<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.10.3">
</HEAD>
<BODY>
Hello,<BR>
<BR>
I am having trouble getting a Openswan client connection to work from linux (Fedora Core 5 x86_64) to an SonicWALL VPN. The settings passed on by the administrator of that site is DES MD5 group 1. <BR>
<BR>
Going through the lists, I found out that DES is not supported by default in OpenSwan, so I have re-compiled the package by setting the USE_WEAKSTUFF?=true flag in the Makefile.inc and also corrected the line to WEAK_DEFS=-DUSE_VERYWEAK_DH1=1 -DUSE_1DES in the Makefile of Pluto. All compiles OK. I know that 3DES is better etc, but this is out of my control. I have to get it to work with the current setup.<BR>
<BR>
I am very very close to get it all to work, but there is a last hurdle that I can't get out of the way. Below the information. Would appreciate any help/tips/comments. Also can I enable some additional debugging to find out what I am missing?<BR>
<BR>
My settings are as follows (for security reasons I have marked the VPN ip number sections with nnn and changed the key password):<BR>
<BR>
sonicwall.conf<BR>
<BR>
conn sonicwall<BR>
left=%defaultroute<BR>
leftsubnet=192.168.1.0/24<BR>
leftid=192.168.1.13<BR>
right=66.nnn.nnn.nnn<BR>
rightsubnet=192.168.128.0/24<BR>
rightid=66.nnn.nnn.nnn<BR>
keyingtries=0<BR>
pfs=yes<BR>
aggrmode=no<BR>
auto=add<BR>
auth=esp<BR>
ike=des-md5-modp768<BR>
esp=des-md5<BR>
authby=secret<BR>
<BR>
<BR>
sonicwall.secrets<BR>
<BR>
192.168.1.13 66.nnn.nnn.nnn : PSK "abcdef"<BR>
<BR>
ipsec starts OK using /etc/rc.d/init.d/ipsec restart<BR>
<BR>
Then I try to get the connection up with:<BR>
<BR>
/usr/sbin/ipsec whack --name sonicwall --initiate<BR>
<BR>
output as follows:<BR>
<BR>
# /usr/sbin/ipsec whack --name sonicwall --initiate<BR>
002 "sonicwall" #1: initiating Main Mode<BR>
104 "sonicwall" #1: STATE_MAIN_I1: initiate<BR>
003 "sonicwall" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<BR>
003 "sonicwall" #1: You should NOT use insecure IKE algorithms (OAKLEY_DES_CBC)!<BR>
002 "sonicwall" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03<BR>
002 "sonicwall" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<BR>
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2<BR>
003 "sonicwall" #1: ignoring unknown Vendor ID payload [da8e937880010000]<BR>
003 "sonicwall" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]<BR>
003 "sonicwall" #1: received Vendor ID payload [XAUTH]<BR>
002 "sonicwall" #1: I did not send a certificate because I do not have one.<BR>
003 "sonicwall" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed<BR>
002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<BR>
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3<BR>
002 "sonicwall" #1: Main mode peer ID is ID_IPV4_ADDR: '66.nnn.nnn.nnn'<BR>
002 "sonicwall" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<BR>
004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64 prf=oakley_md5 group=modp768}<BR>
002 "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}<BR>
117 "sonicwall" #2: STATE_QUICK_I1: initiate<BR>
010 "sonicwall" #2: STATE_QUICK_I1: retransmission; will wait 20s for response<BR>
<BR>
The output of /usr/sbin/ipsec auto --status<BR>
<BR>
000 interface lo/lo ::1<BR>
000 interface lo/lo 127.0.0.1<BR>
000 interface lo/lo 127.0.0.1<BR>
000 interface eth0/eth0 192.168.1.13<BR>
000 interface eth0/eth0 192.168.1.13<BR>
000 %myid = (none)<BR>
000 debug none<BR>
000<BR>
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64<BR>
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192<BR>
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448<BR>
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0<BR>
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256<BR>
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256<BR>
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256<BR>
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<BR>
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<BR>
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<BR>
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0<BR>
000<BR>
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64<BR>
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192<BR>
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<BR>
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<BR>
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<BR>
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768<BR>
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<BR>
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<BR>
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<BR>
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<BR>
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<BR>
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<BR>
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<BR>
000<BR>
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,64} trans={0,4,672} attrs={0,4,224}<BR>
000<BR>
000 "sonicwall": 192.168.1.0/24===192.168.1.13---192.168.1.1...66.nnn.nnn.nnn===192.168.128.0/24; unrouted; eroute owner: #0<BR>
000 "sonicwall": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<BR>
000 "sonicwall": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<BR>
000 "sonicwall": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;<BR>
000 "sonicwall": newest ISAKMP SA: #1; newest IPsec SA: #0;<BR>
000 "sonicwall": IKE algorithms wanted: 1_000-1-1, flags=-strict<BR>
000 "sonicwall": IKE algorithms found: 1_064-1_128-1,<BR>
000 "sonicwall": IKE algorithm newest: DES_CBC_64-MD5-MODP768<BR>
000 "sonicwall": ESP algorithms wanted: 2_000-1, flags=-strict<BR>
000 "sonicwall": ESP algorithms loaded: 2_000-1, flags=-strict<BR>
000<BR>
000 #4: "sonicwall":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 40s; nodpd<BR>
000 #1: "sonicwall":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2499s; newest ISAKMP; nodpd<BR>
000<BR>
<BR>
<BR>
The output dumped in /var/log/secure:<BR>
<BR>
Sep 27 16:43:31 ams pluto[15124]: shutting down<BR>
Sep 27 16:43:31 ams pluto[15124]: forgetting secrets<BR>
Sep 27 16:43:31 ams pluto[15124]: "sonicwall": deleting connection<BR>
Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #3: deleting state (STATE_QUICK_I1)<BR>
Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #2: deleting state (STATE_QUICK_I1)<BR>
Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #1: deleting state (STATE_MAIN_I4)<BR>
Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo ::1:500<BR>
Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo 127.0.0.1:4500<BR>
Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo 127.0.0.1:500<BR>
Sep 27 16:43:31 ams pluto[15124]: shutting down interface eth0/eth0 192.168.1.13:4500<BR>
Sep 27 16:43:31 ams pluto[15124]: shutting down interface eth0/eth0 192.168.1.13:500<BR>
Sep 27 16:43:33 ams ipsec__plutorun: Starting Pluto subsystem...<BR>
Sep 27 16:43:33 ams pluto[15319]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)<BR>
Sep 27 16:43:33 ams pluto[15319]: Setting NAT-Traversal port-4500 floating to on<BR>
Sep 27 16:43:33 ams pluto[15319]: port floating activation criteria nat_t=1/port_fload=1<BR>
Sep 27 16:43:33 ams pluto[15319]: including NAT-Traversal patch (Version 0.6c)<BR>
Sep 27 16:43:34 ams pluto[15319]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<BR>
Sep 27 16:43:34 ams pluto[15319]: starting up 1 cryptographic helpers<BR>
Sep 27 16:43:34 ams pluto[15319]: started helper pid=15320 (fd:6)<BR>
Sep 27 16:43:34 ams pluto[15319]: Using Linux 2.6 IPsec interface code on 2.6.17-1.2187_FC5<BR>
Sep 27 16:43:34 ams pluto[15319]: Could not change to directory '/etc/ipsec.d/cacerts'<BR>
Sep 27 16:43:34 ams pluto[15319]: Could not change to directory '/etc/ipsec.d/aacerts'<BR>
Sep 27 16:43:34 ams pluto[15319]: Could not change to directory '/etc/ipsec.d/ocspcerts'<BR>
Sep 27 16:43:34 ams pluto[15319]: Could not change to directory '/etc/ipsec.d/crls'<BR>
Sep 27 16:43:34 ams pluto[15319]: added connection description "sonicwall"<BR>
Sep 27 16:43:34 ams pluto[15319]: listening for IKE messages<BR>
Sep 27 16:43:34 ams pluto[15319]: adding interface eth0/eth0 192.168.1.13:500<BR>
Sep 27 16:43:34 ams pluto[15319]: adding interface eth0/eth0 192.168.1.13:4500<BR>
Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo 127.0.0.1:500<BR>
Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo 127.0.0.1:4500<BR>
Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo ::1:500<BR>
Sep 27 16:43:34 ams pluto[15319]: loading secrets from "/etc/ipsec.secrets"<BR>
Sep 27 16:43:34 ams pluto[15319]: loading secrets from "/etc/ipsec.d/hostkey.secrets"<BR>
Sep 27 16:43:34 ams pluto[15319]: loading secrets from "/etc/ipsec.d/sonicwall.secrets"<BR>
Sep 27 16:43:40 ams pluto[15319]: "sonicwall" #1: initiating Main Mode<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: You should NOT use insecure IKE algorithms (OAKLEY_DES_CBC)!<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring unknown Vendor ID payload [da8e937880010000]<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received Vendor ID payload [XAUTH]<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: I did not send a certificate because I do not have one.<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: Main mode peer ID is ID_IPV4_ADDR: '66.nnn.nnn.nnn'<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64 prf=oakley_md5 group=modp768}<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN<BR>
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received and ignored informational message<BR>
Sep 27 16:43:52 ams pluto[15319]: "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I4<BR>
Sep 27 16:44:11 ams pluto[15319]: "sonicwall" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN<BR>
Sep 27 16:44:11 ams pluto[15319]: "sonicwall" #1: received and ignored informational message<BR>
Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<BR>
Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #2: starting keying attempt 2 of an unlimited number, but releasing whack<BR>
Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #2 {using isakmp#1}<BR>
Sep 27 16:44:52 ams pluto[15319]: "sonicwall" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN<BR>
Sep 27 16:44:52 ams pluto[15319]: "sonicwall" #1: received and ignored informational message<BR>
<BR>
Thanks in advance for any response,<BR>
<BR>
Bas.<BR>
<BR>
</BODY>
</HTML>