<div dir="ltr">Hi there,<div><br></div><div>First off, the ciphers used are old, I know that but can't change it.</div><div><br></div><div>I am trying to connect to a SonicWall VPN setup for global vpn clients.</div><div><br></div><div>I have compiled libreswan to support DH2.</div><div><br></div><div>Client is a laptop on my home network, behind a TP-LINK router (doing NAT) with a dynamically assigned IP on the WAN.</div><div><br></div><div>My config is the following:</div><div><br></div><div>conn sonic<br>        ikev2=no<br>        leftid=@GroupVPN<br>        leftxauthusername=alwyn<br>        ike=aes_cbc-sha;modp1024<br>        esp=aes_cbc-sha;modp1024<br>        right=<sonicwall IP address><br>        rightid=@C0EAE402FFB8<br>        initial-contact=yes<br>        # nat-ikev1=drafts<br>        # cisco_unity=yes<br>        aggrmode=yes<br>        authby=secret<br>        left=%defaultroute<br>        leftxauthclient=yes<br>        leftmodecfgclient=yes<br>        remote_peer_type=cisco<br>        rightxauthserver=yes<br>        rightmodecfgserver=yes<br>        salifetime=24h<br>        #ikelifetime=1h<br>        ikelifetime=24h<br>        dpdaction=restart<br>        dpdtimeout=60<br>        dpddelay=30<br>        auto=add<br>        rekey=no<br>        modecfgpull=yes<br>#       type=tunnel<br>#       pfs=yes<br></div><div><br></div><div>When I restart IPSEC, this is what the log says:</div><div><br></div><div>Feb 25 09:09:03 alwyn-hp pluto[859886]: "sonic": added IKEv1 connection<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: listening for IKE messages<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: Kernel supports NIC esp-hw-offload<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface virbr1 192.168.39.1:500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface virbr1 192.168.39.1:4500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface br-8e1865506143 172.19.0.1:500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface br-8e1865506143 172.19.0.1:4500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface docker0 172.17.0.1:500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface docker0 172.17.0.1:4500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface virbr0 192.168.122.1:500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface virbr0 192.168.122.1:4500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface wlp3s0 192.168.0.140:500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface wlp3s0 192.168.0.140:4500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface lo 127.0.0.1:500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface lo 127.0.0.1:4500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: adding UDP interface lo [::1]:500<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: loading secrets from "/etc/ipsec.secrets"<br>Feb 25 09:09:03 alwyn-hp pluto[859886]: loading secrets from "/etc/ipsec.d/sonic.secrets"<br></div><div><br></div><div>wlp3s0 is my wifi interface.</div><div><br></div><div>When I do 'ipsec auto --up sonic' I get the following log:<br><br>003 "tutuka" #1: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's<br>002 "tutuka" #1: initiating IKEv1 Aggressive Mode connection<br>110 "tutuka" #1: sent Aggressive Mode request<br>003 "tutuka" #1: ignoring unknown Vendor ID payload [5b 36 2b c8  20 f6 00 07]<br>002 "tutuka" #1: Peer ID is ID_FQDN: '@C0EAE402FFB8'<br>002 "tutuka" #1: Peer ID is ID_FQDN: '@C0EAE402FFB8'<br>004 "tutuka" #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1024}<br>003 "tutuka" #1: received and ignored notification payload: IPSEC_RESPONDER_LIFETIME<br>002 "tutuka" #1: XAUTH: Answering XAUTH challenge with user='alwyn'<br>004 "tutuka" #1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1024}<br>003 "tutuka" #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28<br>003 "tutuka" #1: received and ignored notification payload: IPSEC_INITIAL_CONTACT<br>002 "tutuka" #1: XAUTH: Successfully Authenticated<br>004 "tutuka" #1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1024}<br>002 "tutuka" #1: modecfg: Sending IP request (MODECFG_I1)<br>003 "tutuka" #1: received Delete SA payload: self-deleting ISAKMP State #1<br>002 "tutuka" #1: deleting state (STATE_MODE_CFG_I1) aged 1.361573s and sending notification<br></div><div><br></div><div>My noob gut tells me I am supposed to get IP information sent, but I'm not even sure if I am done authenticating.</div><div><br></div><div>Any input welcome!</div><div><br></div><div>Regards,</div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Alwyn Schoeman<br></div></div></div></div>
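A small diagnostic for the `ipsec auto --up` console output quoted in the message, added here as an example and not part of the original post or of libreswan itself: it parses the `<code> "<conn>" #<sa>: <message>` lines, records which milestones of the aggressive-mode / XAUTH / ModeCfg client exchange were reached, and reports whether the peer tore the ISAKMP SA down before the tunnel came up. The milestone strings for IKE SA, XAUTH and the ModeCfg request are taken from the quoted log; the `IPsec SA established` string is an assumption about the line libreswan prints once Phase 2 completes.

```python
import re

# Console format of "ipsec auto --up <conn>": <3-digit code> "<conn>" #<sa>: <message>
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
VENDOR_ID_RE = re.compile(r"ignoring unknown Vendor ID payload \[([0-9a-f ]+)\]")

# Milestones of a successful IKEv1 client bring-up, in order. The first three
# strings appear in the quoted log; "IPsec SA established" is assumed (not in the post).
MILESTONES = (
    ("ike_sa", "IKE SA established"),
    ("xauth_ok", "XAUTH: Successfully Authenticated"),
    ("modecfg_req", "modecfg: Sending IP request"),
    ("ipsec_sa", "IPsec SA established"),
)

# Sample input: the relevant lines from the log quoted in the message above.
SAMPLE = """\
003 "tutuka" #1: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
002 "tutuka" #1: initiating IKEv1 Aggressive Mode connection
003 "tutuka" #1: ignoring unknown Vendor ID payload [5b 36 2b c8  20 f6 00 07]
004 "tutuka" #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1024}
002 "tutuka" #1: XAUTH: Successfully Authenticated
002 "tutuka" #1: modecfg: Sending IP request (MODECFG_I1)
003 "tutuka" #1: received Delete SA payload: self-deleting ISAKMP State #1
"""


def analyze(log_text):
    """Return the milestones reached, unknown vendor IDs seen, and a one-line verdict."""
    reached, vendor_ids, peer_deleted = [], [], False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a pluto console line (banner, prompt, etc.)
        msg = m.group("msg")
        for key, needle in MILESTONES:
            if needle in msg and key not in reached:
                reached.append(key)
        v = VENDOR_ID_RE.search(msg)
        if v:
            vendor_ids.append("".join(v.group(1).split()))  # normalise to one hex string
        if "received Delete SA payload" in msg:
            peer_deleted = True  # responder deleted the ISAKMP SA
    last = reached[-1] if reached else None
    if "ipsec_sa" in reached:
        verdict = "tunnel up"
    elif peer_deleted and last == "modecfg_req":
        verdict = "peer deleted the ISAKMP SA after XAUTH succeeded, before answering the ModeCfg request"
    elif peer_deleted:
        verdict = "peer deleted the ISAKMP SA (last milestone: %s)" % last
    else:
        verdict = "incomplete (last milestone: %s)" % last
    return {"reached": reached, "vendor_ids": vendor_ids, "peer_deleted": peer_deleted, "verdict": verdict}
```

Running `analyze(SAMPLE)` on the quoted log places the failure between the ModeCfg request and its reply, i.e. after XAUTH completed.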