[strongSwan] sonicwall with main mode

Alejandro Valcarcel - ODEC avalcarcel at odec.es
Thu Feb 26 14:22:13 CET 2015


Hello,

in this scenario:

vpn server: ike psk + xauth, sonicwall tz210 SonicOS Enhanced 5.9.0.7-17o

vpn client: CentOS 6

[root at localhost strongswan]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-504.8.1.el6.x86_64, x86_64):
  uptime: 39 minutes, since Feb 26 04:28:14 2015
  malloc: sbrk 405504, mmap 0, used 313104, free 92400
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp


In the file /etc/strongswan/strongswan.d/charon.conf I added these lines:
   accept_unencrypted_mainmode_messages = yes
   initiator_only = yes

conn vlc
auto=add
type=tunnel
#aggressive=yes
keyexchange=ikev1
#
# configure the local side
#
left=%defaultroute
leftsourceip=%config
leftauth=psk
leftid=GroupVPN
leftauth2=xauth
xauth=client
xauth_identity=user
leftfirewall=yes
#
# configure the remote side
#
right=host.domain.name
rightid=001122334455667788
rightsubnet="192.168.4.0/24"
rightauth=psk
#
# configure the proposals
#
keyingtries=1
ike=3des-sha1-modp1024
ikelifetime=28800s
esp=3des-sha1
lifetime=28800s


[root at localhost strongswan]# strongswan up vlc
initiating Main Mode IKE_SA vlc[2] to 62.43.189.77
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.197.133[500] to 62.43.189.77[500] (188 bytes)
received packet: from 62.43.189.77[500] to 192.168.197.133[500] (112 bytes)
parsed ID_PROT response 0 [ SA V V ]
received unknown vendor ID: 5b:36:2b:c8:20:f6:00:08
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.197.133[500] to 62.43.189.77[500] (244 bytes)
received packet: from 62.43.189.77[500] to 192.168.197.133[500] (276 bytes)
parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
received XAuth vendor ID
received DPD vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.197.133[4500] to 62.43.189.77[4500] (76 bytes)
received packet: from 62.43.189.77[4500] to 192.168.197.133[4500] (76 bytes)
queueing TRANSACTION request as tasks still active
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.197.133[4500] to 62.43.189.77[4500] (76 bytes)
received packet: from 62.43.189.77[4500] to 192.168.197.133[4500] (64 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IDir '62.43.189.77' does not match to '001122334455667788'
deleting IKE_SA vlc[2] between 192.168.197.133[GroupVPN]...62.43.189.77[%any]
sending DELETE for IKE_SA vlc[2]
generating INFORMATIONAL_V1 request 3927973628 [ HASH D ]
sending packet: from 192.168.197.133[4500] to 62.43.189.77[4500] (84 bytes)
connection 'vlc' established successfully



I have established the connection OK with aggressive mode.
But now I'm trying to configure the connection with main mode and get this:
IDir '62.43.189.77' does not match to '001122334455667788'

Please, I need help identifying what I'm doing wrong.

Thanks.


--
Alejandro Valcarcel Garcia
Responsable de sistemas y comunicaciones
ODEC - Construimos Soluciones

avalcarcel at odec.es - http://www.odec.es - Calle Vicent Macip, 1 (46701)
Gandia SPAIN - T: +34 962 860 466 ext 1292 - M: +34 699 679 435
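Added example, not part of the original post and not strongSwan's own code: a small Python parser for the charon output of `strongswan up`, run here over the log lines quoted in the post, that pulls out the negotiated mode, the peer's advertised vendor IDs, NAT detection and the IDir mismatch, and turns them into troubleshooting findings. The hint it prints about `rightid` rests on a general property of IKEv1 Main Mode with PSK (the ID payload is only sent after the DH exchange, so a responder is normally identified by its IP address, which is exactly the IDir the log shows); the function and field names are my own, and the sample log is the post's output with the mail-client asterisks and line wrapping removed.

```python
import re

# Log excerpt copied from the post above (charon output of "strongswan up vlc"),
# rejoined onto single lines; used as sample input for the parser.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA vlc[2] to 62.43.189.77
generating ID_PROT request 0 [ SA V V V V ]
parsed ID_PROT response 0 [ SA V V ]
received unknown vendor ID: 5b:36:2b:c8:20:f6:00:08
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
received XAuth vendor ID
received DPD vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
parsed ID_PROT response 0 [ ID HASH ]
*IDir '62.43.189.77' does not match to '001122334455667788*'
deleting IKE_SA vlc[2] between 192.168.197.133[GroupVPN]...62.43.189.77[%any]
sending DELETE for IKE_SA vlc[2]
"""

MODE_RE = re.compile(r"initiating (Main|Aggressive) Mode IKE_SA (\S+)\[\d+\] to (\S+)")
IDIR_RE = re.compile(r"IDir '([^']+)' does not match to '([^']+)'")
VENDOR_RE = re.compile(r"received (.+?) vendor ID")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_ike_log(text):
    """Extract the Phase 1 facts a troubleshooter needs from charon log lines."""
    summary = {
        "mode": None, "conn": None, "peer": None, "vendor_ids": [],
        "behind_nat": False, "idir_received": None, "idir_expected": None,
        "ike_sa_deleted": False,
    }
    for raw in text.splitlines():
        # Mail clients wrap the error line in '*' (bold markers); drop them.
        line = raw.strip().replace("*", "")
        m = MODE_RE.search(line)
        if m:
            summary["mode"], summary["conn"], summary["peer"] = m.groups()
            continue
        m = VENDOR_RE.search(line)
        if m:
            summary["vendor_ids"].append(m.group(1))
            continue
        if "local host is behind NAT" in line:
            summary["behind_nat"] = True
            continue
        m = IDIR_RE.search(line)
        if m:
            summary["idir_received"], summary["idir_expected"] = m.groups()
            continue
        if line.startswith("deleting IKE_SA"):
            summary["ike_sa_deleted"] = True
    return summary


def diagnose(summary):
    """Turn the parsed facts into plain-language findings."""
    findings = []
    rec, exp = summary["idir_received"], summary["idir_expected"]
    if rec and exp:
        findings.append(f"peer identity mismatch: received IDir '{rec}', "
                        f"but rightid is configured as '{exp}'")
        if summary["mode"] == "Main" and IPV4_RE.match(rec):
            # In IKEv1 Main Mode with PSK the ID is sent only after the DH
            # exchange, so responders commonly identify by IP address.
            findings.append(f"peer identified itself by IP address in Main Mode; "
                            f"set rightid={rec} (or rightid=%any) so the "
                            f"configured identity matches the received IDir")
    if summary["behind_nat"] and not any(v.startswith("NAT-T") for v in summary["vendor_ids"]):
        findings.append("local host is behind NAT but the peer advertised no NAT-T support")
    if summary["ike_sa_deleted"]:
        findings.append("IKE_SA was deleted: Phase 1 did not complete")
    return findings


if __name__ == "__main__":
    parsed = parse_ike_log(SAMPLE_LOG)
    print(f"{parsed['mode']} Mode to {parsed['peer']}, vendor IDs: {parsed['vendor_ids']}")
    for finding in diagnose(parsed):
        print("-", finding)
```

To use it on a live system, pipe the output of `strongswan up <conn>` (or the charon lines from syslog) into `parse_ike_log` instead of the embedded sample; the findings list is what you would check before touching the configuration.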

