<div dir="ltr">Hello,<div><br></div><div><div>I followed the SonicWall manual to the letter, but after 48h the tunnel drops and there is no possibility of bringing the tunnel up from either side.</div><div>I can only bring it up by logging into the SonicWall and clicking renegotiate on the VPN. (I restart ipsec and force the tunnel up and it does not work; only renegotiate in the SonicWall works.)</div><div><br></div><div>The parameters you quoted to me, "In SonicWall, activate keepalive in the Advanced tab; in ipsec.conf put auto=start", I have them as you told me, following the tutorial.</div><div><br></div><div>I give you routing table 220:</div><div>ip route show table 220</div><div>172.20.1.0/24 dev eth0 scope link</div><div><br></div><div>I only see the route of the SonicWall VPN; I have 3 more up.</div><div>2 Cisco and a Zyxel.</div><div><br></div><div>Something similar happens to me with all of them: there is no traffic, and only from one side, or by renegotiating, does the VPN work correctly.</div><div>If you need more data, I'll give it to you.</div><div>I also give you the iptables in case it helps (masking the IPs).</div></div><div><br></div><div><div>~# iptables -L</div>
<div>-- START ---</div>
<div>Chain INPUT (policy DROP)</div>
<div>target prot opt source destination</div>
<div>ACCEPT all -- anywhere anywhere</div>
<div>ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK</div>
<div>ACCEPT all -- anywhere anywhere state ESTABLISHED</div>
<div>ACCEPT all -- anywhere anywhere state RELATED</div>
<div>ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535</div>
<div>ACCEPT icmp -- anywhere anywhere icmp echo-reply</div>
<div>ACCEPT icmp -- anywhere anywhere icmp destination-unreachable</div>
<div>ACCEPT icmp -- anywhere anywhere icmp source-quench</div>
<div>ACCEPT icmp -- anywhere anywhere icmp time-exceeded</div>
<div>ACCEPT icmp -- anywhere anywhere icmp parameter-problem</div>
<div>ACCEPT tcp -- anywhere anywhere tcp dpt:ssh</div>
<div>ACCEPT tcp -- anywhere anywhere tcp dpt:auth</div>
<div>ACCEPT icmp -- anywhere anywhere icmp echo-request</div>
<div>ACCEPT tcp -- anywhere anywhere tcp dpt:domain</div>
<div>ACCEPT udp -- anywhere anywhere udp dpt:domain</div>
<div>ACCEPT tcp -- anywhere anywhere tcp dpt:http</div>
<div>ACCEPT tcp -- anywhere anywhere tcp dpt:https</div>
<div>ACCEPT tcp -- anywhere anywhere tcp multiport dports smtp,submission</div>
<div>ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp</div>
<div>ACCEPT tcp -- anywhere anywhere tcp multiport dports pop3,pop3s</div>
<div>ACCEPT tcp -- anywhere anywhere tcp multiport dports imap2,imap3,imaps</div>
<div>ACCEPT tcp -- anywhere anywhere tcp dpts:webmin:10010</div>
<div>ACCEPT tcp -- anywhere anywhere tcp dpt:20000</div>
<div>ACCEPT ah -- anywhere anywhere</div>
<div>ACCEPT esp -- anywhere anywhere</div>
<div>ACCEPT udp -- anywhere anywhere udp dpt:isakmp</div>
<div>ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t</div>
<div>ACCEPT udp -- anywhere anywhere udp dpts:re-mail-ck:58</div>
<div>ACCEPT tcp -- anywhere anywhere tcp dpts:re-mail-ck:58</div>
<div>ACCEPT all -- 172.20.1.0/24 anywhere</div>
<div>ACCEPT all -- 192.168.4.0/24 anywhere</div>
<div>ACCEPT all -- 192.168.1.0/24 anywhere</div>
<div>ACCEPT all -- 192.168.3.0/24 anywhere</div>
<div>ACCEPT all -- 192.168.3.0/24 anywhere</div>
<div>ACCEPT all -- 192.168.6.0/24 anywhere</div>
<div><br></div>
<div>Chain FORWARD (policy ACCEPT)</div>
<div>target prot opt source destination</div>
<div>ACCEPT all -- 172.20.1.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp</div>
<div>ACCEPT all -- 10.200.1.0/24 172.20.1.0/24 policy match dir out pol ipsec reqid 1 proto esp</div>
<div>ACCEPT all -- 10.200.1.0/24 192.168.3.0/24 policy match dir out pol ipsec reqid 1 proto esp</div>
<div>ACCEPT all -- 192.168.3.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp</div>
<div>ACCEPT all -- 192.168.4.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp</div>
<div>ACCEPT all -- 10.200.1.0/24 192.168.4.0/24 policy match dir out pol ipsec reqid 1 proto esp</div>
<div>ACCEPT all -- 192.168.6.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp</div>
<div>ACCEPT all -- 10.200.1.0/24 192.168.6.0/24 policy match dir out pol ipsec reqid 1 proto esp</div>
<div>ACCEPT all -- 192.168.6.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp</div>
<div>ACCEPT all -- 10.200.1.0/24 192.168.1.0/24 policy match dir out pol ipsec reqid 1 proto esp</div>
<div>ACCEPT all -- 192.168.1.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp</div>
<div><br></div>
<div>Chain OUTPUT (policy ACCEPT)</div>
<div>target prot opt source destination</div>
<div>ACCEPT udp -- anywhere 205.red-80-32-138.staticip.rima-tde.net udp dpt:isakmp</div>
<div>ACCEPT esp -- anywhere 205.red-80-32-138.staticip.rima-tde.net</div>
<div>ACCEPT udp -- anywhere 8x.1xx.1.2x.static.user.ono.com udp dpt:isakmp</div>
<div>ACCEPT esp -- anywhere 8x.1xx.1.2x.static.user.ono.com</div>
<div>ACCEPT udp -- anywhere default udp dpt:isakmp</div>
<div>ACCEPT esp -- anywhere default</div></div><div>----- END --- </div><div><br></div><div><div>As I understand it, the table 220 routes are not necessary as long as this is correct in the policies. (Maybe I misunderstood.)</div><div><br></div><div>ip xfrm policy</div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0</div>
<div> socket in priority 0 ptype main</div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0</div>
<div> socket out priority 0 ptype main</div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0</div>
<div> socket in priority 0 ptype main</div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0</div>
<div> socket out priority 0 ptype main</div>
<div>src ::/0 dst ::/0</div>
<div> socket in priority 0 ptype main</div>
<div>src ::/0 dst ::/0</div>
<div> socket out priority 0 ptype main</div>
<div>src ::/0 dst ::/0</div>
<div> socket in priority 0 ptype main</div>
<div>src ::/0 dst ::/0</div>
<div> socket out priority 0 ptype main</div>
<div><br></div><div>When I force the VPN up, the correct routes appear.</div><div>Also, the Debian box on which I have installed strongSwan does not reach any subnet of any VPN that is up.
I do not know if this is normal.</div></div><div><br></div><div>Thank you!</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-03-19 10:38 GMT+01:00 Faycal BEKHTI <span dir="ltr"><<a href="mailto:f.bekhti@paris-turf.com" target="_blank">f.bekhti@paris-turf.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p dir="auto" style="text-align:left;margin-top:25px;margin-bottom:25px;font-family:sans-serif;font-size:11pt;color:black;background-color:white">
Hello,</p>
<p dir="auto" style="text-align:left;margin-top:25px;margin-bottom:25px;font-family:sans-serif;font-size:11pt;color:black;background-color:white">
In SonicWall, activate keepalive in the Advanced tab; in ipsec.conf put auto=start<br>
</p>
<p dir="auto" style="text-align:left;margin-top:25px;margin-bottom:25px;font-family:sans-serif;font-size:11pt;color:black;background-color:white">
<a href="https://support.sonicwall.com/kb/sw13753" target="_blank">https://support.sonicwall.com/kb/sw13753</a> </p>
<p dir="auto" style="text-align:left;margin-top:25px;margin-bottom:25px;font-family:sans-serif;font-size:11pt;color:black;background-color:white">
</p>
<p dir="auto" style="text-align:left;margin-top:25px;margin-bottom:25px;font-family:sans-serif;font-size:11pt;color:black;background-color:white">
Download <a href="https://aka.ms/ghei36" target="_blank">Outlook for Android</a></p>
<br>
<p></p>
<hr style="display:inline-block;width:98%">
<div id="m_2827124066695723616divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Users <<a href="mailto:users-bounces@lists.strongswan.org" target="_blank">users-bounces@lists.strongswan.org</a>> on behalf of Jordi Casanellas <<a href="mailto:matalaaranya@gmail.com" target="_blank">matalaaranya@gmail.com</a>><br>
<b>Sent:</b> Friday, March 17, 2017 8:10:57 AM<br>
<b>To:</b> <a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a><br>
<b>Subject:</b> [strongSwan] Two problems with cisco and sonicwall.</font>
<div> </div>
</div><div><div class="h5">
<div>
<div dir="auto">Hello,
<div dir="auto"><br>
</div>
<div dir="auto">I'm have a strongswan configured to connect sonicwall. The tunnel its ok and work perfectly but 8h disconect and not renegociate, but in sonicwall click in button renegociate and work perfectly. Can you help me?.</div>
<div dir="auto"><br>
</div>
<div dir="auto">With cisco asa i'm have a another problem only up tunnel, create ping on cisco to strongswan. </div>
<div dir="auto"><br>
</div>
<div dir="auto">In my strongswan not working ping to any subnet vpn. </div>
<div dir="auto"><br>
</div>
<div dir="auto">Thank you! </div>
</div>
</div>
</div></div></div>
</blockquote></div><br></div>
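One way to let strongSwan recover the SonicWall tunnel on its own, as an added example that is not part of this thread and not the poster's configuration: an ipsec.conf connection that pairs auto=start with Dead Peer Detection, closeaction=restart and unlimited keying tries, and that sets the SA lifetimes explicitly so that both ends agree on them. The peer address, the IKE version, PSK authentication and the lifetime values are assumptions; only the 10.200.1.0/24 and 172.20.1.0/24 subnets come from the iptables output in the thread.

```conf
# Added example, not taken from the thread: a strongSwan site-to-site
# connection to a SonicWall peer, written so that the tunnel is re-initiated
# automatically instead of waiting for someone to click "renegotiate" on the
# appliance. Values marked as assumptions must be adapted to the real peer.

conn sonicwall
    keyexchange=ikev1          # assumption: peer is configured for IKEv1 main mode
    authby=secret              # assumption: pre-shared key kept in ipsec.secrets
    left=%defaultroute         # local public address (taken from the default route)
    leftsubnet=10.200.1.0/24   # local subnet behind strongSwan (from the thread)
    right=203.0.113.10         # placeholder: SonicWall public address
    rightsubnet=172.20.1.0/24  # remote subnet behind the SonicWall (from the thread)

    # State the lifetimes explicitly and make them match the appliance, so that
    # neither side lets the SA expire while the other still believes it is up.
    ikelifetime=28800s         # assumption: equal to the SonicWall phase 1 lifetime
    lifetime=3600s             # assumption: equal to the SonicWall phase 2 lifetime

    # Dead Peer Detection: when the peer stops answering, drop the stale SA and
    # rebuild the tunnel rather than leaving it dead until a manual renegotiate.
    dpddelay=30s
    dpdtimeout=120s            # IKEv1 only; ignored for IKEv2
    dpdaction=restart

    # If the peer deletes the SA itself (for example on lifetime expiry),
    # re-initiate instead of staying down, and never give up retrying.
    closeaction=restart
    keyingtries=%forever

    auto=start
```

Two checks worth doing before touching routing. First, `ip xfrm policy` in the thread lists only socket policies and table 220 holds a single route; charon installs the xfrm policies and the table 220 route for a connection when its CHILD_SA comes up and removes them when it goes down, so that output says no CHILD_SA is installed at that moment, and `ipsec statusall` is the place to confirm which connections are actually established. Second, for the gateway's own pings: a packet generated on the Debian host itself only matches the IPsec policy when its source address lies inside leftsubnet, so either ping with `-I` and an address in 10.200.1.0/24 or extend leftsubnet to include the host's address; the FORWARD rules in the thread do not apply to locally generated traffic, and OUTPUT has an ACCEPT policy, so iptables is not what blocks those pings.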