IPSec Sonicwall interoperability



  • Hello,

    I am trying to maintain an IPSec tunnel between my pfsense 2.2 box (running build from Sun Oct 26 06:20:02 CDT 2014), and a Sonicwall NSA 3600 device, with a need to support multiple subnets from both the source and destination networks. I have tried ikev1 and ikev2, with limited success on ikev1 to a single subnet, and no success on even the first phase of ikev2.

    Before going too much deeper: has anyone successfully set up an IPSec tunnel between pfsense 2.2 (strongswan 5.2.0) and a sonicwall device? I have flexibility to change the parameters on the sonicwall, but not the device itself.

    Let me know what configuration has worked for others. Sleuthing the Strongswan forums, this appears to be supported with cisco_unity = yes and the i_dont_care_about_security_and_use_aggressive_mode_psk=yes strongswan.conf options, both of which are set in the latest pfsense builds.

    Let me know what configurations you have seen work,

    Thanks,

    -Karl



  • @karl23:

    Sleuthing the Strongswan forums, this appears to be supported with cisco_unity = yes and the i_dont_care_about_security_and_use_aggressive_mode_psk=yes strongswan.conf options, both of which are set in the latest pfsense builds.

    Yes, cisco_unity is set in the conf file, but the unity plugin is not yet included in pfSense builds.  Try testing again if/when that plugin is included.

    I do use the aggressive psk mode (aka weakswan) in a roadwarrior setup, but haven't tested multiple subnets.



  • Thanks - that explains why unity didn't immediately fix the problems I am seeing.

    Could you also enable charon.accept_unencrypted_mainmode_messages? This is a sonicwall-specific quirk as noted in the documentation here https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf



  • @karl23:

    Could you also enable charon.accept_unencrypted_mainmode_messages? This is a sonicwall-specific quirk as noted in the documentation here https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf

    That's too insecure and narrow an option to have enabled by default.  But it's a conf file option, not a build-time option; so if you determine that you need it, just set it in your strongswan.conf file by hand.



  • @karl23:

    Thanks - that explains why unity didn't immediately fix the problems I am seeing.

    Could you also enable charon.accept_unencrypted_mainmode_messages? This is a sonicwall-specific quirk as noted in the documentation here https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf

    On new snapshots there is an IPsec setting for enabling this.
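As an added example (not code from the thread, pfSense or strongSwan), a small Python audit that parses the `section { key = value }` format of strongswan.conf and reports which of the interoperability quirks discussed above are switched on, so an administrator can see what was hand-edited into the file; the sample config is constructed.

```python
# Added example: audit a strongswan.conf for the IKEv1 quirk options
# discussed in the thread. Assumes the file uses strongswan.conf's
# "section { key = value }" syntax with '#' comments (nested sections
# allowed). SAMPLE_CONF is constructed, not taken from any real box.

SAMPLE_CONF = """\
# constructed sample strongswan.conf
charon {
    cisco_unity = yes                 # needs the unity plugin to matter
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    accept_unencrypted_mainmode_messages = no
    plugins {
        unity {
            load = yes
        }
    }
}
"""

# Options that relax IKEv1 handling; each is a risk when set to "yes".
RISKY_OPTIONS = {
    "charon.i_dont_care_about_security_and_use_aggressive_mode_psk":
        "aggressive mode sends the PSK hash in the clear, enabling offline guessing",
    "charon.accept_unencrypted_mainmode_messages":
        "accepts unencrypted IKEv1 main mode messages (SonicWall quirk)",
}


def parse_strongswan_conf(text):
    """Flatten a strongswan.conf-style file into {'section.key': 'value'}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                 # open a (nested) section
            stack.append(line[:-1].strip())
        elif line == "}":                      # close the innermost section
            stack.pop()
        else:                                  # key = value inside a section
            key, _, value = line.partition("=")
            settings[".".join(stack + [key.strip()])] = value.strip()
    return settings


def find_risky_settings(text):
    """Return {dotted_key: reason} for every risky option enabled in text."""
    settings = parse_strongswan_conf(text)
    return {k: why for k, why in RISKY_OPTIONS.items()
            if settings.get(k, "no").lower() == "yes"}
```

Run it against a copy of /usr/local/etc/strongswan.conf (the path is an assumption) to confirm that only the quirks you deliberately enabled are present.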