VPN between StrongSwan and SonicWall


Here’s how to create a site-to-site VPN between StrongSwan and SonicWall. This has been tested with Ubuntu 14.04 and StrongSwan 5.1.2, and SonicWall with SonicOS 5.9 at the other end.

Network Topology

In this example, we will route traffic between two networks that are located at different sites. Our example network topology looks like this:

Network topology

The VPN tunnel will encrypt all traffic between the endpoints. The green networks will be routed to each other through the encrypted tunnel.

StrongSwan

Install

Configure

Two files need editing: /etc/ipsec.conf and /etc/ipsec.secrets. The first one is the configuration file, and the second one contains the pre-shared key the endpoints will use to authenticate each other.

/etc/ipsec.conf:

We use IKEv2 for key exchange, with AES-256 for encryption and SHA-1 for integrity. A 2048-bit MODP group (modp2048 in StrongSwan terms) is Diffie-Hellman group 14. Authentication is done with a pre-shared key, and the connection is brought up automatically at startup.

/etc/ipsec.secrets:

There should be one line per connection in that file. The format, when using pre-shared keys, is this:

Set the pre-shared key to a long random string, not a dictionary word.
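The two files as described above, written out as an added example (not the post's original listings, which did not survive). The endpoint addresses 198.51.100.10 / 203.0.113.20, the subnets 10.0.1.0/24 / 10.0.2.0/24 and the connection name are placeholders; the PSK is a constructed sample that must be replaced.

```ini
# ---- /etc/ipsec.conf (StrongSwan 5.x, IKEv2 site-to-site to a SonicWall) ----
config setup
    # Log IKE negotiation and kernel SA events; raise levels when debugging
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=yes

conn sonicwall-site
    type=tunnel
    # IKEv2, authenticated with the pre-shared key from /etc/ipsec.secrets
    keyexchange=ikev2
    authby=secret
    # Bring the tunnel up when the service starts
    auto=start
    # Phase 1 / IKE SA proposal: AES-256, SHA-1, DH group 14 (2048-bit MODP).
    # The trailing "!" makes this the only proposal offered, so the SonicWall
    # Proposals tab must be set to exactly these values.
    ike=aes256-sha1-modp2048!
    # Phase 2 / CHILD SA proposal: same algorithms, with PFS using group 14
    # (assumes "Perfect Forward Secrecy" is enabled on the SonicWall side)
    esp=aes256-sha1-modp2048!
    # This side: the StrongSwan host and the green network behind it (placeholders)
    left=198.51.100.10
    leftsubnet=10.0.1.0/24
    # Remote side: the SonicWall WAN address and the network behind it (placeholders)
    right=203.0.113.20
    rightsubnet=10.0.2.0/24

# ---- /etc/ipsec.secrets ----
# One line per connection: <local id> <remote id> : PSK "<shared secret>"
# The selectors are the two gateway addresses; the secret is a constructed sample.
198.51.100.10 203.0.113.20 : PSK "REPLACE-WITH-A-LONG-RANDOM-STRING"
```

Keep /etc/ipsec.secrets readable by root only (mode 0600), since anyone who can read it can impersonate either gateway.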

Start IPsec Service

To start the service:

To make it start at boot:

To see the status, run:

However, you need to configure the other endpoint first before you will see an active connection and a security association.

SonicWall

Go to VPN > Settings. Add a new VPN connection.

VPN Connection > General

The “Shared Secret” field should contain the same random string you put into the /etc/ipsec.secrets file.

VPN - General

VPN Connection > Network

The remote network zone should be a “VPN” zone.

VPN - Remote

VPN Connection > Proposals

The proposal must match the parameters set in /etc/ipsec.conf (IKEv2, AES-256, SHA-1, DH group 14).

VPN - Proposal

VPN Connection > Advanced

In the advanced tab I enabled keep-alive.

VPN - Advanced

Firewall Rules

Remember to add firewall rules on the SonicWall that allow traffic to flow between the two networks. Do the same if iptables is in use on the StrongSwan server.

Check Status

At this point, the SonicWall should show a green dot on the VPN policy line you created. If not, check the SonicWall log for error messages.

You should also be able to see an active security association on the StrongSwan host with:

You can control your tunnel(s) with these commands:

See log files /var/log/auth.log and /var/log/syslog for log messages.


2 thoughts on “VPN between StrongSwan and SonicWall”

  1. Hello,

    Is this a host-to-host VPN or site-to-site? Because from my server, which now runs StrongSwan, I can ping the other subnet. But I am not able to do it from any other device.

  2. Hello!

    I think I’m doing something wrong, did all of this but still not working.
    I have an EC2 instance on AWS with StrongSwan and I need to connect to a SonicWall of the client. I did all of it without success; here is the configuration:

    config setup
        strictcrlpolicy=no
        uniqueids=yes
        charondebug="all"

    conn truckpad-vpn
        # This server
        left=10.31.20.xxx
        leftid=34.208.127.xxx
        # The network behind this server
        leftsourceip=10.31.20.xxx
        leftsubnet=10.31.20.0/32
        leftfirewall=yes
        # The remote SonicWall
        right=179.191.85.xxx
        rightid=192.168.2.xxx
        # The network behind remote SonicWall
        rightsubnet=192.168.3.128/32
        # Connection parameters
        keyexchange=ikev1
        authby=psk
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1-modp1024!
        auto=start
