Geez. I forgot that xauth ALSO caused that error. Been a while since I went down that road.<br><br>xauth on Sonicwall does not play well with Openswan. I spent a long time trying to get it to work, but never could. I shut it off and it worked.
<br><br>If turning of xauth fixes it, try turning DHCP back on and see if that works for you. It didn't for me.<br> <br><div><span class="gmail_quote">On 10/3/07, <b class="gmail_sendername">Marius Schrecker</b> <<a href="mailto:marius@schrecker.org">
marius@schrecker.org</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">> I've posted a working config in the past. I was never able to get DHCP
<br>> over<br>> VPN working at all.<br>><br>> <a href="http://lists.openswan.org/pipermail/users/2007-March/012092.html">http://lists.openswan.org/pipermail/users/2007-March/012092.html</a><br>><br>> If you use Ubuntu, do NOT install Racoon. It screwed things up in the end
<br>> and isn't needed as far as I can tell.<br>><br>> On 10/2/07, Marius Schrecker <<a href="mailto:marius@schrecker.org">marius@schrecker.org</a>> wrote:<br>>><br>>> > -----BEGIN PGP SIGNED MESSAGE-----
<br>>> > Hash: SHA1<br>>> ><br>>> > Hello Paul W,<br>>> ><br>>> > Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did<br>>> not<br>>> > change the behaviour.
<br>>> ><br>>> > I also tried the modecfgpull=yes ( I also tried adding<br>>> > leftmodecfgclient=yes ) but no luck with either of these.<br>>> ><br>>> > I still see the "Mode Config message is unacceptable..."; This might
<br>>> > indicate that modecfgpull is not going to work?<br>>> ><br>>> > ipsec verify asked me to turn off "enforced SElinux mode" which I also<br>>> > tried.<br>>> >
<br>>> > I will check the Sonicwall f/w version at work Monday.<br>>> ><br>>> > Thanks again for the suggestions;<br>>> ><br>>> > PdP<br>>> ><br>>> > Paul Wouters wrote:
<br>>> >> On Sat, 29 Sep 2007, paul pantages wrote:<br>>> >><br>>> >>> [root@rigel pdp]# ipsec verify<br>>> >>> Checking your system to see if IPsec got installed and started
<br>>> >>> correctly:<br>>> >>> Version check and ipsec on-path [OK]<br>>> >>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)<br>>> >>
<br>>> >> You should upgrade and try this with openswan 2.4.9.<br>>> >><br>>> >>> conn myclient<br>>> >>> left=<a href="http://172.16.1.35">172.16.1.35</a><br>>> >>> leftsubnet=
<a href="http://172.16.1.35/32">172.16.1.35/32</a><br>>> >><br>>> >> Leave out the leftsubnet. Otherwise it seems fine.<br>>> >> You could try adding modecfgpull=yes?<br>>> >>
<br>>> >>> STATE_MAIN_I3<br>>> >>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>>> >>> 003 "myclient" #1: Mode Config message is unacceptable because it is
<br>>> >>> for<br>>> >>> an incomplete ISAKMP SA (state=STATE_MAIN_I3)<br>>> >><br>>> >> Odd. That might to suggest a buggy implementation on the Sonic Wall.<br>>> Can
<br>>> >> you see if you are running the latest firmware?<br>>> >><br>>> >> Paul<br>>> ><br>>> I'm having trouble configuring vpn from OpenSwan to Sonicwall TZ 170<br>
>> fw: 3.1.0.12-86s,so am interested in hearing from anyone who has a<br>>> working<br>>> configuration.<br>>><br>>> My problem is that the OpenSwan client doesn't get an IP on the vpn<br>
>> subnet. Was interested to read (above) that "leftsubnet" should be left<br>>> out.<br>>><br>>> Does anyone have a working config (preferably for an OpenSwan<br>>> RoadWarrior<br>
>> authenticating against SonicWall OS standard?<br>>><br>>> Cheers<br>>><br>>> Marius<br>>> _______________________________________________<br>>> <a href="mailto:Users@openswan.org">
Users@openswan.org</a><br>>> <a href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a><br>>> Building and Integrating Virtual Private Networks with Openswan:
<br>>> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>>><br>Thanks for the link to the forum thread. I've followed the config as best
<br>I can. Here are the points of divergence:<br> ->using Xauth and agr. mode<br> ->"set default route as this gateway" not available together with<br> DefaultRoute <a href="http://0.0.0.0">0.0.0.0</a>
in SonicOS standard. Therefore not set.<br> ->"Allow connections to Split Tunnels" to allow simultaneous internet<br> and VPN access<br><br>I've tried both with and without leftsubnet in ipsec.my_connection.conf
<br>leaving it out causes phase 2 to time out.<br><br>With leftsubnet in place I get complete authentication, but no<br>communication through VPN (no IP?)<br><br>I have tried doing a<br># ip addr add <a href="http://172.16.2.3/24">
172.16.2.3/24</a> dev eth0 (yes, <a href="http://255.255.255.0">255.255.255.0</a>)<br># ip route change default dev eth0 src <a href="http://172.16.2.3">172.16.2.3</a><br><br>Doing a route I see a problem for the <a href="http://172.16.2.0">
172.16.2.0</a> network (of which VPN is<br>a part). Getting:<br><br>Destination<br><br>_______________________________________________<br><a href="mailto:Users@openswan.org">Users@openswan.org</a><br><a href="http://lists.openswan.org/mailman/listinfo/users">
http://lists.openswan.org/mailman/listinfo/users</a><br>Building and Integrating Virtual Private Networks with Openswan:<br><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
</a><br></blockquote></div><br>