Unable to connect from Linux (Ubuntu) to SonicWall VPN

Question

I am trying to connect to a SonicWall VPN using StrongSwan from Linux (Ubuntu). I can connect from a Windows Machine using the SonicWall Global VPN client, which uses a shared secret. Following are the instructions to connect using that client:mc21-colombia

In Linux I would use StrongSwan:

local> ipsec --version
Linux strongSwan U5.3.5/K4.4.0-72-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland

My /etc/ipsec.conf is as follow

conn name-for-connection
    right=201.xxx.yyy.zzz,201.aaa.bbb.ccc
    rightsubnet=172.16.0.0/12
    rightid=@place_id
    left=%any
    xauth_identity=myuser
    keyexchange=ikev2
    authby=psk
    ike=aes256-sha1-modp2048
    esp=aes256-sha1-modp2048
    auto=start

And the /etc/ipsec.secret has the entries:

@place_id : PSK "Sh4r3d53cr37"

myuser : XAUTH "mYp455w0rd"

When running the command sudo ipsec up name-for-connection I get the following output:

initiating IKE_SA name-for-connection[3] to 201.xxx.yyy.zzz
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.eee[500] to 201.xxx.yyy.zzz[500] (1460 bytes)
received packet: from 201.xxx.yyy.zzz[500] to 192.168.0.eee[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA name-for-connection[3] to 201.xxx.yyy.zzz
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.eee[500] to 201.xxx.yyy.zzz[500] (1332 bytes)
received packet: from 201.xxx.yyy.zzz[500] to 192.168.0.eee[500] (317 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
local host is behind NAT, sending keep alives
sending cert request for "C=NL, O=Example Company, CN=strongSwan Root CA"
no IDi configured, fall back on IP address
authentication of '192.168.0.eee' (myself) with pre-shared key
establishing CHILD_SA name-for-connection
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 1 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 2 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 3 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
retransmit 4 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
retransmit 5 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
giving up after 5 retransmits
peer not responding, trying again (2/3)
establishing connection 'name-to-connection' failed

So, how can I debug this connection or how can establish it?

Did you get anywhere with this? – Auspex Aug 17 '17 at 14:03 — Auspex, Aug 17 '17 at 14:03

Joseph Huber · Answer 1 · 2017-10-25T11:51:18.657

First, there is a mismatch in your IKE settings. You are asking for modp2048, which is DH Group 14, but the SonicWall is requesting modp1024, which is DH Group 2.

You may also be affected by the following bug. StrongSwan 5.3.5 does not work with SonicWall IKEv1/XAuth firewalls:

https://wiki.strongswan.org/issues/1434

https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1608302

Although the bug is for IKEv1, since you are using XAUTH, it may affect you as well. The problem is due to a message sent by the firewall after the username is requested but before the password is requested. This bug was fixed in StrongSwan 5.5.0. Unfortunately, if you are using Ubuntu 16.04 LTS, there is no version of 5.5.0 built for Ubuntu 16.04 that I know of. There is a report you can find with google search where someone reported they had success locally building 5.5.x for Ubuntu 16.04.

Another approach is to use VirtualBox, set up a Windows guest, install the SonicWall GVPN client in the guest, and share the SonicWall VPN adapter connection back to your Ubuntu host. I am presently doing that. The setup is tricky, but once figured out, straightforward to do, and it works. If interested, I can post my method.

I am interested in your solution with virtualbox/Windows guest .... can you post your method ? — Yonsy Solis, Aug 02 '18 at 15:18
I stopped using the GVPN sharing shortly after posting this, as our IT department set up SSTP. Unfortunately, I later lost this setup when I upgraded computers, and never restored it. I wasn't happy with the SSTP performance, so ultimately, I uninstalled stongswan on 16.04 LTS, and built libreswan, which works fine with the SonicWall. Regarding the GVPN setup, if you google around, I think you can find how to share back connections between VirtualBox guests and hosts. — Joseph Huber, Aug 03 '18 at 16:15
Joseph do you have any pointers on getting it to work using libreswan? — Alwyn Schoeman, Feb 24 '21 at 15:40

Unable to connect from Linux (Ubuntu) to SonicWall VPN

1 Answers1