Strongswan to Sonicwall 3060 phase 2 negotiation fails...

I’m trying to set up a VPN using Strongswan over openSUSE 12.3 on my home machine to a Sonicwall 3060 at my office. I’ve done this in the past with FreeS/WAN and Openswan, but I’m having trouble getting Strongswan to work. If I understand charon.log correctly, phase 1 is succeeding and phase 2 is failing. I cannot find what I’ve done wrong and I was hoping a second look by someone else might turn up the answer. I have a home router that forwards UDP ports 500 and 4500 to my machine (192.168.1.8). I have confirmed that my machine and the Sonicwall are communicating. How can I get the Strongswan and Sonicwall 3060 phase 2 negotiation to succeed? Thanks in advance.

Here is the sanitized configuration…

Sonicwall Configuration

IP: sonicwall_ip (a routable public IP)

IKE using Preshared Secret
VPN Policy: WAN GroupVPN
Shared Secret: <secret>

dh group: group 2
encryption 3des
auth sha1

proto esp
encryption 3des
auth sha1

pfs no


# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    #charondebug=all
    #charondebug="dmn 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, asn 4, enc 4, tls 4, lib 4, tnc 4, imc 4, imv 4, pts 4"

conn %default
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

# Add connections here.

conn sonicwall
    type=tunnel
    auto=add
    ike=3des-sha1-modp1024
    auth=esp
    esp=3des-sha1
    left=%defaultroute
    leftfirewall=yes
    right=sonicwall_ip
    rightsubnet=10.25.0.0/21


ipsec.secrets

# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.

: PSK "<secret>"
myusername : XAUTH "<password>"


# strongswan.conf - strongSwan configuration file

charon {

    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    plugins {

        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }

    filelog {

        /var/log/charon.log {

            # add a timestamp prefix
            time_format = %b %e %T

            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no

            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1

            # flush each line to disk
            flush_line = yes
        }
    }

}

pluto {

}

libstrongswan {

    #  set to no, the DH exponent size is optimized
    #  dh_exponent_ansi_x9_42 = no

}


>ipsec statusall

Status of IKE charon daemon (strongSwan 5.0.1, Linux 3.7.10-1.11-desktop, x86_64):
uptime: 18 minutes, since Jun 09 20:17:27 2013
malloc: sbrk 2703360, mmap 0, used 491488, free 2211872
worker threads: 4 of 16 idle, 11/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon curl soup ldap pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
Listening IP addresses:
192.168.1.8
Connections:
sonicwall: %any...sonicwall_ip IKEv1
sonicwall: local: [192.168.1.8] uses pre-shared key authentication
sonicwall: remote: [sonicwall_ip] uses pre-shared key authentication
sonicwall: child: dynamic === 10.25.0.0/21 TUNNEL
Security Associations (0 up, 0 connecting):
none


Contents of charon.log

Jun 9 20:17:27 00[DMN] Starting IKE charon daemon (strongSwan 5.0.1, Linux 3.7.10-1.11-desktop, x86_64)
Jun 9 20:17:27 00[LIB] plugin 'mysql' failed to load: /usr/lib64/ipsec/plugins/libstrongswan-mysql.so: cannot open shared object file: No such file or directory
Jun 9 20:17:27 00[LIB] plugin 'sqlite' failed to load: /usr/lib64/ipsec/plugins/libstrongswan-sqlite.so: cannot open shared object file: No such file or directory
Jun 9 20:17:27 00[CFG] attr-sql plugin: database URI not set
Jun 9 20:17:27 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
Jun 9 20:17:27 00[CFG] sql plugin: database URI not set
Jun 9 20:17:27 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jun 9 20:17:27 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jun 9 20:17:27 00[CFG] loaded 0 RADIUS server configurations
Jun 9 20:17:27 00[CFG] missing PDP server name, PDP disabled
Jun 9 20:17:27 00[CFG] HA config misses local/remote address
Jun 9 20:17:27 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Jun 9 20:17:27 00[CFG] coupling file path unspecified
Jun 9 20:17:27 00[LIB] plugin 'coupling': failed to load - coupling_plugin_create returned NULL
Jun 9 20:17:27 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 9 20:17:27 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 9 20:17:27 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 9 20:17:27 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 9 20:17:27 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 9 20:17:27 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 9 20:17:27 00[CFG] loaded IKE secret for %any
Jun 9 20:17:27 00[CFG] loaded EAP secret for myusername
Jun 9 20:17:27 00[TNC] loading IMCs from '/etc/tnc_config'
Jun 9 20:17:27 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Jun 9 20:17:27 00[TNC] TNC recommendation policy is 'default'
Jun 9 20:17:27 00[TNC] loading IMVs from '/etc/tnc_config'
Jun 9 20:17:27 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Jun 9 20:17:27 00[DMN] loaded plugins: charon curl soup ldap pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
Jun 9 20:17:27 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 9 20:17:27 00[JOB] spawning 16 worker threads
Jun 9 20:17:27 13[CFG] received stroke: add connection 'sonicwall'
Jun 9 20:17:27 13[CFG] left nor right host is our side, assuming left=local
Jun 9 20:17:27 13[CFG] added configuration 'sonicwall'
Jun 9 20:17:33 14[CFG] received stroke: initiate 'sonicwall'
Jun 9 20:17:33 11[IKE] initiating Main Mode IKE_SA sonicwall[1] to sonicwall_ip
Jun 9 20:17:33 11[ENC] generating ID_PROT request 0 [ SA V V V ]
Jun 9 20:17:33 11[NET] sending packet: from 192.168.1.8[500] to sonicwall_ip[500]
Jun 9 20:17:33 12[NET] received packet: from sonicwall_ip[500] to 192.168.1.8[500]
Jun 9 20:17:33 12[ENC] parsed ID_PROT response 0 [ SA V V ]
Jun 9 20:17:33 12[ENC] received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
Jun 9 20:17:33 12[IKE] received NAT-T (RFC 3947) vendor ID
Jun 9 20:17:33 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 9 20:17:33 12[NET] sending packet: from 192.168.1.8[500] to sonicwall_ip[500]
Jun 9 20:17:33 13[NET] received packet: from sonicwall_ip[500] to 192.168.1.8[500]
Jun 9 20:17:33 13[ENC] parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
Jun 9 20:17:33 13[IKE] local host is behind NAT, sending keep alives
Jun 9 20:17:33 13[ENC] generating ID_PROT request 0 [ ID HASH ]
Jun 9 20:17:33 13[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:17:33 15[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:17:33 15[IKE] queueing TRANSACTION request as tasks still active
Jun 9 20:17:37 13[IKE] sending retransmit 1 of request message ID 0, seq 3
Jun 9 20:17:37 13[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:17:37 15[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:17:37 15[ENC] payload type ID_V1 was not encrypted
Jun 9 20:17:37 15[ENC] could not decrypt payloads
Jun 9 20:17:37 15[IKE] integrity check failed
Jun 9 20:17:37 15[ENC] generating INFORMATIONAL_V1 request 1635380673 [ HASH N(INVAL_HASH) ]
Jun 9 20:17:37 15[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:17:37 15[IKE] ID_PROT response with message ID 0 processing failed
Jun 9 20:17:44 11[IKE] sending retransmit 2 of request message ID 0, seq 3
Jun 9 20:17:44 11[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:17:44 12[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:17:44 12[ENC] parsed INFORMATIONAL_V1 request 4066911944 [ N(INVAL_IKE_SPI) ]
Jun 9 20:17:44 12[ENC] ignoring unprotected INFORMATIONAL from sonicwall_ip
Jun 9 20:17:44 12[IKE] message verification failed
Jun 9 20:17:44 12[IKE] ignore malformed INFORMATIONAL request
Jun 9 20:17:44 12[IKE] INFORMATIONAL_V1 request with message ID 4066911944 processing failed
Jun 9 20:17:57 15[IKE] sending retransmit 3 of request message ID 0, seq 3
Jun 9 20:17:57 15[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:17:57 11[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:17:57 11[ENC] parsed INFORMATIONAL_V1 request 2929114994 [ N(INVAL_IKE_SPI) ]
Jun 9 20:17:57 11[ENC] ignoring unprotected INFORMATIONAL from sonicwall_ip
Jun 9 20:17:57 11[IKE] message verification failed
Jun 9 20:17:57 11[IKE] ignore malformed INFORMATIONAL request
Jun 9 20:17:57 11[IKE] INFORMATIONAL_V1 request with message ID 2929114994 processing failed
Jun 9 20:18:17 13[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:18:20 15[IKE] sending retransmit 4 of request message ID 0, seq 3
Jun 9 20:18:20 15[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:18:20 11[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:18:20 11[ENC] parsed INFORMATIONAL_V1 request 3424137635 [ N(INVAL_IKE_SPI) ]
Jun 9 20:18:20 11[ENC] ignoring unprotected INFORMATIONAL from sonicwall_ip
Jun 9 20:18:20 11[IKE] message verification failed
Jun 9 20:18:20 11[IKE] ignore malformed INFORMATIONAL request
Jun 9 20:18:20 11[IKE] INFORMATIONAL_V1 request with message ID 3424137635 processing failed
Jun 9 20:18:41 13[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:19:01 15[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:19:02 11[IKE] sending retransmit 5 of request message ID 0, seq 3
Jun 9 20:19:02 11[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:19:02 12[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:19:02 12[ENC] parsed INFORMATIONAL_V1 request 3613100522 [ N(INVAL_IKE_SPI) ]
Jun 9 20:19:02 12[ENC] ignoring unprotected INFORMATIONAL from sonicwall_ip
Jun 9 20:19:02 12[IKE] message verification failed
Jun 9 20:19:02 12[IKE] ignore malformed INFORMATIONAL request
Jun 9 20:19:02 12[IKE] INFORMATIONAL_V1 request with message ID 3613100522 processing failed
Jun 9 20:19:23 15[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:19:43 11[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:20:03 12[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:20:18 13[IKE] giving up after 5 retransmits
Jun 9 20:20:18 13[IKE] establishing IKE_SA failed, peer not responding
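The charon.log above, read milestone by milestone. This is an added example, not code from the thread or from strongSwan: it walks a log excerpt (SAMPLE_LOG is constructed from the lines quoted above) and reports the last Main Mode step reached and which error lines followed; the interpretation strings are the example's own summaries. It also knows the Quick Mode lines charon writes after "IKE_SA ... established", so the same triage works on a log where phase 1 does succeed.

```python
# Added example, not from the thread: triage a charon.log excerpt to see how far an
# IKEv1 Main Mode negotiation got. SAMPLE_LOG is constructed from lines quoted above.
SAMPLE_LOG = """\
Jun 9 20:17:33 11[IKE] initiating Main Mode IKE_SA sonicwall[1] to sonicwall_ip
Jun 9 20:17:33 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 9 20:17:33 13[IKE] local host is behind NAT, sending keep alives
Jun 9 20:17:33 13[ENC] generating ID_PROT request 0 [ ID HASH ]
Jun 9 20:17:37 15[ENC] payload type ID_V1 was not encrypted
Jun 9 20:17:37 15[ENC] could not decrypt payloads
Jun 9 20:17:37 15[IKE] integrity check failed
Jun 9 20:17:44 12[ENC] parsed INFORMATIONAL_V1 request 4066911944 [ N(INVAL_IKE_SPI) ]
Jun 9 20:20:18 13[IKE] giving up after 5 retransmits
Jun 9 20:20:18 13[IKE] establishing IKE_SA failed, peer not responding
"""

# Milestones in the order charon logs them. Quick Mode (phase 2) is only attempted
# after "IKE_SA ... established", so the last milestone reached locates the failure.
MILESTONES = [
    ("initiating Main Mode IKE_SA",            "phase1: SA proposal sent (msg 1)"),
    ("generating ID_PROT request 0 [ KE",      "phase1: DH/nonce sent (msg 3)"),
    ("local host is behind NAT",               "phase1: NAT-T detected, moving to UDP/4500"),
    ("generating ID_PROT request 0 [ ID HASH", "phase1: ID/HASH sent (msg 5), waiting for msg 6"),
    ("IKE_SA sonicwall[1] established",        "phase1: complete"),
    ("generating QUICK_MODE request",          "phase2: Quick Mode started"),
    ("CHILD_SA sonicwall{1} established",      "phase2: complete"),
]
# Error lines and what each tells the reader (summaries written for this example).
FAILURES = [
    ("could not decrypt payloads", "reply to msg 5 could not be decrypted/verified"),
    ("integrity check failed",     "HASH on peer's reply did not verify; charon answers INVAL_HASH"),
    ("N(INVAL_IKE_SPI)",           "peer says it has no IKE_SA for our SPI (half-open SA dropped)"),
    ("giving up after",            "retransmit limit reached; IKE_SA abandoned"),
]

def triage(log):
    reached, errors = [], []
    for line in log.splitlines():
        for needle, label in MILESTONES:
            if needle in line and label not in reached:
                reached.append(label)
        for needle, meaning in FAILURES:
            if needle in line and meaning not in errors:
                errors.append(meaning)
    phase1_ok = "phase1: complete" in reached
    verdict = ("phase 1 complete; check the phase 2 lines" if phase1_ok
               else "phase 1 (Main Mode) never completed, so phase 2 was never attempted")
    return {"last_milestone": reached[-1] if reached else None,
            "phase1_complete": phase1_ok, "errors": errors, "verdict": verdict}
```

Run against the excerpt it reports that the negotiation stalled after message 5, which matches the "0 up, 0 connecting" line in the ipsec statusall output above.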

On 06/10/2013 04:36 AM, j m morgan wrote:
> I’m trying to setup a VPN using Strongswan over openSUSE 12.3

To be clear, is this a new install of 12.3 and it has never
worked…or did it work for a while and then after some update it
stopped working?

(I ask because I see the kernel in use (3.7.10-1.11) was distributed
around the end of May…have you been trying since then to repair a
previously working VPN?)


dd
http://tinyurl.com/DD-Caveat

I had it running on an older version of openSUSE. This is a completely new install and my first experience with Strongswan…

I’ve contacted Sonicwall support and sent them a copy of the log. I’ll post their response when I receive it.

Do you need to install Strongswan separately? I think (not sure about this) network manager has some plugin for it. Could you please try to set up the VPN using network manager?

openSUSE 12.3: Chapter 25. Using NetworkManager

After a long delay, I am back to troubleshooting this problem. First, a correction: the firewall is a Sonicwall NSA 3500. Since I last posted, I’ve moved to openSUSE 13.1. Unfortunately, the problem persists. Sonicwall support, though giving it an honest effort, was not able to offer any assistance. They can’t even explain the error message that is appearing in the firewall logs: VPN Policy: IKEV2_DEFAULT_POLICY; Policy for remote id WAN GroupVPN not found.

Here is what appears in /var/log/messages:

2014-06-09T20:39:24.388961-05:00 <user> charon: 05[IKE] initiating IKE_SA sonicwall[1] to xxx.xxx.xxx.xxx
2014-06-09T20:39:24.389666-05:00 <user> charon: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2014-06-09T20:39:24.392943-05:00 <user> charon: 05[NET] sending packet: from 192.168.1.4[500] to xxx.xxx.xxx.xxx[500] (1000 bytes)
2014-06-09T20:39:24.393800-05:00 <user> charon: 04[NET] error writing to socket: Invalid argument

What do these error messages mean?