[strongSwan] Strongswan connection to Sonicwall Enhanced OS 4.x using IKEv2
jo57291 at yahoo.com
Fri Sep 17 17:07:38 CEST 2010
Andreas - thanks for the help. The strict flag got me a little further.
I am beginning to think that SonicOS Enhanced 4.2 is not compatible with
Strongswan. I am trying to set up a roadwarrior VPN scenario, using the
Sonicwall GroupVPN policy. This does not support IKE v2, so I must use
IKE v1. Since Strongswan doesn't support aggressive mode, I need to use
main mode. Haven't had any luck with XAUTH, either. I'm also using
After spending several hours on this, I cannot even get past phase 1:
root at mercury:/home/jack# ipsec up test
002 "home" #1: initiating Main Mode
104 "home" #1: STATE_MAIN_I1: initiate
003 "home" #1: ignoring Vendor ID payload [5b362bc820f60007]
003 "home" #1: received Vendor ID payload [RFC 3947]
002 "home" #1: enabling possible NAT-traversal with method 3
106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "home" #1: ignoring Vendor ID payload [404bf439522ca3f6]
003 "home" #1: received Vendor ID payload [XAUTH]
003 "home" #1: received Vendor ID payload [Dead Peer Detection]
003 "home" #1: NAT-Traversal: Result using RFC 3947: i am NATed
108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "home" #1: ModeCfg message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "home" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
I've got complete control over the Sonicwall, and all I see in the logs is:
Received packet retransmission. Drop duplicate packet
Received unencrypted packet in crypto active state
Received notify: PAYLOAD_MALFORMED
I know the crypto settings match between the ipsec.conf and the
Sonicwall, and the preshared key is set properly in ipsec.secrets.
# Add connections here.
leftnexthop=gateway ip address on roadwarrior side
right=Sonicwall public address
rightid=@Sonicwall Unique ID
N(INVAL_SYN) is sometimes returned if the peer does not recognize or
support all crypto proposals. Have you tried to restrict it to simple
ones as e.g.
Do not forget to set the strict flag '!' so that only this suite is
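The kind of restricted, single-suite IKEv1 road-warrior connection the reply is suggesting, written out as an added example for strongSwan 4.x (pluto) rather than the poster's own ipsec.conf; the addresses, identities, subnet and connection name are placeholders:

```ini
# /etc/ipsec.conf (added example; all addresses and IDs are placeholders)
config setup
        nat_traversal=yes      # pluto needs this when the road warrior sits behind NAT
        plutostart=yes         # IKEv1 daemon
        charonstart=no         # IKEv2 daemon not needed for GroupVPN

conn sonicwall
        keyexchange=ikev1
        authby=secret          # preshared key from ipsec.secrets
        # One explicit suite each for IKE and ESP.  The trailing '!' is the
        # strict flag: pluto proposes only this suite instead of its full
        # default list, which some peers reject with INVALID_SYNTAX or
        # PAYLOAD_MALFORMED notifies during phase 1.
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        left=%defaultroute     # road-warrior side, address and nexthop picked from the routing table
        leftid=@roadwarrior.example
        right=203.0.113.1      # placeholder: Sonicwall public address
        rightid=@sonicwall-unique-id
        rightsubnet=10.0.0.0/24   # placeholder: network behind the Sonicwall
        auto=add
```

In Main Mode the identities are sent encrypted, so pluto selects the PSK by peer address; the matching ipsec.secrets line therefore uses the Sonicwall's IP (e.g. `%any 203.0.113.1 : PSK "placeholder"`) rather than the `@` identity.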