I am trying to connect to a SonicWall VPN using StrongSwan from Linux (Ubuntu). I can connect from a Windows Machine using the SonicWall Global VPN client, which uses a shared secret. Following are the instructions to connect using that client:mc21-colombia
In Linux I would use StrongSwan:
local> ipsec --version
Linux strongSwan U5.3.5/K4.4.0-72-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
My /etc/ipsec.conf
is as follow
conn name-for-connection
right=201.xxx.yyy.zzz,201.aaa.bbb.ccc
rightsubnet=172.16.0.0/12
rightid=@place_id
left=%any
xauth_identity=myuser
keyexchange=ikev2
authby=psk
ike=aes256-sha1-modp2048
esp=aes256-sha1-modp2048
auto=start
And the /etc/ipsec.secret
has the entries:
@place_id : PSK "Sh4r3d53cr37"
myuser : XAUTH "mYp455w0rd"
When running the command sudo ipsec up name-for-connection
I get the following output:
initiating IKE_SA name-for-connection[3] to 201.xxx.yyy.zzz
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.eee[500] to 201.xxx.yyy.zzz[500] (1460 bytes)
received packet: from 201.xxx.yyy.zzz[500] to 192.168.0.eee[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA name-for-connection[3] to 201.xxx.yyy.zzz
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.eee[500] to 201.xxx.yyy.zzz[500] (1332 bytes)
received packet: from 201.xxx.yyy.zzz[500] to 192.168.0.eee[500] (317 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
local host is behind NAT, sending keep alives
sending cert request for "C=NL, O=Example Company, CN=strongSwan Root CA"
no IDi configured, fall back on IP address
authentication of '192.168.0.eee' (myself) with pre-shared key
establishing CHILD_SA name-for-connection
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 1 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 2 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 3 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
retransmit 4 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
retransmit 5 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
giving up after 5 retransmits
peer not responding, trying again (2/3)
establishing connection 'name-to-connection' failed
So, how can I debug this connection or how can establish it?
Best Answer
First, there is a mismatch in your IKE settings. You are asking for modp2048, which is DH Group 14, but the SonicWall is requesting modp1024, which is DH Group 2.
You may also be affected by the following bug. StrongSwan 5.3.5 does not work with SonicWall IKEv1/XAuth firewalls:
https://wiki.strongswan.org/issues/1434
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1608302
Although the bug is for IKEv1, since you are using XAUTH, it may affect you as well. The problem is due to a message sent by the firewall after the username is requested but before the password is requested. This bug was fixed in StrongSwan 5.5.0. Unfortunately, if you are using Ubuntu 16.04 LTS, there is no version of 5.5.0 built for Ubuntu 16.04 that I know of. There is a report you can find with google search where someone reported they had success locally building 5.5.x for Ubuntu 16.04.
Another approach is to use VirtualBox, set up a Windows guest, install the SonicWall GVPN client in the guest, and share the SonicWall VPN adapter connection back to your Ubuntu host. I am presently doing that. The setup is tricky, but once figured out, straightforward to do, and it works. If interested, I can post my method.