Set DHCP over VPN to optional (can't remember exact setting) and allow static IPs. Openswan doesn't seem to like the DHCP packet Sonicwall spits out. If I remember correctly, DHCP over VPN is required by default on Sonicwall. That's what was wrong on my setup and caused the same message.
<br><br><div><span class="gmail_quote">On 10/1/07, <b class="gmail_sendername">paul pantages</b> <<a href="mailto:pdp@centinasystems.com">pdp@centinasystems.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello Paul W,<br><br>Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did not<br>change the behaviour.<br><br>I also tried the modecfgpull=yes ( I also tried adding
<br>leftmodecfgclient=yes ) but no luck with either of these.<br><br>I still see the "Mode Config message is unacceptable..."; This might<br>indicate that modecfgpull is not going to work?<br><br>ipsec verify asked me to turn off "enforced SElinux mode" which I also
<br>tried.<br><br>I will check the Sonicwall f/w version at work Monday.<br><br>Thanks again for the suggestions;<br><br>PdP<br><br>Paul Wouters wrote:<br>> On Sat, 29 Sep 2007, paul pantages wrote:<br>><br>>> [
root@rigel pdp]# ipsec verify<br>>> Checking your system to see if IPsec got installed and started correctly:<br>>> Version check and ipsec on-path [OK]<br>>> Linux Openswan
U2.4.5/K2.6.20-1.2962.fc6 (netkey)<br>><br>> You should upgrade and try this with openswan 2.4.9.<br>><br>>> conn myclient<br>>> left=172.16.1.35<br>>> leftsubnet=172.16.1.35/32<br>><br>> Leave out the leftsubnet. Otherwise it seems fine.<br>> You could try adding modecfgpull=yes?<br>><br>>> STATE_MAIN_I3<br>>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
<br>>> 003 "myclient" #1: Mode Config message is unacceptable because it is for<br>>> an incomplete ISAKMP SA (state=STATE_MAIN_I3)<br>><br>> Odd. That might suggest a buggy implementation on the Sonic Wall. Can
<br>> you see if you are running the latest firmware?<br>><br>> Paul<br><br>_______________________________________________
<br><a href="mailto:Users@openswan.org">Users@openswan.org</a><br><a href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a><br></blockquote></div><br>