I have been unable to get Sonicwall with XAUTH and Openswan to play nicely together and don't know the root cause. I haven't had the time to set up some alternative VPN boxes to see if XAUTH is broken globally with my Openswan installation or just with Sonicwall. I know that Global VPN clients can use it. But since using XAUTH isn't required for our setup (since I make those rules), I just turned it off.
<br><br>Another thing -- if you are requiring authenticating clients to use DHCP via the Sonicwall, you will have issues. You can allow both static and DHCP to be used.<br><br>Here's my current settings:<br><br>version
2.0<br><br>config setup<br> plutodebug="control parsing natt private"<br> nat_traversal=yes<br> nhelpers=0<br><br><br>conn sonicwall<br> type=tunnel<br> left=%defaultroute<br> leftnexthop=<my home gateway IP>
<br> leftsubnet=<my home subnet><br> leftid=<the id I used to associate the shared secret in my ipsec.secrets file><br> right=<my Sonicwall's public IP><br> rightsubnet=<the subnet on the other side of the Sonicwall>
<br> rightid=<my Sonicwall's unique ID prefixed by @><br> keyingtries=0<br> pfs=no<br> aggrmode=no<br> auto=add<br> auth=esp<br> ike=aes256-md5<br> esp=aes256-md5
<br> authby=secret<br> xauth=no<br> keyexchange=ike<br><br>include /etc/ipsec.d/examples/no_oe.conf<br><br>Here's the posting I wrote before. Ignore the part about Raccoon. It broke Sonicwall on my current configuration (Ubuntu
7.04 Feisty):<br><br><a href="http://lists.openswan.org/pipermail/users/2007-March/012092.html">http://lists.openswan.org/pipermail/users/2007-March/012092.html</a><br><br>If your Sonicwall must have XAUTH, then you will have to solve that problem or develop a workaround. Depending on how much leverage you have on your setup, you could in theory have an Openswan box configured on one of your unused public IP addresses and route that to your local subnet. You would be bypassing your border firewall that way, but it is doable.
<br><br><div><span class="gmail_quote">On 6/15/07, <b class="gmail_sendername">Rick Knight</b> <<a href="mailto:rick_knight@rlknight.com">rick_knight@rlknight.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Aaron, thanks for your reply.<br><br>I need to use Xauth for authentication, it's in the policy and I can't<br>change that. Also, my SonicWall is configured for 3DES and SHA1 so<br>that's what I have in my ipsec.conf
. One thing I'm wondering about<br>though is the name of the VPN Policy. Do I need to match this in my<br>ipsec.conf file? Whoever set up the SonicWall and configured the VPN<br>policies, put spaces in the name. Instead of "GroupVPN", we have "WAN
<br>GroupVPN". I have not been able to get my secrets file to work with the<br>latter. Could that be causing problems?<br><br>Also, where can I find your article?<br><br>Thanks,<br>Rick Knight<br><br>Aaron Kincer wrote:
<br>> Make sure your encryption settings on your Sonicwall match what you are<br>> using here. Also, make sure you have turned off XAUTH for your<br>> GroupVPN. Have<br>> you read my posting on how I got it working for Sonicwall?
<br>><br>> On 6/15/07, Rick Knight <<a href="mailto:rick_knight@rlknight.com">rick_knight@rlknight.com</a>> wrote:<br>>><br>>> I'm trying to establish a connection to a SonicWall 3060 Enhanced<br>
>> firewall using Openswan 2.3. I have several documents describing how to<br>>> do this, but for some reason I can't make it work. Can someone take a<br>>> look at my settings and tell me what I've missed or gotten wrong? Below
<br>>> is my ipsec.conf and several lines of output generated when I try to<br>>> connect.<br>>><br>>> My ipsec.conf<br>>> # /etc/ipsec.conf - Openswan IPsec configuration file<br>>> # RCSID $Id:
ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $<br>>><br>>> # This file: /usr/share/doc/openswan/ipsec.conf-sample<br>>> #<br>>> # Manual:
ipsec.conf.5<br>>><br>>><br>>> version 2.0 # conforms to second version of ipsec.conf<br>>> specification<br>>><br>>> # basic configuration<br>>> config setup<br>>> # plutodebug / klipsdebug = "all", "none" or a combination from below:
<br>>> # "raw crypt parsing emitting control klips pfkey natt x509 private"<br>>> # eg:<br>>> # plutodebug="control parsing"<br>>> #<br>>> # Only enable klipsdebug=all if you are a developer
<br>>> #<br>>> # NAT-TRAVERSAL support, see README.NAT-Traversal<br>>> nat_traversal=yes<br>>> # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
<br>>><br>>> # Add connections here<br>>><br>>> conn sonicwall<br>>> type=tunnel<br>>> left=172.16.88.25
<br>>> leftnexthop=172.16.88.2<br>>> leftsubnet=172.16.88.0/23<br>>> leftxauthclient=yes<br>>> leftid=@localID
<br>>> right=x.x.x.x<br>>> rightsubnet=192.168.0.0/24<br>>> rightxauthserver=yes<br>>> rightid=@uniqueID<br>>> keyingtries=0<br>>> pfs=no
<br>>> aggrmode=no<br>>> auto=add<br>>> auth=esp<br>>> ike=3des-sha1<br>>> esp=3des-sha1<br>>> authby=secret<br>>> #xauth=yes<br>>> keyexchange=ike
<br>>><br>>> #Disable Opportunistic Encryption<br>>> #include /etc/ipsec.d/examples/no_oe.conf<br>>><br>>> My ipsec.secrets contains this...<br>>> @localID @uniqueID : PSK "secret"
<br>>><br>>> Output of # ipsec auto --up sonicwall<br>>> 104 "sonicwall" #2: STATE_MAIN_I1: initiate<br>>> 003 "sonicwall" #2: ignoring unknown Vendor ID payload<br>>> [5b362bc820f60001]
<br>>> 003 "sonicwall" #2: received Vendor ID payload<br>>> [draft-ietf-ipsec-nat-t-ike-03] method set to=108<br>>> 106 "sonicwall" #2: STATE_MAIN_I2: sent MI2, expecting MR2<br>>> 003 "sonicwall" #2: ignoring unknown Vendor ID payload
<br>>> [404bf439522ca3f6]<br>>> 003 "sonicwall" #2: received Vendor ID payload [XAUTH]<br>>> 003 "sonicwall" #2: received Vendor ID payload [Dead Peer Detection]<br>>> 003 "sonicwall" #2: NAT-Traversal: Result using
<br>>> draft-ietf-ipsec-nat-t-ike-02/03: i am NATed<br>>> 108 "sonicwall" #2: STATE_MAIN_I3: sent MI3, expecting MR3<br>>> 003 "sonicwall" #2: Mode Config message is unacceptable because it is
<br>>> for an incomplete ISAKMP SA (state=STATE_MAIN_I3)<br>>> 010 "sonicwall" #2: STATE_MAIN_I3: retransmission; will wait 20s for<br>>> response<br>>> 004 "sonicwall" #2: STATE_MAIN_I4: ISAKMP SA established
<br>>> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha<br>>> group=modp1024}<br>>> 003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an<br>>> unknown value: 255
<br>>> 003 "sonicwall" #2: malformed payload in packet<br>>> 003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an<br>>> unknown value: 255<br>>> 003 "sonicwall" #2: malformed payload in packet
<br>>><br>>> Can someone please help me out?<br>>><br>>> Thanks,<br>>> Rick Knight<br>>> _______________________________________________<br>>> <a href="mailto:Users@openswan.org">
Users@openswan.org</a><br>>> <a href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a><br>>> Building and Integrating Virtual Private Networks with Openswan:
<br>>> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>>><br></blockquote></div><br>
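The conn settings traded in this thread (ike/esp of aes256-md5 and 3des-sha1, pfs=no) can be checked mechanically. This is an added Python example, not code from the thread or from Openswan: it parses the sections of an ipsec.conf and reports those settings; SAMPLE_CONF is a constructed sample modelled on the first poster's conn, not a real configuration.

```python
# Added example (not from the thread or Openswan): parse ipsec.conf sections
# and flag weak settings; SAMPLE_CONF is a constructed sample, not a real config.
import re
from typing import Dict, List

SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn sonicwall
    ike=aes256-md5
    esp=aes256-md5
    pfs=no
    aggrmode=no
    authby=secret
"""
WEAK_ALGS = {"md5", "des", "3des", "modp768", "modp1024"}
ALG_SPLIT = re.compile(r"[-;,]")  # "aes256-md5;modp1024" -> transform tokens

def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"conn NAME": {key: value}}; headers sit at column 0, params are indented."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # '#' starts a comment
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header (conn/config) or a top-level directive
            words = line.split()
            current = " ".join(words[:2]) if words[0] in ("conn", "config") else None
            if current:
                sections[current] = {}
            continue
        if current and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def audit_conn(params: Dict[str, str]) -> List[str]:
    """Findings for one conn: weak IKE/ESP transforms, no PFS, aggressive mode with a PSK."""
    findings: List[str] = []
    for key in ("ike", "esp"):
        for token in ALG_SPLIT.split(params.get(key, "").lower()):
            if token in WEAK_ALGS:
                findings.append(f"{key}: weak algorithm {token}")
    if params.get("pfs", "yes").lower() == "no":
        findings.append("pfs=no: ESP keys derived without fresh Diffie-Hellman")
    if params.get("aggrmode") == "yes" and params.get("authby") == "secret":
        findings.append("aggrmode=yes with PSK: identity hash exposed in the clear")
    return findings
```

Run it against a real /etc/ipsec.conf with `audit_conn(parse_ipsec_conf(open(path).read())["conn sonicwall"])`; an empty list means none of the flagged settings are present.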