[Swan] SonicWALL

Paul Wouters paul at nohats.ca
Fri Feb 14 23:32:49 UTC 2020


On Fri, 14 Feb 2020, zc2 wrote:

> I am trying to connect to my office's SonicWall TZ300 firewall. The Phase1 
> completes, but the Phase2 fails with the message in the sonicwall's log:
> "IKE Responder: WAN GroupVPN Policy does not allow static IP for Virtual 
> Adapter."

Seems like a configuration issue on the sonicwall, and not something
that can be fixed on the libreswan config side ?

> I tried to set left=%any, but then libreswan throws the following error on
> # ipsec whack --name sonicwall --initiate

%any is for incoming, %defaultroute is for outgoing.

> My ipsec.conf:
> conn sonicwall
>         auto=add
> #        left=%any
>         left=%defaultroute
>         leftid=@GroupVPN
>         leftsubnet=192.168.1.2/32
>         leftxauthclient=yes
>         right=<sonicwallPublicIP>
>         rightid=@<sonicwallID>
>         rightsubnet=10.0.0.0/24
>         keyingtries=0
>         aggressive=yes
>         authby=secret
>         ike=3des-sha1;modp1536
>         pfs=yes
>         phase2alg=3des-sha1;modp1536
>         ikelifetime=8h

This config looks okay; perhaps add leftmodecfgclient=yes as well?

Note that using 3des, sha1 and modp1536 is from around the 1995 era and
really should be upgraded. If your sonicwall can do better, you should
really switch to aes-sha2;modp2048.

Paul


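As an added illustration (not part of Paul's reply or of any libreswan project example), here is the posted conn with the two changes suggested above applied: leftmodecfgclient=yes added next to leftxauthclient=yes, and the 3des-sha1;modp1536 proposals replaced with aes-sha2;modp2048 in both ike= and phase2alg=. Everything else is left as zc2 posted it; <sonicwallPublicIP> and <sonicwallID> remain placeholders, and whether the TZ300 side actually offers AES, SHA-2 and DH group 14 has to be confirmed in the SonicWALL's GroupVPN policy before the stronger proposals will negotiate.

```ini
# /etc/ipsec.conf (example only, assumed to match the posted conn)
conn sonicwall
        auto=add
        # %defaultroute is correct for an outgoing (initiating) connection;
        # %any is only for the responder side.
        left=%defaultroute
        leftid=@GroupVPN
        leftsubnet=192.168.1.2/32
        leftxauthclient=yes
        # Added per the suggestion above: let the client accept a
        # mode-config assigned virtual-adapter address instead of a static one.
        leftmodecfgclient=yes
        right=<sonicwallPublicIP>
        rightid=@<sonicwallID>
        rightsubnet=10.0.0.0/24
        keyingtries=0
        aggressive=yes
        authby=secret
        # Upgraded from 3des-sha1;modp1536, which should no longer be used.
        ike=aes-sha2;modp2048
        pfs=yes
        phase2alg=aes-sha2;modp2048
        ikelifetime=8h
```

After editing, reload the conn and bring it up with the same command as in the original post, `ipsec whack --name sonicwall --initiate`, and watch the SonicWALL log to see whether the "static IP for Virtual Adapter" message goes away.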