[Openswan Users] success, openswan to sonicwall
James Muir
muir.james.a at gmail.com
Sat Dec 20 15:30:04 EST 2008
Hello,
I had posted here a short time ago seeking help with a connection to a
Sonicwall vpn appliance. I'm happy to report that I've had some
success. I thought I would post my config files here so others might
benefit.
Note that there is already at least one report in the list archives of a
successful connection to a Sonicwall:
http://lists.openswan.org/pipermail/users/2007-March/012092.html
My experience is similar to that reported above. I am able to connect
to my company's Sonicwall and ping hosts in the private network, but I
do not receive a private ip address. I think this is because openswan
does not interpret the Mode Config messages correctly, which are sent
immediately after XAUTH completes. In any case, my connection still
succeeds because, under "Client Connections", the Sonicwall is set to
"DHCP Lease or Manual Configuration" -- "manual configuration" allows a
client to choose their own ip address. This is mentioned in the post
referenced above.
I've found two other good sources of information about connecting to a
sonicwall:
http://www.sonicwall.com/downloads/SonicOS_Enhanced_to_Openswan_Using_GroupVPN_with_XAUTH.pdf
http://wiki.openswan.org/index.php/Openswan/SonicWall
I wasn't able to use the config files in either of the two documents
above directly. One main difference is that I had to set
"nat_traversal=yes" in my ipsec.conf file. Without this set, my
connection to the sonicwall would seem to complete correctly, but then I
was not able to ping any machines in the private network.
A fourth source of information that was (the most) helpful was the
connection log from sonicwall's vpn client running under windows. In
this log, you will find the sonicwall identifier, which is required in
ipsec.conf and ipsec.secrets.
Here is my setup:
OS: Linux [Ubuntu 8.04 (Hardy Heron)]
Kernel: 2.6.24
Openswan version: 2.6.19 (downloaded and built from source)
ipsec stack: NETKEY (i.e. the native 2.6 kernel ipsec stack)
my network topology:
me at linux (192.168.15.2)
|
my router (192.168.15.1)
|
cable modem (a.b.c.d)
|
:
: public internet
:
|
sonicwall (w.x.y.z)
|
private network (172.20.0.0/16)
### start ipsec.conf ###
version 2.0

config setup
    # required: without NAT traversal the tunnel came up but nothing in
    # the private network answered pings
    nat_traversal=yes
    OE=off
    protostack=netkey
    nhelpers=0

conn work
    type=tunnel
    auto=add
    aggrmode=yes
    ike=3des-sha1-modp1024
    esp=3des-sha1
    authby=secret
    keyingtries=0
    pfs=no
    auth=esp
    left=192.168.15.2
    leftnexthop=192.168.15.1
    leftsubnet=192.168.15.0/24
    leftid=192.168.15.2
    leftxauthclient=yes
    right=w.x.y.z
    rightsubnet=0.0.0.0/0
    # identifier as shown in the SonicWALL VPN client's connection log
    rightid=@sonicwallidentifier
    rightxauthserver=yes
### end ipsec.conf ###

### start ipsec.secrets ###
192.168.15.2 @sonicwallidentifier : PSK "pskhexstring"
### end ipsec.secrets ###
With these settings, I am able to ssh into machines on the private
network. However, things don't work perfectly. I am having some
problems with "icmp fragmentation needed" errors, but I'll explain that
in another post.
cheers,
-James
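The post's two lessons are that nat_traversal=yes has to be set and that the SonicWALL identifier must appear consistently in both ipsec.conf and ipsec.secrets. As an added example (not from James's post or from the Openswan project), the script below parses an openswan-style ipsec.conf and ipsec.secrets and reports when those settings are missing or do not match. The sample configs embedded in it are constructed from the post and keep its placeholder values (w.x.y.z, @sonicwallidentifier, pskhexstring); the parser is simplified and handles only the section/parameter subset shown.

```python
"""Cross-check an openswan ipsec.conf / ipsec.secrets pair for the settings
the post above says matter for an XAUTH connection to a SonicWALL.
Added example; the embedded configs are constructed from the post."""
import re

# constructed sample, same values and placeholders as the post
IPSEC_CONF = """\
version 2.0

config setup
    nat_traversal=yes
    OE=off
    protostack=netkey
    nhelpers=0

conn work
    type=tunnel
    auto=add
    aggrmode=yes
    ike=3des-sha1-modp1024
    esp=3des-sha1
    authby=secret
    keyingtries=0
    pfs=no
    auth=esp
    left=192.168.15.2
    leftnexthop=192.168.15.1
    leftsubnet=192.168.15.0/24
    leftid=192.168.15.2
    leftxauthclient=yes
    right=w.x.y.z
    rightsubnet=0.0.0.0/0
    rightid=@sonicwallidentifier
    rightxauthserver=yes
"""

IPSEC_SECRETS = '192.168.15.2 @sonicwallidentifier : PSK "pskhexstring"\n'


def parse_ipsec_conf(text):
    """Return {section: {key: value}}. 'config setup' is keyed 'setup',
    'conn NAME' is keyed NAME. Indented lines belong to the open section,
    which is also why unindented parameters are a parse error here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # top-level line
            parts = line.split()
            if parts[0] == "version":
                continue
            if len(parts) == 2 and parts[0] in ("config", "conn"):
                current = parts[1]
                sections[current] = {}
            else:
                raise ValueError("unexpected top-level line: %r" % line)
        else:
            if current is None:
                raise ValueError("parameter outside any section: %r" % line)
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_ipsec_secrets(text):
    """Return [(ids, kind, secret)] for lines of the form 'ID ... : PSK "..."'."""
    out = []
    for line in text.splitlines():
        m = re.match(r'^\s*(.*?)\s*:\s*(PSK|RSA)\s+"([^"]*)"\s*$', line)
        if m:
            out.append((m.group(1).split(), m.group(2), m.group(3)))
    return out


def check_xauth_client(conf, secrets, conn="work"):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    setup, c = conf.get("setup", {}), conf.get(conn, {})
    if setup.get("nat_traversal") != "yes":
        problems.append("nat_traversal=yes missing in config setup")
    for k, v in (("authby", "secret"), ("leftxauthclient", "yes"),
                 ("rightxauthserver", "yes"), ("aggrmode", "yes")):
        if c.get(k) != v:
            problems.append("%s=%s missing in conn %s" % (k, v, conn))
    if not c.get("rightid", "").startswith("@"):
        problems.append("rightid should be the @identifier from the SonicWALL client log")
    # the PSK line must carry both the local id and the SonicWALL identifier
    wanted = {c.get("leftid"), c.get("rightid")}
    if not any(kind == "PSK" and wanted <= set(ids) for ids, kind, _ in secrets):
        problems.append("no PSK line in ipsec.secrets matching leftid and rightid")
    return problems


if __name__ == "__main__":
    found = check_xauth_client(parse_ipsec_conf(IPSEC_CONF),
                               parse_ipsec_secrets(IPSEC_SECRETS))
    print("ok" if not found else "\n".join(found))
```

Run it against the real /etc/ipsec.conf and /etc/ipsec.secrets by reading those files into IPSEC_CONF and IPSEC_SECRETS; the checker only inspects the parameters named in the post and leaves the cipher choices alone.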