[strongSwan] Connection to Sonicwall Pro 3060

Michael Hieb michael.hieb at celoso.net
Sat Jul 31 23:29:42 CEST 2010


I need help getting a Linux laptop to connect to the office VPN running on
Sonicwall Pro 3060. Apologies in advance if I have missed something in
the manual or public domain, I really don't know how to take this
further to determine what settings are required. Any clue appreciated. I

I have confirmed the required settings with office sysadmin who
recommends running a Windows client (I am on Linux - no Windows machine).
I have set up strongSwan as follows:

sombra:~ # ipsec --version
Linux strongSwan U4.3.4/K2.6.31.12-0.2-default
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

sombra:~ # cat /etc/ipsec.conf
config setup
       plutodebug=all
       crlcheckinterval=10m
       strictcrlpolicy=yes

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1

conn office
     keyexchange=ikev1
     type=tunnel
     left=%defaultroute
     leftfirewall=yes
     right=vpn.office.com
     rightid="@0006B10CCE90"
     auto=add
     auth=esp
     esp=3des-md5
     ike=3des-md5-modp1024
     pfs=no
     authby=secret

With IKEv1 I get the following:

sombra:~ # ipsec start
Starting strongSwan 4.3.4 IPsec [starter]...
sombra:~ # ipsec up cairn
002 "cairn" #1: initiating Main Mode
104 "cairn" #1: STATE_MAIN_I1: initiate
003 "cairn" #1: ignoring Vendor ID payload [5b362bc820f60006]
106 "cairn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "cairn" #1: ignoring Vendor ID payload [404bf439522ca3f6]
003 "cairn" #1: received Vendor ID payload [XAUTH]
003 "cairn" #1: received Vendor ID payload [Dead Peer Detection]
108 "cairn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "cairn" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
002 "cairn" #1: Peer ID is ID_FQDN: '@0006B10CCE90'
002 "cairn" #1: ISAKMP SA established
004 "cairn" #1: STATE_MAIN_I4: ISAKMP SA established
002 "cairn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
112 "cairn" #2: STATE_QUICK_I1: initiate
010 "cairn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "cairn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
^C

With IKEv2 I get the following:

sombra:~ # ipsec start
Starting strongSwan 4.3.4 IPsec [starter]...
sombra:~ # ipsec up office-ikev2
initiating IKE_SA office-ikev2[1] to xx.xxx.xxx.x
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.100[500] to xx.xxx.xxx.x[500]
received packet: from xx.xxx.xxx.x[500] to 192.168.1.100[500]
parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
received INVALID_SYNTAX notify error
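
Added example, not part of the original post: a small Python triage of the IKEv1 `ipsec up` output above, reporting the last state each exchange reached and how many retransmissions it logged. The sample lines are taken from that output; the function name `triage` and the verdict strings are assumptions of this sketch.

```python
import re

# Constructed sample: a subset of the pluto (IKEv1) status lines shown in the post.
SAMPLE = '''\
002 "cairn" #1: initiating Main Mode
003 "cairn" #1: received Vendor ID payload [XAUTH]
108 "cairn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "cairn" #1: STATE_MAIN_I4: ISAKMP SA established
112 "cairn" #2: STATE_QUICK_I1: initiate
010 "cairn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "cairn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
'''

# <3-digit status code> "<connection>" #<exchange number>: <message>
LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
STATE = re.compile(r'^(STATE_[A-Z0-9_]+): (.*)$')
VENDOR = re.compile(r'^received Vendor ID payload \[(.+)\]$')

def triage(text):
    """Summarise each exchange (#n): last state, retransmit count, verdict."""
    exchanges, vendor_ids = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # shell prompts, ^C, blank lines
        _code, _conn, num, msg = m.groups()
        ex = exchanges.setdefault(
            int(num), {"state": None, "retransmits": 0, "established": False})
        v = VENDOR.match(msg)
        if v:
            vendor_ids.append(v.group(1))  # capabilities the peer announced
        s = STATE.match(msg)
        if s:
            ex["state"] = s.group(1)
            if s.group(2).startswith("retransmission"):
                ex["retransmits"] += 1
            if "established" in s.group(2):
                ex["established"] = True
    for ex in exchanges.values():
        ex["verdict"] = ("established" if ex["established"] else
                         "no reply from peer" if ex["retransmits"] else "incomplete")
    return exchanges, vendor_ids

if __name__ == "__main__":
    result, vids = triage(SAMPLE)
    for num, ex in sorted(result.items()):
        print(f"#{num}: {ex['state']} retransmits={ex['retransmits']} -> {ex['verdict']}")
    print("peer vendor IDs:", vids)
```

On the output in the post this reports exchange #1 (Main Mode) as established and exchange #2 (Quick Mode) as unanswered after two retransmissions, with XAUTH among the vendor IDs the peer sent.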






