[strongSwan] Strongswan connection to Sonicwall Enhanced OS 4.x using IKEv2

Andreas Steffen andreas.steffen at strongswan.org
Fri Sep 17 20:38:04 CEST 2010


Hello Jack,

 > 003 "home" #1: ModeCfg message is unacceptable because it is for an
 > incomplete ISAKMP SA (state=STATE_MAIN_I3)

try

leftsourceip=%config

which will request a virtual IP via ModeConfig.

Regards

Andreas

P.S. We quite successfully interoperated with SonicWall at the
      2008 IKEv2 Interoperability Workshop in San Antonio, TX.

On 09/17/2010 05:07 PM, Jack Omalley wrote:
>
> Andreas - thanks for the help. The strict flag got me a little further.
>
> I am beginning to think that SonicOS Enhanced 4.2 is not compatible with
> Strongswan. I am trying to set up a roadwarrior VPN scenario, using the
> Sonicwall GroupVPN policy. This does not support IKE v2, so I must use
> IKE v1. Since Strongswan doesn't support aggressive mode, I need to use
> main mode. Haven't had any luck with XAUTH, either. I'm also using
> preshared keys.
>
> After spending several hours on this, I cannot even get past phase 1:
>
> root at mercury:/home/jack# ipsec up test
> 002 "home" #1: initiating Main Mode
> 104 "home" #1: STATE_MAIN_I1: initiate
> 003 "home" #1: ignoring Vendor ID payload [5b362bc820f60007]
> 003 "home" #1: received Vendor ID payload [RFC 3947]
> 002 "home" #1: enabling possible NAT-traversal with method 3
> 106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "home" #1: ignoring Vendor ID payload [404bf439522ca3f6]
> 003 "home" #1: received Vendor ID payload [XAUTH]
> 003 "home" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "home" #1: NAT-Traversal: Result using RFC 3947: i am NATed
> 108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "home" #1: ModeCfg message is unacceptable because it is for an
> incomplete ISAKMP SA (state=STATE_MAIN_I3)
> 010 "home" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
>
> I've got complete control over the Sonicwall, and all I see in the logs:
>
> Received packet retransmission. Drop duplicate packet
> Received unencrypted packet in crypto active state
> Received notify: PAYLOAD_MALFORMED
>
> I know the crypto settings match between the ipsec.conf and the
> Sonicwall, and the preshared key is set properly in ipsec.secrets.
>
> config setup
>         plutodebug=all
>         charonstart=yes          # IKEv2 daemon (not used by this IKEv1 conn)
>         plutostart=yes           # IKEv1 daemon, the one producing the log above
>         nat_traversal=yes
>
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=0
>
> # Add connections here.
> conn home
>         type=tunnel
>         auto=add
>         authby=secret
>         ike=3des-md5-modp1536
>         esp=3des-md5
>         pfs=no
>         auth=esp
>         keyexchange=ikev1
>         left=aaa.bbb.ccc.ddd
>         leftnexthop=gateway ip address on roadwarrior side
>         leftsubnet=aaa.bbb.ccc.0/24
>         leftid=aaa.bbb.ccc.ddd
>         right=Sonicwall public address
>         rightsubnet=xxx.yyy.zzz.0/24
>         rightid=@Sonicwall Unique ID
>
>
> > N(INVAL_SYN) is sometimes returned if the peer does not recognize or
> > support all crypto proposals. Have you tried to restrict it to simple
> > ones as e.g.
> >
> > ike=aes128-sha1-modp2048!
> >
> > Do not forget to set the strict flag '!' so that only this suite is
> > proposed.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
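The suggestion in the reply above, written out as a complete roadwarrior conn as an added example (this is not configuration from the thread or from the strongSwan project): it keeps the IKEv1, preshared-key, main-mode settings from the quoted ipsec.conf and adds leftsourceip=%config so that pluto requests a virtual IP from the SonicWall through ModeConfig. The address placeholders are the ones from the post, and left=%defaultroute, charonstart=no and plutodebug=control are assumptions of this example; whether the GroupVPN policy accepts the resulting identities and hands out an address is something to confirm on the SonicWall side, which the thread does not cover.

```conf
# Added example, not from the thread: roadwarrior conn requesting a virtual IP via ModeConfig.
config setup
        plutostart=yes
        charonstart=no           # assumption: IKEv1 only, so the IKEv2 daemon is not needed
        nat_traversal=yes        # the quoted log shows "i am NATed"; keep NAT-T enabled
        plutodebug=control       # "all" is very verbose; widen it only while debugging

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=0

conn home
        keyexchange=ikev1
        authby=secret
        ike=3des-md5-modp1536!   # strict flag: propose only this suite (as advised earlier)
        esp=3des-md5!
        pfs=no
        left=%defaultroute       # assumption: take the local address from the default route
        leftsourceip=%config     # request a virtual IP from the gateway via ModeConfig
                                 # no leftsubnet: the assigned virtual IP becomes the local selector
        leftid=aaa.bbb.ccc.ddd   # placeholder from the post; must match the ID the SonicWall expects
        right=Sonicwall public address       # placeholder, as in the post
        rightid=@Sonicwall Unique ID         # placeholder, as in the post
        rightsubnet=xxx.yyy.zzz.0/24
        auto=add
```

Two things differ from the quoted config on purpose. leftsubnet and leftnexthop are left out: with leftsourceip=%config the virtual IP assigned by the gateway is installed locally and used as the local traffic selector, so a site-style /24 on the roadwarrior side would propose something the GroupVPN policy does not expect. And the strict flag is on both ike= and esp=, so that only the one suite the SonicWall is known to be configured for is offered, which removes proposal mismatch as a variable while the ModeConfig problem is being chased.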