I'm trying to connect to a Sonicwall TZ170, and I haven't determined if something is wrong with the sonicwall or if I just don't understand ipsec and my racoon.conf and spd entries are not set up right.
Phase 1 succeeds no problem. But during phase 2 the sonicwall responds with no proposal chosen if I use
a.b.c.d/32 as my local ID (a.b.c.d is my public IP). All the other stuff (encryption=3des, authentication=hmac_sha1, pfs=none) match just fine.
If I change my local ID to 0.0.0.0/0, then phase 2 works! But it's no good because then the sonicwall sends me all this traffic that's not even destined for me, and I'm not talking about just broadcast packets either. That's great if I want to spy on what everyone at work is doing, but it slows my Internet down significantly, so it's not a good long-term solution.
So what am I missing here? Am I supposed to be using 0.0.0.0/0 as my local ID, and the sonicwall is just dumb for sending me extra traffic? Or am I supposed to use a.b.c.d/32 and the sonicwall is dumb for rejecting me?
I was thinking, oh, well it's obvious because the sonicwall probably doesn't have a policy for a.b.c.d/32. But I can't really ask the sonicwall administrator to create a policy just for me. How does it work fine for everyone else like road-warriors and such? Everyone else that uses windows can connect with sonicwall's vpn client no problem. I wish I knew what the sonicwall vpn client was putting as the local ID, then I would get a clue.
Actually, I hacked their client and found out. It puts 0.0.0.0/0 UDP as the local ID and 192.168.0.0/16 UDP as the remote ID. I believe that creates a policy that lasts just long enough to get a "virtual IP address". I don't even know if ipsec on linux can do the whole "virtual IP address" thing, but I don't believe I need it since I have a public IP. What negotiation happens after that I don't know.
I already posted on the sonicwall forums and no one answered. I think it's because no one there is smart enough to know what I'm talking about. Heck, I hardly know what I'm talking about. But you guys might :)
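For reference, here is what the narrow-selector setup described in the post looks like in ipsec-tools syntax. This is an added example, not the poster's configuration or anything from SonicWall: a.b.c.d stands for the poster's public IP as in the post, w.x.y.z is a placeholder for the SonicWall's WAN address, and the phase 1 settings (main mode, pre-shared key, dh_group 2) are assumptions, since the post only says phase 1 succeeds. The point it shows is that the phase 2 IDs racoon sends are taken from the `sainfo` selectors and the SPD entries loaded with `setkey`, and both must agree with each other and with the policy configured on the peer; with a.b.c.d/32 <-> 192.168.0.0/16 only traffic for the remote LAN enters the tunnel, whereas a 0.0.0.0/0 local selector tells the peer that every destination lies behind this host, which is why the gateway starts forwarding unrelated traffic.

```conf
# /etc/ipsec-tools.conf  (loaded with: setkey -f /etc/ipsec-tools.conf)
# Security Policy Database: only traffic between our public /32 and the
# office LAN is required to go through the ESP tunnel.  Anything else
# (normal Internet traffic) is left alone.
flush;
spdflush;

spdadd a.b.c.d/32 192.168.0.0/16 any -P out ipsec
    esp/tunnel/a.b.c.d-w.x.y.z/require;

spdadd 192.168.0.0/16 a.b.c.d/32 any -P in ipsec
    esp/tunnel/w.x.y.z-a.b.c.d/require;

# For comparison, the catch-all variant from the post would be
#   spdadd 0.0.0.0/0 192.168.0.0/16 any -P out ipsec esp/tunnel/a.b.c.d-w.x.y.z/require;
# The local selector 0.0.0.0/0 is what the peer sees as the phase 2 local ID,
# and a peer that accepts it will route traffic for any destination into the tunnel.


# /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";   # w.x.y.z <secret> on one line (assumed PSK auth)

remote w.x.y.z {
    exchange_mode main;                        # assumed; aggressive mode is also common on these devices
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;  # assumed
        dh_group 2;                            # assumed
    }
}

# Phase 2 selectors.  These produce the local ID a.b.c.d/32 and the remote ID
# 192.168.0.0/16 in the quick mode exchange, and they must match the SPD
# entries above exactly or racoon will not find a policy for the SA.
sainfo address a.b.c.d/32 any address 192.168.0.0/16 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    # no pfs_group: the post says pfs=none
}
```

If the peer still answers quick mode with NO-PROPOSAL-CHOSEN for these IDs, the usual cause is exactly the one guessed in the post: the gateway has no phase 2 policy whose remote network covers a.b.c.d/32, so checking the policy list on the gateway side (or asking its administrator what network the road-warrior policy expects) is the next diagnostic step, not further changes to the algorithms.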