I'm trying to establish a site-to-site IPsec VPN between an EC2 instance running StrongSwan and a SonicWALL firewall. I've tried a lot of different configurations, but currently I have this at the EC2 side:
conn A-B
authby=secret
auto=start
type=tunnel
aggressive=yes
left=172.31.x.x # Private IP address of server A (EC2 instance)
leftid=a_vpn
leftsubnet=172.31.x.0/20
right=200.y.y.y # Public IP address of server B (SonicWALL)
rightid=b_vpn
rightsubnet=10.z.z.0/22
ike=aes256-sha256-modp1024!
keyexchange=ikev1
ikelifetime=28800s
esp=aes256-sha256!
keylife=28800s
SonicWALL is using these configs: SonicWALL configs (1) SonicWALL configs (2)
Whenever I try to start StrongSwan at EC2 instance, I get these logs:
charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-1028-aws, x86_64) charon: 00[LIB] providers loaded by OpenSSL: legacy default charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' charon: 00[CFG] loaded IKE secret for a_vpn b_vpn charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters charon: 00[LIB] dropped capabilities, running as uid 0, gid 0 charon: 00[JOB] spawning 16 worker threads charon: 05[CFG] received stroke: add connection 'A-B' charon: 05[CFG] added configuration 'A-B' charon: 07[CFG] received stroke: initiate 'A-B' charon: 07[IKE] initiating Aggressive Mode IKE_SA A-B[1] to 200.y.y.y charon: 07[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ] charon: 07[NET] sending packet: from 172.31.x.x[500] to 200.y.y.y[500] (363 bytes) charon: 09[NET] received packet: from 200.y.y.y[500] to 172.31.x.x[500] (104 bytes) charon: 09[ENC] parsed INFORMATIONAL_V1 request 0 [ N(INVAL_ID) ] charon: 09[IKE] received INVALID_ID_INFORMATION error notify
Note that invalid id messages at the last two lines.
And from time to time, SonicWALL tries to connect, producing (at EC2 instance) these logs:
charon: 11[NET] received packet: from 200.y.y.y[500] to 172.31.x.x[500] (407 bytes) charon: 11[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V ] charon: 11[IKE] received Sonicwall a vendor ID charon: 11[IKE] received Sonicwall 7 vendor ID charon: 11[IKE] received NAT-T (RFC 3947) vendor ID charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID charon: 11[IKE] received Sonicwall b vendor ID charon: 11[IKE] received DPD vendor ID charon: 11[IKE] received XAuth vendor ID charon: 11[IKE] 200.y.y.y is initiating a Aggressive Mode IKE_SA charon: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 charon: 11[CFG] looking for pre-shared key peer configs matching 172.31.x.x...200.y.y.y[b_vpn] charon: 11[IKE] no peer config found charon: 11[ENC] generating INFORMATIONAL_V1 request 3974808228 [ N(AUTH_FAILED) ] charon: 11[NET] sending packet: from 172.31.x.x[500] to 200.y.y.y[500] (56 bytes)
Based on these logs, I can only suppose the problem is that EC2's private IP is somehow not bound to its id (which would be a_vpn), which prevents its authentication.
So, I don't know what should I do. Can anyone suggest me some different configuration or any tips on how should I resolve this? Thanks in advance.
