<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Alwyn,</p>
<p>Our SonicWall had a hardware failure several months ago and we
are now using something else. Below was my last working
configuration using libreswan to connect to the SonicWall. This
was with Ubuntu 16.04. Of course, your SonicWall settings would
need to match what I was using. I started the vpn from command
line, and this setup would prompt for username and password.<br>
</p>
<p>From /etc/ipsec.conf<br>
</p>
<p>conn JOE<br>
type=tunnel<br>
authby=secret<br>
left=%defaultroute<br>
leftid=@GroupVPN<br>
leftxauthclient=yes<br>
#leftmodecfgclient=yes # new for 3.29<br>
#modecfgpull=yes # new for 3.29<br>
right=www.xxx.yyy.zzz #sonic wall public IP<br>
rightsubnet=10.0.15.0/24<br>
rightxauthserver=yes<br>
#rightmodecfgserver=yes # new for 3.29<br>
rightid=@MYNet<br>
keyingtries=%forever<br>
pfs=no <br>
auto=add<br>
#auth=esp<br>
phase2alg=3des-md5;modp1024<br>
ike=3des-md5;modp1024 <br>
aggressive=yes<br>
#aggrmode=yes # new for 3.29<br>
#ike_frag=yes # new for 3.29<br>
</p>
<p><br>
</p>
<p>From /etc/ipsec.secrets</p>
<p>@GroupVPN @MYNet : PSK "123YOURSECRETHERE456"</p>
<p><br>
</p>
<div class="moz-signature">Joe Huber<br>
<a class="moz-txt-link-abbreviated"
href="mailto:huber.joseph@tx.rr.com">huber.joseph@tx.rr.com</a><br>
<br>
</div>
<div class="moz-cite-prefix">On 2/25/21 8:12 AM, Alwyn Schoeman
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAB1wGQongvKDjmUiRLab_Gdq6_5WteL8wyRJ195d2Oh4XkuoSQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi there,
<div><br>
</div>
<div>First off, the ciphers used are old, I know that but can't
change it.</div>
<div><br>
</div>
<div>I am trying to connect to a SonicWall VPN setup for global
vpn clients.</div>
<div><br>
</div>
<div>I have compiled libreswan to support DH2.</div>
<div><br>
</div>
<div>Client is a laptop on my home network, behind a TP-LINK
router (doing NAT) with a dynamically assigned IP on the WAN.</div>
<div><br>
</div>
<div>My config is the following:</div>
<div><br>
</div>
<div>conn sonic<br>
ikev2=no<br>
leftid=@GroupVPN<br>
leftxauthusername=alwyn<br>
ike=aes_cbc-sha;modp1024<br>
esp=aes_cbc-sha;modp1024<br>
right=<sonicwall IP address><br>
rightid=@C0EAE402FFB8<br>
initial-contact=yes<br>
# nat-ikev1=drafts<br>
# cisco_unity=yes<br>
aggrmode=yes<br>
authby=secret<br>
left=%defaultroute<br>
leftxauthclient=yes<br>
leftmodecfgclient=yes<br>
remote_peer_type=cisco<br>
rightxauthserver=yes<br>
rightmodecfgserver=yes<br>
salifetime=24h<br>
#ikelifetime=1h<br>
ikelifetime=24h<br>
dpdaction=restart<br>
dpdtimeout=60<br>
dpddelay=30<br>
auto=add<br>
rekey=no<br>
modecfgpull=yes<br>
# type=tunnel<br>
# pfs=yes<br>
</div>
<div><br>
</div>
<div>When I restart IPSEC, this is what the log says:</div>
<div><br>
</div>
<div>Feb 25 09:09:03 alwyn-hp pluto[859886]: "sonic": added
IKEv1 connection<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: listening for IKE
messages<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: Kernel supports NIC
esp-hw-offload<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
virbr1 192.168.39.1:500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
virbr1 192.168.39.1:4500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
br-8e1865506143 172.19.0.1:500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
br-8e1865506143 172.19.0.1:4500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
docker0 172.17.0.1:500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
docker0 172.17.0.1:4500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
virbr0 192.168.122.1:500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
virbr0 192.168.122.1:4500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
wlp3s0 192.168.0.140:500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
wlp3s0 192.168.0.140:4500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
lo 127.0.0.1:500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
lo 127.0.0.1:4500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface
lo [::1]:500<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: loading secrets from
"/etc/ipsec.secrets"<br>
Feb 25 09:09:03 alwyn-hp pluto[859886]: loading secrets from
"/etc/ipsec.d/sonic.secrets"<br>
</div>
<div><br>
</div>
<div>wlp3s0 is my wifi interface.</div>
<div><br>
</div>
<div>When I do 'ipsec auto --up sonic' I get the following log:<br>
<br>
003 "tutuka" #1: IKEv1 Aggressive Mode with PSK is vulnerable
to dictionary attacks and is cracked on large scale by TLA's<br>
002 "tutuka" #1: initiating IKEv1 Aggressive Mode connection<br>
110 "tutuka" #1: sent Aggressive Mode request<br>
003 "tutuka" #1: ignoring unknown Vendor ID payload [5b 36 2b
c8 20 f6 00 07]<br>
002 "tutuka" #1: Peer ID is ID_FQDN: '@C0EAE402FFB8'<br>
002 "tutuka" #1: Peer ID is ID_FQDN: '@C0EAE402FFB8'<br>
004 "tutuka" #1: IKE SA established {auth=PRESHARED_KEY
cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1024}<br>
003 "tutuka" #1: received and ignored notification payload:
IPSEC_RESPONDER_LIFETIME<br>
002 "tutuka" #1: XAUTH: Answering XAUTH challenge with
user='alwyn'<br>
004 "tutuka" #1: XAUTH client - possibly awaiting CFG_set
{auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1
group=MODP1024}<br>
003 "tutuka" #1: ignoring informational payload
IPSEC_INITIAL_CONTACT, msgid=00000000, length=28<br>
003 "tutuka" #1: received and ignored notification payload:
IPSEC_INITIAL_CONTACT<br>
002 "tutuka" #1: XAUTH: Successfully Authenticated<br>
004 "tutuka" #1: XAUTH client - possibly awaiting CFG_set
{auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1
group=MODP1024}<br>
002 "tutuka" #1: modecfg: Sending IP request (MODECFG_I1)<br>
003 "tutuka" #1: received Delete SA payload: self-deleting
ISAKMP State #1<br>
002 "tutuka" #1: deleting state (STATE_MODE_CFG_I1) aged
1.361573s and sending notification<br>
</div>
<div><br>
</div>
<div>My noob gut tells me I am supposed to get IP information
sent, but I'm not even sure if I am done authenticating.</div>
<div><br>
</div>
<div>Any input welcome!</div>
<div><br>
</div>
<div>Regards,</div>
<div>
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">Alwyn Schoeman<br>
</div>
</div>
</div>
</div>
</blockquote>
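<p>As an added example (not code from either message in this thread), a small Python tracer that walks the pluto output quoted above and reports how far the IKEv1 XAUTH/ModeCfg exchange got, whether the aggressive-mode PSK warning fired, and which state the SA was in when the peer tore it down. The sample log lines are constructed from the thread; the "IPsec SA established" marker is assumed from libreswan's usual success message and does not appear in the thread.</p>

```python
import re

# Constructed sample: the relevant lines of the 'ipsec auto --up' output quoted in the thread.
SAMPLE_LOG = """\
003 "tutuka" #1: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
004 "tutuka" #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1024}
002 "tutuka" #1: XAUTH: Answering XAUTH challenge with user='alwyn'
002 "tutuka" #1: XAUTH: Successfully Authenticated
002 "tutuka" #1: modecfg: Sending IP request (MODECFG_I1)
003 "tutuka" #1: received Delete SA payload: self-deleting ISAKMP State #1
002 "tutuka" #1: deleting state (STATE_MODE_CFG_I1) aged 1.361573s and sending notification
"""

# Negotiation milestones in order, keyed by the pluto text that marks each one; the last marker is assumed (not in the thread).
MILESTONES = [
    ("ike_sa_established", "IKE SA established"),
    ("xauth_challenge", "Answering XAUTH challenge"),
    ("xauth_ok", "XAUTH: Successfully Authenticated"),
    ("modecfg_request", "Sending IP request (MODECFG_I1)"),
    ("ipsec_sa_established", "IPsec SA established"),
]
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def trace_negotiation(log_text):
    """Walk pluto output and record how far the IKEv1 XAUTH/ModeCfg exchange got."""
    reached, warnings, teardown = [], [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for name, marker in MILESTONES:
            if marker in msg and name not in reached:
                reached.append(name)
        if "vulnerable to dictionary attacks" in msg:
            warnings.append("aggressive mode with PSK: group secret hash exposed to offline guessing")
        if "received Delete SA payload" in msg:
            teardown = "peer deleted the ISAKMP SA"
        st = re.search(r"deleting state \((STATE_[A-Z0-9_]+)\)", msg)
        if st:
            teardown = f"{teardown or 'local delete'} while in {st.group(1)}"
    return {"reached": reached, "warnings": warnings, "teardown": teardown}

def diagnose(result):
    """Answer the thread's question: did authentication finish, and where did it stop?"""
    for milestone, verdict in (("ipsec_sa_established", "tunnel established"),
                               ("xauth_ok", "XAUTH completed; failure is in ModeCfg (no IP assignment received)"),
                               ("ike_sa_established", "IKE SA established but XAUTH did not complete")):
        if milestone in result["reached"]:
            return verdict
    return "phase 1 did not complete"
```

On the thread's log this reports that XAUTH succeeded and the peer deleted the ISAKMP SA while the client was still in STATE_MODE_CFG_I1, so the problem is on the ModeCfg side, not authentication.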
</body>
</html>