<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; CHARSET=UTF-8">
<META content="MSHTML 6.00.6000.16544" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=982232514-27112007>Well you turn on aggressive mode by adding this to the
conn...</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=982232514-27112007>aggrmode=yes</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=982232514-27112007>It's off by default because it makes the connection
less secure, so it's better to turn it off on both sides.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=982232514-27112007>I'm forwarding back to the list to see if anyone else
knows what's happening with your FQDN mismatch.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><FONT face=Arial
size=2></FONT><FONT face=Arial size=2></FONT><BR>
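<DIV align=left><FONT face=Arial size=2>An added example, not code from this thread or from Openswan: a small C model of the identity-type check that the pluto log quoted below shows failing. The ID_* numbers are the IKEv1 identity types that appear as kind= values in that log; the ipsec.conf id syntax used here (@host as FQDN, user@host as USER_FQDN, a bare string as an address) and the compare-type-before-text rule are assumptions about Openswan's behaviour, not a copy of id.c.</FONT></DIV>

```c
/* Added example, not Openswan's code: a small model of how an ipsec.conf
 * id string is classified and how a peer's IKE identity is compared with
 * the configured rightid. The ID_* numbers are the IKEv1 identity types
 * that appear as "kind=" in the thread's log; the matching rule is an
 * assumption about the check behind "match_id ... results fail". */
#include <stdio.h>
#include <string.h>

enum id_kind { ID_NONE = 0, ID_IPV4_ADDR = 1, ID_FQDN = 2, ID_USER_FQDN = 3 };

struct id { enum id_kind kind; char name[64]; };

/* "@host" is an FQDN, "user@host" a USER_FQDN, a bare string an address
 * literal; empty or "%any" means no explicit id was configured. */
struct id parse_id(const char *s)
{
    struct id out = { ID_NONE, "" };
    if (s == NULL || *s == '\0' || strcmp(s, "%any") == 0)
        return out;
    if (*s == '@') {
        out.kind = ID_FQDN;
        s++;                                  /* drop the leading '@' */
    } else {
        out.kind = strchr(s, '@') ? ID_USER_FQDN : ID_IPV4_ADDR;
    }
    snprintf(out.name, sizeof out.name, "%s", s);
    return out;
}

/* 1 on match, 0 on mismatch, -1 if no explicit id is configured (the
 * default-to-address behaviour the thread mentions is not modelled).
 * Type is compared before text, so "Sonic168" sent as USER_FQDN never
 * matches rightid=@Sonic168 (FQDN) although the names are equal. */
int match_id(const struct id *peer, const struct id *conf)
{
    if (conf->kind == ID_NONE)
        return -1;
    if (peer->kind != conf->kind)
        return 0;
    return strcmp(peer->name, conf->name) == 0;
}

/* Peer id as carried in the IKE ID payload (type + text) against the
 * rightid string from ipsec.conf. */
int check_peer(enum id_kind peer_kind, const char *peer_name, const char *rightid)
{
    struct id peer = { peer_kind, "" }, conf = parse_id(rightid);
    snprintf(peer.name, sizeof peer.name, "%s", peer_name);
    return match_id(&peer, &conf);
}
```

With the thread's values, check_peer(ID_USER_FQDN, "Sonic168", "@Sonic168") returns 0 while check_peer(ID_FQDN, "Sonic168", "@Sonic168") returns 1, which is the kind mismatch David describes.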
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> David L. Cathey
[mailto:davidc@montagar.com] <BR><B>Sent:</B> November 26, 2007 8:41
PM<BR><B>To:</B> petermcgill@goco.net<BR><B>Subject:</B> RE: [Openswan Users]
Openswan <-> SonicWall TZ107 Roadwarrior<BR></FONT><BR></DIV>
<DIV></DIV>On Mon, 2007-11-26 at 09:51 -0500, Peter McGill wrote:
<BLOCKQUOTE TYPE="CITE"><PRE><FONT color=#000000>Can you set the id in the shorewall or does the shorewall have a static ip?</FONT>
<FONT color=#000000>The id must match the id used by the shorewall.</FONT>
<FONT color=#000000>The default is to set to match the ip address but you can't do that with dynamic ip.</FONT>
</PRE></BLOCKQUOTE><BR>I've set that before, and it correctly finds the
PSK. Figured out it needs to be aggressive mode to work.
However, refine_host_connection() is unable to find the matching connection to
complete the tunnel. From the log (with
plutodebug=control,controlmore). It's 2.4.9, with a couple of DBG()
changes so I can see more of what's going on, namely the output of
match_id() to display the kind of peer and why it's failing the
test.<BR><BR>So far, it fails getting the connection right since it's confused
between the ID types of FQDN (openswan side) and USER_FQDN (Sonicwall
side).<BR><BR><PRE>Nov 26 14:22:21 iptables pluto[4381]: | refine_connection: starting with Sonic168
Nov 26 14:22:21 iptables pluto[4381]: | started looking for secret for @TSP168->@Sonic168 of kind PPK_PSK
Nov 26 14:22:21 iptables pluto[4381]: | actually looking for secret for @TSP168->@Sonic168 of kind PPK_PSK
Nov 26 14:22:21 iptables pluto[4381]: | 1: compared PSK @Sonic168 to @TSP168 / @Sonic168 -> 2
Nov 26 14:22:21 iptables pluto[4381]: | 2: compared PSK @TSP168 to @TSP168 / @Sonic168 -> 6
Nov 26 14:22:21 iptables pluto[4381]: | best_match 0>6 best=0x842b0a0 (line=17)
Nov 26 14:22:21 iptables pluto[4381]: | concluding with best_match=6 best=0x842b0a0 (lineno=17)
Nov 26 14:22:21 iptables pluto[4381]: | match_id a=@Sonic168, kind=3
Nov 26 14:22:21 iptables pluto[4381]: | b=@Sonic168, kind=2
Nov 26 14:22:21 iptables pluto[4381]: | results fail
Nov 26 14:22:21 iptables pluto[4381]: | trusted_ca called with a=(empty) b=(empty)
Nov 26 14:22:21 iptables pluto[4381]: | refine_connection: checking Sonic168 against Sonic168, best=(none) with match=0(id=0/ca=1/reqca=1)
Nov 26 14:22:21 iptables pluto[4381]: | find_host_pair: comparing to xx.xx.79.53:500 xx.xx.118.247:500
Nov 26 14:22:21 iptables pluto[4381]: | find_host_pair: comparing to xx.xx.79.53:500 0.0.0.0:500
Nov 26 14:22:21 iptables pluto[4381]: | find_host_pair_conn (refine_host_connection): xx.xx.79.53:500 %any:500 -> hp:Sonic168
Nov 26 14:22:21 iptables pluto[4381]: | match_id a=@Sonic168, kind=3
Nov 26 14:22:21 iptables pluto[4381]: | b=@Sonic168, kind=2
Nov 26 14:22:21 iptables pluto[4381]: | results fail
Nov 26 14:22:21 iptables pluto[4381]: | trusted_ca called with a=(empty) b=(empty)
Nov 26 14:22:21 iptables pluto[4381]: | refine_connection: checking Sonic168 against Sonic168, best=(none) with match=0(id=0/ca=1/reqca=1)
Nov 26 14:22:21 iptables pluto[4381]: "Sonic168"[1] xx.xx.118.247 #898: no suitable connection for peer '@Sonic168'
</PRE><BR>So, it's in refine_connection, but match_id() is failing since the
peer kinds aren't the same. I guess I need the Sonicwall to use FQDN or
convince openswan that the leftid is a user FQDN.<BR><BR>
<BLOCKQUOTE TYPE="CITE"><PRE>
<FONT color=#000000>Also if you can turn on pfs on both sides, that will result in a more secure connection.</FONT>
</PRE></BLOCKQUOTE><BR>Agreed - but I'd like to get something working
first!<BR><BR>
<BLOCKQUOTE TYPE="CITE"><PRE>
<FONT color=#000000>Peter McGill</FONT>
<FONT color=#000000> </FONT>
<FONT color=#000000>> -----Original Message-----</FONT>
<FONT color=#000000>> From: <A href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</A> </FONT>
<FONT color=#000000>> [mailto:<A href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</A>] On Behalf Of David L. Cathey</FONT>
<FONT color=#000000>> Sent: November 23, 2007 5:59 PM</FONT>
<FONT color=#000000>> To: <A href="mailto:users@openswan.org">users@openswan.org</A></FONT>
<FONT color=#000000>> Subject: [Openswan Users] Openswan <-> SonicWall TZ107 Roadwarrior</FONT>
<FONT color=#000000>> </FONT>
<FONT color=#000000>> I'm trying to set up a SonicWall TZ107 as a Roadwarrior against an</FONT>
<FONT color=#000000>> openswan server (Fedora 6, openswan 2.4.9 built from source).</FONT>
<FONT color=#000000>> </FONT>
<FONT color=#000000>> Sonic168.conf:</FONT>
<FONT color=#000000>> conn Sonic168</FONT>
<FONT color=#000000>> type=tunnel</FONT>
<FONT color=#000000>> auto=add</FONT>
<FONT color=#000000>> auth=esp</FONT>
<FONT color=#000000>> pfs=no</FONT>
<FONT color=#000000>> authby=secret</FONT>
<FONT color=#000000>> keyingtries=1</FONT>
<FONT color=#000000>> left=66.60.79.53 # </FONT>
<FONT color=#000000>> leftid=@TSP168 # Local information</FONT>
<FONT color=#000000>> leftsubnet=192.168.2.0/24</FONT>
<FONT color=#000000>> leftnexthop=%defaultroute</FONT>
<FONT color=#000000>> right=%any # Remote information</FONT>
<FONT color=#000000>> #rightid=@Sonic168 #</FONT>
<FONT color=#000000>> rightsubnet=192.168.168.0/24 #</FONT>
<FONT color=#000000>> esp=3des-md5</FONT>
<FONT color=#000000>> ike=3des-md5</FONT>
<FONT color=#000000>> keyexchange=ike</FONT>
<FONT color=#000000>> </FONT>
<FONT color=#000000>> ipsec.secrets:</FONT>
<FONT color=#000000>> @TSP168 %any : PSK "CominationForMyLuggage" # Not the real PSK!</FONT>
<FONT color=#000000>> </FONT>
<FONT color=#000000>> This gets me to (several of these from ipsec auto --status):</FONT>
<FONT color=#000000>> 000 #nnn: "Sonic168"[1] 72.64.118.247:500 STATE_MAIN_R3 (sent MR3,</FONT>
<FONT color=#000000>> ISAKMP SA established); EVENT_SA_REPLACE in 2596s; nodpd</FONT>
<FONT color=#000000>> </FONT>
<FONT color=#000000>> I end up with openswan sending INVALID_ID_INFORMATION back to the</FONT>
<FONT color=#000000>> SonicWall. The SonicWall log also shows this (Start Quick Mode (Phase</FONT>
<FONT color=#000000>> 2), followed by Received notify: INVALID_ID_INFO).</FONT>
<FONT color=#000000>> </FONT>
<FONT color=#000000>> If I change the config to uncomment the rightid, it never gets a</FONT>
<FONT color=#000000>> connection (visible with plutodebug="all"):</FONT>
<FONT color=#000000>> concluding with best_match=6 best=0x812fb360 (lineno=29)</FONT>
<FONT color=#000000>> match_id a=72.64.118.247</FONT>
<FONT color=#000000>> b=@Sonic168</FONT>
<FONT color=#000000>> results fail</FONT>
<FONT color=#000000>> Since it thinks Sonic168 is of kind ID_FQDN, and will not wildcard</FONT>
<FONT color=#000000>> with the connection, even though right=%any. Unless I just hack id.c</FONT>
<FONT color=#000000>> and have match_id() return true anyway (but that would be bad).</FONT>
<FONT color=#000000>> </FONT>
<FONT color=#000000>> Can this work, since I can't see what I'm missing here...</FONT>
<FONT color=#000000>> </FONT>
<FONT color=#000000>> -- </FONT>
<FONT color=#000000>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - </FONT>
<FONT color=#000000>> - - - - -</FONT>
<FONT color=#000000>> David L. Cathey |Inet: <A href="mailto:davidc@montagar.com">davidc@montagar.com</A></FONT>
<FONT color=#000000>> Montagar Software, Inc. |Fone: (972)-423-5224</FONT>
<FONT color=#000000>> P. O. Box 260772, Plano, TX 75026 |<A href="http://www.montagar.com">http://www.montagar.com</A></FONT>
<FONT color=#000000>> </FONT>
<FONT color=#000000>> _______________________________________________</FONT>
<FONT color=#000000>> <A href="mailto:Users@openswan.org">Users@openswan.org</A></FONT>
<FONT color=#000000>> <A href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</A></FONT>
<FONT color=#000000>> Building and Integrating Virtual Private Networks with Openswan: </FONT>
<FONT color=#000000>> <A href="http://www.amazon.com/gp/product/1904811256/104-3099591-294632">http://www.amazon.com/gp/product/1904811256/104-3099591-294632</A></FONT>
<FONT color=#000000>> 7?n=283155</FONT>
</PRE></BLOCKQUOTE>
<TABLE cellSpacing=0 cellPadding=0 width="100%">
<TBODY>
<TR>
<TD><PRE>--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
David L. Cathey |Inet: <A href="mailto:davidc@montagar.com">davidc@montagar.com</A>
Montagar Software, Inc. |Fone: (972)-423-5224
P. O. Box 260772, Plano, TX 75026 |<A href="http://www.montagar.com">http://www.montagar.com</A>
</PRE></TD></TR></TBODY></TABLE></BLOCKQUOTE></BODY></HTML>