Andreas - thanks for the help. The strict flag got me a little further.
I am beginning to think that SonicOS Enhanced 4.2 is not compatible with
Strongswan. I am trying to set up a roadwarrior VPN scenario, using the
Sonicwall GroupVPN policy. This does not support IKE v2, so I must use
IKE v1. Since Strongswan doesn't support aggressive mode, I need to use
main mode. Haven't had any luck with XAUTH, either. I'm also using
preshared keys.
After spending several hours on this, I cannot even get past phase 1:
r...@mercury:/home/jack# ipsec up test
002 "home" #1: initiating Main Mode
104 "home" #1: STATE_MAIN_I1: initiate
003 "home" #1: ignoring Vendor ID payload [5b362bc820f60007]
003 "home" #1: received Vendor ID payload [RFC 3947]
002 "home" #1: enabling possible NAT-traversal with method 3
106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "home" #1: ignoring Vendor ID payload [404bf439522ca3f6]
003 "home" #1: received Vendor ID payload [XAUTH]
003 "home" #1: received Vendor ID payload [Dead Peer Detection]
003 "home" #1: NAT-Traversal: Result using RFC 3947: i am NATed
108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "home" #1: ModeCfg message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "home" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
I've got complete control over the Sonicwall, and all I see in the logs:
Received packet retransmission. Drop duplicate packet
Received unencrypted packet in crypto active state
Received notify: PAYLOAD_MALFORMED
I know the crypto settings match between ipsec.conf and the
Sonicwall, and the preshared key is set properly in ipsec.secrets.
config setup
    plutodebug=all
    charonstart=yes
    plutostart=yes
    nat_traversal=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=0

# Add connections here.
conn home
    type=tunnel
    auto=add
    authby=secret
    ike=3des-md5-modp1536
    esp=3des-md5
    pfs=no
    auth=esp
    keyexchange=ikev1
    left=aaa.bbb.ccc.ddd
    leftnexthop=gateway ip address on roadwarrior side
    leftsubnet=aaa.bbb.ccc.0/24
    leftid=aaa.bbb.ccc.ddd
    right=Sonicwall public address
    rightsubnet=xxx.yyy.zzz.0/24
    right...@sonicwall Unique ID
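As an added illustration (not part of the original post or of strongSwan itself), here is a small Python script that walks the `ipsec up` output above and reports which Main Mode state the initiator reached, which Vendor IDs the peer announced, whether NAT was detected, and why phase 1 stalled; the log lines are embedded as a constructed sample and the `EXPECTED_REPLY` table is an assumption about which reply each initiator state waits for.

```python
import re

# Constructed sample input: the `ipsec up` output from the post, one event per line
# (the wrapped ModeCfg message joined back onto a single line).
SAMPLE_LOG = """\
002 "home" #1: initiating Main Mode
104 "home" #1: STATE_MAIN_I1: initiate
003 "home" #1: received Vendor ID payload [RFC 3947]
002 "home" #1: enabling possible NAT-traversal with method 3
106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "home" #1: received Vendor ID payload [XAUTH]
003 "home" #1: received Vendor ID payload [Dead Peer Detection]
003 "home" #1: NAT-Traversal: Result using RFC 3947: i am NATed
108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "home" #1: ModeCfg message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "home" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
"""

# pluto prefixes each status line with a 3-digit code, the conn name and the SA number.
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'(STATE_(?:MAIN|AGGR|QUICK)_[IR]\d)')
VID_RE = re.compile(r'received Vendor ID payload \[(?P<vid>[^\]]+)\]')
MODECFG_RE = re.compile(r'ModeCfg message is unacceptable .* \(state=(?P<state>\w+)\)')

# Assumed mapping: the Main Mode reply each initiator state is waiting for.
EXPECTED_REPLY = {"STATE_MAIN_I1": "MR1", "STATE_MAIN_I2": "MR2", "STATE_MAIN_I3": "MR3"}

def diagnose(log: str) -> dict:
    """Summarise how far an IKEv1 Main Mode negotiation got and why it stalled."""
    result = {"conn": None, "last_state": None, "vendor_ids": [],
              "nat_detected": False, "phase1_complete": False, "problems": []}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a pluto status line
        result["conn"] = m.group("conn")
        msg = m.group("msg")
        if (s := STATE_RE.search(msg)):
            result["last_state"] = s.group(1)
        if (v := VID_RE.search(msg)):
            result["vendor_ids"].append(v.group("vid"))
        if "i am NATed" in msg:
            result["nat_detected"] = True
        if "ISAKMP SA established" in msg:
            result["phase1_complete"] = True
        if (c := MODECFG_RE.search(msg)):
            result["problems"].append(f"peer sent a ModeCfg exchange while phase 1 was still in {c.group('state')}")
        if "retransmission" in msg and result["last_state"] in EXPECTED_REPLY:
            result["problems"].append(f"no {EXPECTED_REPLY[result['last_state']]} received; retransmitting {result['last_state']}")
    return result

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```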
N(INVAL_SYN) is sometimes returned if the peer does not recognize or
support all crypto proposals. Have you tried to restrict it to simple
ones as e.g.
ike=aes128-sha1-modp2048!
Do not forget to set the strict flag '!' so that only this suite is
proposed.
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users