[strongSwan] Strongswan connection to Sonicwall Enhanced OS 4.x using IKEv2

Jack Omalley jo57291 at yahoo.com
Fri Sep 17 17:07:38 CEST 2010


Andreas - thanks for the help. The strict flag got me a little further.



I am beginning to think that SonicOS Enhanced 4.2 is not compatible with
Strongswan. I am trying to set up a roadwarrior VPN scenario, using the
Sonicwall GroupVPN policy. This does not support IKE v2, so I must use
IKE v1. Since Strongswan doesn't support aggressive mode, I need to use
main mode. Haven't had any luck with XAUTH, either. I'm also using
preshared keys.



After spending several hours on this, I cannot even get past phase 1:



root at mercury:/home/jack# ipsec up test
002 "home" #1: initiating Main Mode
104 "home" #1: STATE_MAIN_I1: initiate
003 "home" #1: ignoring Vendor ID payload [5b362bc820f60007]
003 "home" #1: received Vendor ID payload [RFC 3947]
002 "home" #1: enabling possible NAT-traversal with method 3
106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "home" #1: ignoring Vendor ID payload [404bf439522ca3f6]
003 "home" #1: received Vendor ID payload [XAUTH]
003 "home" #1: received Vendor ID payload [Dead Peer Detection]
003 "home" #1: NAT-Traversal: Result using RFC 3947: i am NATed
108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "home" #1: ModeCfg message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "home" #1: STATE_MAIN_I3: retransmission; will wait 20s for response



I've got complete control over the Sonicwall, and all I see in the logs is:



Received packet retransmission. Drop duplicate packet
Received unencrypted packet in crypto active state
Received notify: PAYLOAD_MALFORMED


I know the crypto settings match between the ipsec.conf and the
Sonicwall, and the preshared key is set properly in ipsec.secrets.


config setup
        plutodebug=all          # verbose logging from pluto, the IKEv1 daemon
        charonstart=yes
        plutostart=yes
        nat_traversal=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=0

# Add connections here.
conn home
        type=tunnel
        auto=add
        authby=secret           # PSK taken from ipsec.secrets
        ike=3des-md5-modp1536   # one phase-1 suite, no strict '!' flag
        esp=3des-md5
        pfs=no
        auth=esp
        keyexchange=ikev1       # handled by pluto in strongSwan 4.x
        left=aaa.bbb.ccc.ddd
        leftnexthop=gateway ip address on roadwarrior side
        leftsubnet=aaa.bbb.ccc.0/24
        leftid=aaa.bbb.ccc.ddd
        right=Sonicwall public address
        rightsubnet=xxx.yyy.zzz.0/24
        rightid=@Sonicwall Unique ID

N(INVAL_SYN) is sometimes returned if the peer does not recognize or
support all crypto proposals. Have you tried to restrict it to simple
ones as e.g.

  ike=aes128-sha1-modp2048!

Do not forget to set the strict flag '!' so that only this suite is
proposed.
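As an added triage example (not code from the original post and not part of strongSwan), the Python script below parses the pluto transcript quoted earlier in this message and reports how far main mode got and which peer hints are in play: the XAUTH vendor ID, the NAT detection result, the ModeCfg message that pluto rejected because the ISAKMP SA was still incomplete, and the MI3 retransmission. It also checks an ike= proposal string the way the strict-flag hint above suggests: whether it ends in '!', whether it lists a single suite, and whether it contains legacy algorithms such as 3DES and MD5. The log lines are copied from the post; the per-state descriptions, the legacy-algorithm list and the proposal grammar (comma-separated enc-integ-dh suites, trailing '!' = strict, as in strongSwan 4.x) are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Pluto output copied from the "ipsec up" transcript in the post above.
PLUTO_LOG = """\
002 "home" #1: initiating Main Mode
104 "home" #1: STATE_MAIN_I1: initiate
003 "home" #1: ignoring Vendor ID payload [5b362bc820f60007]
003 "home" #1: received Vendor ID payload [RFC 3947]
002 "home" #1: enabling possible NAT-traversal with method 3
106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "home" #1: ignoring Vendor ID payload [404bf439522ca3f6]
003 "home" #1: received Vendor ID payload [XAUTH]
003 "home" #1: received Vendor ID payload [Dead Peer Detection]
003 "home" #1: NAT-Traversal: Result using RFC 3947: i am NATed
108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "home" #1: ModeCfg message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "home" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
"""

# pluto line format: <3-digit code> "<conn>" #<sa>: <message>
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
STATE_RE = re.compile(r"\b(STATE_MAIN_[IR]\d)\b")
VID_RE = re.compile(r"received Vendor ID payload \[([^\]]+)\]")

# Initiator states mapped onto the six main mode messages (assumed descriptions).
MAIN_MODE_PROGRESS = {
    "STATE_MAIN_I1": "MI1 (SA proposals) sent, waiting for MR1",
    "STATE_MAIN_I2": "MI2 (KE, nonce) sent, waiting for MR2",
    "STATE_MAIN_I3": "MI3 (ID, hash; first encrypted message) sent, waiting for MR3",
    "STATE_MAIN_I4": "MR3 received, ISAKMP SA established",
}

@dataclass
class Phase1Report:
    conn: str = ""
    states: list = field(default_factory=list)       # in order first seen
    vendor_ids: list = field(default_factory=list)
    nat_detected: bool = False
    retransmitting: bool = False
    modecfg_before_sa: bool = False

    @property
    def last_state(self):
        return self.states[-1] if self.states else None

def parse_pluto_log(text):
    """Walk pluto's per-SA lines and record how far main mode got."""
    r = Phase1Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        r.conn, msg = m["conn"], m["msg"]
        s = STATE_RE.search(msg)
        if s and s.group(1) not in r.states:
            r.states.append(s.group(1))
        v = VID_RE.search(msg)
        if v:
            r.vendor_ids.append(v.group(1))
        r.nat_detected |= "i am NATed" in msg
        r.retransmitting |= "retransmission" in msg
        r.modecfg_before_sa |= ("ModeCfg message is unacceptable" in msg
                                and "incomplete ISAKMP SA" in msg)
    return r

def diagnose(r):
    """Turn the parsed state into the facts a practitioner checks first."""
    if r.last_state == "STATE_MAIN_I4":
        return ["phase 1 established"]
    notes = ["phase 1 stalled in %s: %s" % (r.last_state,
             MAIN_MODE_PROGRESS.get(r.last_state, "unknown state"))]
    if r.modecfg_before_sa:
        notes.append("peer sent a ModeCfg exchange before the ISAKMP SA was up; pluto discards it")
    if "XAUTH" in r.vendor_ids:
        notes.append("peer advertises XAUTH, so it may expect an XAUTH round after phase 1")
    if r.nat_detected:
        notes.append("initiator is behind NAT; RFC 3947 moves IKE to UDP/4500 from MI3 onward")
    if r.retransmitting:
        notes.append("no usable MR3 arrived; initiator is retransmitting MI3")
    return notes

# Algorithms a current deployment should not be offering (this example's own policy list).
LEGACY_ALGS = {"des", "3des", "md5", "modp768", "modp1024"}

def check_ike_proposal(spec):
    """Parse a strongSwan 4.x ike= value: comma-separated enc-integ-dh suites,
    a trailing '!' meaning strict (the daemon appends no default proposals)."""
    strict = spec.endswith("!")
    suites = [s.split("-") for s in spec.rstrip("!").split(",") if s]
    issues = []
    if not strict:
        issues.append("no strict flag: daemon appends its default proposals")
    if len(suites) > 1:
        issues.append("%d suites listed; offer a single suite while debugging" % len(suites))
    for suite in suites:
        legacy = sorted(set(suite) & LEGACY_ALGS)
        if legacy:
            issues.append("legacy algorithms in %s: %s" % ("-".join(suite), ",".join(legacy)))
    return strict, suites, issues
```

Run against the posted transcript, diagnose(parse_pluto_log(PLUTO_LOG)) reports the stall in STATE_MAIN_I3 together with the early ModeCfg message, the XAUTH vendor ID and the NAT result, so the question of whether the GroupVPN side is waiting for an XAUTH round can be settled before touching ciphers. check_ike_proposal("3des-md5-modp1536") flags the missing strict flag and the legacy suite, while "aes128-sha1-modp2048!" comes back clean.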


