<html xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1>
<p class=MsoNormal>I am trying to establish a site-to-site VPN from strongSwan 5.9.2 to a SonicWALL device where strongSwan acts as an IKEv2 initiator. The tunnel comes up when swanctl.conf specifies a virtual IP address via a vips statement and the SonicWALL has the remote network set to "Use IKEv2 Pool (Check this to support IKEv2 Config Payload)". The IP address (/32) is allocated to the strongSwan initiator, and the tunnel works as expected.</p>
<p class=MsoNormal>However, I am trying to have a larger subnet behind the strongSwan initiator and thus use manual IP assignment. So, seemingly in accordance with the strongSwan Virtual IP guide, I removed the "vips" statement from swanctl.conf, added a "local_ts" statement to swanctl.conf, and finally configured the SonicWALL device with a remote network specified by "Choose destination network from list", with the chosen address object matching the network specified on the strongSwan initiator in the local_ts statement. When I attempt to start this connection, however, the connection never completes. strongSwan keeps retrying the connection while the SonicWALL shows the following error:</p>
<p class=MsoNormal>IKEv2 Payload processing error</p>
<p class=MsoNormal>VPN Policy: &lt;correct name of VPN policy&gt;</p>
<p class=MsoNormal>Type: CONFIG Payload</p>
<p class=MsoNormal>Is strongSwan somehow still requesting an IP address via IKEv2 config payload? This sort of scenario seems relatively simple and works between two SonicWALL devices. Others on the web document success with the concept too, for example here:</p>
<p class=MsoNormal>http://koo.fi/blog/2015/04/04/vpn-between-strongswan-and-sonicwall/</p>
<p class=MsoNormal>However, this example and all discussion of such scenarios I have found use the legacy ipsec.conf config. Have I somehow misinterpreted how to implement this scenario using the modern swanctl.conf configuration?</p>
<p class=MsoNormal>Thanks.</p>
</div></body></html>