Discussion:
Strongswan connection to Sonicwall Enhanced OS 4.x using IKEv2
Jack Omalley
2010-09-14 20:50:07 UTC
Has anyone gotten Strongswan to connect (using IKEv2) to a Sonicwall running Enhanced OS 4.x? I have spent several hours on this, and have gotten nowhere.

I've got a stripped down config in a test environment, and when I try to make a connection, I get


***@mercury:/home/user1# ipsec up home
initiating IKE_SA home[1] to xx.xx.xx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.5.209[500] to xx.xx.xx.xxxx[500]
received packet: from xx.xx.xx.xxx[500] to 192.168.5.209[500]
parsed IKE_SA_INIT response 0 [ N(INVAL_SYN) ]
received INVALID_SYNTAX notify error
***@mercury:/home/user1#
Andreas Steffen
2010-09-15 06:32:29 UTC
Hello Jack,

N(INVAL_SYN) is sometimes returned if the peer does not recognize or
support all crypto proposals. Have you tried restricting it to simple
ones, e.g.

  ike=aes128-sha1-modp2048!

Do not forget to set the strict flag '!' so that only this suite is
proposed.

Regards

Andreas
======================================================================
Andreas Steffen andreas.steffen-***@public.gmane.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
Jack Omalley
2010-09-17 15:07:38 UTC
Andreas - thanks for the help. The strict flag got me a little further.

I am beginning to think that SonicOS Enhanced 4.2 is not compatible with
Strongswan. I am trying to set up a roadwarrior VPN scenario, using the
Sonicwall GroupVPN policy. This does not support IKE v2, so I must use
IKE v1. Since Strongswan doesn't support aggressive mode, I need to use
main mode. Haven't had any luck with XAUTH, either. I'm also using
preshared keys.

After spending several hours on this, I cannot even get past phase 1:

***@mercury:/home/jack# ipsec up test
002 "home" #1: initiating Main Mode
104 "home" #1: STATE_MAIN_I1: initiate
003 "home" #1: ignoring Vendor ID payload [5b362bc820f60007]
003 "home" #1: received Vendor ID payload [RFC 3947]
002 "home" #1: enabling possible NAT-traversal with method 3
106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "home" #1: ignoring Vendor ID payload [404bf439522ca3f6]
003 "home" #1: received Vendor ID payload [XAUTH]
003 "home" #1: received Vendor ID payload [Dead Peer Detection]
003 "home" #1: NAT-Traversal: Result using RFC 3947: i am NATed
108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "home" #1: ModeCfg message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "home" #1: STATE_MAIN_I3: retransmission; will wait 20s for response

I've got complete control over the Sonicwall, and all I see in the logs is:

Received packet retransmission. Drop duplicate packet
Received unencrypted packet in crypto active state
Received notify: PAYLOAD_MALFORMED

I know the crypto settings match between the ipsec.conf and the
Sonicwall, and the preshared key is set properly in ipsec.secrets.

config setup
        plutodebug=all
        charonstart=yes
        plutostart=yes
        nat_traversal=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=0

# Add connections here.
conn home
        type=tunnel
        auto=add
        authby=secret
        ike=3des-md5-modp1536
        esp=3des-md5
        pfs=no
        auth=esp
        keyexchange=ikev1
        left=aaa.bbb.ccc.ddd
        leftnexthop=gateway ip address on roadwarrior side
        leftsubnet=aaa.bbb.ccc.0/24
        leftid=aaa.bbb.ccc.ddd
        right=Sonicwall public address
        rightsubnet=xxx.yyy.zzz.0/24
        rightid=@Sonicwall Unique ID
Andreas Steffen
2010-09-17 18:38:04 UTC
Hello Jack,
Post by Jack Omalley
003 "home" #1: ModeCfg message is unacceptable because it is for an
incomplete ISAKMP SA (state=STATE_MAIN_I3)
try

leftsourceip=%config

which will request a virtual IP via ModeConfig.

Regards

Andreas

P.S. We quite successfully interoperated with SonicWall at the
2008 IKEv2 Interoperability Workshop in San Antonio, TX.
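The two fixes suggested in this thread (a reduced, strict ike= proposal, and leftsourceip=%config so an IKEv1 conn can accept the ModeConfig virtual IP the gateway pushes) are easy to lose in a larger ipsec.conf. The shell script below is an added example, not code from the thread or from the strongSwan project. It flattens an ipsec.conf into conn/key/value triples with awk and reports ike=/esp= lines that lack the strict '!' flag or still name 3des, md5 or modp1536 (that legacy list is the example's own choice, not something the thread states), plus any keyexchange=ikev1 conn that has no leftsourceip. The embedded SAMPLE_CONF is constructed to resemble the posted config and uses RFC 5737 documentation addresses; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan.
# Audits an ipsec.conf for:
#   1. ike=/esp= proposals that are not strict ("!") or use legacy
#      algorithms (3des, md5, modp1536 - this example's own list);
#   2. keyexchange=ikev1 conns with no leftsourceip, which cannot accept a
#      ModeConfig-assigned virtual IP (the leftsourceip=%config advice).

# Constructed sample modelled on the posted config; RFC 5737 addresses.
SAMPLE_CONF='config setup
        nat_traversal=yes

conn home
        type=tunnel
        auto=add
        authby=secret
        ike=3des-md5-modp1536
        esp=3des-md5
        keyexchange=ikev1
        left=192.0.2.10
        right=198.51.100.1

conn office
        ike=aes128-sha1-modp2048!
        esp=aes128-sha1!
        keyexchange=ikev2
        leftsourceip=%config
        left=192.0.2.10
        right=198.51.100.2
'

# Read ipsec.conf on stdin; emit one "conn<TAB>key<TAB>value" line per
# setting inside a conn section (config setup, comments, blanks skipped).
flatten_conf() {
    awk '
        /^config[ \t]+/ { conn = ""; next }
        /^conn[ \t]+/   { conn = $2; next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        conn != "" && /=/ {
            line = $0; sub(/^[ \t]+/, "", line)
            key = line; sub(/=.*/, "", key)
            val = line; sub(/^[^=]*=/, "", val)
            print conn "\t" key "\t" val
        }'
}

# One finding per line: "<conn> <ike|esp> not-strict" or "... legacy-algorithm".
audit_proposals() {
    flatten_conf | awk -F'\t' '
        $2 == "ike" || $2 == "esp" {
            if ($3 !~ /!$/)               print $1, $2, "not-strict"
            if ($3 ~ /3des|md5|modp1536/) print $1, $2, "legacy-algorithm"
        }'
}

# One finding per line: "<conn> no-leftsourceip" for IKEv1 conns that never
# request a virtual IP, the situation behind the "ModeCfg message is
# unacceptable" error quoted in the thread.
audit_modeconfig() {
    flatten_conf | awk -F'\t' '
        { seen[$1] = 1 }
        $2 == "keyexchange"  { kx[$1] = $3 }
        $2 == "leftsourceip" { src[$1] = $3 }
        END {
            for (c in seen)
                if (kx[c] == "ikev1" && !(c in src))
                    print c, "no-leftsourceip"
        }'
}

# Stand-alone run over the embedded sample. For a real file use e.g.
#   audit_proposals < /etc/ipsec.conf
printf '%s' "$SAMPLE_CONF" | audit_proposals
printf '%s' "$SAMPLE_CONF" | audit_modeconfig
```

On the sample, conn home is reported four times (ike and esp, each not strict and each legacy) and once for the missing leftsourceip, while conn office is clean. The script only inspects ipsec.conf syntax; a strict proposal still has to be one the peer actually offers, and the INVALID_SYNTAX reply in the first post is what that mismatch looks like on the wire.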