I'm trying to set up a VPN using strongSwan on openSUSE 12.3 on my home machine to a Sonicwall 3060 at my office. I've done this in the past with FreeS/WAN and Openswan, but I'm having trouble getting strongSwan to work. If I understand charon.log correctly, phase 1 is succeeding and phase 2 is failing. I cannot find what I've done wrong and I was hoping a second look by someone else might turn up the answer. I have a home router that forwards UDP ports 500 and 4500 to my machine (192.168.1.8). I have confirmed that my machine and the Sonicwall are communicating. How can I get the strongSwan and Sonicwall 3060 phase 2 negotiation to succeed? Thanks in advance.
Here is the sanitized configuration...
Sonicwall Configuration

    IP: sonicwall_ip (a routable public IP)
    IKE using Preshared Secret
    VPN Policy: WAN GroupVPN
    Shared Secret: <secret>

    dh group: group 2
    encryption 3des
    auth sha1

    proto esp
    encryption 3des
    auth sha1
    pfs no
    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration

    config setup
        #charondebug=all
        #charondebug="dmn 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, asn 4, enc 4, tls 4, lib 4, tnc 4, imc 4, imv 4, pts 4"

    conn %default
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

    # Add connections here.

    conn sonicwall
        type=tunnel
        auto=add
        ike=3des-sha1-modp1024
        auth=esp
        esp=3des-sha1
        left=%defaultroute
        leftfirewall=yes
        right=sonicwall_ip
        rightsubnet=10.25.0.0/21
ipsec.secrets

    # This file holds the RSA private keys or the PSK preshared secrets for
    # the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.

    : PSK "<secret>"
    myusername : XAUTH "<password>"
    # strongswan.conf - strongSwan configuration file

    charon {
        # number of worker threads in charon
        threads = 16
        # send strongswan vendor ID?
        # send_vendor_id = yes
        plugins {
            sql {
                # loglevel to log into sql database
                loglevel = -1
                # URI to the database
                # database = sqlite:///path/to/file.db
                # database = mysql://user:password@localhost/database
            }
        }
        filelog {
            /var/log/charon.log {
                # add a timestamp prefix
                time_format = %b %e %T
                # loggers to files also accept the append option to open files in
                # append mode at startup (default is yes)
                append = no
                # the default loglevel for all daemon subsystems (defaults to 1).
                default = 1
                # flush each line to disk
                flush_line = yes
            }
        }
    }

    pluto {
    }

    libstrongswan {
        # set to no, the DH exponent size is optimized
        # dh_exponent_ansi_x9_42 = no
    }
>ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.1, Linux 3.7.10-1.11-desktop, x86_64):
uptime: 18 minutes, since Jun 09 20:17:27 2013
malloc: sbrk 2703360, mmap 0, used 491488, free 2211872
worker threads: 4 of 16 idle, 11/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon curl soup ldap pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
Listening IP addresses:
192.168.1.8
Connections:
sonicwall: %any...sonicwall_ip IKEv1
sonicwall: local: [192.168.1.8] uses pre-shared key authentication
sonicwall: remote: [sonicwall_ip] uses pre-shared key authentication
sonicwall: child: dynamic === 10.25.0.0/21 TUNNEL
Security Associations (0 up, 0 connecting):
none
Contents of charon.log
Jun 9 20:17:27 00[DMN] Starting IKE charon daemon (strongSwan 5.0.1, Linux 3.7.10-1.11-desktop, x86_64)
Jun 9 20:17:27 00[LIB] plugin 'mysql' failed to load: /usr/lib64/ipsec/plugins/libstrongswan-mysql.so: cannot open shared object file: No such file or directory
Jun 9 20:17:27 00[LIB] plugin 'sqlite' failed to load: /usr/lib64/ipsec/plugins/libstrongswan-sqlite.so: cannot open shared object file: No such file or directory
Jun 9 20:17:27 00[CFG] attr-sql plugin: database URI not set
Jun 9 20:17:27 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
Jun 9 20:17:27 00[CFG] sql plugin: database URI not set
Jun 9 20:17:27 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jun 9 20:17:27 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jun 9 20:17:27 00[CFG] loaded 0 RADIUS server configurations
Jun 9 20:17:27 00[CFG] missing PDP server name, PDP disabled
Jun 9 20:17:27 00[CFG] HA config misses local/remote address
Jun 9 20:17:27 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Jun 9 20:17:27 00[CFG] coupling file path unspecified
Jun 9 20:17:27 00[LIB] plugin 'coupling': failed to load - coupling_plugin_create returned NULL
Jun 9 20:17:27 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 9 20:17:27 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 9 20:17:27 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 9 20:17:27 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 9 20:17:27 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 9 20:17:27 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 9 20:17:27 00[CFG] loaded IKE secret for %any
Jun 9 20:17:27 00[CFG] loaded EAP secret for myusername
Jun 9 20:17:27 00[TNC] loading IMCs from '/etc/tnc_config'
Jun 9 20:17:27 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Jun 9 20:17:27 00[TNC] TNC recommendation policy is 'default'
Jun 9 20:17:27 00[TNC] loading IMVs from '/etc/tnc_config'
Jun 9 20:17:27 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Jun 9 20:17:27 00[DMN] loaded plugins: charon curl soup ldap pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
Jun 9 20:17:27 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 9 20:17:27 00[JOB] spawning 16 worker threads
Jun 9 20:17:27 13[CFG] received stroke: add connection 'sonicwall'
Jun 9 20:17:27 13[CFG] left nor right host is our side, assuming left=local
Jun 9 20:17:27 13[CFG] added configuration 'sonicwall'
Jun 9 20:17:33 14[CFG] received stroke: initiate ‘sonicwall’
Jun 9 20:17:33 11[IKE] initiating Main Mode IKE_SA sonicwall[1] to sonicwall_ip
Jun 9 20:17:33 11[ENC] generating ID_PROT request 0 [ SA V V V ]
Jun 9 20:17:33 11[NET] sending packet: from 192.168.1.8[500] to sonicwall_ip[500]
Jun 9 20:17:33 12[NET] received packet: from sonicwall_ip[500] to 192.168.1.8[500]
Jun 9 20:17:33 12[ENC] parsed ID_PROT response 0 [ SA V V ]
Jun 9 20:17:33 12[ENC] received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
Jun 9 20:17:33 12[IKE] received NAT-T (RFC 3947) vendor ID
Jun 9 20:17:33 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 9 20:17:33 12[NET] sending packet: from 192.168.1.8[500] to sonicwall_ip[500]
Jun 9 20:17:33 13[NET] received packet: from sonicwall_ip[500] to 192.168.1.8[500]
Jun 9 20:17:33 13[ENC] parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
Jun 9 20:17:33 13[IKE] local host is behind NAT, sending keep alives
Jun 9 20:17:33 13[ENC] generating ID_PROT request 0 [ ID HASH ]
Jun 9 20:17:33 13[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:17:33 15[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:17:33 15[IKE] queueing TRANSACTION request as tasks still active
Jun 9 20:17:37 13[IKE] sending retransmit 1 of request message ID 0, seq 3
Jun 9 20:17:37 13[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:17:37 15[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:17:37 15[ENC] payload type ID_V1 was not encrypted
Jun 9 20:17:37 15[ENC] could not decrypt payloads
Jun 9 20:17:37 15[IKE] integrity check failed
Jun 9 20:17:37 15[ENC] generating INFORMATIONAL_V1 request 1635380673 [ HASH N(INVAL_HASH) ]
Jun 9 20:17:37 15[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:17:37 15[IKE] ID_PROT response with message ID 0 processing failed
Jun 9 20:17:44 11[IKE] sending retransmit 2 of request message ID 0, seq 3
Jun 9 20:17:44 11[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:17:44 12[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:17:44 12[ENC] parsed INFORMATIONAL_V1 request 4066911944 [ N(INVAL_IKE_SPI) ]
Jun 9 20:17:44 12[ENC] ignoring unprotected INFORMATIONAL from sonicwall_ip
Jun 9 20:17:44 12[IKE] message verification failed
Jun 9 20:17:44 12[IKE] ignore malformed INFORMATIONAL request
Jun 9 20:17:44 12[IKE] INFORMATIONAL_V1 request with message ID 4066911944 processing failed
Jun 9 20:17:57 15[IKE] sending retransmit 3 of request message ID 0, seq 3
Jun 9 20:17:57 15[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:17:57 11[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:17:57 11[ENC] parsed INFORMATIONAL_V1 request 2929114994 [ N(INVAL_IKE_SPI) ]
Jun 9 20:17:57 11[ENC] ignoring unprotected INFORMATIONAL from sonicwall_ip
Jun 9 20:17:57 11[IKE] message verification failed
Jun 9 20:17:57 11[IKE] ignore malformed INFORMATIONAL request
Jun 9 20:17:57 11[IKE] INFORMATIONAL_V1 request with message ID 2929114994 processing failed
Jun 9 20:18:17 13[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:18:20 15[IKE] sending retransmit 4 of request message ID 0, seq 3
Jun 9 20:18:20 15[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:18:20 11[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:18:20 11[ENC] parsed INFORMATIONAL_V1 request 3424137635 [ N(INVAL_IKE_SPI) ]
Jun 9 20:18:20 11[ENC] ignoring unprotected INFORMATIONAL from sonicwall_ip
Jun 9 20:18:20 11[IKE] message verification failed
Jun 9 20:18:20 11[IKE] ignore malformed INFORMATIONAL request
Jun 9 20:18:20 11[IKE] INFORMATIONAL_V1 request with message ID 3424137635 processing failed
Jun 9 20:18:41 13[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:19:01 15[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:19:02 11[IKE] sending retransmit 5 of request message ID 0, seq 3
Jun 9 20:19:02 11[NET] sending packet: from 192.168.1.8[4500] to sonicwall_ip[4500]
Jun 9 20:19:02 12[NET] received packet: from sonicwall_ip[4500] to 192.168.1.8[4500]
Jun 9 20:19:02 12[ENC] parsed INFORMATIONAL_V1 request 3613100522 [ N(INVAL_IKE_SPI) ]
Jun 9 20:19:02 12[ENC] ignoring unprotected INFORMATIONAL from sonicwall_ip
Jun 9 20:19:02 12[IKE] message verification failed
Jun 9 20:19:02 12[IKE] ignore malformed INFORMATIONAL request
Jun 9 20:19:02 12[IKE] INFORMATIONAL_V1 request with message ID 3613100522 processing failed
Jun 9 20:19:23 15[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:19:43 11[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:20:03 12[IKE] sending keep alive to sonicwall_ip[4500]
Jun 9 20:20:18 13[IKE] giving up after 5 retransmits
Jun 9 20:20:18 13[IKE] establishing IKE_SA failed, peer not responding
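As an added diagnostic example (not part of the original post, and not strongSwan's own tooling), the Python below walks charon.log ENC/IKE lines, tracks which IKEv1 Main Mode exchange the initiator got to, and maps the failure signatures seen in the log above to what they usually mean; the embedded sample is a trimmed, constructed copy of the excerpt above.

```python
import re

# Constructed sample: a trimmed copy of the charon.log lines quoted in the post above.
SAMPLE_LOG = """\
Jun 9 20:17:33 11[ENC] generating ID_PROT request 0 [ SA V V V ]
Jun 9 20:17:33 12[ENC] parsed ID_PROT response 0 [ SA V V ]
Jun 9 20:17:33 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 9 20:17:33 13[ENC] parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
Jun 9 20:17:33 13[ENC] generating ID_PROT request 0 [ ID HASH ]
Jun 9 20:17:37 15[ENC] could not decrypt payloads
Jun 9 20:17:37 15[IKE] integrity check failed
Jun 9 20:17:44 12[ENC] parsed INFORMATIONAL_V1 request 4066911944 [ N(INVAL_IKE_SPI) ]
Jun 9 20:20:18 13[IKE] giving up after 5 retransmits
"""

# IKEv1 Main Mode is three round trips: SA (proposal), KE (Diffie-Hellman + nonces) and
# ID/HASH (authentication, the first encrypted messages). Each pattern proves a stage was reached.
STAGES = [
    (re.compile(r"generating ID_PROT request .*\[ SA"), "MM1: sent phase 1 proposal"),
    (re.compile(r"parsed ID_PROT response .*\[ SA"), "MM2: peer accepted a phase 1 proposal"),
    (re.compile(r"generating ID_PROT request .*\[ KE"), "MM3: sent KE and nonce"),
    (re.compile(r"parsed ID_PROT response .*\[ KE"), "MM4: received peer KE and nonce"),
    (re.compile(r"generating ID_PROT request .*\[ ID HASH"), "MM5: sent encrypted ID/HASH"),
    (re.compile(r"parsed ID_PROT response .*\[ ID HASH"), "MM6: phase 1 ISAKMP SA established"),
    (re.compile(r"QUICK_MODE"), "QM: phase 2 (IPsec SA) negotiation reached"),
]

# Failure signatures and what each usually means in a PSK-authenticated Main Mode.
FAILURES = [
    (re.compile(r"could not decrypt payloads|integrity check failed"),
     "encrypted peer message failed decryption/integrity: Main Mode keys derive "
     "from the PSK, so verify the shared secret and the peer ID settings"),
    (re.compile(r"N\(INVAL_IKE_SPI\)"), "peer does not know our IKE SPI: it dropped the half-open SA"),
    (re.compile(r"N\(NO_PROP"), "peer rejected every proposal: compare ike=/esp= with the peer"),
    (re.compile(r"giving up after \d+ retransmits"), "timed out: peer stopped answering"),
]

def analyse(log_text):
    """Return (furthest stage reached, failure meanings in order of first appearance)."""
    stage_index, failures = -1, []
    for line in log_text.splitlines():
        for i, (pattern, _) in enumerate(STAGES):
            if pattern.search(line):
                stage_index = max(stage_index, i)
        for pattern, meaning in FAILURES:
            if pattern.search(line) and meaning not in failures:
                failures.append(meaning)
    stage = STAGES[stage_index][1] if stage_index >= 0 else "no IKE exchange logged"
    return stage, failures
```

To run it against a real daemon log, pass the file contents: `analyse(open("/var/log/charon.log").read())`.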