IKEv2 Site to Site Sonic Wall

joshua.arthur · November 8, 2018, 4:13pm

Having an issue creating a site-to-site VPN with a Sonic Wall TZ270 using IKEv2. I know it is definitely possible to use IKEv2 in VYOS 1.1.7 because we do currently have an active IKEv2 VPN to a Cisco device. I believe I have tinkered with everything I can think of. Just wondering if anyone has any suggestions or insight.

peer 198.98.14.30 {
authentication {
mode pre-shared-secret
pre-shared-secret REDACTED
}
connection-type respond
description REDACTED
ike-group ike-3desv2
ikev2-reauth inherit
local-address 192.67.68.72
tunnel 0 {
allow-nat-networks disable
allow-public-networks disable
esp-group ipsec-3des
local {
prefix 10.2.2.1/32
}
remote {
prefix 192.168.157.0/24
}
}
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group ipsec-3des
local {
prefix 10.2.2.2/32
}
remote {
prefix 192.168.157.0/24
}
}
}

 ike-group ike-3desv2 {
     dead-peer-detection {
         action restart
         interval 15
         timeout 45
     }
     ikev2-reauth no
     key-exchange ikev2
     lifetime 28800
     proposal 1 {
         dh-group 2
         encryption 3des
         hash sha1
     }
 }

ipsec {
esp-group ipsec-3des {
compression disable
lifetime 28800
mode tunnel
pfs disable
proposal 1 {
encryption 3des
hash sha1
}
}

EdThomas · November 8, 2018, 8:19pm

I’d check the log in the sonicwall device, to see what it’s complaining about.

It isn’t specific to IKEv2, but I have Ipsec connections to sonicwalls myself, the bit that gave me the most headache is the ID string in the authentication bit. Seems as if Sonicwall is very picky about that.

In my situation, in my VyOS config, I have:
authentication {
id vyos
remote-id sonic
}

In the Sonicwall config, under the General tab of the VPN config, under IKE Authentication:
Local IKE ID: [Domain Name] sonic
Peer IKE ID: [Domain Name] vyos

Choosing Domain Name from the pulldown there is important.

Anyway, that was the primary hangup I had connecting my VyOS to my Sonicwalls.

There is a bug in VyOS 1.1.7 with IKEv2 when using pfs in the ESP bit. But it looks like your pfs is disabled, so that should be fine.

joshua.arthur · November 8, 2018, 8:39pm

I appreciate you taking the time to respond. I have also noticed that the Sonic Wall and VYOS do not play well with IKE ID types. My end goal is to get 60 VPNs on an existing Sonic Wall over to VYOS, some of them use Firewall Identifiers for IKE which I guess is a USER_FQDN ID type and the only way I can get VYOS to detect as USER_FQDN vs just FQDN is to do [email protected] which is obviously not the format of the Firewall Identifiers hahaha. Sorry, I am mostly venting.

The IKEv2 issue is a bit more important that I figure out if possible because a lot of the VPNs are using it currently

agv · November 9, 2018, 7:45am

Did you check the log in the Sonicwall? What does it say?
Also how did you define the network objects sonicwall side? Did you use a /32 subnet or did you specify a single “Host address” for the 10.2.2.x/32 object?

joshua.arthur · November 9, 2018, 1:26pm

Thank you for your response agv.

The Address Objects on the Sonic Wall are /32s for each host. This creates 2 separate SAs as intended when it is working. I am using this in a test environment testing the different VPN types we are currently using to see what works natively in VYOS and what needs to be tweaked, so I know the traffic selector setup is good because it is a constant between my tests.

To answer your question, this is what I am getting in the Sonic Wall logs.

Message:
IKEv2 Received notify error payload
Notes:
Invalid Syntax

VYOS logging does not seem to be giving me any output at all. I do know I am getting UDP 500 traffic received on my external interface of VYOS though from the TZ205.

agv · November 9, 2018, 5:05pm

Ok about the address in /32 format.
On the vyos side what do you see using this command:

monitor vpn ipsec

One more question, the VPN goes up if you just switch to IKEv1 both sides (Main mode on Sonicwall)?