[Openswan Users] Openswan to Sonicwall solved

Aaron Kincer kincera at gmail.com
Thu Mar 22 00:37:52 EDT 2007 

I posted here what seems like long ago about not being able to get Openswan
talking to a Sonicwall 2040 running SonicOS Enhanced. I just got it working.
I'm sorry to say the explanation may not help many since this is distro
specific. But hopefully you can draw inspiration from it.

Firewall
----------
Sonicwall 2040
SonicOS Enhanced 3.2.0.3-54e

WAN GroupVPN
---------------------
(General)

IKE using Preshared Secret

(Proposals)

[IKE Phase 1]
Group 5
AES-128
SHA1
3600
[IPSec Phase 2]
ESP
AES-128
SHA1
[PFS]
Disabled

(Advanced)

[Advanced Settings}
NetBIOS Disabled
Multicast Disabled
Default Gateway: 0.0.0.0
[Client Authentication]
Disabled

[User/Password Caching]
NEVER
[Client Connections]
DHCP Lease or Manual Configuration
All Secured Gateways
Set Default Route as this Gateway Enabled
Apply VPN Access List Disabled
Require Global Security Client Disabled
[Client Initial Provisioning]
Use Default Key Disabled

VPN Advanced Settings
------------------------------

IKE Dead Peer Detection Enabled
NAT Traversal Enabled
Clean up Active Tunnels Enabled
(All others disabled)

Client
--------

Ubuntu 7.04 Feisty (Herd 5)
Openswan appears to be 2.4.6
IPSec Patches Applied
Racoon installed (not sure if this is needed)

/etc/ipsec.conf
-------------------

config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        nhelpers=0


conn sonicwall
        type=tunnel
        left=my.eth0.ip.address
        leftnexthop=my.home.router.inside.ip
        leftsubnet=my.home.network.subnet/24
        leftid=@GroupVPN
        right=my.sonicwall.public.ip
        rightsubnet=my.sonicwall.private.subnet/24
        rightid=@my.sonicwall.unique.id
        keyingtries=0
        pfs=no
        aggrmode=no
        auto=add
        auth=esp
        ike=aes128-sha1
        esp=aes128-sha1
        authby=secret
        xauth=no
        keyexchange=ike

/etc/ipsec.secrets
-----------------------

: PSK "my.shared.secret"

connection command
----------------------------

sudo ipsec whack --name sonicwall --listen --initiate


Notes
--------

*DHCP doesn't work. I wish it did. Does anyone know how to get it working?
Yes, it is enabled on the Sonicwall.
*Not surprisingly, trafic is not being passed to a remote network connected
to this Sonicwall via another Sonicwall since there is no routes in between
and I am not getting a private DHCP address for the remote network.
*There may be more optimal settings, this is only a representation of how I
got it working.
*I removed the @GroupVPN and @my.sonicwall.unique.id from my
ipsec.secretsfile because I was getting a strange error. I had a typo
in my rightid and
using this setting helped discover that. It should still work if they are
added back in.

Good luck!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20070322/eec52f71/attachment.html

More information about the Users mailing list