in the
>> sonicwall's log:
>> "IKE Responder: WAN GroupVPN Policy does not allow static IP for
>> Virtual Adapter."
> Seems like a configuration issue on the sonicwall, and not something
> that can be fixed on the libreswan config side?
I did not see what could be changed. I even asked sonicwall tech
support, but they were not able to help.
>> I tried to set left=%any, but then libreswan throws the following
>> error on
>> # ipsec whack --name sonicwall --initiate
>> %any is for incoming, %defaultroute is for outgoing.
Got it, no point in trying that.
>> My ipsec.conf:
>> conn sonicwall
>>     auto=add
>>     # left=%any
>>     left=%defaultroute
>>     leftid=@GroupVPN
>>     leftsubnet=192.168.1.2/32
>>     leftxauthclient=yes
>>     right=<sonicwallPublicIP>
>>     rightid=@<sonicwallID>
>>     rightsubnet=10.0.0.0/24
>>     keyingtries=0
>>     aggressive=yes
>>     authby=secret
>>     ike=3des-sha1;modp1536
>>     pfs=yes
>>     phase2alg=3des-sha1;modp1536
>>     ikelifetime=8h
> This config looks okay; perhaps add leftmodecfgclient=yes as well?
I tried to add that, and now the sonicwall log does not show that "IKE
Responder: WAN GroupVPN Policy does not allow static IP for Virtual
Adapter." message anymore,
but libreswan outputs to the console:
004 "sonicwall" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP2048}
010 "sonicwall" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
010 "sonicwall" #1: STATE_XAUTH_I1: retransmission; will wait 1 seconds for response
........
031 "sonicwall" #1: STATE_XAUTH_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our IKEv1 message
000 "sonicwall" #1: starting keying attempt 2 of at most 1, but releasing whack
Please advise.
> Note that using 3des, sha1 and modp1536 is from around the 1995 era, and
> really should be upgraded. If your sonicwall can do better, you should
> really switch to aes-sha2;modp2048
Thank you, I've raised the proposal to AES128-SHA256;Group 14
> Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
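As an added example, not part of the thread and not the poster's final configuration or anything from the libreswan project, here is the conn from the message above with Paul's two suggestions applied side by side with the original settings: leftmodecfgclient=yes is added, and the 3des-sha1;modp1536 proposals are replaced by aes128-sha2_256;modp2048, which matches what the firewall actually negotiated in the STATE_XAUTH_I1 line (AES_CBC_128 / HMAC_SHA2_256 / MODP2048). The weak lines are kept, commented out, so the two can be compared. Everything marked "assumption" (the dropped leftsubnet, the leftusername line, the ipsec.secrets entry, and the placeholders <sonicwallPublicIP>, <sonicwallID> and <shared-secret>) is mine and must be matched against the firewall's WAN GroupVPN policy.

```conf
# /etc/ipsec.conf fragment. Added example: the thread's conn with the
# suggested changes applied. Not from the original post or from libreswan.
conn sonicwall
    auto=add
    left=%defaultroute            # %any is for responders only (see the whack error in the thread)
    leftid=@GroupVPN
    leftxauthclient=yes
    leftmodecfgclient=yes         # accept the virtual address the firewall pushes;
                                  # this is what made the "does not allow static IP for
                                  # Virtual Adapter" error go away in the thread
    # leftsubnet=192.168.1.2/32   # assumption: left out, the modecfg-assigned address is used instead
    # leftusername=<xauthuser>    # assumption: XAUTH user name; the password is requested at initiate time
    right=<sonicwallPublicIP>
    rightid=@<sonicwallID>
    rightsubnet=10.0.0.0/24
    keyingtries=0
    aggressive=yes                # GroupVPN with a shared secret uses aggressive mode; see caveat below
    authby=secret
    ikelifetime=8h
    pfs=yes
    # Original proposals from the post (3DES, SHA-1, 1536-bit group), kept for comparison:
    # ike=3des-sha1;modp1536
    # phase2alg=3des-sha1;modp1536
    # Upgraded proposals, matching the SA the firewall negotiated in the log:
    ike=aes128-sha2_256;modp2048
    esp=aes128-sha2_256;modp2048  # phase2alg= is the older alias for esp=

# /etc/ipsec.secrets entry (assumption: the GroupVPN shared secret, keyed on both IDs)
# @GroupVPN @<sonicwallID> : PSK "<shared-secret>"
```

Bring the tunnel up with `ipsec auto --up sonicwall` and confirm in `ipsec status` that the negotiated IKE SA shows AES_CBC_128 / HMAC_SHA2_256 / MODP2048 rather than 3DES / SHA1 / MODP1536. One caveat that the upgraded ciphers do not fix: IKEv1 aggressive mode with a pre-shared key sends the authentication hash before the exchange is encrypted, so anyone who captures one connection attempt can run an offline dictionary attack against the GroupVPN shared secret. Use a long random secret rather than a passphrase.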