<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.12.1">
</HEAD>
<BODY>
On Thu, 2006-11-23 at 07:47 +0100, Paul Wouters wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">On Thu, 23 Nov 2006, Bas Driessen wrote:</FONT>
<FONT COLOR="#000000">> I have a Linux Desktop PC that I need to connect to a SonicWALL VPN. The</FONT>
<FONT COLOR="#000000">> linux PC has an ip number of 192.168.1.13 and is connected to the</FONT>
<FONT COLOR="#000000">> Internet via gateway 192.168.1.1. The VPN server where I need to connect</FONT>
<FONT COLOR="#000000">> to has an IP number of 66.nnn.nnn.nnn (for obvious security reasons I am</FONT>
<FONT COLOR="#000000">> using nnn here) and this connects to subnet 192.168.128.0/24. So in</FONT>
<FONT COLOR="#000000">> fact, I am just trying to create a VPN client to server connection.</FONT>
<FONT COLOR="#000000">> The details that I got from the system admin who maintains the VPN is</FONT>
<FONT COLOR="#000000">> that it is using the following:</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> - SonicWALL VPN</FONT>
<FONT COLOR="#000000">> - ESP 3DES HMAC MD5 (IKE)</FONT>
<FONT COLOR="#000000">> - XAUTH authentication is not required.</FONT>
<FONT COLOR="#000000">Did you get a PSK as well?</FONT>
<FONT COLOR="#000000">> conn sonicwall</FONT>
<FONT COLOR="#000000">> type=tunnel</FONT>
<FONT COLOR="#000000">> auto=add</FONT>
<FONT COLOR="#000000">> auth=esp</FONT>
<FONT COLOR="#000000">> pfs=yes</FONT>
<FONT COLOR="#000000">> authby=secret</FONT>
<FONT COLOR="#000000">> keyingtries=1</FONT>
<FONT COLOR="#000000">> left=192.168.1.13</FONT>
<FONT COLOR="#000000">> leftsubnet=192.168.1.13/32</FONT>
<FONT COLOR="#000000">That's very likely wrong. Leave out leftsubnet=</FONT>
<FONT COLOR="#000000">> right=66.nnn.nnn.nnn</FONT>
<FONT COLOR="#000000">> rightsubnet=192.168.128.0/24</FONT>
<FONT COLOR="#000000">> rightid=66.nnn.nnn.nnn</FONT>
<FONT COLOR="#000000">> esp=3des-md5</FONT>
<FONT COLOR="#000000">> keyexchange=ike</FONT>
<FONT COLOR="#000000">> ike=3des-md5</FONT>
<FONT COLOR="#000000">Looks ok</FONT>
<FONT COLOR="#000000">> /etc/ipsec.d/sonicwall.secrets</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> 192.168.1.13 66.nnn.nnn.nnn : PSK "somesecretkeyphrase"</FONT>
<FONT COLOR="#000000">and here too.</FONT>
<FONT COLOR="#000000">> When starting the ipsec service (/etc/rc.d/init.d/ipsec start), the</FONT>
<FONT COLOR="#000000">> output to screen as follows:</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> [root@ams ipsec.d]# /sbin/service ipsec restart</FONT>
<FONT COLOR="#000000">> Shutting down IPsec: Stopping Openswan IPsec...</FONT>
<FONT COLOR="#000000">> [ OK ]</FONT>
<FONT COLOR="#000000">> Starting IPsec: Starting Openswan IPsec 2.4.5...</FONT>
<FONT COLOR="#000000">> insmod /lib/modules/2.6.18-1.2849.fc6/kernel/net/key/af_key.ko</FONT>
<FONT COLOR="#000000">> insmod /lib/modules/2.6.18-1.2849.fc6/kernel/net/ipv4/xfrm4_tunnel.ko</FONT>
<FONT COLOR="#000000">> [ OK ]</FONT>
<FONT COLOR="#000000">Since you did auto=add, the connection is only loaded, not started.</FONT>
<FONT COLOR="#000000">Use auto=start to start it at startup, or run 'ipsec auto --up sonicwall'</FONT>
<FONT COLOR="#000000">at a later time to bring it up.</FONT>
<FONT COLOR="#000000">> Nov 23 14:06:36 ams pluto[16213]: | inserting event EVENT_LOG_DAILY,</FONT>
<FONT COLOR="#000000">> timeout in 35604 seconds</FONT>
<FONT COLOR="#000000">And do NOT enable plutodebug unless you are a developer or being asked to.</FONT>
<FONT COLOR="#000000">> When trying to create the connection, I type:</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> /usr/sbin/ipsec whack --name sonicwall --initiate</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> The output to screen is:</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> [root@ams ipsec.d]# /usr/sbin/ipsec whack --name sonicwall --initiate</FONT>
<FONT COLOR="#000000">> 002 "sonicwall" #1: initiating Main Mode</FONT>
<FONT COLOR="#000000">> 104 "sonicwall" #1: STATE_MAIN_I1: initiate</FONT>
<FONT COLOR="#000000">> 010 "sonicwall" #1: STATE_MAIN_I1: retransmission; will wait 20s for</FONT>
<FONT COLOR="#000000">> response</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> (the re-transmission errors are repeating)</FONT>
<FONT COLOR="#000000">Looks like the other end is rejecting on the first packet, or someone</FONT>
<FONT COLOR="#000000">is firewalling your packets.</FONT>
<FONT COLOR="#000000">> Nov 23 14:09:54 ams pluto[16661]: | *received 92 bytes from</FONT>
<FONT COLOR="#000000">> 66.nnn.nnn.nnn:500 on eth0 (port=500)</FONT>
<FONT COLOR="#000000">> Nov 23 14:09:54 ams pluto[16661]: | **parse ISAKMP Message:</FONT>
<FONT COLOR="#000000">> Nov 23 14:09:54 ams pluto[16661]: | initiator cookie:</FONT>
<FONT COLOR="#000000">> Nov 23 14:09:54 ams pluto[16661]: | b3 fb 6d de b8 44 10 98</FONT>
<FONT COLOR="#000000">> Nov 23 14:09:54 ams pluto[16661]: | responder cookie:</FONT>
<FONT COLOR="#000000">> Nov 23 14:09:54 ams pluto[16661]: | 4b c1 9a fa 48 f0 0d 6d</FONT>
<FONT COLOR="#000000">> Nov 23 14:09:54 ams pluto[16661]: | next payload type: ISAKMP_NEXT_N</FONT>
<FONT COLOR="#000000">> Nov 23 14:09:54 ams pluto[16661]: | ISAKMP version: ISAKMP Version</FONT>
<FONT COLOR="#000000">Though this seems like you received something, so I don't think these runs</FONT>
<FONT COLOR="#000000">are the same run.</FONT>
<FONT COLOR="#000000">> Nov 23 14:09:54 ams pluto[16661]: packet from 66.nnn.nnn.nnn:500:</FONT>
<FONT COLOR="#000000">> ignoring informational payload, type NO_PROPOSAL_CHOSEN</FONT>
<FONT COLOR="#000000">This is a configuration error between the two endpoints. You will have to</FONT>
<FONT COLOR="#000000">ask for more information from the other end. You can try adding "pfs=no".</FONT>
</PRE>
</BLOCKQUOTE>
<BR>
Thanks Paul. Applied the changes you suggested, but no luck unfortunately. <BR>
<BR>
Does the ike= entry require a modp suffix perhaps? (i.e. ike=3des-md5-modp1024). If so, how would I know which one? I did try the modp1024. <BR>
<BR>
Any other suggestions you may have are welcome.<BR>
<BR>
Thanks again,<BR>
Bas.<BR>
<BR>
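An added example (my own code, not from the list thread or from Openswan): a small Python check that parses an Openswan conn section and a few pluto log lines and reports the points Paul raised above (leftsubnet=, auto=add, the Main Mode retransmissions and NO_PROPOSAL_CHOSEN). The DH-group finding is an assumption, since the thread leaves open which modp group the SonicWALL expects; both sample inputs are constructed to resemble the posted config and log.

```python
# Added example, not from the thread: parse one Openswan conn section and a few
# pluto log lines, then report the points raised in the reply. Inputs are constructed.
SAMPLE_CONF = """conn sonicwall
        auto=add
        pfs=yes
        left=192.168.1.13
        leftsubnet=192.168.1.13/32
        right=66.nnn.nnn.nnn
        rightsubnet=192.168.128.0/24
        esp=3des-md5
        ike=3des-md5
"""
SAMPLE_LOG = """010 "sonicwall" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
pluto[16661]: packet from 66.nnn.nnn.nnn:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

def parse_conn(text, name):
    """Return the key=value settings of 'conn <name>' as a dict."""
    settings, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            inside = stripped.split(None, 1)[1] == name
        elif inside and "=" in stripped and not stripped.startswith("#"):
            key, value = stripped.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def lint_conn(settings):
    """Flag the configuration points the reply raises."""
    findings = []
    left = settings.get("left")
    if left and settings.get("leftsubnet") == left + "/32":
        findings.append("leftsubnet= is just left/32; the reply advises leaving it out")
    if settings.get("auto") == "add":
        findings.append("auto=add only loads the conn; use auto=start or 'ipsec auto --up'")
    if "modp" not in settings.get("ike", ""):
        findings.append("ike= names no DH group (assumption: confirm the peer's group with its admin)")
    return findings

def diagnose_log(log):
    """Map the two pluto symptoms in the thread to the causes the reply gives."""
    causes = []
    if "STATE_MAIN_I1: retransmission" in log:
        causes.append("no reply to the first Main Mode packet: peer rejected it or it is firewalled")
    if "NO_PROPOSAL_CHOSEN" in log:
        causes.append("proposal mismatch between the endpoints (ike=/esp=/pfs=); try pfs=no")
    return causes
```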
</BODY>
</HTML>