[strongSwan] Connection to Sonicwall Pro 3060

Andreas Steffen andreas.steffen at strongswan.org
Sun Aug 1 21:15:18 CEST 2010


Hi,

you don't define any leftid, so that by default the IPv4 address of
the strongSwan box is used. It might be that Sonicwall expects a
leftid of type FQDN.

Regards

Andreas

On 07/31/2010 11:29 PM, Michael Hieb wrote:
> I need help getting a linux laptop to connect to office VPN running on
> Sonicwall Pro 3060. Apologies in advance if I have missed something in
> the manual or public domain, I really don't know how to take this
> further to determine what settings are required. Any clue appreciated. I
> 
> I have confirmed the required settings with office sysadmin who
> recommends running a windows client (I am on linux - no windows machine).
> I have set up strongswan as follows:
> 
> sombra:~ # ipsec --version
> Linux strongSwan U4.3.4/K2.6.31.12-0.2-default
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
> 
> sombra:~ # cat /etc/ipsec.conf
> config setup
>        plutodebug=all
>        crlcheckinterval=10m
>        strictcrlpolicy=yes
> 
> conn %default
>      ikelifetime=60m
>      keylife=20m
>      rekeymargin=3m
>      keyingtries=1
> 
> conn office
>      keyexchange=ikev1
>      type=tunnel
>      left=%defaultroute
>      leftfirewall=yes
>      right=vpn.office.com
>      rightid="@0006B10CCE90"
>      auto=add
>      auth=esp
>      esp=3des-md5
>      ike=3des-md5-modp1024
>      pfs=no
>      authby=secret
> 
> With IKEv1 I get the following:
> 
> sombra:~ # ipsec start
> Starting strongSwan 4.3.4 IPsec [starter]...
> sombra:~ # ipsec up cairn
> 002 "cairn" #1: initiating Main Mode
> 104 "cairn" #1: STATE_MAIN_I1: initiate
> 003 "cairn" #1: ignoring Vendor ID payload [5b362bc820f60006]
> 106 "cairn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "cairn" #1: ignoring Vendor ID payload [404bf439522ca3f6]
> 003 "cairn" #1: received Vendor ID payload [XAUTH]
> 003 "cairn" #1: received Vendor ID payload [Dead Peer Detection]
> 108 "cairn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "cairn" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> 002 "cairn" #1: Peer ID is ID_FQDN: '@0006B10CCE90'
> 002 "cairn" #1: ISAKMP SA established
> 004 "cairn" #1: STATE_MAIN_I4: ISAKMP SA established
> 002 "cairn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> 112 "cairn" #2: STATE_QUICK_I1: initiate
> 010 "cairn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "cairn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> ^C
> 
> With IKEv2 I get the following:
> sombra:~ # ipsec start
> Starting strongSwan 4.3.4 IPsec [starter]...
> sombra:~ # ipsec up office-ikev2
> initiating IKE_SA office-ikev2[1] to xx.xxx.xxx.x
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.1.100[500] to xx.xxx.xxx.x[500]
> received packet: from xx.xxx.xxx.x[500] to 192.168.1.100[500]
> parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
> received INVALID_SYNTAX notify error


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
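
A check for the point made in the reply, as an added example that is not part of the original thread: it parses an ipsec.conf, merges `conn %default` into each conn, and reports which local IKE identity each conn will send. The sample is constructed from the configuration quoted above; the `office-fqdn` conn and `@laptop.example.org` are hypothetical, and `also=` inheritance is not handled.

```python
import re

# Constructed sample modelled on the ipsec.conf quoted in this thread, plus a
# hypothetical second conn ("office-fqdn", "@laptop.example.org") for contrast.
SAMPLE_CONF = '''\
config setup
       plutodebug=all

conn %default
     keyingtries=1

conn office
     left=%defaultroute
     right=vpn.office.com
     rightid="@0006B10CCE90"
     authby=secret

conn office-fqdn
     left=%defaultroute
     leftid=@laptop.example.org
     right=vpn.office.com
     rightid="@0006B10CCE90"
'''

def parse_conns(text):
    """Return {conn_name: {key: value}} with conn %default merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        header = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if header:                                     # section headers start in column 0
            current = sections.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
        elif current is not None and "=" in line:      # indented key=value inside a conn
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def describe_id(leftid):
    """Classify the local identity; an absent leftid means the IP address is used."""
    if leftid is None:
        return "IP address of left (no leftid set)"
    return ("FQDN " + leftid[1:]) if leftid.startswith("@") else "explicit " + leftid

def local_id_report(text):
    """Map each conn name to the kind of local IKE identity it will present."""
    return {name: describe_id(o.get("leftid")) for name, o in parse_conns(text).items()}
```
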