[Swan] SonicWALL
zc2
zc2expert at gmail.com
Sat Feb 15 00:12:20 UTC 2020
Hi Paul, thank you for the fast response!
On 2/14/2020 6:32 PM, Paul Wouters wrote:
> On Fri, 14 Feb 2020, zc2 wrote:
>
>> I am trying to connect to my office's SonicWall TZ300 firewall. The
>> Phase1 completes, but the Phase2 fails with the message in the
>> sonicwall's log:
>> "IKE Responder: WAN GroupVPN Policy does not allow static IP for
>> Virtual Adapter."
>
> Seems like a configuration issue on the sonicwall, and not something
> that can be fixed on the libreswan config side ?
I did not see what could be changed. I even asked sonicwall tech
support, but they were not able to help.
>
>> I tried to set left=%any, but then libreswan throws the following
>> error on
>> # ipsec whack --name sonicwall --initiate
>
> %any is for incoming, %defaultroute is for outgoing.
Got it, so no point in trying that.
>
>> My ipsec.conf:
>> conn sonicwall
>> auto=add
>> # left=%any
>> left=%defaultroute
>> leftid=@GroupVPN
>> leftsubnet=192.168.1.2/32
>> leftxauthclient=yes
>> right=<sonicwallPublicIP>
>> rightid=@<sonicwallID>
>> rightsubnet=10.0.0.0/24
>> keyingtries=0
>> aggressive=yes
>> authby=secret
>> ike=3des-sha1;modp1536
>> pfs=yes
>> phase2alg=3des-sha1;modp1536
>> ikelifetime=8h
>
> This config looks okay; perhaps add leftmodecfgclient=yes as well?
I tried adding that, and now the SonicWall log no longer shows "IKE
Responder: WAN GroupVPN Policy does not allow static IP for Virtual
Adapter.", but libreswan prints this on the console:
004 "sonicwall" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP2048}
010 "sonicwall" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
010 "sonicwall" #1: STATE_XAUTH_I1: retransmission; will wait 1 seconds for response
........
031 "sonicwall" #1: STATE_XAUTH_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our IKEv1 message
000 "sonicwall" #1: starting keying attempt 2 of at most 1, but releasing whack
Please advise.
>
> Note that using 3des, sha1 and modp1536 is from around the 1995 era, and
> really should be upgraded. If your sonicwall can do better, you should
> really switch to aes-sha2;modp2048.
Thank you, I've raised the proposal to AES128-SHA256;Group 14
>
> Paul
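As an added illustration (not from this thread and not libreswan project configuration), here is the conn from the original message with Paul's two suggestions applied side by side: the legacy 3DES/SHA-1/MODP1536 proposal kept only as a commented reference, the AES-128/SHA-256/MODP2048 proposal (DH group 14) in its place, and leftmodecfgclient=yes so the client asks the gateway for its virtual-adapter address through ModeConfig. The angle-bracket placeholders are stand-ins for the poster's values, and dropping the static leftsubnet line is an assumption: the thread only shows that the "does not allow static IP" message disappeared after leftmodecfgclient=yes was added.

```ini
# Added example: hardened version of the conn discussed in this thread.
# Values in <angle brackets> are placeholders, not real addresses or IDs.
conn sonicwall
    auto=add
    left=%defaultroute            # %any is for responders; an initiator uses %defaultroute
    leftid=@GroupVPN
    leftxauthclient=yes           # XAUTH username/password exchange after Phase 1
    leftmodecfgclient=yes         # request the virtual adapter address via ModeConfig
    # leftsubnet=192.168.1.2/32   # assumed: omitted so the gateway assigns the address
                                  # rather than the client pinning a static one
    right=<sonicwallPublicIP>
    rightid=@<sonicwallID>
    rightsubnet=10.0.0.0/24
    keyingtries=0
    aggressive=yes
    authby=secret
    # Legacy proposal from the original post (3DES, SHA-1, 1536-bit MODP):
    # ike=3des-sha1;modp1536
    # phase2alg=3des-sha1;modp1536
    # Upgraded proposal (AES-128, SHA-256, 2048-bit MODP = DH group 14):
    ike=aes128-sha2_256;modp2048
    phase2alg=aes128-sha2_256;modp2048
    pfs=yes
    ikelifetime=8h
```

After editing ipsec.conf, re-add the conn and initiate it with the same `ipsec whack --name sonicwall --initiate` used earlier in the thread; the gateway's accepted Phase 1 parameters are echoed in the STATE_XAUTH_I1 console line (cipher, integ and group), which is the quickest way to confirm the upgraded proposal was actually negotiated.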