I am trying to connect to a SonicWall VPN using StrongSwan from Linux (Ubuntu). I can connect from a Windows Machine using the SonicWall Global VPN client, which uses a shared secret. Following are the instructions to connect using that client:mc21-colombia
In Linux I would use StrongSwan:
local> ipsec --version
Linux strongSwan U5.3.5/K4.4.0-72-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
My /etc/ipsec.conf
is as follow
conn name-for-connection
right=201.xxx.yyy.zzz,201.aaa.bbb.ccc
rightsubnet=172.16.0.0/12
rightid=@place_id
left=%any
xauth_identity=myuser
keyexchange=ikev2
authby=psk
ike=aes256-sha1-modp2048
esp=aes256-sha1-modp2048
auto=start
And the /etc/ipsec.secret
has the entries:
@place_id : PSK "Sh4r3d53cr37"
myuser : XAUTH "mYp455w0rd"
When running the command sudo ipsec up name-for-connection
I get the following output:
initiating IKE_SA name-for-connection[3] to 201.xxx.yyy.zzz
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.eee[500] to 201.xxx.yyy.zzz[500] (1460 bytes)
received packet: from 201.xxx.yyy.zzz[500] to 192.168.0.eee[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA name-for-connection[3] to 201.xxx.yyy.zzz
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.eee[500] to 201.xxx.yyy.zzz[500] (1332 bytes)
received packet: from 201.xxx.yyy.zzz[500] to 192.168.0.eee[500] (317 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
local host is behind NAT, sending keep alives
sending cert request for "C=NL, O=Example Company, CN=strongSwan Root CA"
no IDi configured, fall back on IP address
authentication of '192.168.0.eee' (myself) with pre-shared key
establishing CHILD_SA name-for-connection
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 1 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 2 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 3 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
retransmit 4 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
retransmit 5 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
giving up after 5 retransmits
peer not responding, trying again (2/3)
establishing connection 'name-to-connection' failed
So, how can I debug this connection or how can establish it?