[strongSwan] strongSwan and SonicWall VPN Tunnel Interface

Mikko Kortelainen mikko.kortelainen at techelp.fi
Tue Mar 5 00:51:07 CET 2013


I am trying to set up a SonicWall "VPN Tunnel Interface" connection to
strongSwan.

I am able to negotiate phase 1, but phase 2 dies with an error like this:

  "cannot respond to IPsec SA request because no connection is known for
  0.0.0.0/0===1.2.3.4[1.2.3.4]...5.6.7.8[5.6.7.8]===0.0.0.0/0"

(IPs obviously obfuscated)

So it seems the SonicWall is proposing all zeroes networks on both sides.
Otherwise it is a completely normal ipsec tunnel. I can actually negotiate
phase 2 as well if I put this in my ipsec.conf:


  leftsubnet=0.0.0.0/0
  rightsubnet=0.0.0.0/0


But after that, all connectivity is lost, because everything gets routed to
the tunnel, including traffic to the remote gateway, I guess.

So, I guess my question is this: is it possible to tell strongSwan not to
do anything with the routing tables after negotiating phase1+2
successfully? I would like to manage routing myself after that.

There would be multiple remote sites, with connectivity between them
through the strongSwan host. Some networks would have default routes to
the Internet through the ipsec tunnels. This is the tricky bit. A couple
of endpoints have SonicWalls, and their "VPN Tunnel Interface" thingy seems
like the only sensible option for this, because only that allows routing
tables to be used to toss packets into ipsec tunnels.

Is this kind of setup possible with strongSwan?

I am using version 4.5.2 at the moment, with ikev1.

--
Mikko Kortelainen
mikko.kortelainen at techelp.fi
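Added example (not from the poster and not strongSwan project code): the usual way to get "0.0.0.0/0 on both sides without hijacking the routing table" on Linux is a route-based setup. The wildcard policies are negotiated as the SonicWall proposes them, but they are bound to a Netfilter mark, and a VTI device carrying that mark is what routes packets into the tunnel; unmarked traffic, including IKE/ESP to the peer itself, never matches the policy. The script writes the two config fragments and the ip/sysctl commands. Assumptions, labelled in the comments: charon.install_routes in strongswan.conf (the direct answer to "do not touch routing"), the mark= keyword in ipsec.conf, a kernel and iproute2 with "mode vti" (Linux 3.6 or later), and a strongSwan release where charon handles IKEv1 (5.x; in 4.5.2 IKEv1 is done by pluto, which has neither marks nor install_routes). Addresses, device name and mark value are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the strongSwan project.
# Route-based IPsec: strongSwan negotiates 0.0.0.0/0 <-> 0.0.0.0/0 but leaves
# routing alone; a Linux VTI device plus a Netfilter mark decides what enters
# the tunnel. Assumptions: charon.install_routes, the mark= keyword, "mode vti"
# support (Linux 3.6+), charon-based IKEv1 (strongSwan 5.x), and root for the
# ip/sysctl calls. All addresses, names and the mark value are placeholders.
set -eu

LOCAL_IP=${LOCAL_IP:-1.2.3.4}          # this host (placeholder)
REMOTE_IP=${REMOTE_IP:-5.6.7.8}        # SonicWall (placeholder)
REMOTE_NET=${REMOTE_NET:-10.20.0.0/16} # network behind the SonicWall (placeholder)
VTI_DEV=${VTI_DEV:-vti0}
MARK=${MARK:-42}                       # must equal mark= in ipsec.conf and key on the VTI

# strongswan.conf fragment: stop charon from installing routes (routing table 220).
render_strongswan_conf() {
    printf 'charon {\n    install_routes = no\n}\n'
}

# ipsec.conf fragment: the wildcard selectors the SonicWall proposes, but the
# resulting XFRM policies only match packets that carry the VTI mark.
render_ipsec_conf() {
    cat <<EOF
conn sonicwall-vti
    keyexchange=ikev1
    left=$LOCAL_IP
    leftsubnet=0.0.0.0/0
    right=$REMOTE_IP
    rightsubnet=0.0.0.0/0
    mark=$MARK
    auto=start
EOF
}

# Commands that create the VTI (key = mark) and route chosen prefixes into it.
# Only what is routed via the device gets marked, so the default route and the
# route to $REMOTE_IP itself stay on the physical interface.
render_vti_commands() {
    cat <<EOF
ip tunnel add $VTI_DEV local $LOCAL_IP remote $REMOTE_IP mode vti key $MARK
ip link set $VTI_DEV up
sysctl -w net.ipv4.conf.$VTI_DEV.disable_policy=1
ip route add $REMOTE_NET dev $VTI_DEV
EOF
}

# Run the commands above (needs root). Guarded so the script is safe to source.
apply_vti() {
    render_vti_commands | while IFS= read -r cmd; do
        $cmd
    done
}

if [ "${VTI_APPLY:-0}" = 1 ]; then
    render_strongswan_conf > /etc/strongswan.d/vti-no-routes.conf
    apply_vti
fi
```

Run with VTI_APPLY=1 as root after placing the ipsec.conf fragment; without it the script only defines the functions so the fragments can be inspected first. Further prefixes (other remote sites, or a default route for a network that should reach the Internet through the tunnel) are plain "ip route add ... dev vti0" entries, which is exactly the "manage routing myself" model the post asks for.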