Hi Paul, thank you for a fast response!

On 2/14/2020 6:32 PM, Paul Wouters wrote:
On Fri, 14 Feb 2020, zc2 wrote:

I am trying to connect to my office's SonicWall TZ300 firewall. The Phase1 completes, but the Phase2 fails with the message in the sonicwall's log: "IKE Responder: WAN GroupVPN Policy does not allow static IP for Virtual Adapter."

Seems like a configuration issue on the sonicwall, and not something
that can be fixed on the libreswan config side ?
I did not see what could be changed. I even asked sonicwall tech support, but they were not able to help.


I tried to set left=%any, but then libreswan throws the following error on
# ipsec whack --name sonicwall --initiate

%any is for incoming, %defaultroute is for outgoing.
Got it, no point in trying that then.


My ipsec.conf:
conn sonicwall
        auto=add
#        left=%any
        left=%defaultroute
        leftid=@GroupVPN
        leftsubnet=192.168.1.2/32
        leftxauthclient=yes
        right=<sonicwallPublicIP>
        rightid=@<sonicwallID>
        rightsubnet=10.0.0.0/24
        keyingtries=0
        aggressive=yes
        authby=secret
        ike=3des-sha1;modp1536
        pfs=yes
        phase2alg=3des-sha1;modp1536
        ikelifetime=8h

This config looks okay perhaps add leftmodecfgclient=yes as well?
I tried to add that and now the sonicwall log does not have that "IKE Responder: WAN GroupVPN Policy does not allow static IP for Virtual Adapter." anymore,
but libreswan outputs to the console:

004 "sonicwall" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP2048}
010 "sonicwall" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
010 "sonicwall" #1: STATE_XAUTH_I1: retransmission; will wait 1 seconds for response
........
031 "sonicwall" #1: STATE_XAUTH_I1: 60 second timeout exceeded after 7 retransmits.  No response (or no acceptable response) to our IKEv1 message
000 "sonicwall" #1: starting keying attempt 2 of at most 1, but releasing whack

Please advise.


note that using 3des, sha1 and modp1536 is from around the 1995 era, and
really should be upgraded. If your sonicwall can do better, you should
really switch to aes-sha2;modp2048
Thank you, I've raised the proposal to AES128-SHA256;Group 14


Paul
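For reference, the conn from this thread with both of Paul's suggestions folded in (leftmodecfgclient=yes and the AES/SHA2/modp2048 proposal the poster says he switched to). This is an added example, not a config from either poster, and the thread does not confirm it resolves the XAUTH timeout; the IP, ID and subnet values are placeholders.

```conf
conn sonicwall
        auto=add
        # %defaultroute: pick the outgoing interface; %any is only for responders
        left=%defaultroute
        # SonicWall GroupVPN expects the client to identify itself as @GroupVPN
        leftid=@GroupVPN
        # The client side is an XAUTH user (username/password after phase 1)...
        leftxauthclient=yes
        # ...and asks the firewall to assign the Virtual Adapter address via
        # mode config instead of offering a static one (the policy rejects static IPs)
        leftmodecfgclient=yes
        right=<sonicwallPublicIP>
        rightid=@<sonicwallID>
        # Office LAN reachable through the tunnel
        rightsubnet=10.0.0.0/24
        keyingtries=0
        # GroupVPN with a shared secret requires IKEv1 aggressive mode; note that
        # aggressive mode exposes the PSK to offline guessing, so use a long secret
        aggressive=yes
        authby=secret
        # AES128 / SHA-256 / DH group 14, replacing 3des-sha1;modp1536
        ike=aes128-sha2_256;modp2048
        pfs=yes
        phase2alg=aes128-sha2_256;modp2048
        ikelifetime=8h
```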

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan