[strongSwan] Site to Site with PSK Error
Chris Arnold
carnold at electrichendrix.com
Mon Apr 2 02:18:40 CEST 2012
Wooohoooo! I think I am making headway. I kept seeing, on the sonicwall side, "VPN policy does not exist" in the logs, but I know that the policy did in fact exist. Come to find out, I had typed in the wrong public IP (.36 and should have been .63). Corrected that on the sonicwall and then stop/start strongSwan. Now I get this on the strongSwan side:
ipsec up teknerds
initiating IKE_SA teknerds[1] to sonicwall.publi.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.publi.ip[500]
received packet: from sonicwall.publi.ip[500] to 192.168.1.18[500]
invalid X509 hash length (0) in certreq
CERTIFICATE_REQUEST payload verification failed
IKE_SA_INIT response with message ID 0 processing failed
retransmit 1 of request with message ID 0
Weird, we are not doing certificates. We are using PSK.
Here is ipsec.conf:
config setup
        plutodebug=all
        charonstart=yes
        plutostart=yes
        nat_traversal=yes

conn %default
        ikelifetime=28800s
        keylife=20m
        rekeymargin=3m
        keyingtries=0

# Add connections here.
conn teknerds
        type=tunnel
        auto=add
        auth=esp
        pfs=no
        authby=secret
        left=192.168.1.18
        leftid=@domain.com
        leftsubnet=192.168.1.0/24
        #leftnexthop=gateway ip address on roadwarrior side
        right=sonicwall.publi.ip
        rightsubnet=192.168.123.0/24
        rightid=@00xxxxxxx
        ike=3des-sha1-modp1024!
        keyexchange=ikev2
        esp=3des-sha1!
Logs from sonicwall:
04/01/2012 20:12:09.768 Info VPN IKE IKEv2 Responder: Send IKE_SA_INIT response sonicwall.publi.ip, 500 strongswan.pub.ip, 500 VPN Policy: ELC VPN;
19 04/01/2012 20:12:09.768 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.pub.ip, 500 sonicwall.publi.ip, 500 VPN Policy: ELC VPN; Peer gateway is behind a NAT device
20 04/01/2012 20:12:09.560 Info VPN IKE IKEv2 Accept IKE SA Proposal strongswan.pub.ip, 500 sonicwall.publi.ip, 500 VPN Policy: ELC VPN; 3DES; HMAC_SHA1_96; DH Group 2; IKEv2 InitSPI: 0x1b1ea10e46bd802b; IKEv2 RespSPI: 0xea5d86507c5bb4de
21 04/01/2012 20:12:09.560 Info VPN IKE IKEv2 Responder: Received IKE_SA_INIT request strongswan.pub.ip, 500 sonicwall.publi.ip, 500
22 04/01/2012 20:12:05.560 Warning VPN IKE IKEv2 Initiator: Negotiations failed. Invalid input state. strongswan.pub.ip, 500 75.177.187.225, 500 VPN Policy: ELC VPN; Unable to find a valid input state
23 04/01/2012 20:12:05.560 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.pub.ip, 500 sonicwall.publi.ip, 500 VPN Policy: ELC VPN; Local and Peer gateway are behind a NAT device
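Why a PSK-only initiator still chokes on a certificate request: in IKEv2 the responder may attach a CERTREQ payload to its IKE_SA_INIT response before either side has declared an authentication method, so the initiator parses it regardless of authby=secret. The following is an added example, not code from this thread or from strongSwan itself: it decodes an IKEv2 CERTREQ payload (RFC 7296 section 3.7) and applies a hash-length check modelled on the one behind the "invalid X509 hash length (0) in certreq" line above, assuming (my assumption) that the strongSwan version in use rejected an empty SHA-1 hash list; the sample payloads are constructed.

```python
import struct

# IKEv2 Certificate Encoding value for "X.509 Certificate - Signature"
# (RFC 7296 section 3.6); the hash-length check applies only to this encoding.
ENC_X509_SIGNATURE = 4
SHA1_LEN = 20


def parse_certreq(payload: bytes) -> dict:
    """Parse one CERTREQ payload: generic header (next payload, flags,
    length), one Cert Encoding byte, then the Certification Authority field,
    which for X.509 signature encoding is a list of SHA-1 hashes of CA
    public keys.  Returns the decoded fields plus an 'error' string that
    mirrors the strongSwan diagnostic when the hash list is malformed."""
    if len(payload) < 5:
        raise ValueError("truncated CERTREQ payload")
    next_payload, flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"payload length field {length} != {len(payload)} bytes")
    encoding, data = payload[4], payload[5:]
    result = {"next_payload": next_payload, "critical": bool(flags & 0x80),
              "encoding": encoding, "hashes": [], "error": None}
    if encoding == ENC_X509_SIGNATURE:
        # Assumed check: a non-empty whole number of 20-byte SHA-1 hashes.
        if len(data) < SHA1_LEN or len(data) % SHA1_LEN:
            result["error"] = f"invalid X509 hash length ({len(data)}) in certreq"
            return result
        result["hashes"] = [data[i:i + SHA1_LEN].hex()
                            for i in range(0, len(data), SHA1_LEN)]
    return result


def build_certreq(encoding: int, ca_data: bytes, next_payload: int = 0) -> bytes:
    """Encode a CERTREQ payload; used only to construct the sample input."""
    header = struct.pack("!BBH", next_payload, 0, 5 + len(ca_data))
    return header + bytes([encoding]) + ca_data


# Constructed samples: an empty CERTREQ of the kind the log complains about,
# and a well-formed one advertising two made-up CA key hashes.
EMPTY_CERTREQ = build_certreq(ENC_X509_SIGNATURE, b"")
TWO_CA_CERTREQ = build_certreq(ENC_X509_SIGNATURE,
                               bytes(range(20)) + bytes(range(20, 40)))

if __name__ == "__main__":
    for name, raw in (("empty", EMPTY_CERTREQ), ("two CAs", TWO_CA_CERTREQ)):
        r = parse_certreq(raw)
        print(name, "->", r["error"] or f"{len(r['hashes'])} CA hash(es)")
```

The empty payload reproduces the exact message from the charon log, which is why a responder that sends a bare CERTREQ breaks the exchange even though no certificate will ever be used.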
----- Original Message -----
From: "Chris Arnold" <carnold at electrichendrix.com>
To: users at lists.strongswan.org
Sent: Sunday, April 1, 2012 12:58:13 PM
Subject: Re: [strongSwan] Site to Site with PSK Error
Ok, I found where to make a ikev2 connection in the sonicwall (instead of aggressive mode, select ikev2). Kept everything else the same. Stop/start IPSec and issue IPSec up teknerds, received the same error on both sides. Let me revisit our current condition:
-Both sides are dhcp on wan
-Site to site using ikev2 PSK
-Crypto Suite is ESP: 3DES/HMAC SHA1 (IKEV2)
Doesn't appear to enter phase 1. On sonicwall side I see ikev2 responder: received ike_sa_init request
-ikev2 VPN policy not found (I verified both a VPN connection and a rule/policy that was auto added by the VPN).
-ikev2 payload processing error
On the strongswan side:
>>> initiating IKE_SA teknerds[1] to sonicwall.publi.ip
>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> sending packet: from 192.168.1.18[500] to sonicwall.publi.ip[500]
>>> received packet: from sonicwall.publi.ip[500] to 192.168.1.18[500]
>>> parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
>>> received INVALID_SYNTAX notify error
Any ideas? The offer to teamviewer still stands (and would pay you to look at it).
Sent from my iPhone
On Apr 1, 2012, at 11:39 AM, Chris Arnold <carnold at electrichendrix.com> wrote:
> Hi Andreas,
> We have to have ikev2 due to a dhcp on the wan. I know this is going to sound stupid but I don't see where to specify ikev2 on the sonicwall. I would be happy to let you connect via teamviewer to see what I am seeing.
>
> Sent from my iPhone
>
> On Apr 1, 2012, at 9:39 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>
>> Hello Chris,
>>
>> it seems to be that no IKEv2 connection is defined on the sonicwall
>> side, so the connection setup fails. In earlier posts you tried to
>> connect via IKEv1 which was partially successful. Try to setup an
>> IKEv2 connection on the sonicwall box.
>>
>> Regards
>>
>> Andreas
>>
>> On 04/01/2012 01:47 PM, Chris Arnold wrote:
>>> Thanks Andreas! Commenting out the load line now gets me further. Output from:
>>> ipsec up teknerds
>>> initiating IKE_SA teknerds[1] to sonicwall.publi.ip
>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> sending packet: from 192.168.1.18[500] to sonicwall.publi.ip[500]
>>> received packet: from sonicwall.publi.ip[500] to 192.168.1.18[500]
>>> parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
>>> received INVALID_SYNTAX notify error
>>>
>>> Logs from sonicwall side:
>>> 04/01/2012 07:36:17.576 Warning VPN IKE IKEv2 Payload processing error strongswan.public.ip, 500 sonicwall.public.ip, 500 Type: SA Payload
>>> 5 04/01/2012 07:36:17.576 Warning VPN IKE IKEv2 VPN Policy not found strongswan.public.ip, 500 sonicwall.public.ip, 500 No VPN policy for peer gateway :strongswan.public.ip
>>> 6 04/01/2012 07:36:17.576 Info VPN IKE IKEv2 Responder: Received IKE_SA_INIT request strongswan.public.ip, 500 sonicwall.public.ip, 500
>>>
>>
>> ======================================================================
>> Andreas Steffen andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution! www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users