I'm trying to establish a site-to-site IPsec VPN between an EC2 instance running StrongSwan and a SonicWALL firewall. I've tried a lot of different configurations, but currently I have this at the EC2 side:
conn A-B
    authby=secret
    auto=start
    type=tunnel
    aggressive=yes
    left=172.31.x.x # Private IP address of server A (EC2 instance)
    leftid=a_vpn
    leftsubnet=172.31.x.0/20
    right=200.y.y.y # Public IP address of server B (SonicWALL)
    rightid=b_vpn
    rightsubnet=10.z.z.0/22
    ike=aes256-sha256-modp1024!
    keyexchange=ikev1
    ikelifetime=28800s
    esp=aes256-sha256!
    keylife=28800s
SonicWALL is using these configs:
[screenshot: SonicWALL configs (1)]
[screenshot: SonicWALL configs (2)]
Whenever I try to start StrongSwan at the EC2 instance, I get these logs:
charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-1028-aws, x86_64)
charon: 00[LIB] providers loaded by OpenSSL: legacy default
charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon: 00[CFG] loaded IKE secret for a_vpn b_vpn
charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
charon: 00[JOB] spawning 16 worker threads
charon: 05[CFG] received stroke: add connection 'A-B'
charon: 05[CFG] added configuration 'A-B'
charon: 07[CFG] received stroke: initiate 'A-B'
charon: 07[IKE] initiating Aggressive Mode IKE_SA A-B[1] to 200.y.y.y
charon: 07[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
charon: 07[NET] sending packet: from 172.31.x.x[500] to 200.y.y.y[500] (363 bytes)
charon: 09[NET] received packet: from 200.y.y.y[500] to 172.31.x.x[500] (104 bytes)
charon: 09[ENC] parsed INFORMATIONAL_V1 request 0 [ N(INVAL_ID) ]
charon: 09[IKE] received INVALID_ID_INFORMATION error notify
Note the invalid ID messages in the last two lines.
And from time to time, SonicWALL tries to connect, producing (at the EC2 instance) these logs:
charon: 11[NET] received packet: from 200.y.y.y[500] to 172.31.x.x[500] (407 bytes)
charon: 11[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V V ]
charon: 11[IKE] received Sonicwall a vendor ID
charon: 11[IKE] received Sonicwall 7 vendor ID
charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
charon: 11[IKE] received Sonicwall b vendor ID
charon: 11[IKE] received DPD vendor ID
charon: 11[IKE] received XAuth vendor ID
charon: 11[IKE] 200.y.y.y is initiating a Aggressive Mode IKE_SA
charon: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
charon: 11[CFG] looking for pre-shared key peer configs matching 172.31.x.x...200.y.y.y[b_vpn]
charon: 11[IKE] no peer config found
charon: 11[ENC] generating INFORMATIONAL_V1 request 3974808228 [ N(AUTH_FAILED) ]
charon: 11[NET] sending packet: from 172.31.x.x[500] to 200.y.y.y[500] (56 bytes)
Based on these logs, I can only suppose the problem is that EC2's private IP is somehow not bound to its id (which would be a_vpn), which prevents its authentication.
So I don't know what I should do. Can anyone suggest a different configuration or any tips on how I should resolve this? Thanks in advance.
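An added triage script, not part of the original post and not strongSwan or SonicWALL code: it parses a conn block in ipsec.conf syntax and charon log lines like the ones above, maps the two failures (the INVALID_ID_INFORMATION notify received as initiator, and the "no peer config found" lookup as responder) back to the leftid/rightid settings that have to agree with the peer, and separately flags the settings in this conn that weaken the tunnel even after it comes up (aggressive mode with a PSK, IKEv1, MODP-1024). The config and log text embedded below are constructed from the post, abridged, with the same placeholder addresses; the function names are this example's own.

```python
import re

# Constructed for this example: the EC2-side conn block from the post, abridged to the
# settings the checks below read, with the post's placeholder addresses.
SAMPLE_CONF = """\
conn A-B
    authby=secret
    aggressive=yes
    left=172.31.x.x       # private IP of the EC2 instance
    leftid=a_vpn
    right=200.y.y.y       # public IP of the SonicWALL
    rightid=b_vpn
    ike=aes256-sha256-modp1024!
    keyexchange=ikev1
    esp=aes256-sha256!
"""

# Constructed for this example: the lines from the post's two charon excerpts that
# carry the failure, in the order they appeared.
SAMPLE_LOG = """\
charon: 07[IKE] initiating Aggressive Mode IKE_SA A-B[1] to 200.y.y.y
charon: 09[ENC] parsed INFORMATIONAL_V1 request 0 [ N(INVAL_ID) ]
charon: 09[IKE] received INVALID_ID_INFORMATION error notify
charon: 11[IKE] 200.y.y.y is initiating a Aggressive Mode IKE_SA
charon: 11[CFG] looking for pre-shared key peer configs matching 172.31.x.x...200.y.y.y[b_vpn]
charon: 11[IKE] no peer config found
charon: 11[ENC] generating INFORMATIONAL_V1 request 3974808228 [ N(AUTH_FAILED) ]
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for each 'conn' section; '#' starts a comment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


WEAK_DH = {"modp768", "modp1024"}


def weak_settings(conn):
    """Settings in one conn block that weaken the tunnel regardless of whether it comes up."""
    findings = []
    if conn.get("aggressive") == "yes" and conn.get("authby") in ("secret", "psk"):
        findings.append("aggressive mode with a PSK: the responder's HASH_R travels unencrypted, "
                        "so anyone capturing the exchange can brute-force the PSK offline")
    if conn.get("keyexchange") == "ikev1":
        findings.append("IKEv1: use keyexchange=ikev2 if the peer supports it")
    # ike= may list several proposals separated by ',' and algorithms separated by '-'
    for alg in re.split(r"[,-]", conn.get("ike", "").rstrip("!")):
        if alg in WEAK_DH:
            findings.append(f"{alg} is too small a DH group; use modp2048 or larger, or an ECP group")
    return findings


RECEIVED_NOTIFY = re.compile(r"received (\w+) error notify")
SENT_NOTIFY = re.compile(r"generating INFORMATIONAL_V1 request \d+ \[ N\((\w+)\) \]")
PSK_LOOKUP = re.compile(r"peer configs matching (\S+?)\.\.\.(\S+?)\[(.+?)\]")


def summarize_log(text):
    """Pull the IKEv1 failure points out of charon log lines."""
    summary = {"notifies_received": [], "notifies_sent": [], "psk_lookups": [], "no_peer_config": False}
    for line in text.splitlines():
        if m := RECEIVED_NOTIFY.search(line):
            summary["notifies_received"].append(m.group(1))
        elif m := SENT_NOTIFY.search(line):
            summary["notifies_sent"].append(m.group(1))
        elif m := PSK_LOOKUP.search(line):
            summary["psk_lookups"].append(m.groups())   # (local addr, remote addr, remote ID)
        elif "no peer config found" in line:
            summary["no_peer_config"] = True
    return summary


def diagnose(conn, summary):
    """Map the logged failures back to the conn settings that must agree with the peer."""
    notes = []
    if "INVALID_ID_INFORMATION" in summary["notifies_received"]:
        notes.append(f"as initiator: the peer rejected the IKE ID we sent (leftid={conn.get('leftid')}); "
                     "its configured remote ID must match that in both type and value")
    if summary["no_peer_config"]:
        for local, remote, remote_id in summary["psk_lookups"]:
            notes.append(f"as responder: no conn matched local {local}, remote {remote} with ID {remote_id!r}; "
                         f"right={conn.get('right')} and rightid={conn.get('rightid')} must match that, "
                         "including the ID type")
    return notes


if __name__ == "__main__":
    conn = parse_ipsec_conf(SAMPLE_CONF)["A-B"]
    for note in diagnose(conn, summarize_log(SAMPLE_LOG)) + weak_settings(conn):
        print("-", note)
```

Run it against a real /etc/ipsec.conf and a `journalctl -u strongswan` excerpt by swapping the two constructed strings for the file contents; the weak-settings checks are worth keeping even after the tunnel comes up, since a working aggressive-mode PSK tunnel still exposes its PSK hash to anyone who captured the exchange.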