Alwyn,
Our SonicWall had a hardware failure several months ago and we
are now using something else. Below was my last working
configuration using libreswan to connect to the SonicWall. This
was with Ubuntu 16.04. Of course, your SonicWall settings would
need to match what I was using. I started the vpn from command
line, and this setup would prompt for username and password.
From /etc/ipsec.conf
conn JOE
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=@GroupVPN
        leftxauthclient=yes
        #leftmodecfgclient=yes # new for 3.29
        #modecfgpull=yes # new for 3.29
        right=www.xxx.yyy.zzz #sonic wall public IP
        rightsubnet=10.0.15.0/24
        rightxauthserver=yes
        #rightmodecfgserver=yes # new for 3.29
        rightid=@MYNet
        keyingtries=%forever
        pfs=no
        auto=add
        #auth=esp
        phase2alg=3des-md5;modp1024
        ike=3des-md5;modp1024
        aggressive=yes
        #aggrmode=yes # new for 3.29
        #ike_frag=yes # new for 3.29
From /etc/ipsec.secrets
@GroupVPN @MYNet : PSK "123YOURSECRETHERE456"
Hi there,
First off, the ciphers used are old, I know that but can't change it.
I am trying to connect to a SonicWall VPN setup for global vpn clients.
I have compiled libreswan to support DH2.
Client is a laptop on my home network, behind a TP-LINK router (doing NAT) with a dynamically assigned IP on the WAN.
My config is the following:
conn sonic
        ikev2=no
        leftid=@GroupVPN
        leftxauthusername=alwyn
        ike=aes_cbc-sha;modp1024
        esp=aes_cbc-sha;modp1024
        right=<sonicwall IP address>
        rightid=@C0EAE402FFB8
        initial-contact=yes
        # nat-ikev1=drafts
        # cisco_unity=yes
        aggrmode=yes
        authby=secret
        left=%defaultroute
        leftxauthclient=yes
        leftmodecfgclient=yes
        remote_peer_type=cisco
        rightxauthserver=yes
        rightmodecfgserver=yes
        salifetime=24h
        #ikelifetime=1h
        ikelifetime=24h
        dpdaction=restart
        dpdtimeout=60
        dpddelay=30
        auto=add
        rekey=no
        modecfgpull=yes
        # type=tunnel
        # pfs=yes
When I restart IPsec, this is what the log says:
Feb 25 09:09:03 alwyn-hp pluto[859886]: "sonic": added IKEv1 connection
Feb 25 09:09:03 alwyn-hp pluto[859886]: listening for IKE messages
Feb 25 09:09:03 alwyn-hp pluto[859886]: Kernel supports NIC esp-hw-offload
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface virbr1 192.168.39.1:500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface virbr1 192.168.39.1:4500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface br-8e1865506143 172.19.0.1:500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface br-8e1865506143 172.19.0.1:4500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface docker0 172.17.0.1:500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface docker0 172.17.0.1:4500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface virbr0 192.168.122.1:500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface virbr0 192.168.122.1:4500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface wlp3s0 192.168.0.140:500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface wlp3s0 192.168.0.140:4500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface lo 127.0.0.1:500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface lo 127.0.0.1:4500
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface lo [::1]:500
Feb 25 09:09:03 alwyn-hp pluto[859886]: loading secrets from "/etc/ipsec.secrets"
Feb 25 09:09:03 alwyn-hp pluto[859886]: loading secrets from "/etc/ipsec.d/sonic.secrets"
wlp3s0 is my wifi interface.
When I do 'ipsec auto --up sonic' I get the following log:
003 "tutuka" #1: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
002 "tutuka" #1: initiating IKEv1 Aggressive Mode connection
110 "tutuka" #1: sent Aggressive Mode request
003 "tutuka" #1: ignoring unknown Vendor ID payload [5b 36 2b c8 20 f6 00 07]
002 "tutuka" #1: Peer ID is ID_FQDN: '@C0EAE402FFB8'
002 "tutuka" #1: Peer ID is ID_FQDN: '@C0EAE402FFB8'
004 "tutuka" #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1024}
003 "tutuka" #1: received and ignored notification payload: IPSEC_RESPONDER_LIFETIME
002 "tutuka" #1: XAUTH: Answering XAUTH challenge with user='alwyn'
004 "tutuka" #1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1024}
003 "tutuka" #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
003 "tutuka" #1: received and ignored notification payload: IPSEC_INITIAL_CONTACT
002 "tutuka" #1: XAUTH: Successfully Authenticated
004 "tutuka" #1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1024}
002 "tutuka" #1: modecfg: Sending IP request (MODECFG_I1)
003 "tutuka" #1: received Delete SA payload: self-deleting ISAKMP State #1
002 "tutuka" #1: deleting state (STATE_MODE_CFG_I1) aged 1.361573s and sending notification
My noob gut tells me I am supposed to get IP information sent, but I'm not even sure if I am done authenticating.
Any input welcome!
Regards,
Alwyn Schoeman
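An added log-triage helper (not from the post or from libreswan) that reads the 'ipsec auto --up' output quoted above and reports the furthest negotiation stage reached: here XAUTH succeeds and the client sends its MODECFG address request, after which the peer deletes the ISAKMP SA. The "IPsec SA established" pattern is assumed from libreswan's phase-2 success message; every other pattern comes from the posted lines.

```python
import re
from typing import Dict, List

# Pluto prints 'NNN "conn" #state: message' on the console for 'ipsec auto --up'.
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')

# Milestones in the order an IKEv1 XAUTH + ModeCfg client reaches them.
# All but the last appear in the log posted above; "IPsec SA established" is
# libreswan's phase-2 success message (assumed here, not present in that log).
STAGES = [
    ("AGGR_SENT",       "sent Aggressive Mode request"),
    ("IKE_SA",          "IKE SA established"),
    ("XAUTH_OK",        "XAUTH: Successfully Authenticated"),
    ("MODECFG_REQUEST", "modecfg: Sending IP request"),
    ("IPSEC_SA",        "IPsec SA established"),
]

def triage(lines: List[str]) -> Dict[str, object]:
    """Return the furthest stage reached, how the exchange ended, and any
    weak-crypto warnings pluto emitted, for the first connection seen."""
    result = {"conn": None, "last_stage": None, "teardown": None, "warnings": []}
    reached = -1
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a pluto status line
        _code, conn, _state, msg = m.groups()
        result["conn"] = result["conn"] or conn
        for idx, (name, needle) in enumerate(STAGES):
            if needle in msg and idx > reached:
                reached, result["last_stage"] = idx, name
        if "received Delete SA payload" in msg:
            result["teardown"] = "peer deleted the ISAKMP SA"
        if "vulnerable" in msg:
            result["warnings"].append(msg)
    return result

# Constructed sample: a trimmed copy of the 'ipsec auto --up' output in the post.
SAMPLE = """\
003 "tutuka" #1: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
110 "tutuka" #1: sent Aggressive Mode request
004 "tutuka" #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1024}
002 "tutuka" #1: XAUTH: Successfully Authenticated
002 "tutuka" #1: modecfg: Sending IP request (MODECFG_I1)
003 "tutuka" #1: received Delete SA payload: self-deleting ISAKMP State #1
""".splitlines()

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{r['conn']}: reached {r['last_stage']}; ended by: {r['teardown']}")
```

Feed it the real console output (ipsec auto --up sonic | python3 triage.py style, reading sys.stdin) to see whether a failure lands before or after XAUTH, which separates PSK/ID problems from ModeCfg/phase-2 problems.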
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
