<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.10.3">
</HEAD>
<BODY>
On Wed, 2006-09-27 at 12:07 +0200, Francesco Peeters wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">On Wed, September 27, 2006 11:54, Bas Driessen wrote:</FONT>
<FONT COLOR="#000000">> On Wed, 2006-09-27 at 10:35 +0200, Francesco Peeters wrote:</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">>> On Wed, September 27, 2006 09:40, Bas Driessen wrote:</FONT>
<FONT COLOR="#000000">>> > On Wed, 2006-09-27 at 08:58 +0200, Francesco Peeters wrote:</FONT>
<FONT COLOR="#000000">>> <SNIP></FONT>
<FONT COLOR="#000000">>> >> You'd also need to have the SNWL logs to know why it doesn't complete</FONT>
<FONT COLOR="#000000">>> >> phase 2</FONT>
<FONT COLOR="#000000">>> >></FONT>
<FONT COLOR="#000000">>> >> Also you'll need more info on the SNWL side, including what version of</FONT>
<FONT COLOR="#000000">>> >> OS they are using</FONT>
<FONT COLOR="#000000">>> >></FONT>
<FONT COLOR="#000000">>> >> Lastly, if they have a halfway decent version, you will *not* be able to</FONT>
<FONT COLOR="#000000">>> >> use the GroupVPN SA, as that will require the SNWL VPN Client!...</FONT>
<FONT COLOR="#000000">>> >></FONT>
<FONT COLOR="#000000">>> ></FONT>
<FONT COLOR="#000000">>> > Thanks Francesco. Will request the log files from the administrator.</FONT>
<FONT COLOR="#000000">>> ></FONT>
<FONT COLOR="#000000">>> > Can you please clarify GroupVPN SA versus VPN Client? All I need is a</FONT>
<FONT COLOR="#000000">>> > VPN client connection. If there is a different package that is easy to</FONT>
<FONT COLOR="#000000">>> > set up on Linux, that is the thing I want.</FONT>
<FONT COLOR="#000000">>> ></FONT>
<FONT COLOR="#000000">>> > Bas.</FONT>
<FONT COLOR="#000000">>> ></FONT>
<FONT COLOR="#000000">>> > ___</FONT>
<FONT COLOR="#000000">>> In more recent firmwares, the GroupVPN is set up for use with the</FONT>
<FONT COLOR="#000000">>> SonicWALL Global VPN Client (GVC).</FONT>
<FONT COLOR="#000000">>></FONT>
<FONT COLOR="#000000">>> AFAIK, the GroupVPN can *only* be used with the GVC, due to stuff like</FONT>
<FONT COLOR="#000000">>> Client Enforcing and Profile Distribution mechanisms in the SNWL box,</FONT>
<FONT COLOR="#000000">>> unless all the enhanced GVC features are turned off in the box, and even</FONT>
<FONT COLOR="#000000">>> then I'm not sure whether it'll work...</FONT>
<FONT COLOR="#000000">>></FONT>
<FONT COLOR="#000000">>> Older versions (And that excludes anything that runs SonicOS) will be able</FONT>
<FONT COLOR="#000000">>> to use the GroupVPN, but you'll need to have a firmware that predates the</FONT>
<FONT COLOR="#000000">>> GVC!</FONT>
<FONT COLOR="#000000">>></FONT>
<FONT COLOR="#000000">>> AFAIK the GVC is only available for Windows and Windows Mobile...</FONT>
<FONT COLOR="#000000">>></FONT>
<FONT COLOR="#000000">>> In newer firmware you will need to use a separate 'box to box' vpn SA...</FONT>
<FONT COLOR="#000000">>></FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> Thanks Francesco. On the sonicwall.com web site, there are documents as</FONT>
<FONT COLOR="#000000">> follows:</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> <A HREF="http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_GroupVPN_with_XAUTH.pdf">http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_GroupVPN_with_XAUTH.pdf</A></FONT>
<FONT COLOR="#000000">> <A HREF="http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_Main_Mode_IKE_with_PreShared_key.pdf">http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_Main_Mode_IKE_with_PreShared_key.pdf</A></FONT>
<FONT COLOR="#000000">> <A HREF="http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_Aggressive_Mode_IKE_with_PreShared_key.pdf">http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_Aggressive_Mode_IKE_with_PreShared_key.pdf</A></FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> This indicates to me that OpenSwan can be used using GroupVPN, Main Mode</FONT>
<FONT COLOR="#000000">> and Aggressive Mode. Also since I am so close to having a VPN connecting</FONT>
<FONT COLOR="#000000">> using OpenSwan (as in my original posting), I do believe that a</FONT>
<FONT COLOR="#000000">> connection is possible with OpenSwan. Will gather the info from the</FONT>
<FONT COLOR="#000000">> other side and hopefully that generates some new ideas.</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> Bas.</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">OK, so apparently GroupVPN has changed sufficiently to allow other clients</FONT>
<FONT COLOR="#000000">to connect since I last tried...</FONT>
<FONT COLOR="#000000">Good!</FONT>
<FONT COLOR="#000000">You'll still need the details from the SNWL side though ;-)</FONT>
<FONT COLOR="#000000">I think however you'll need to change the left and right id's</FONT>
<FONT COLOR="#000000">The SonicWALL uses the IDs to match the SAs, and for GroupVPN you cannot</FONT>
<FONT COLOR="#000000">alter the IDs.</FONT>
<FONT COLOR="#000000">By default the SonicWALL uses the MAC address of its main interface</FONT>
<FONT COLOR="#000000">(also the box's serial#) as local ID and the SA name (GroupVPN) as the</FONT>
<FONT COLOR="#000000">remote ID.</FONT>
<FONT COLOR="#000000">Hence the entries:</FONT>
<FONT COLOR="#000000">leftid=@GroupVPN (ie the name of the SA)</FONT>
<FONT COLOR="#000000">rightid=@0006B1..... (The MAC Address and Serial# of the SNWL)</FONT>
<FONT COLOR="#000000">The actual SA name may actually be different (like 'GroupVPN WAN') as they</FONT>
<FONT COLOR="#000000">made a split a while back for the GroupVPN, so you can have different SAs</FONT>
<FONT COLOR="#000000">for clients from WAN, LAN, WLAN, etc.</FONT>
<FONT COLOR="#000000">The Technote is a year old, so it may not have been adjusted for that fact...</FONT>
<FONT COLOR="#000000">(Again: You'll need the SNWL details to be able to determine that!)</FONT>
</PRE>
</BLOCKQUOTE>
<BR>
My understanding is that the leftid is just a name that I can use as the ID for my local computer. So the name should not be important, right? I can use leftid=@home or leftid=@abcdef as long as it matches the entry in the .secrets file.<BR>
<BR>
Regarding the rightid: if in MAIN mode, this should be the IP address of the VPN; if in AGGRESSIVE mode I do get an error back where it comes back with an ID (let's say) @Destination (changed this name for obvious security reasons). If I set this as rightid and use aggressive mode, it stops at the same place in Phase 2. Therefore, I don't believe the left/right ID or MAIN versus AGGRESSIVE is the issue, but since I am not a VPN expert, I could be wrong.<BR>
<BR>
Bas.<BR>
<BR>
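<BR>
Added example, not part of this thread and not taken from SonicWALL's technotes: an Openswan ipsec.conf stanza and matching ipsec.secrets line laid out the way the quoted reply describes, with the GroupVPN SA name as the local ID and the SonicWALL's serial/MAC-derived name as the remote ID. The peer address 203.0.113.10, the serial 0006B1XXXXXX, the subnets, the proposals and the key are placeholders; the real values have to come from the SonicWALL administrator, and the conn name is arbitrary.<BR>

```ini
# /etc/ipsec.conf  (added example; all values below are placeholders)
config setup
    interfaces=%defaultroute
    nat_traversal=yes            # only needed if this host sits behind NAT

conn sonicwall-groupvpn
    type=tunnel
    authby=secret
    # Aggressive mode with a pre-shared key: Openswan requires exactly one
    # IKE proposal here, and it must equal the SonicWALL's Phase 1 settings.
    aggrmode=yes
    ike=3des-sha1-modp1024       # placeholder; copy the SNWL Phase 1 proposal
    esp=3des-sha1                # placeholder; copy the SNWL Phase 2 proposal
    pfs=no                       # must match the SNWL Phase 2 PFS setting
    left=%defaultroute
    # Local ID = the name of the GroupVPN SA on the SonicWALL. It may be
    # 'GroupVPN WAN' or similar on newer firmware; ask the administrator.
    leftid=@GroupVPN
    # leftxauthclient=yes        # uncomment if the SA has XAUTH enabled
    right=203.0.113.10           # placeholder WAN address of the SonicWALL
    # Remote ID = the SonicWALL's serial number / main-interface MAC.
    rightid=@0006B1XXXXXX        # placeholder
    # If Phase 1 completes but Phase 2 stalls, the usual cause is that these
    # subnets or the esp/pfs settings do not match what the SonicWALL offers;
    # its log names the rejected selector or proposal.
    rightsubnet=10.0.0.0/24      # placeholder LAN behind the SonicWALL
    auto=add

# /etc/ipsec.secrets  (added example; the key is a placeholder)
# The ID pair must match leftid/rightid above. Note that aggressive mode
# sends the PSK-derived hash before the tunnel is encrypted, so an attacker
# on the path can capture it for offline guessing: use a long random key.
@GroupVPN @0006B1XXXXXX : PSK "replace-with-the-GroupVPN-shared-secret"
```

Bring it up with `ipsec auto --add sonicwall-groupvpn` followed by `ipsec auto --up sonicwall-groupvpn` and watch `/var/log/secure` (or wherever pluto logs) for the STATE_AGGR_* and STATE_QUICK_* transitions; the first state that never appears tells you which phase, and therefore which of the settings above, needs checking against the SonicWALL side.<BR>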
</BODY>
</HTML>