[strongSwan] Site to Site with PSK Error

Chris Arnold carnold at electrichendrix.com
Sun Apr 1 18:58:13 CEST 2012


Ok, I found where to make an ikev2 connection in the sonicwall (instead of aggressive mode, select ikev2). Kept everything else the same. Stop/start IPsec and issue ipsec up teknerds, received the same error on both sides. Let me revisit our current condition:
-Both sides are dhcp on wan
-Site to site using ikev2 PSK
-Crypto Suite is ESP: 3DES/HMAC SHA1 (IKEV2)
Doesn't appear to enter phase 1. On sonicwall side I see ikev2 responder: received ike_sa_init request
-ikev2 VPN policy not found (I verified both a VPN connection and a rule/policy that was auto added by the VPN).
-ikev2 payload processing error

On the strongswan side:
>>> initiating IKE_SA teknerds[1] to sonicwall.publi.ip
>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> sending packet: from 192.168.1.18[500] to sonicwall.publi.ip[500]
>>> received packet: from sonicwall.publi.ip[500] to 192.168.1.18[500]
>>> parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
>>> received INVALID_SYNTAX notify error

Any ideas? The offer to teamviewer still stands (and would pay you to look at it).

Sent from my iPhone

On Apr 1, 2012, at 11:39 AM, Chris Arnold <carnold at electrichendrix.com> wrote:

> Hi Andreas,
> We have to have ikev2 due to a dhcp on the wan. I know this is going to sound stupid but I don't see where to specify ikev2 on the sonicwall. I would be happy to let you connect via teamviewer to see what I am seeing. 
> 
> Sent from my iPhone
> 
> On Apr 1, 2012, at 9:39 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> 
>> Hello Chris,
>> 
>> it seems to be that no IKEv2 connection is defined on the sonicwall
>> side, so the connection setup fails. In earlier posts you tried to
>> connect via IKEv1 which was partially successful. Try to set up an
>> IKEv2 connection on the sonicwall box.
>> 
>> Regards
>> 
>> Andreas
>> 
>> On 04/01/2012 01:47 PM, Chris Arnold wrote:
>>> Thanks Andreas! Commenting out the load line now gets me further. Output from:
>>> ipsec up teknerds
>>> initiating IKE_SA teknerds[1] to sonicwall.publi.ip
>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> sending packet: from 192.168.1.18[500] to sonicwall.publi.ip[500]
>>> received packet: from sonicwall.publi.ip[500] to 192.168.1.18[500]
>>> parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
>>> received INVALID_SYNTAX notify error
>>> 
>>> Logs from sonicwall side:
>>> 04/01/2012 07:36:17.576 Warning VPN IKE IKEv2 Payload processing error strongswan.public.ip, 500 sonicwall.public.ip, 500 Type: SA Payload   
>>> 5 04/01/2012 07:36:17.576 Warning VPN IKE IKEv2 VPN Policy not found strongswan.public.ip, 500 sonicwall.public.ip, 500 No VPN policy for peer gateway :strongswan.public.ip
>>> 6 04/01/2012 07:36:17.576 Info VPN IKE IKEv2 Responder: Received IKE_SA_INIT request strongswan.public.ip, 500 sonicwall.public.ip, 500 
>>> 
>> 
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
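
The initiator output quoted in this thread, run through a small triage script (an added example, not part of the original posts and not strongSwan's own tooling). It parses the message summary lines and reports whether the peer's IKE_SA_INIT response carried an SA payload or only notifies; the function names and the retry/rejected classification are assumptions of this sketch.

```python
import re

# Constructed sample: the initiator-side output quoted in this thread.
SAMPLE_LOG = """\
initiating IKE_SA teknerds[1] to sonicwall.publi.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.publi.ip[500]
received packet: from sonicwall.publi.ip[500] to 192.168.1.18[500]
parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
received INVALID_SYNTAX notify error
"""

# Message summary lines: <verb> <exchange> <request|response> <id> [ payloads ]
MSG_RE = re.compile(
    r"(generating|parsed) ([A-Z_]+) (request|response) (\d+) \[ (.*?) \]")

# Notifies after which an initiator normally retries IKE_SA_INIT instead of
# giving up (assumption of this example: only these two count as retryable).
RETRY_NOTIFIES = {"COOKIE", "INVAL_KE"}


def parse_messages(log_text):
    """Return one dict per message summary line; mail quote prefixes are ignored."""
    messages = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m is None:
            continue
        verb, exchange, kind, mid, payload_text = m.groups()
        payloads = payload_text.split()
        notifies = [p[2:-1] for p in payloads
                    if p.startswith("N(") and p.endswith(")")]
        messages.append({"verb": verb, "exchange": exchange, "kind": kind,
                         "id": int(mid), "payloads": payloads,
                         "notifies": notifies})
    return messages


def triage_sa_init(log_text):
    """Classify the last IKE_SA_INIT response as accepted, retry or rejected."""
    verdict = ("no-response", [])
    for msg in parse_messages(log_text):
        if msg["exchange"] != "IKE_SA_INIT" or msg["kind"] != "response":
            continue
        if "SA" in msg["payloads"]:
            verdict = ("accepted", msg["notifies"])
        elif msg["notifies"] and set(msg["notifies"]) <= RETRY_NOTIFIES:
            verdict = ("retry", msg["notifies"])
        else:
            verdict = ("rejected", msg["notifies"])
    return verdict
```

A "rejected" verdict with no SA payload in the response means the responder refused the request before selecting any proposal, so the place to look next is the responder's own log and policy definition rather than the initiator's crypto settings.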



