[Swan] SonicWALL

zc2 zc2expert at gmail.com
Sat Feb 15 00:12:20 UTC 2020


Hi Paul, thank you for a fast response!

On 2/14/2020 6:32 PM, Paul Wouters wrote:
> On Fri, 14 Feb 2020, zc2 wrote:
>
>> I am trying to connect to my office's SonicWall TZ300 firewall. The 
>> Phase1 completes, but the Phase2 fails with the message in the 
>> sonicwall's log:
>> "IKE Responder: WAN GroupVPN Policy does not allow static IP for 
>> Virtual Adapter."
>
> Seems like a configuration issue on the sonicwall, and not something
> that can be fixed on the libreswan config side ?
I did not see what could be changed. I even asked sonicwall tech 
support, but they were not able to help.

>
>> I tried to set left=%any, but then libreswan throws the following 
>> error on
>> # ipsec whack --name sonicwall --initiate
>
> %any is for incoming, %defaultroute is for outgoing.
Got it, no point in trying that then.

>
>> My ipsec.conf:
>> conn sonicwall
>>         auto=add
>> #        left=%any
>>         left=%defaultroute
>>         leftid=@GroupVPN
>>         leftsubnet=192.168.1.2/32
>>         leftxauthclient=yes
>>         right=<sonicwallPublicIP>
>>         rightid=@<sonicwallID>
>>         rightsubnet=10.0.0.0/24
>>         keyingtries=0
>>         aggressive=yes
>>         authby=secret
>>         ike=3des-sha1;modp1536
>>         pfs=yes
>>         phase2alg=3des-sha1;modp1536
>>         ikelifetime=8h
>
> This config looks okay; perhaps add leftmodecfgclient=yes as well?
I tried to add that, and now the sonicwall log no longer shows that "IKE 
Responder: WAN GroupVPN Policy does not allow static IP for Virtual 
Adapter." message, but libreswan outputs the following to the console:

004 "sonicwall" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting 
CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 
group=MODP2048}
010 "sonicwall" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 
seconds for response
010 "sonicwall" #1: STATE_XAUTH_I1: retransmission; will wait 1 seconds 
for response
........
031 "sonicwall" #1: STATE_XAUTH_I1: 60 second timeout exceeded after 7 
retransmits.  No response (or no acceptable response) to our IKEv1 message
000 "sonicwall" #1: starting keying attempt 2 of at most 1, but 
releasing whack

Please advise.

>
> note that using 3des, sha1 and modp1536 is from around the 1995 era, and
> really should be upgraded. If your sonicwall can do better, you should
> really switch to aes-sha2;modp2048
Thank you, I've raised the proposal to AES128-SHA256;Group 14.

>
> Paul

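The conn from this thread rewritten with the two changes discussed above (ModeCfg client mode instead of a static leftsubnet, and the AES/SHA2/modp2048 proposal), as an added example that is not the poster's or Paul's config. It assumes the SonicWall hands out the virtual adapter address via ModeCfg, that the peer accepts aes128-sha2_256;modp2048, and that the XAUTH user name is given by the placeholder option shown (the thread does not show one); the XAUTH password and PSK still come from ipsec.secrets.

```conf
# Added example, not from the thread. Placeholders in <...> are not real values.
conn sonicwall
        auto=add
        # outgoing connection: bind to the default-route interface
        left=%defaultroute
        # SonicWall GroupVPN group identity
        leftid=@GroupVPN
        # we answer the XAUTH user/password exchange
        leftxauthclient=yes
        # assumed placeholder; the thread does not show a user name
        leftxauthusername=<xauthUser>
        # ask the peer for a virtual adapter address via ModeCfg.
        # No static leftsubnet here: the GroupVPN policy rejects a
        # client-chosen address ("does not allow static IP for Virtual Adapter")
        leftmodecfgclient=yes
        right=<sonicwallPublicIP>
        rightid=@<sonicwallID>
        rightsubnet=10.0.0.0/24
        keyingtries=0
        # aggressive mode is what GroupVPN with a group ID expects; with a PSK
        # it lets an observer attempt offline guessing, so the secret must be
        # long and random
        aggressive=yes
        authby=secret
        # replaces 3des-sha1;modp1536 with AES-128, SHA2-256 and group 14
        ike=aes128-sha2_256;modp2048
        pfs=yes
        phase2alg=aes128-sha2_256;modp2048
        ikelifetime=8h
```

If the XAUTH stage still times out in STATE_XAUTH_I1, the libreswan log (plutodebug=control) shows whether the CFG request ever arrived from the SonicWall, which separates a peer-side policy problem from a local credential problem.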

