[strongSwan] Site to Site with PSK Error

Chris Arnold carnold at electrichendrix.com
Mon Apr 2 02:18:40 CEST 2012


Wooohoooo! I think I am making headway. I kept seeing, on the SonicWall side, "VPN policy does not exist" in the logs, but I know that the policy did in fact exist. Come to find out, I had typed in the wrong public IP (.36 and should have been .63). Corrected that on the SonicWall and then stopped/started strongSwan. Now I get this on the strongSwan side:
ipsec up teknerds
initiating IKE_SA teknerds[1] to sonicwall.publi.ip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.18[500] to sonicwall.publi.ip[500]
received packet: from sonicwall.publi.ip[500] to 192.168.1.18[500]
invalid X509 hash length (0) in certreq
CERTIFICATE_REQUEST payload verification failed
IKE_SA_INIT response with message ID 0 processing failed
retransmit 1 of request with message ID 0

Weird, we are not doing certificates. We are using PSK.

Here is ipsec.conf:
config setup
        plutodebug=all
        charonstart=yes
        plutostart=yes
        nat_traversal=yes


conn %default
        ikelifetime=28800s
        keylife=20m
        rekeymargin=3m
        keyingtries=0

# Add connections here.

conn teknerds
        type=tunnel
        auto=add
        auth=esp
        pfs=no
        authby=secret
        left=192.168.1.18
        leftid=@domain.com
        leftsubnet=192.168.1.0/24
        #leftnexthop=gateway ip address on roadwarrior side
        right=sonicwall.publi.ip
        rightsubnet=192.168.123.0/24
        rightid=@00xxxxxxx
        ike=3des-sha1-modp1024!
        keyexchange=ikev2
        esp=3des-sha1!

Logs from SonicWall:
04/01/2012 20:12:09.768 Info VPN IKE IKEv2 Responder: Send IKE_SA_INIT response sonicwall.publi.ip, 500 strongswan.pub.ip, 500 VPN Policy: ELC VPN;
04/01/2012 20:12:09.768 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.pub.ip, 500 sonicwall.publi.ip, 500 VPN Policy: ELC VPN; Peer gateway is behind a NAT device
04/01/2012 20:12:09.560 Info VPN IKE IKEv2 Accept IKE SA Proposal strongswan.pub.ip, 500 sonicwall.publi.ip, 500 VPN Policy: ELC VPN; 3DES; HMAC_SHA1_96; DH Group 2; IKEv2 InitSPI: 0x1b1ea10e46bd802b; IKEv2 RespSPI: 0xea5d86507c5bb4de
04/01/2012 20:12:09.560 Info VPN IKE IKEv2 Responder: Received IKE_SA_INIT request strongswan.pub.ip, 500 sonicwall.publi.ip, 500
04/01/2012 20:12:05.560 Warning VPN IKE IKEv2 Initiator: Negotiations failed. Invalid input state. strongswan.pub.ip, 500 75.177.187.225, 500 VPN Policy: ELC VPN; Unable to find a valid input state
04/01/2012 20:12:05.560 Info VPN IKE IKEv2 NAT device detected between negotiating peers strongswan.pub.ip, 500 sonicwall.publi.ip, 500 VPN Policy: ELC VPN; Local and Peer gateway are behind a NAT device


----- Original Message -----
From: "Chris Arnold" <carnold at electrichendrix.com>
To: users at lists.strongswan.org
Sent: Sunday, April 1, 2012 12:58:13 PM
Subject: Re: [strongSwan] Site to Site with PSK Error

Ok, I found where to make an IKEv2 connection in the SonicWall (instead of aggressive mode, select IKEv2). Kept everything else the same. Stop/start IPsec and issue ipsec up teknerds; received the same error on both sides. Let me revisit our current condition:
-Both sides are DHCP on WAN
-Site to site using IKEv2 PSK
-Crypto suite is ESP: 3DES/HMAC SHA1 (IKEv2)
Doesn't appear to enter phase 1. On the SonicWall side I see:
-IKEv2 responder: received IKE_SA_INIT request
-IKEv2 VPN policy not found (I verified both a VPN connection and a rule/policy that was auto-added by the VPN).
-IKEv2 payload processing error

On the strongswan side:
>>> initiating IKE_SA teknerds[1] to sonicwall.publi.ip
>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> sending packet: from 192.168.1.18[500] to sonicwall.publi.ip[500]
>>> received packet: from sonicwall.publi.ip[500] to 192.168.1.18[500]
>>> parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
>>> received INVALID_SYNTAX notify error

Any ideas? The offer to TeamViewer still stands (and I would pay you to look at it).

Sent from my iPhone

On Apr 1, 2012, at 11:39 AM, Chris Arnold <carnold at electrichendrix.com> wrote:

> Hi Andreas,
> We have to have IKEv2 due to DHCP on the WAN. I know this is going to sound stupid, but I don't see where to specify IKEv2 on the SonicWall. I would be happy to let you connect via TeamViewer to see what I am seeing.
> 
> Sent from my iPhone
> 
> On Apr 1, 2012, at 9:39 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> 
>> Hello Chris,
>> 
>> It seems that no IKEv2 connection is defined on the SonicWall
>> side, so the connection setup fails. In earlier posts you tried to
>> connect via IKEv1, which was partially successful. Try to set up an
>> IKEv2 connection on the SonicWall box.
>> 
>> Regards
>> 
>> Andreas
>> 
>> On 04/01/2012 01:47 PM, Chris Arnold wrote:
>>> Thanks Andreas! Commenting out the load line now gets me further. Output from:
>>> ipsec up teknerds
>>> initiating IKE_SA teknerds[1] to sonicwall.publi.ip
>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> sending packet: from 192.168.1.18[500] to sonicwall.publi.ip[500]
>>> received packet: from sonicwall.publi.ip[500] to 192.168.1.18[500]
>>> parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
>>> received INVALID_SYNTAX notify error
>>> 
>>> Logs from sonicwall side:
>>> 04/01/2012 07:36:17.576 Warning VPN IKE IKEv2 Payload processing error strongswan.public.ip, 500 sonicwall.public.ip, 500 Type: SA Payload
>>> 04/01/2012 07:36:17.576 Warning VPN IKE IKEv2 VPN Policy not found strongswan.public.ip, 500 sonicwall.public.ip, 500 No VPN policy for peer gateway :strongswan.public.ip
>>> 04/01/2012 07:36:17.576 Info VPN IKE IKEv2 Responder: Received IKE_SA_INIT request strongswan.public.ip, 500 sonicwall.public.ip, 500
>>> 
>> 
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
> 

_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
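As an added illustration (not strongSwan's or SonicWall's code, and not anything from this thread), the Python parser below models the structural check behind the "invalid X509 hash length (0) in certreq" line at the top of the thread: per RFC 5996 section 3.7, a CERTREQ payload with Cert Encoding 4 (X.509 Certificate - Signature) carries a concatenated list of 20-byte SHA-1 hashes of trusted CAs' SubjectPublicKeyInfo, so a responder that sends zero bytes there gives the initiator nothing to verify. Treating an empty list as a rejection is modelled on the logged message, not taken from strongSwan's source; the sample payloads are constructed, not captured traffic.

```python
import struct

# RFC 5996 3.2 generic payload header: next payload, critical bit/reserved, length
PAYLOAD_HDR = struct.Struct("!BBH")
ENC_X509_SIGNATURE = 4   # Cert Encoding "X.509 Certificate - Signature"
SHA1_LEN = 20            # each CA entry is the SHA-1 hash of a CA's SubjectPublicKeyInfo


class CertReqError(ValueError):
    """Raised when the CERTREQ payload fails structural verification."""


def parse_certreq(payload: bytes) -> dict:
    """Parse one CERTREQ payload; raise CertReqError on malformed input."""
    if len(payload) < PAYLOAD_HDR.size + 1:
        raise CertReqError("payload truncated")
    next_pl, flags, length = PAYLOAD_HDR.unpack_from(payload)
    if length != len(payload):
        raise CertReqError(f"declared length {length} != actual {len(payload)}")
    encoding = payload[PAYLOAD_HDR.size]
    ca_data = payload[PAYLOAD_HDR.size + 1:]
    hashes = []
    if encoding == ENC_X509_SIGNATURE:
        # The CA field must be a whole number of SHA-1 hashes; this model also
        # rejects an empty list, the case the log above reports as (0).
        if len(ca_data) == 0 or len(ca_data) % SHA1_LEN:
            raise CertReqError(f"invalid X509 hash length ({len(ca_data)}) in certreq")
        hashes = [ca_data[i:i + SHA1_LEN] for i in range(0, len(ca_data), SHA1_LEN)]
    return {"next": next_pl, "critical": bool(flags & 0x80),
            "encoding": encoding, "hashes": hashes}


def build_certreq(encoding: int, ca_data: bytes, next_payload: int = 0) -> bytes:
    """Encode a CERTREQ payload (used here only to construct samples)."""
    total = PAYLOAD_HDR.size + 1 + len(ca_data)
    return PAYLOAD_HDR.pack(next_payload, 0, total) + bytes([encoding]) + ca_data


def classify(payload: bytes) -> str:
    """One-line verdict in the style of the charon log line."""
    try:
        return f"ok: {len(parse_certreq(payload)['hashes'])} CA hash(es)"
    except CertReqError as exc:
        return f"rejected: {exc}"


# Constructed sample payloads, not captured traffic.
EMPTY_X509_CERTREQ = build_certreq(ENC_X509_SIGNATURE, b"")
GOOD_X509_CERTREQ = build_certreq(ENC_X509_SIGNATURE, bytes(range(20)) + bytes(range(20, 40)))
```

Running classify() over EMPTY_X509_CERTREQ reproduces the "(0)" rejection, while GOOD_X509_CERTREQ parses to two CA hashes.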
