Can you send me the log when you try to initiate a tunnel? Sanitize it if you need to.<br><br><div><span class="gmail_quote">On 10/3/07, <b class="gmail_sendername">Marius Schrecker</b> <<a href="mailto:marius@schrecker.org">marius@schrecker.org</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">> Geez. I forgot that xauth ALSO caused that error. Been a while since I went<br>
> down that road.<br>
><br>
> xauth on Sonicwall does not play well with Openswan. I spent a long time<br>
> trying to get it to work, but never could. I shut it off and it worked.<br>
<br>
Aargh! Still no joy. Tried turning off xauth. Same problem as before<br>
except with one less security phase.<br>
<br>
So frustrating to get through both phases of the security to be stumped by<br>
something as apparently simple as an IP address.<br>
<br>
Cheers!<br>
<br>
Marius<br>
><br>
> If turning off xauth fixes it, try turning DHCP back on and see if that works<br>
> for you. It didn't for me.<br>
><br>
> On 10/3/07, Marius Schrecker <<a href="mailto:marius@schrecker.org">marius@schrecker.org</a>> wrote:<br>
>><br>
>> > I've posted a working config in the past. I was never able to get DHCP over<br>
>> > VPN working at all.<br>
>> ><br>
>> > <a href="http://lists.openswan.org/pipermail/users/2007-March/012092.html">http://lists.openswan.org/pipermail/users/2007-March/012092.html</a><br>
>> ><br>
>> > If you use Ubuntu, do NOT install Racoon. It screwed things up in the end<br>
>> > and isn't needed as far as I can tell.<br>
>> ><br>
>> > On 10/2/07, Marius Schrecker <<a href="mailto:marius@schrecker.org">marius@schrecker.org</a>> wrote:<br>
>> >><br>
>> >> > -----BEGIN PGP SIGNED MESSAGE-----<br>
>> >> > Hash: SHA1<br>
>> >> ><br>
>> >> > Hello Paul W,<br>
>> >> ><br>
>> >> > Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did not<br>
>> >> > change the behaviour.<br>
>> >> ><br>
>> >> > I also tried the modecfgpull=yes ( I also tried adding<br>
>> >> > leftmodecfgclient=yes ) but no luck with either of these.<br>
>> >> ><br>
>> >> > I still see the "Mode Config message is unacceptable..."; This might<br>
>> >> > indicate that modecfgpull is not going to work?<br>
>> >> ><br>
>> >> > ipsec verify asked me to turn off "enforced SElinux mode" which I also<br>
>> >> > tried.<br>
>> >> ><br>
>> >> > I will check the Sonicwall f/w version at work Monday.<br>
>> >> ><br>
>> >> > Thanks again for the suggestions;<br>
>> >> ><br>
>> >> > PdP<br>
>> >> ><br>
>> >> > Paul Wouters wrote:<br>
>> >> >> On Sat, 29 Sep 2007, paul pantages wrote:<br>
>> >> >><br>
>> >> >>> [root@rigel pdp]# ipsec verify<br>
>> >> >>> Checking your system to see if IPsec got installed and started<br>
>> >> >>> correctly:<br>
>> >> >>> Version check and ipsec on-path [OK]<br>
>> >> >>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)<br>
>> >> >><br>
>> >> >> You should upgrade and try this with openswan 2.4.9.<br>
>> >> >><br>
>> >> >>> conn myclient<br>
>> >> >>> left=<a href="http://172.16.1.35">172.16.1.35</a><br>
>> >> >>> leftsubnet=<a href="http://172.16.1.35/32">172.16.1.35/32</a><br>
>> >> >><br>
>> >> >> Leave out the leftsubnet. Otherwise it seems fine.<br>
>> >> >> You could try adding modecfgpull=yes?<br>
>> >> >><br>
>> >> >>> STATE_MAIN_I3<br>
>> >> >>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
>> >> >>> 003 "myclient" #1: Mode Config message is unacceptable because it is for<br>
>> >> >>> an incomplete ISAKMP SA (state=STATE_MAIN_I3)<br>
>> >> >><br>
>> >> >> Odd. That might suggest a buggy implementation on the SonicWall. Can<br>
>> >> >> you see if you are running the latest firmware?<br>
>> >> >><br>
>> >> >> Paul<br>
>> >> ><br>
>> >> I'm having trouble configuring vpn from OpenSwan to Sonicwall TZ 170<br>
>> >> fw: 3.1.0.12-86s, so am interested in hearing from anyone who has a working<br>
>> >> configuration.<br>
>> >><br>
>> >> My problem is that the OpenSwan client doesn't get an IP on the vpn<br>
>> >> subnet. Was interested to read (above) that "leftsubnet" should be left<br>
>> >> out.<br>
>> >><br>
>> >> Does anyone have a working config (preferably for an OpenSwan RoadWarrior<br>
>> >> authenticating against SonicWall OS standard)?<br>
>> >><br>
>> >> Cheers<br>
>> >><br>
>> >> Marius<br>
>> >> _______________________________________________<br>
>> >> <a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
>> >> <a href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a><br>
>> >> Building and Integrating Virtual Private Networks with Openswan:<br>
>> >> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
>> >><br>
>> Thanks for the link to the forum thread. I've followed the config as best<br>
>> I can. Here are the points of divergence:<br>
>> ->using Xauth and agr. mode<br>
>> ->"set default route as this gateway" not available together with<br>
>> DefaultRoute <a href="http://0.0.0.0">0.0.0.0</a> in SonicOS standard. Therefore not set.<br>
>> ->"Allow connections to Split Tunnels" to allow simultaneous internet<br>
>> and VPN access<br>
>><br>
>> I've tried both with and without leftsubnet in ipsec.my_connection.conf;<br>
>> leaving it out causes phase 2 to time out.<br>
>><br>
>> With leftsubnet in place I get complete authentication, but no<br>
>> communication through VPN (no IP?)<br>
>><br>
>> I have tried doing a<br>
>> # ip addr add <a href="http://172.16.2.3/24">172.16.2.3/24</a> dev eth0 (yes, <a href="http://255.255.255.0">255.255.255.0</a>)<br>
>> # ip route change default dev eth0 src <a href="http://172.16.2.3">172.16.2.3</a><br>
>><br>
>> Doing a route I see a problem for the <a href="http://172.16.2.0">172.16.2.0</a> network (of which VPN is<br>
>> a part). Getting:<br>
>><br>
>> Destination<br>
>><br>
><br><br></blockquote></div><br>
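Since the reply at the top asks for the log from a tunnel initiation, here is an added example (not code from this thread or from Openswan) that summarises pluto's numbered status lines, such as the `108 ... STATE_MAIN_I3` and `003 ... Mode Config message is unacceptable` lines quoted above, into the furthest state each SA reached and the serious messages logged, which shows at a glance that the Mode Config exchange arrived before main mode had finished. The sample log is constructed from those two quoted lines plus the earlier main-mode lines pluto is assumed to print for an initiator, and the 1xx/004/003/2xx code mapping is my reading of pluto's whack return codes.

```python
import re

# Pluto (Openswan's IKE daemon) prints "whack" status lines of the form
#   NNN "conn" #sa: message
# The three-digit code is 1xx when a new ISAKMP/IPsec state is entered,
# 004 when an SA has been established, 003 for a serious log message and
# 2xx for an ISAKMP notification (assumed mapping of pluto's RC_* codes).
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'^(STATE_[A-Z0-9_]+):')

PHASES = (("STATE_MAIN_", "IKE phase 1 (main mode)"),
          ("STATE_AGGR_", "IKE phase 1 (aggressive mode)"),
          ("STATE_XAUTH_", "XAUTH"),
          ("STATE_MODE_CFG_", "mode config"),
          ("STATE_QUICK_", "IKE phase 2 (quick mode)"))

def phase_of(state):
    """Map a pluto state name to the negotiation phase it belongs to."""
    for prefix, name in PHASES:
        if state.startswith(prefix):
            return name
    return "unknown"

def diagnose(log_text):
    """Return ({sa: (furthest_state, phase)}, [(sa, serious_message), ...])."""
    furthest, serious = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # not a whack status line, skip it
        code, sa, msg = int(m["code"]), int(m["sa"]), m["msg"]
        st = STATE_RE.match(msg)
        if st and (100 <= code < 200 or code == 4):
            furthest[sa] = st.group(1)     # progress: remember how far we got
        elif code == 3 or code >= 200:
            serious.append((sa, msg))      # warning, notification or error
    return {sa: (s, phase_of(s)) for sa, s in furthest.items()}, serious

# Constructed sample: the two lines quoted in the thread plus the preceding
# main-mode lines pluto is assumed to print for an initiator (not from the thread).
SAMPLE_LOG = """\
104 "myclient" #1: STATE_MAIN_I1: initiate
106 "myclient" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "myclient" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```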