[strongSwan] IKEv2 Initiator for Site-to-site to SonicWALL

Sasha Jevtic sjevtic at virtualspectrum.net
Fri Oct 1 17:34:45 CEST 2021


I am trying to establish a site-to-site VPN from strongSwan 5.9.2 to a
SonicWALL device where strongSwan acts as an IKEv2 initiator.  The
tunnel comes up when swanctl.conf specifies a virtual IP address via a
"vips" statement and the SonicWALL has the remote network set to "Use
IKEv2 Pool (Check this to support IKEv2 Config Payload)".  The IP
address (/32) is allocated to the strongSwan initiator, and the tunnel
works as expected.

However, I am trying to have a larger subnet behind the strongSwan
initiator and thus use manual IP assignment.  So, seemingly in
accordance with the strongSwan Virtual IP guide, I removed the "vips"
statement from swanctl.conf, added a "local_ts" statement to
swanctl.conf and finally configured the SonicWALL device with a remote
network specified by "Choose destination network from list" with the
chosen address object matching the network specified on the strongSwan
initiator in the "local_ts" statement.  When I attempt to start this
connection, however, the connection never completes.  strongSwan keeps
retrying the connection while the SonicWALL shows the following error:

    IKEv2 Payload processing error
    VPN Policy: <correct name of VPN policy>
    Type: CONFIG Payload

Is strongSwan somehow still requesting an IP address via an IKEv2 config
payload?  This sort of scenario seems relatively simple and works
between two SonicWALL devices.  Others on the web document success with
the concept too, for example here:

http://koo.fi/blog/2015/04/04/vpn-between-strongswan-and-sonicwall/

However, this example and all discussion of such scenarios I have found
use the legacy ipsec.conf config.  Have I somehow misinterpreted how to
implement this scenario using the modern swanctl.conf configuration?

Thanks.
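For reference, this is the shape of a swanctl.conf site-to-site connection in which strongSwan initiates IKEv2 and requests no virtual IP, the children's local_ts/remote_ts carrying the static subnets instead. It is an added illustration, not the poster's configuration and not taken from the strongSwan project: the connection name, identities, addresses, subnets, proposals and pre-shared key are hypothetical placeholders and would have to match what the SonicWALL policy is set to.

```conf
# Added example, not from the original post. Every name, address and
# subnet below is a placeholder; the proposals are assumed to match the
# peer's policy.
connections {
    to-sonicwall {
        version = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.1

        local {
            auth = psk
            id = vpn-initiator.example.net
        }
        remote {
            auth = psk
            id = 198.51.100.1
        }

        # No "vips" entry: the subnet behind the initiator is declared
        # statically in local_ts below rather than requested from a pool.
        proposals = aes256-sha256-modp2048

        children {
            site {
                # Network behind strongSwan (must equal the SonicWALL's
                # "destination network" address object).
                local_ts  = 192.0.2.0/24
                # Network behind the SonicWALL.
                remote_ts = 10.10.0.0/16
                esp_proposals = aes256-sha256
                start_action = start
                dpd_action   = restart
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    ike-sonicwall {
        id     = 198.51.100.1
        secret = "CHANGE-ME-before-use"
    }
}
```

After `swanctl --load-all`, `swanctl --initiate --child site` brings the CHILD_SA up by name and `swanctl --list-sas` shows the negotiated traffic selectors. To answer the question of whether a config payload is still being sent, look at charon's own log rather than the SonicWALL's: each outgoing message is logged with its payload list, and a configuration request shows up there as `CPRQ(...)` in the `generating IKE_AUTH request 1 [ ... ]` line. If that token is present with vips removed, the initiator is still asking for an address; if it is absent, the SonicWALL's complaint is about something else in the exchange and the policy type on its side (pool versus chosen network) is the next thing to compare.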


