LinuxQuestions.org
Old 08-11-2017, 12:12 AM   #1
bvz
Trying to VPN into SonicWall from Ubuntu 17.04 - Newbie really needs some help


I am trying to establish a connection to my Employer's VPN (running on a Sonicwall). I am running Ubuntu 17.04.

But the process is failing somewhere and I really have no idea how to debug it properly. I am a graphic designer by trade, and so a lot of the terminology I am coming across in trying to solve this issue is difficult for me to understand.

Here is what I have so far:

The connection uses a pre shared key.

The info I have from my Employer is as follows:

Code:
IKE (Phase 1) Proposal:
DH Group: Group 2
Encryption: AES-256
Authentication: SHA1
Life Time (seconds): 43200

Ipsec (Phase 2) Proposal
Protocol: ESP
Encryption: AES-256
Authentication: SHA1
Enable Perfect Forward Secrecy: Off
Life Time (seconds): 43200
I have strongswan installed:

Code:
bvz@t5500-Linux:/etc$ ipsec --version
Linux strongSwan U5.5.1/K4.10.0-30-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
Here is my ipsec.conf file:
Code:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn Employer
        authby=psk
        auto=add
        type=tunnel
        esp=aes256-sha1-modp1024
        ike=aes256-sha1-modp1024
        keyexchange=ikev1
        left=192.168.42.91
        leftid=192.168.42.91
        right=NN.NN.NN.N
        rightid=NN.NN.NN.N

Here is my ipsec.secrets file:

Code:
#This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

: PSK <THE_SHARED_KEY>

Here is the output of the ipsec up command:

Code:
bvz@t5500-Linux:~$ sudo ipsec up Employer
initiating Main Mode IKE_SA Employer[1] to NN.NN.NN.N
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.42.91[500] to NN.NN.NN.N[500] (240 bytes)
received packet: from NN.NN.NN.N[500] to 192.168.42.91[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.42.91[500] to NN.NN.NN.N[500] (244 bytes)
received packet: from NN.NN.NN.N[500] to 192.168.42.91[500] (276 bytes)
parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
received XAuth vendor ID
received DPD vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.42.91[4500] to NN.NN.NN.N[4500] (108 bytes)
received packet: from NN.NN.NN.N[4500] to 192.168.42.91[4500] (76 bytes)
queueing TRANSACTION request as tasks still active
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.42.91[4500] to NN.NN.NN.N[4500] (108 bytes)
received packet: from NN.NN.NN.N[4500] to 192.168.42.91[4500] (64 bytes)
payload type ID_V1 was not encrypted
could not decrypt payloads
integrity check failed
generating INFORMATIONAL_V1 request 3360496049 [ HASH N(INVAL_HASH) ]
sending packet: from 192.168.42.91[4500] to NN.NN.NN.N[4500] (76 bytes)
ID_PROT response with message ID 0 processing failed
sending retransmit 2 of request message ID 0, seq 3
sending packet: from 192.168.42.91[4500] to NN.NN.NN.N[4500] (108 bytes)
received packet: from NN.NN.NN.N[4500] to 192.168.42.91[4500] (204 bytes)
parsed INFORMATIONAL_V1 request 1360054657 [ N(INVAL_IKE_SPI) ]
ignoring unprotected INFORMATIONAL from NN.NN.NN.N
message verification failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 1360054657 processing failed
sending retransmit 3 of request message ID 0, seq 3
sending packet: from 192.168.42.91[4500] to NN.NN.NN.N[4500] (108 bytes)
received packet: from NN.NN.NN.N[4500] to 192.168.42.91[4500] (204 bytes)
parsed INFORMATIONAL_V1 request 4082597799 [ N(INVAL_IKE_SPI) ]
ignoring unprotected INFORMATIONAL from NN.NN.NN.N
message verification failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 4082597799 processing failed
sending keep alive to NN.NN.NN.N[4500]
sending retransmit 4 of request message ID 0, seq 3
sending packet: from 192.168.42.91[4500] to NN.NN.NN.N[4500] (108 bytes)
received packet: from NN.NN.NN.N[4500] to 192.168.42.91[4500] (204 bytes)
parsed INFORMATIONAL_V1 request 620371603 [ N(INVAL_IKE_SPI) ]
ignoring unprotected INFORMATIONAL from NN.NN.NN.N
message verification failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 620371603 processing failed
sending keep alive to NN.NN.NN.N[4500]

I am not a sys admin or networking guy. This is as far as I have gotten after about 6 days trying to understand the strongswan docs. Unfortunately, since I have no background in this it is very hard to understand what I am doing wrong (or even how to figure out the error messages above). Is it passing phase 1 but failing on phase 2? Is this an IKEv1 or IKEv2 system? I am guessing it is an IKEv1, but I am not sure. The IT guy at work is just barely keeping his head above water - we are a tiny tiny company and he does not know much about the sonicwall beyond just hitting a few buttons to set it up. Googling "payload type ID_V1 was not encrypted" does not give me much in the way of understanding where in the process it is failing.

Any help whatsoever would be GREATLY appreciated. Even if it is just a nudge in the right direction that will let me focus where to research next. I am really stuck here. Thanks so much!


Edit:

Here is the output of ike-scan

Code:
bvz@t5500-Linux:~$ sudo ike-scan NN.NN.NN.N
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
NN.NN.NN.N	Main Mode Handshake returned HDR=(CKY-R=9c62492336d96d3c) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=5b362bc820f60007

Ending ike-scan 1.9: 1 hosts scanned in 0.031 seconds (32.08 hosts/sec).  1 returned handshake; 0 returned notify

And here is the output of ipsec statusall

Code:
bvz@t5500-Linux:/etc$ sudo ipsec statusall
[sudo] password for bvz: 
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.10.0-30-generic, x86_64):
  uptime: 16 minutes, since Aug 10 23:09:27 2017
  malloc: sbrk 2433024, mmap 0, used 400576, free 2032448
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors aesni aes rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
Listening IP addresses:
  192.168.42.91
Connections:
     Employer:  192.168.42.91...NN.NN.NN.N  IKEv1
     Employer:   local:  [192.168.42.91] uses pre-shared key authentication
     Employer:   remote: [NN.NN.NN.N] uses pre-shared key authentication
     Employer:   child:  dynamic === dynamic TUNNEL
Security Associations (0 up, 1 connecting):
     Employer[1]: CONNECTING, 192.168.42.91[192.168.42.91]...NN.NN.NN.N[%any]
     Employer[1]: IKEv1 SPIs: ff7bf965a496d853_i* 59052d323272dc9e_r
     Employer[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     Employer[1]: Tasks queued: QUICK_MODE 
     Employer[1]: Tasks active: ISAKMP_VENDOR MAIN_MODE

Last edited by bvz; 08-11-2017 at 12:22 PM.
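The question "is it passing phase 1 but failing on phase 2?" can be answered from the log above by counting how far the IKEv1 Main Mode exchange got. Main Mode is six messages (SA proposal, key exchange plus nonce, then the encrypted ID/HASH pair); strongSwan logs each as a "generating ID_PROT request" or "parsed ID_PROT response" and lists the payloads in brackets. The script below is an added example, not code from the thread or from strongSwan: it reads a constructed excerpt of the poster's `ipsec up` output and reports the furthest message reached and a plain-language reading of the failure. The stage table and the error strings it matches are strongSwan's own log wording; the diagnosis text is mine.

```python
import re

# Constructed excerpt of the 'sudo ipsec up Employer' output quoted in the post
# above; the peer address is left as the poster's NN.NN.NN.N placeholder.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA Employer[1] to NN.NN.NN.N
generating ID_PROT request 0 [ SA V V V V V ]
parsed ID_PROT response 0 [ SA V V ]
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
payload type ID_V1 was not encrypted
could not decrypt payloads
integrity check failed
generating INFORMATIONAL_V1 request 3360496049 [ HASH N(INVAL_HASH) ]
ID_PROT response with message ID 0 processing failed
parsed INFORMATIONAL_V1 request 1360054657 [ N(INVAL_IKE_SPI) ]
"""

# IKEv1 Main Mode is six messages. strongSwan logs each one as a generated
# request or a parsed response and lists its payloads in brackets; the first
# payload tells us which of the three exchanges (SA, KE/nonce, ID/HASH) it is.
MAIN_MODE_STEPS = (
    (1, "generating ID_PROT request", "SA"),
    (2, "parsed ID_PROT response", "SA"),
    (3, "generating ID_PROT request", "KE"),
    (4, "parsed ID_PROT response", "KE"),
    (5, "generating ID_PROT request", "ID"),
    (6, "parsed ID_PROT response", "ID"),
)
FIRST_PAYLOAD = re.compile(r"\[ (\w+)")

# Lines strongSwan emits when a message it expected to be encrypted cannot be
# decrypted or fails its integrity check.
DECRYPT_ERRORS = ("could not decrypt payloads", "integrity check failed", "N(INVAL_HASH)")


def main_mode_progress(log_text):
    """Highest Main Mode message number (1-6) seen in the log; 7 once Quick
    Mode (phase 2) starts, 0 if no Main Mode message was logged at all."""
    reached = 0
    for line in log_text.splitlines():
        if "QUICK_MODE request" in line:
            return 7
        m = FIRST_PAYLOAD.search(line)
        if not m:
            continue
        for number, marker, payload in MAIN_MODE_STEPS:
            if marker in line and m.group(1) == payload:
                reached = max(reached, number)
    return reached


def diagnose(log_text):
    """Return (step_reached, plain-language reading of where it stalled)."""
    step = main_mode_progress(log_text)
    if "NO_PROPOSAL_CHOSEN" in log_text:
        return step, ("phase 1 proposal rejected: the IKE encryption, hash or "
                      "DH group does not match what the gateway offers")
    if step >= 7:
        return step, ("phase 1 completed; a remaining failure is in phase 2 "
                      "(ESP algorithms, PFS setting or traffic selectors)")
    if step == 5 and any(err in log_text for err in DECRYPT_ERRORS):
        return step, ("phase 1 algorithms and DH exchange were accepted, but the "
                      "encrypted ID/HASH exchange (messages 5/6) failed: the two "
                      "sides derived different session keys, which with PSK "
                      "authentication most often means a pre-shared key mismatch "
                      "or an identity (leftid/rightid) the gateway does not accept")
    if step in (1, 3, 5):
        return step, (f"no usable reply to Main Mode message {step}: check that "
                      "UDP 500/4500 reach the gateway and that it answers at all")
    return step, "Main Mode still in progress or log too short to tell"


if __name__ == "__main__":
    step, reading = diagnose(SAMPLE_LOG)
    print(f"reached Main Mode message {step}: {reading}")
```

Run against the excerpt, it reports message 5: the gateway accepted the AES-256/SHA1/MODP-1024 proposal and the DH exchange (so the Phase 1 algorithm settings are not the problem) and the failure is in the authenticated part of Phase 1, before Phase 2 is ever attempted. The "Main Mode" and "ID_PROT" labels in this log, and the "Main Mode Handshake returned" line from ike-scan, both show the gateway answering IKEv1. One further point for when Phase 1 does succeed: in strongSwan, appending a DH group to the esp line (esp=aes256-sha1-modp1024) requests Perfect Forward Secrecy, while the employer's Phase 2 proposal has PFS off, so esp=aes256-sha1 is the matching setting; ikelifetime=12h and lifetime=12h correspond to the 43200-second lifetimes listed.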
 
Old 08-11-2017, 04:03 AM   #2
AwesomeMachine
If the admin doesn't even have time to set up the vpn, no one is ever going to be able to connect. That's not something you would learn from the Linux docs. Giving a lay person this:
Code:
IKE (Phase 1) Proposal:
DH Group: Group 2
Encryption: AES-256
Authentication: SHA1
Life Time (seconds): 43200

Ipsec (Phase 2) Proposal
Protocol: ESP
Encryption: AES-256
Authentication: SHA1
Enable Perfect Forward Secrecy: Off
Life Time (seconds): 43200
and expecting him to just figure it out is a little naive.
 
Old 08-11-2017, 11:43 AM   #3
bvz
Thanks for the reply!

Actually, the VPN is already set up and working for Mac clients. He was able to give me the connection info for OSX which works perfectly on my Mac. But the Mac only has a few fields to fill in (IP address of the SonicWall, pre-shared key). Apparently the rest of it is either pre-baked in OSX or it figures it out by itself on the fly. (I have tried to extract the correct info from my Mac by watching its logs, but even with the advanced debugging turned on there it didn't really give me anything that I was able to find useful in the ppp.log).

The additional info that I added above was stuff he was able to give me after we sat at his desk together trying to figure out how to log in. I was able to learn a tiny bit about IKE and realized from my logs that I was failing during the proposal phase. That is when I got that extra info (and I appear to be further along in the process now) but I seem to be stuck again.

I'm hoping that somebody might recognize what the error message is trying to tell me and point me in the right direction to solve the next step or two.
 
Old 08-11-2017, 07:15 PM   #4
AwesomeMachine
It might be easier to set up in network-manager. It does a lot of details for you.
 
Old 08-11-2017, 11:29 PM   #5
bvz
I actually had started with that and didn't get anywhere. But that said after a few days of digging into this maybe returning to the network manager is the best way to go.

I have been having issues with my 17.04 install suddenly crapping out on me every 20 minutes or so (files all just suddenly disappear, directories are still navigable but the files are all "gone". A reboot gets me back in black). So I am going to do a fresh install of 16.04 LTS and see if that works any better. I will restart from scratch with Network Manager there and see if it gets any better.

Also, after some more digging around with my IT guy (who is a great guy, just overwhelmed with things to get done) I think we figured out that the Sonicwall is actually running IKEv2 and not IKEv1 like I thought. So that should give me some more clues as to what I need to do.

I will report back here with any progress (or lack thereof).

I REALLY appreciate the help so far.
 
Old 09-16-2017, 01:41 AM   #6
bvz
Ok, it has been a while all with absolutely no luck.

I have a fresh install of CentOS 7 now. My hard drive was crapping out every 10-20 minutes, but once I plugged it into a different SATA port suddenly it is super stable (even before I switched to CentOS).

I am back trying to get VPN to work. The most frustrating part is that I have no idea where it is failing. I am using Gnome and trying to enter everything into the Network window.

It has a section for Phase 1 and 2 Algorithms. I've tried leaving them blank. I've put in: aes256-sha1;modp1024 in both sections. All to no avail.

I know that the sonicwall server at work is set up like this:


Code:
Phase 1:

DH Group: Group 2
Encryption: aes-256
Authentication: SHA1

Phase 2 is:

Protocol: ESP
Encryption: aes-256
authentication: sha1
The problem I am running into (other than still not being able to connect) is that I have no idea how to debug this. CentOS is using libreswan so my ipsec up command is apparently useless. So I have no idea if it is bailing because of the advanced protocol settings or something else.

I tried running ipsec barf, but nothing in there seems to help me diagnose this.

The output of ipsec verify is:
Code:
Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 3.20 (netkey) on 3.10.0-693.2.2.el7.x86_64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects            	[NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Two or more interfaces found, checking IP forwarding	[OK]
Checking rp_filter                                	[ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter            	[ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter        	[ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter        	[ENABLED]
 /proc/sys/net/ipv4/conf/virbr0/rp_filter         	[ENABLED]
 /proc/sys/net/ipv4/conf/virbr0-nic/rp_filter     	[ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                    	[FAILED]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS	[OK]
Checking for obsolete ipsec.conf options          	[OBSOLETE KEYWORD]
warning: could not open include filename: '/etc/ipsec.d/*.conf'

ipsec verify: encountered 15 errors - see 'man ipsec_verify' for help
I have no idea how to interpret this and the man page is not helpful.


Can anyone direct me to some log somewhere (or something) that will let me figure out at what stage in the process that it is failing?

Thanks.

Last edited by bvz; 09-16-2017 at 01:42 AM.
 
Old 09-19-2017, 12:17 PM   #7
vwtech
To answer your question:

These point to kernel parameters that are an issue:
Quote:
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
Quote:
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
You could disable them by adding a line to /etc/sysctl.conf like:
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0

Once you look at the directory structure the format of the directive will make sense.
Run # sysctl -p to enact the changes.

Recommend (initially at least):
I would use the GUI to configure your VPN connection (as long as it is not point to point). Once settings are confirmed etc you can configure via CLI if necessary -> https://access.redhat.com/documentat..._Networks.html.
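The sysctl advice above maps one-to-one onto the `/proc/sys` paths that `ipsec verify` printed: each `/proc/sys/net/ipv4/conf/<if>/<knob>` file becomes the key `net.ipv4.conf.<if>.<knob>` in /etc/sysctl.conf. The script below is an added example, not code from the thread or from libreswan: it reads those knobs, lists every one that is not disabled, and prints the sysctl.conf lines that would clear them. The `proc_root` parameter and `build_sample_tree()` are my additions so the check can be run against a constructed tree that reproduces the poster's `ipsec verify` output; on a real host call `check_ipsec_sysctls()` with the default root.

```python
import glob
import os
import tempfile

# Kernel knobs that libreswan's 'ipsec verify' complained about in the post
# above, and the value it expects (all "0" = disabled). rp_filter is also
# checked per interface under net/ipv4/conf/*/.
WANTED = {
    "net/ipv4/conf/all/send_redirects": "0",
    "net/ipv4/conf/default/send_redirects": "0",
    "net/ipv4/conf/all/accept_redirects": "0",
    "net/ipv4/conf/default/accept_redirects": "0",
    "net/ipv4/conf/all/rp_filter": "0",
    "net/ipv4/conf/default/rp_filter": "0",
}


def check_ipsec_sysctls(proc_root="/proc/sys"):
    """Return {sysctl key: current value} for every knob not set the way
    'ipsec verify' wants. proc_root is parameterised (my addition) so the
    check can run against a constructed tree as well as the live /proc/sys."""
    checks = dict(WANTED)
    # every interface gets its own rp_filter entry, so pick them all up
    for path in glob.glob(os.path.join(proc_root, "net/ipv4/conf/*/rp_filter")):
        checks.setdefault(os.path.relpath(path, proc_root), "0")
    findings = {}
    for rel, wanted in sorted(checks.items()):
        try:
            with open(os.path.join(proc_root, rel)) as fh:
                current = fh.read().strip()
        except OSError:
            continue  # knob absent on this kernel / interface: nothing to fix
        if current != wanted:
            findings[rel.replace("/", ".")] = current
    return findings


def sysctl_conf_lines(findings):
    """Lines to append to /etc/sysctl.conf (then run 'sysctl -p') to clear the findings."""
    return [f"{key} = 0" for key in sorted(findings)]


def build_sample_tree():
    """Constructed /proc/sys look-alike reproducing the poster's 'ipsec verify'
    output: redirects not disabled, rp_filter enabled on all five conf entries."""
    root = tempfile.mkdtemp(prefix="fake-proc-sys-")
    values = {}
    for iface in ("all", "default", "ip_vti0", "virbr0", "virbr0-nic"):
        values[f"net/ipv4/conf/{iface}/rp_filter"] = "1"
    for scope in ("all", "default"):
        values[f"net/ipv4/conf/{scope}/send_redirects"] = "1"
        values[f"net/ipv4/conf/{scope}/accept_redirects"] = "1"
    for rel, val in values.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(val + "\n")
    return root


if __name__ == "__main__":
    findings = check_ipsec_sysctls(build_sample_tree())
    for key, value in sorted(findings.items()):
        print(f"{key} = {value}  (ipsec verify wants 0)")
    print("\n".join(sysctl_conf_lines(findings)))
```

Two points worth keeping in mind when applying the output. Turning off accept_redirects and send_redirects is standard hardening and costs nothing; rp_filter, by contrast, is the kernel's anti-spoofing check, so clear it only on the interfaces the IPsec traffic actually uses rather than globally where that is possible. And the same `ipsec verify` run also reported "Checking that pluto is running [FAILED]": pluto is libreswan's IKE daemon, so until the ipsec service is started no connection attempt is being made at all, and its log (journalctl -u ipsec on CentOS 7) is where the per-stage negotiation messages will appear.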
 
Old 10-14-2017, 09:44 PM   #8
daviding
Configuring L2TP over IPSec on Ubuntu 17.04

You may or may not have a similar problem to my attempts to configure L2TP over IPSec on Ubuntu 17.04. I found a solution, posted at https://ingbrief.wordpress.com/2017/...untu-l2tp-vpn/

I don't have this working with either Kubuntu 17.04 (reported at https://bugs.kde.org/show_bug.cgi?id=385745 ), nor with Deepin Linux (reported at http://feedback.deepin.org/feedback/detail/8109 ). If you could suggest some configuration file that I could edit manually, directly, maybe I could work around not having the fields to fill in on the Advanced configuration panel.
 
Old 10-21-2017, 02:50 AM   #9
bvz
Thanks for the tips.

I had to abandon my attempts for a while because I had to get work done. I just used my Mac to VPN in to work and shared that to my Linux box.

I'm going to give it another shot now that I have finished my project. That said, I have also switched to CentOS 7 from Ubuntu (it runs more of my 3D software directly). But it seems to have similar issues so it might mean a similar solution.

If I get it running I will post back here... but don't hold your breath. I beat my head against the wall for days previously without success. At some point I may just give up and hire someone to come in and fix it.
 
Old 10-21-2017, 02:05 PM   #10
bvz
I realize that this thread was way way too broad. Nobody could be expected to dig through all of it, so I have started a new thread that will hopefully just have very short, targeted questions.

That thread is here:

https://www.linuxquestions.org/quest...04#post5772404

Thanks to everyone who helped so far.
 
  


Tags
ipsec, strongswan, vpn

