
Has anyone gotten GVC (Global VPN Client, NOT Net Extender!!!!) to work with strongSwan?

I only run Linux in the office. I am trying to help a client/friend with their system, and need remote access to his network. He does not need access in to my computer, and I only plan to use one computer to access his network. He runs the GVC version (ipsec) of the SonicWall VPN.


I have managed to get the Shared Secret to 'work', but now I (think I) need to send my username and password. Here are the syslog entries (slightly modified, removing a bit of identifying info) from the apparently successful connection attempt:

Mar 18 16:16:49 rusty-Alienware-17-R4 charon: 04[CFG] received stroke: add connection 'paris-to-vr'

Mar 18 16:16:49 rusty-Alienware-17-R4 charon: 04[CFG] added configuration 'paris-to-vr'

Mar 18 16:16:49 rusty-Alienware-17-R4 charon: 06[CFG] received stroke: initiate 'paris-to-vr'

Mar 18 16:16:49 rusty-Alienware-17-R4 charon: 06[IKE] initiating IKE_SA paris-to-vr[1] to vvv.vvv.vvv.vvv

Mar 18 16:16:49 rusty-Alienware-17-R4 charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]

Mar 18 16:16:49 rusty-Alienware-17-R4 charon: 06[NET] sending packet: from 192.168.1.33[500] to vvv.vvv.vvv.vvv[500] (336 bytes)

Mar 18 16:16:53 rusty-Alienware-17-R4 charon: 07[IKE] retransmit 1 of request with message ID 0

Mar 18 16:16:53 rusty-Alienware-17-R4 charon: 07[NET] sending packet: from 192.168.1.33[500] to vvv.vvv.vvv.vvv[500] (336 bytes)

Mar 18 16:17:00 rusty-Alienware-17-R4 charon: 10[IKE] retransmit 2 of request with message ID 0

Mar 18 16:17:00 rusty-Alienware-17-R4 charon: 10[NET] sending packet: from 192.168.1.33[500] to vvv.vvv.vvv.vvv[500] (336 bytes)

Mar 18 16:17:01 rusty-Alienware-17-R4 CRON[248808]: (root) CMD (  cd / && run-parts --report /etc/cron.hourly)

Mar 18 16:17:13 rusty-Alienware-17-R4 charon: 16[IKE] retransmit 3 of request with message ID 0

Mar 18 16:17:13 rusty-Alienware-17-R4 charon: 16[NET] sending packet: from 192.168.1.33[500] to vvv.vvv.vvv.vvv[500] (336 bytes)

Mar 18 16:17:36 rusty-Alienware-17-R4 charon: 15[IKE] retransmit 4 of request with message ID 0

Mar 18 16:17:36 rusty-Alienware-17-R4 charon: 15[NET] sending packet: from 192.168.1.33[500] to vvv.vvv.vvv.vvv[500] (336 bytes)

Mar 18 16:18:18 rusty-Alienware-17-R4 charon: 03[IKE] retransmit 5 of request with message ID 0

Mar 18 16:18:18 rusty-Alienware-17-R4 charon: 03[NET] sending packet: from 192.168.1.33[500] to vvv.vvv.vvv.vvv[500] (336 bytes)

<comment - I'm guessing this is where I shut down ipsec right at this point below>

Mar 18 16:18:42 rusty-Alienware-17-R4 charon: 00[DMN] signal of type SIGINT received. Shutting down

Mar 18 16:18:42 rusty-Alienware-17-R4 charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification


(I removed the startup info, can submit if anyone needs it)

While it was in the 'sending packet' phase above, I asked the computer:

Sat Mar 18 16:16:10 RustyC ~/VirtualBox VMs $ sudo ipsec status

[sudo] password for rusty:

Security Associations (0 up, 1 connecting):

paris-to-vr[1]: CONNECTING, 192.168.1.33[%any]...vvv.vvv.vvv.vvv[%any]

Sat Mar 18 16:17:17 RustyC ~/VirtualBox VMs $


Which implies I'm not fully 'up' yet.


Can someone point me to the next step(s)? I'm guessing maybe l2p? I tried adding 'rightauth2=xauth-generic' and 'xauth_identity=MyUserName' to my ipsec.conf and didn't see any obvious changes to the syslog between the 2 attempts. (My ipsec.secrets file says:

remote_vr_ip %any : PSK <mykey>

MyUserName : XAUTH <myPassword>


So, what am I missing? Thanks!

(Notes - besides the first paragraph's info, I don't care if my local computer is ONLY able to access his network when the VPN is up. So I just need my local PC on his LAN so I can access 2 different computers on it.)
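Reading charon output like the above by hand is error-prone, so here is an added example (mine, not from the post or from strongSwan) that triages such syslog lines: it records which IKE exchange was offered first, counts packets sent, received and retransmitted, and turns the "sending packet ... retransmit" pattern into a hint. The sample lines are constructed in the shape of those above, with a placeholder peer address; the hint assumes the gateway is a SonicWall WAN GroupVPN, which speaks IKEv1 aggressive mode.

```python
import re

# Constructed sample in the shape of the charon lines quoted above; the peer
# address is a documentation placeholder, not the real firewall.
SAMPLE_LOG = """\
Mar 18 16:16:49 host charon: 06[IKE] initiating IKE_SA paris-to-vr[1] to 203.0.113.10
Mar 18 16:16:49 host charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) ]
Mar 18 16:16:49 host charon: 06[NET] sending packet: from 192.168.1.33[500] to 203.0.113.10[500] (336 bytes)
Mar 18 16:16:53 host charon: 07[IKE] retransmit 1 of request with message ID 0
Mar 18 16:16:53 host charon: 07[NET] sending packet: from 192.168.1.33[500] to 203.0.113.10[500] (336 bytes)
Mar 18 16:17:01 host CRON[248808]: (root) CMD (  cd / && run-parts --report /etc/cron.hourly)
Mar 18 16:18:42 host charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
"""

CHARON = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ charon: \d+\[(\w+)\] (.*)$")
INITIATING = re.compile(r"initiating IKE_SA (\S+)\[\d+\] to (\S+)")
GENERATING = re.compile(r"generating (\w+) request")
# The first exchange type strongSwan generates shows which IKE version it offered.
VERSION_OF = {"IKE_SA_INIT": "IKEv2", "ID_PROT": "IKEv1 main mode",
              "AGGRESSIVE": "IKEv1 aggressive mode"}

def triage(log_text):
    r = {"conn": None, "peer": None, "version": None, "sent": 0,
         "received": 0, "retransmits": 0, "final_state": None}
    for line in log_text.splitlines():
        m = CHARON.match(line)
        if not m:
            continue                     # cron and other daemons are noise here
        subsystem, msg = m.groups()
        if (hit := INITIATING.search(msg)):
            r["conn"], r["peer"] = hit.groups()
        elif (hit := GENERATING.search(msg)) and r["version"] is None:
            r["version"] = VERSION_OF.get(hit.group(1), hit.group(1))
        elif subsystem == "NET" and msg.startswith("sending packet"):
            r["sent"] += 1
        elif subsystem == "NET" and msg.startswith("received packet"):
            r["received"] += 1
        elif msg.startswith("retransmit "):
            r["retransmits"] += 1
        elif msg.startswith("destroying IKE_SA in state "):
            r["final_state"] = msg.split("state ")[1].split()[0]
    return r

def diagnose(r):
    if not r["sent"] or r["received"]:
        return "peer answered: look for authentication (AUTH/XAuth) errors instead"
    hint = "no reply on UDP/500: check reachability and the IKE version offered"
    if r["version"] == "IKEv2":
        hint += " (WAN GroupVPN is IKEv1 aggressive mode: keyexchange=ikev1, aggressive=yes)"
    return hint
```

Feed it `journalctl -u strongswan` or the syslog excerpt for one attempt; a non-zero `received` count moves the problem from transport to authentication.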

Category: VPN Client

Answers

  • rustycar54 Newbie ✭

    I also tried using the Mac instructions in https://www.sonicwall.com/support/knowledge-base/l2tp-vpn-configuration-on-mac-os-x/170505942152169/ and all I get there is failure to connect (NOTE - I am only the user, I can't change the server configs). I'm wondering where the user name gets put into the environment for the Mac attempt...


    Should I also say that I cannot connect to the Global VPN server from a windows GVC? Probably. I can't. When I hit 'enable' it asks for my username and password, which I then enter. As I remember, it went to 'connected' for a moment and then 'disabled'. If I enter BAD username/password pair, I get a different reaction ('invalid password', or something like that).


    Other things I probably should have mentioned before:

    Linux is Linux Mint 20.2, up to date as of last month.

    Mac is running OS X El Capitan 10.11.6

    And I just discovered a nice little error message at the bottom of my Windows GVC attempt:

    <date/time etc> The downloaded policy configuration contains no destination networks.

    <date/time etc> The policy downloaded from the firewall is invalid or incomplete. Contact your network administrator.


    Gag, wish I'd seen that 20 hours ago! ;-)


    I've initiated a discussion with my 'network administrator' about this. Will report back if that is the only thing keeping my windows, Linux, AND Mac attempts from working....

  • Pocho Newbie ✭

    I have configured strongSwan on Ubuntu 20.04 to connect to the WAN GroupVPN and it worked correctly with the info below. You may have to modify it a bit for your case, but it should help, hopefully.

    On the SonicWall side, after configuring WAN GroupVPN normally, enable "Enable IKE Mode Configuration" under the Advanced tab and assign an address object, which is what will be used to provide IPs to the clients.
    
    Using Ubuntu 20.04 with strongSwan (came with it by default)
    
    /etc/ipsec.conf
    ---------------------
    conn my-sonicwall
        aggressive=yes
        right=SONICWALL_WAN_IP
        # IKEv1 only supports 1 subnet: the LAN behind the firewall, or 0.0.0.0/0 for everything
        rightsubnet=SUBNET_ON_FIREWALL_SIDE
        # with aggressive=yes rightid must be the Unique Firewall Identifier
        # as defined in the SonicWall's VPN base settings
        rightid=SONICWALL_UNIQUE_ID
        left=%defaultroute
        leftsourceip=%modeconfig
        # SonicWall config:
        # Enabled: Require authentication of VPN clients by XAUTH
        xauth_identity=SONICWALL_USERNAME
        # SonicWall WAN GroupVPN is IKEv1
        keyexchange=ikev1
        leftauth=psk
        leftauth2=xauth
        rightauth=psk
        # Phase 1
        # SonicWall config:
        # DH Group: Group 14
        # Encryption: AES-256
        # Authentication: SHA-512
        # Life time: 9000 seconds
        ike=aes256-sha512-modp2048
        ikelifetime=9000s
        # Phase 2
        # SonicWall config:
        # Protocol: ESP
        # Encryption: AES-256
        # Authentication: SHA-512
        # Life time: 6000 seconds
        esp=aes256-sha512
        # keep auto=add indented: a line at column 0 ends the conn section
        auto=add
    
    
    /etc/ipsec.secrets
    ---------------------
    SONICWALL_WAN_IP %any : PSK "MY_PRESHARED_KEY"
    SONICWALL_USERNAME : XAUTH "MY_SONICWALL_PASSWORD"
    
    
    In /etc/strongswan.d/charon.conf need to enable this setting:
    accept_unencrypted_mainmode_messages = yes
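    Because ipsec.conf closes a conn section at the first line that is not indented, and this recipe only works when several parameters are present together, here is an added example (mine, not from the answer or from strongSwan) that parses the file's section and indentation rules and then checks a conn against the recipe's requirements. GOOD_CONF is a constructed copy of the recipe with placeholder values; BAD_CONF reintroduces an unindented auto=add and a missing xauth_identity.

```python
# Constructed from the recipe above, with placeholder values, not a real site.
GOOD_CONF = """\
conn my-sonicwall
    keyexchange=ikev1
    aggressive=yes
    right=203.0.113.10
    rightid=FIREWALL_UNIQUE_ID
    rightsubnet=10.10.0.0/24
    left=%defaultroute
    leftsourceip=%modeconfig
    leftauth=psk
    leftauth2=xauth
    xauth_identity=vpnuser
    auto=add
"""
# Same file with auto=add at column 0 (which ends the conn) and no XAuth username.
BAD_CONF = GOOD_CONF.replace("    auto=add", "auto=add").replace("    xauth_identity=vpnuser\n", "")

def parse_ipsec_conf(text):
    sections, errors, current = {}, [], None   # ipsec.conf: parameters must be indented
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():              # column 0 may only open a section
            head = line.split()
            ok = len(head) == 2 and head[0] in ("conn", "ca", "config")
            current = sections.setdefault(" ".join(head), {}) if ok else None
            if not ok:
                errors.append(f"line {n}: '{line}' at column 0 is not a section keyword")
        elif current is None or "=" not in line:
            errors.append(f"line {n}: '{line.strip()}' is outside any section")
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections, errors

def check_sonicwall_conn(conn):
    findings = []   # requirements taken from the working recipe above
    if conn.get("keyexchange") != "ikev1":
        findings.append("WAN GroupVPN is IKEv1: set keyexchange=ikev1")
    if conn.get("aggressive") == "yes" and not conn.get("rightid"):
        findings.append("aggressive=yes needs rightid=<firewall unique identifier>")
    if conn.get("leftauth2") == "xauth" and not conn.get("xauth_identity"):
        findings.append("leftauth2=xauth needs xauth_identity=<username>")
    if conn.get("leftsourceip") != "%modeconfig":
        findings.append("set leftsourceip=%modeconfig (IKE Mode Configuration is on)")
    if "auto" not in conn:
        findings.append("auto missing (defaults to ignore): the conn is never loaded")
    return findings
```

    Run parse_ipsec_conf on the real file and pass the conn's dict to check_sonicwall_conn; an unindented auto=add shows up as a parse error and as the "never loaded" finding at once.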
    