I’ve got a Sonicwall Pro (firmware 6.1.2) that already has the GroupVPN SA configured for OS 9 clients using PGP as the VPN client (PGP requires MD5 instead of SHA1).
I set up my own SA for use with VaporSec. The remote network in the VaporSec SA was defined specifically for the VaporSec client I was using. The config was similar to that in the Flying Racoons 3 screenshot, except that I don’t get an option to change the DH group on my Sonicwall.
The Sonicwall reported that the Phase 1 IKE wasn’t getting a response from the client.
The system log from the client reported the following:
A.A.A.A = IP address assigned to my machine by my ISP
B.B.B.B = IP address of the Sonicwall
racoon: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for B.B.B.B queued due to no phase1 found.
racoon: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: A.A.A.A[500]<=>B.B.B.B[500]
racoon: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Identity Protection mode.
racoon: ERROR: ipsec_doi.c:2968:ipsecdoi_checkid1(): Expecting IP address type in main mode, but User_FQDN.
racoon: ERROR: isakmp_ident.c:620:ident_i4recv(): invalid ID payload.
racoon: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP B.B.B.B->A.A.A.A
I’m assuming there’s a misconfiguration, but I can’t figure out what is going wrong. Any help you can give is greatly appreciated.
By the log it looks as though VaporSec is setting up Racoon to perform a main mode IKE negotiation, but the SonicWALL’s security association (SA) for this client is set up with an IPSec gateway of 0.0.0.0 and is therefore expecting an aggressive mode IKE negotiation.
Main mode cannot be used when the IP address of one side is not known in advance, which is often the case with individual clients. Aggressive mode must be used, and the user_fqdn offered by the client must match the name of the SA it is connecting to on the SonicWALL.
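To make the mismatch concrete, here is an added illustration (not from the original thread, VaporSec or the SonicWALL documentation) of the two racoon.conf `remote` blocks the reply is contrasting. The gateway address B.B.B.B, the user_fqdn string, the pre-shared-key method, the SHA1 hash and the DH group 2 are all assumptions for the example; on a real client they have to match what the SonicWALL SA is actually configured with.

```conf
# Assumed client-side racoon.conf fragments (added example, not the original post's config).
# B.B.B.B = the SonicWALL's address, as in the log above.

# What the log shows racoon doing: main mode. The SonicWALL SA with an
# IPSec gateway of 0.0.0.0 is waiting for aggressive mode, so this never completes.
remote B.B.B.B {
    exchange_mode main;
    my_identifier address;            # main mode identifies peers by IP address
    proposal {
        encryption_algorithm 3des;    # assumed; must match the SonicWALL SA
        hash_algorithm sha1;          # assumed; the PGP GroupVPN SA on this box uses md5
        authentication_method pre_shared_key;
        dh_group 2;                   # assumed; the SonicWALL showed no option to change it
    }
}

# What the reply recommends: aggressive mode, with a user_fqdn identifier
# whose value is the name of the SA on the SonicWALL (placeholder below).
remote B.B.B.B {
    exchange_mode aggressive;
    my_identifier user_fqdn "sa-name@placeholder.example";   # placeholder, must equal the SA name
    proposal {
        encryption_algorithm 3des;    # assumed; must match the SonicWALL SA
        hash_algorithm sha1;          # assumed
        authentication_method pre_shared_key;
        dh_group 2;                   # assumed
    }
}
```

The two blocks differ only in `exchange_mode` and `my_identifier`; the first mirrors the `initiate new phase 1 negotiation ... Identity Protection mode` line in the log, the second is the aggressive mode / user_fqdn pairing the reply describes. Only one `remote B.B.B.B` block should be present in a real configuration.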
For all Sonicwall users out there – make sure you have the latest firmware. VaporSec has been much more friendly with our SonicWall since the firmware upgrade.