[Swan] ikev2 and win7

Bob Miller bob at computerisms.ca
Sat May 16 00:39:29 EEST 2015


Hi List,

I have been deploying users with the new ikev2 setup, things are working 
pretty good.

I have one question; this firewall has a net-to-net tunnel between 
itself and a sonicwall device, and I am wondering how to get traffic 
from the ikev2 road warriors into that tunnel.  I have been playing with 
iptables, but I am starting to get the feeling that isn't the answer. 
It seems to be more of a routing issue, but I kind of expect that with 
leftsubnet=0.0.0.0/0 it should be able to route to regular internet and 
any tunnel.  I looked through the ipsec.conf page, and it seems 
leftsubnets would be the answer, but when I tried that the conn loaded 
but I could not connect.  Am I overlooking something in the docs 
somewhere?  Do I need to have some extra config on the sonicwall to 
make this work?  Can someone point me at what I need to read?

And for the benefit of the next person scratching their head and 
searching google on this log entry:

invalid last pad octet: 0x 8
ikev2_parent_inI2outR2_tail returned STF_FAIL

In our case, something was wrong with the certificate.  Not sure what; 
as best as I can tell the cert was created the same as the working ones, 
but nevertheless it was necessary to recreate the cert to make it work.

This also showed up here and there with apparently the same root cause:

protocol ID of IKEv2 Delete Payload has an unknown value: 0
"rw-ikev2"[2] 199.247.183.223 #15: malformed payload in packet
"rw-ikev2"[2] 199.247.183.223 #15: sending unencrypted notification 
v2N_INVALID_SYNTAX to 199.247.183.223:1349

>> Does this solve the problem, as xauth does, of multiple clients
>> connecting from behind the same router?
>
> Yes, but you will need newer than 3.12 code for that. We should have
> a developer release out for 3.13 in a day or two. Or you can try your
> luck at the github master branch.

My luck has been pretty good till now, I think better to leave it that 
way.  Looking forward to the new release though...

>
> Paul
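The routing question above comes down to IPsec policy matching rather than iptables: packets from a road warrior that are destined for the far side of the net-to-net tunnel only enter that tunnel if the road-warrior address pool is covered by a child SA of the net-to-net conn. The fragment below is an added illustration of one way to express that in libreswan's ipsec.conf; it is not from the original post, the thread's replies, or the libreswan project. All addresses (RFC 5737 / RFC 1918 ranges), the pool range and the certificate nickname are assumptions, and it assumes the peer device is configured with both local networks for the tunnel.

```ini
# Added example ipsec.conf fragment for libreswan (not from the original post).
# Assumed addressing: local LAN 192.168.1.0/24, remote LAN behind the SonicWall
# 192.168.2.0/24, IKEv2 road-warrior address pool 192.0.2.0/24.
config setup
    protostack=netkey

# Net-to-net tunnel to the SonicWall. leftsubnets={...} makes libreswan
# negotiate one child SA per listed subnet, so both the LAN and the
# road-warrior pool are carried across this tunnel. The SonicWall side must
# list both 192.168.1.0/24 and 192.0.2.0/24 as remote networks for the
# tunnel (assumption: otherwise the second child SA is refused).
conn sonicwall-net2net
    left=203.0.113.1                  # firewall public address (assumed)
    leftsubnets={192.168.1.0/24 192.0.2.0/24}
    right=198.51.100.1                # SonicWall public address (assumed)
    rightsubnet=192.168.2.0/24
    authby=secret
    auto=start

# IKEv2 road-warrior conn. leftsubnet=0.0.0.0/0 makes the firewall the
# client's default gateway; client addresses come from the pool above, so
# their return traffic from the SonicWall LAN matches the second child SA
# of sonicwall-net2net and is decrypted, then re-encrypted toward the client.
conn rw-ikev2
    left=203.0.113.1
    leftsubnet=0.0.0.0/0
    leftcert=firewall-cert            # NSS certificate nickname (assumed)
    right=%any
    rightaddresspool=192.0.2.10-192.0.2.250
    rightid=%fromcert
    ikev2=insist
    authby=rsasig
    auto=add
```

Two things commonly break this even when the conns load: IP forwarding must be enabled on the firewall, and any MASQUERADE rule that gives road warriors internet access must not rewrite the source address of packets heading into the net-to-net tunnel (for example by exempting traffic that will be IPsec-protected with `-m policy --dir out --pol ipsec`), since a NATed source no longer matches the 192.0.2.0/24 policy and falls out of the tunnel.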

