<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16640" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>Well I've never worked with XAUTH or a SonicWall
specifically, but two general suggestions.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>1) This might just be an email typo,
but...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>conn net2</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>
rightsubnet=192.168.2.0</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>should be</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008> <FONT
face=Arial color=#0000ff size=2>rightsubnet=192.168.2.0/24</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>Otherwise from the information provided, I cannot see any
problems, so...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>2) Give us more information.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>The output of...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>ipsec barf</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>Preferably in an attachment and not the email
body.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>Note from man ipsec_barf:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2> Barf censors its output,
replacing keys and secrets with brief checksums to avoid
revealing sensitive information.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>Also send us the SonicWall configuration information
(without keys of course).</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>As for your firewall question, you need to allow the
following in/out connections:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>udp/isakmp (proto 17 port 500)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>esp (proto 50)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>And if using NAT-T</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>udp/4500 (proto 17 port 4500)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>If the firewall is on the same computer as IPSec, then
you'll also need to allow</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>the private tunnelled traffic, i.e. to/from 192.168.1.0/24
and 192.168.2.0/24.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>If you're using SNAT or MASQUERADE on your IPSec device,
you'll need to exempt</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>the private tunnelled traffic from
that.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>If the firewall is on a different computer between IPSec
endpoints, then you'll need to</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>forward the above isakmp, esp and possibly NAT-T inbound to
the IPSec router to accept</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=579180917-25042008><FONT face=Arial
color=#0000ff size=2>connections from the other
side.</FONT></SPAN></DIV></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
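<DIV align=left><FONT face=Arial size=2>The firewall rules Peter lists above, written out as an added example that is not part of the original thread. The interface name (ppp0), the peer placeholder (ip.sonicwall) and the use of the iptables policy match (which assumes the NETKEY stack; with KLIPS you would match on ipsec0 instead) are assumptions; the script prints the rules rather than applying them.</FONT></DIV>

```shell
#!/bin/sh
# Added example, not from the thread: prints the iptables rules Peter lists
# for a roadwarrior whose firewall runs on the same host as Openswan.
# WAN_IF, PEER and REMOTE_NETS are assumed placeholders; rules are printed
# rather than applied so they can be reviewed (pipe into sh to apply).
WAN_IF="${WAN_IF:-ppp0}"                                 # aircard interface
PEER="${PEER:-ip.sonicwall}"                             # SonicWall public IP
REMOTE_NETS="${REMOTE_NETS:-192.168.1.0/24 192.168.2.0/24}"

ipsec_fw_rules() {
    # isakmp (udp/500) and esp (proto 50), only to/from the known peer
    echo "iptables -A INPUT  -i $WAN_IF -p udp -s $PEER --sport 500 --dport 500 -j ACCEPT"
    echo "iptables -A OUTPUT -o $WAN_IF -p udp -d $PEER --dport 500 -j ACCEPT"
    echo "iptables -A INPUT  -i $WAN_IF -p esp -s $PEER -j ACCEPT"
    echo "iptables -A OUTPUT -o $WAN_IF -p esp -d $PEER -j ACCEPT"
    # NAT-T (udp/4500), needed once either end sits behind NAT
    echo "iptables -A INPUT  -i $WAN_IF -p udp -s $PEER --dport 4500 -j ACCEPT"
    echo "iptables -A OUTPUT -o $WAN_IF -p udp -d $PEER --dport 4500 -j ACCEPT"
    # the decrypted private traffic; the policy match (NETKEY stack, assumed)
    # only accepts these sources when they really arrived through the tunnel
    for net in $REMOTE_NETS; do
        echo "iptables -A INPUT  -s $net -m policy --dir in  --pol ipsec -j ACCEPT"
        echo "iptables -A OUTPUT -d $net -m policy --dir out --pol ipsec -j ACCEPT"
    done
}

# Exempt tunnelled traffic from MASQUERADE/SNAT; -I puts the exemption ahead
# of any existing MASQUERADE rule, otherwise the inner packets get rewritten.
ipsec_nat_exempt() {
    for net in $REMOTE_NETS; do
        echo "iptables -t nat -I POSTROUTING -o $WAN_IF -d $net -j ACCEPT"
    done
}

# Firewall on a separate box in front of the IPsec router: forward isakmp,
# esp and NAT-T inbound to it (argument: the router's inside address).
ipsec_forward_rules() {
    router="$1"
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport 500  -j DNAT --to-destination $router"
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport 4500 -j DNAT --to-destination $router"
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p esp -j DNAT --to-destination $router"
    echo "iptables -A FORWARD -i $WAN_IF -d $router -p udp -m multiport --dports 500,4500 -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -d $router -p esp -j ACCEPT"
}

# Usage: WAN_IF=ppp0 PEER=1.1.1.1 sh thisfile print | sh  (after reviewing the output)
if [ "${1:-}" = "print" ]; then ipsec_fw_rules; ipsec_nat_exempt; fi
```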
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Chris
Zimmerman<BR><B>Sent:</B> April 25, 2008 1:00 PM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] Anyone? Anyone?
"Roadwarrior" to SonicWall VPN routing issues<BR></FONT><BR></DIV>
<DIV></DIV>I'm not trying to be a pest, but I have to get this
working:<BR><BR>I have been fighting through this setup for more than a week
now and I'm at a brick wall. <BR><BR>My
setup:<BR><BR>
<DIV class="ArwC7c ckChnd"
id=1fsq>
<PRE>
my.ip-----------{internet}-----1.1.1.1(sonicwall)192.168.1.254========[192.168.1.0/24
                                                                      [--------[192.168.1.1(router)192.168.2.1]----------192.168.2.0/24
</PRE>
<BR><BR>I am connected to the internet over an aircard using Ubuntu, so no
NAT'ing is in the way on my end. I need to establish a tunnel from my
machine to the sonicwall to gain access to the 192.168.1.0 AND 192.168.2.0
networks. I am using XAUTH on the
Sonicwall and it has NAT traverse enabled. I can successfully
authenticate and connect to the 192.168.1.0 network and I can ping
192.168.1.1. I can also ping 192.168.2.1 (other
interface on the router) but I cannot ping any other IPs on the 2.0
network. This connection is using the GroupVPN SA on the Standard OS
Sonicwall. How do I configure this? <BR><BR>Here's my ipsec.conf
config:<BR><BR>
<PRE>
config setup

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn net1
    left=my.ip
    leftid=@home
    leftxauthclient=yes
    right=ip.sonicwall (internet)
    rightsubnet=192.168.1.0/24
    rightxauthserver=yes
    rightid=@sonicwall identifier
    &lt;snip auth lines&gt;

conn net2
    left=my.ip
    leftid=@home
    leftxauthclient=yes
    right=ip.sonicwall (internet)
    rightsubnet=192.168.2.0
    rightxauthserver=yes
    rightid=@sonicwall identifier
    &lt;snip auth lines&gt;
</PRE>
I've
read through countless mailing lists and google links and the openswan wiki,
but I cannot figure out how to get this working. It has to be a routing
issue but I am still unfamiliar with ipsec so I am unsure of what to
change.<BR><BR>ANY assistance would be great!!<BR><BR>I would also like to
know what, if anything, would need to change for me to connect this tunnel
when my machine (laptop) is behind a firewall,
too.</DIV></BLOCKQUOTE></BODY></HTML>