The remote Sonicwall doesn't support L2TP (from what I can tell in the administration). Is there a way that I can "fake" the IP stack out to use a remote IP locally? Perhaps with some sort of smoke and mirrors with tun/tap devices and some hard routes (proxy arp,too)? I have tried doing device aliases but that does not seem to work (i.e. if my internet device is ppp0, configuring a ppp0:0 with <a href="http://192.168.1.152/24">192.168.1.152/24</a>). <br>
<br>From what I can tell with the feedback I've been given, this issue looks like a routing problem on the devices on the <a href="http://192.168.2.0">192.168.2.0</a> network. In other words, if I try to ping <a href="http://192.168.2.85">192.168.2.85</a> the device cannot reply back to me because I'm connected with my internet address and the device will try to reply using its normal default gw. <br>
<br>Grasping at straws here...<br><br><div class="gmail_quote">On Fri, Apr 25, 2008 at 12:29 PM, Peter McGill <<a href="mailto:petermcgill@goco.net">petermcgill@goco.net</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Only way I know of using openswan is to use
xl2tpd.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">IPSec doesn't handle virtual IPs.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">L2TP does.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">That's how Windows IPSec works, it's actually
L2TP/IPSec.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">L2TP running on top of IPSec for
security.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Look for Jacco's docs on setting up l2tp client with
ipsec.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Specifically it's recommended to use xl2tpd (from
xelerance,</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">the makers of openswan) with openswan.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Note that I haven't done this myself, so I'm cc'ing the
list, in</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">case someone else has better or more specific advice
here.</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2"></font></span> </div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">Note, your openswan version is a little out of
date...</font></span></div>
<div dir="ltr" align="left"><span><font color="#0000ff" face="Arial" size="2">I think 2.4.11 is the official stable
version.</font></span></div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div> </div><br>
<blockquote style="border-left: 2px solid rgb(0, 0, 255); padding-left: 5px; margin-left: 5px; margin-right: 0px;">
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><div class="Ih2E3d"><b>From:</b> Chris Zimmerman
[mailto:<a href="mailto:czimmer@wczimmerman.dyndns.org" target="_blank">czimmer@wczimmerman.dyndns.org</a>] <br></div><b>Sent:</b> April 25, 2008 3:15
PM<div><div></div><div class="Wj3C7c"><br><b>To:</b> <a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a><br><b>Subject:</b> Re: [Openswan Users]
Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting
issues<br></div></div></font><br></div><div><div></div><div class="Wj3C7c">
<div></div>Ah-then that may be the issue. My presence on the remote LAN
is with my Internet IP. The other Windows clients that connect to this
VPN using the Sonicwall client are assigned a dynamic address which is on the
local LAN (192.168.1.x) and the client also creates routes at connection
time to allow them to navigate through to the <a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a> and other remote
networks. <br><br>So-how can I assign a "local" ip to my
connection? Is this even possible? <br><br>Thanks so much again
for your help. <br><br>
<div class="gmail_quote">On Fri, Apr 25, 2008 at 12:10 PM, Peter McGill <<a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<p><span lang="en-us"><font color="#0000ff" face="Arial" size="2">I cannot see
anything wrong here, everything looks correct.</font></span> <br><span lang="en-us"><font color="#0000ff" face="Arial" size="2">Your connections are
connected successfully,</font></span> <br><span lang="en-us"><font color="#0000ff" face="Arial" size="2">You have no firewall rules blocking
traffic,</font></span> <br><span lang="en-us"><font color="#0000ff" face="Arial" size="2">The routes have been put in by IPSec.</font></span> <br><span lang="en-us"><font color="#0000ff" face="Arial" size="2">Are you sure it's not a
routing problem on the other side of the SonicWall?</font></span> <br><span lang="en-us"><font color="#0000ff" face="Arial" size="2">I.e. the computers in the
2.0 net and/or their gateway will need to know to send</font></span>
<br><span lang="en-us"><font color="#0000ff" face="Arial" size="2">traffic destined
for your ip address (68.27..) to the SonicWall (or 1.0 net) for
delivery,</font></span> <br><span lang="en-us"><font color="#0000ff" face="Arial" size="2">and not to their usual internet connection (assuming it isn't the
SonicWall.)</font></span> <br><span lang="en-us"><font color="#0000ff" face="Arial" size="2">Try sniffing the traffic at the LAN side of the
SonicWall: do your tests for 2.0 appear but</font></span> <br><span lang="en-us"><font color="#0000ff" face="Arial" size="2">without
responses?</font></span> </p><br>
<p><span lang="en-us"><font face="Arial" size="2">Peter McGill</font></span>
</p><br>
<ul>
<p></p>
<div><span lang="en-us"><font face="Tahoma" size="1">_____________________________________________
</font></span><br><span lang="en-us"><b><font face="Tahoma" size="1">From:
</font></b> <font face="Tahoma" size="1">Chris Zimmerman
[</font></span><a href="mailto:czimmer@wczimmerman.dyndns.org" target="_blank"><span lang="en-us"><u><font color="#0000ff" face="Tahoma" size="1">mailto:czimmer@wczimmerman.dyndns.org</font></u></span></a><span lang="en-us"><font face="Tahoma" size="1">] </font></span><br>
</div><span lang="en-us"><b><font face="Tahoma" size="1">Sent: </font></b> <font face="Tahoma" size="1">April 25, 2008 2:27 PM</font></span> <br>
<div><span lang="en-us"><b><font face="Tahoma" size="1">To: </font></b> <font face="Tahoma" size="1"><a href="mailto:petermcgill@goco.net" target="_blank">petermcgill@goco.net</a></font></span> <br><span lang="en-us"><b><font face="Tahoma" size="1">Subject: </font></b> <font face="Tahoma" size="1">Re: [Openswan Users] Anyone? Anyone? "Roadwarrior" to
SonicWall VPNrouting issues</font></span> </div>
<p><span lang="en-ca"><font face="Arial">See attached.
<div><br><br>I did scrub the file a bit (to protect the
innocent) and the only deviation from my original post/IP's is that my
Sonicwall device is </div></font></span><a href="http://63.63.63.63" target="_blank"><span lang="en-ca"><u><font color="#0000ff" face="Arial">63.63.63.63</font></u></span></a><span lang="en-ca"><font face="Arial"> in the output file rather than </font></span><a href="http://1.1.1.1" target="_blank"><span lang="en-ca"><u><font color="#0000ff" face="Arial">1.1.1.1</font></u></span></a><span lang="en-ca"><font face="Arial">. If the scrubbing makes things more confusing, then I
can send the original output to you as well. I wasn't comfortable
with sending that info to the whole
list.<br><br>Thanks!<br><br><br><br></font></span>
</p><p></p>
<div><br><span lang="en-ca"><font face="Arial">On Fri, Apr 25,
2008 at 11:23 AM, Peter McGill <</font></span><a href="mailto:petermcgill@goco.net" target="_blank"><span lang="en-ca"><u><font color="#0000ff" face="Arial">petermcgill@goco.net</font></u></span></a><span lang="en-ca"><font face="Arial">> wrote:<br>
</font></span></div>
<div>
<ul>
<p><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">Other people
might appreciate not receiving a large barf, so it may be best to try
just me</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">first, unless I cannot resolve your
problem.</font></span> <br><span lang="en-ca"><font face="Arial"> </font></span> <br><span lang="en-ca"><font face="Arial" size="2">Peter McGill</font></span> <br><span lang="en-ca"><font face="Arial"> </font></span> </p>
<br></ul>
<p align="justify"><u><span lang="en-us"><font face="Courier New"> </font><font face="Courier New"> _____
<br></font></span></u></p></div>
<ul>
<ul>
<p><span lang="en-us"><b><font face="Tahoma" size="2">From:</font></b><font face="Tahoma" size="2"> Chris Zimmerman [</font></span><a href="mailto:czimmer@wczimmerman.dyndns.org" target="_blank"><span lang="en-us"><u><font color="#0000ff" face="Tahoma" size="2">czimmer@wczimmerman.dyndns.org</font></u></span></a><span lang="en-us"><font face="Tahoma" size="2">]<br>
</font>
<div>
<div></div>
<div><b><font face="Tahoma" size="2">Sent:</font></b><font face="Tahoma" size="2"> April 25, 2008 2:16 PM<br></font><b><font face="Tahoma" size="2">To:</font></b><font face="Tahoma" size="2">
</font></div></div></span><a href="mailto:petermcgill@goco.net" target="_blank"><span lang="en-us"><u><font color="#0000ff" face="Tahoma" size="2">petermcgill@goco.net</font></u></span></a>
</p><p></p>
<div>
<div></div>
<div><span lang="en-us"><br><b><font face="Tahoma" size="2">Subject:</font></b><font face="Tahoma" size="2"> Re: [Openswan
Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting
issues<br></font><br></span><br><span lang="en-ca"><font face="Arial">Would you rather I post the output of ipsec barf on the
list or to you directly?<br><br>Thanks!<br><br></font></span><br><span lang="en-ca"><font face="Arial">On Fri, Apr 25, 2008 at 10:35 AM, Peter
McGill <</font></span><a href="mailto:petermcgill@goco.net" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">petermcgill@goco.net</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font face="Arial">>
wrote:<br></font></span></div></div>
<div>
<div></div>
<div>
<ul>
<p><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">Well I've
never worked with XAUTH or a SonicWall specifically, but two general
suggestions.</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">1) This might just be an email typo,
but...</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">conn net2</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">
rightsubnet=</font></span><a href="http://192.168.2.0" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial" size="2">192.168.2.0</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"></span> <br>
<span lang="en-ca"><font color="#0000ff" face="Arial" size="2">should
be</font></span> <br><span lang="en-ca"><font face="Arial"> </font><font color="#0000ff" face="Arial" size="2">rightsubnet=</font></span><a href="http://192.168.2.0/24" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial" size="2">192.168.2.0/24</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"></span> <br>
<span lang="en-ca"><font face="Arial"> </font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">Otherwise from the
information provided, I cannot see any problems, so...</font></span>
<br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">2) Give
us more information.</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">The output of...</font></span>
<br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">ipsec
barf</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">Preferably in an attachment and not the email
body.</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">Note from man ipsec_barf:</font></span> </p>
<p><span lang="en-ca"><font color="#0000ff" face="Arial" size="2"> Barf censors its output,
replacing keys and secrets with brief check-<br>
sums to avoid revealing sensitive information.</font></span>
<br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">Also send
us the SonicWall configuration information (without keys of
course).</font></span> <br><span lang="en-ca"><font face="Arial"> </font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">As for your firewall question, You
need to allow the following in/out connections:</font></span>
<br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">udp/isakmp (proto 17 port 500)</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">esp (proto
50)</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">And if using NAT-T</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">udp/4500 (proto 17
port 4500)</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">If the firewall is on the same computer as
IPSec, then you'll also need to allow,</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">the private
tunnelled traffic ie) to/from </font></span><a href="http://192.168.1.0/24" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial" size="2">192.168.1.0/24</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font color="#0000ff" face="Arial" size="2"> and </font></span><a href="http://192.168.2.0/24" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial" size="2">192.168.2.0/24</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">.</font></span> <br>
<span lang="en-ca"><font color="#0000ff" face="Arial" size="2">If you're using SNAT or MASQUERADE on
your IPSec device, you'll need to exempt,</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">the private
tunnelled traffic from that.</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">If the firewall is
on a different computer between IPSec endpoints, then you'll need
to</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">forward the above isakmp, esp and possibly NAT-T inbound to
the IPSec router to accept</font></span> <br><span lang="en-ca"><font color="#0000ff" face="Arial" size="2">connections from the other
side.</font></span> <br><span lang="en-ca"><font face="Arial"> </font></span> <br><span lang="en-ca"><font face="Arial" size="2">Peter McGill</font></span> <br><span lang="en-ca"><font face="Arial"> </font></span>
</p><br></ul></div></div></ul></ul>
<p align="justify"><u><span lang="en-us"><font face="Courier New"> </font><font face="Courier New"> _____
<br></font></span></u></p>
<ul>
<ul>
<ul>
<ul>
<p><span lang="en-us"><b><font face="Tahoma" size="2">From:</font></b><font face="Tahoma" size="2"> </font></span><a href="mailto:users-bounces@openswan.org" target="_blank"><span lang="en-us"><u><font color="#0000ff" face="Tahoma" size="2">users-bounces@openswan.org</font></u></span></a><span lang="en-us"><font face="Tahoma" size="2"> [</font></span><a href="mailto:users-bounces@openswan.org" target="_blank"><span lang="en-us"><u><font color="#0000ff" face="Tahoma" size="2">users-bounces@openswan.org</font></u></span></a><span lang="en-us"><font face="Tahoma" size="2">]</font><b> <font face="Tahoma" size="2">On Behalf Of</font></b> <font face="Tahoma" size="2">Chris
Zimmerman<br></font>
<div>
<div></div>
<div><b><font face="Tahoma" size="2">Sent:</font></b><font face="Tahoma" size="2"> April 25, 2008
1:00 PM<br></font><b><font face="Tahoma" size="2">To:</font></b><font face="Tahoma" size="2"> </font></div></div></span><a href="mailto:users@openswan.org" target="_blank"><span lang="en-us"><u><font color="#0000ff" face="Tahoma" size="2">users@openswan.org</font></u></span></a>
</p><p></p>
<div>
<div></div>
<div><span lang="en-us"><br><b><font face="Tahoma" size="2">Subject:</font></b><font face="Tahoma" size="2"> [Openswan
Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting
issues<br></font><br></span><br><span lang="en-ca"><font face="Arial">I'm not trying to be a pest, but I have to get this
working:<br><br>I have been fighting through this setup for more
than a week now and I'm at a brick wall. <br><br>My
setup:<br><br>my.ip-----------{internet}-----</font></span><a href="http://1.1.1.1" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">1.1.1.1</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font face="Arial">(sonicwall)</font></span><a href="http://192.168.1.254" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.1.254</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font face="Arial">========[</font></span><a href="http://192.168.1.0/24" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.1.0/24</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><br>
</span><br><span lang="en-ca"><font face="Arial">
[--------[</font></span><a href="http://192.168.1.1/" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.1.1</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font face="Arial">(router)</font></span><a href="http://192.168.2.1/" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.2.1</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font face="Arial">]----------</font></span><a href="http://192.168.2.0/24" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.2.0/24</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><br>
<font face="Arial"> <br><br>I
am connected to the internet over an aircard using Ubuntu, so no
NAT'ing is in the way on my end. I need to establish a
tunnel from my machine to the sonicwall to gain access to the
</font></span><a href="http://192.168.1.0/" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.1.0</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font face="Arial"> AND
</font></span><a href="http://192.168.2.0/" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.2.0</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font face="Arial">
networks. I am using XAUTH on the Sonicwall and it has NAT
traverse enabled. I can successfully authenticate and
connect to the </font></span><a href="http://192.168.1.0/" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.1.0</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font face="Arial"> network
and I can ping </font></span><a href="http://192.168.1.1/" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.1.1</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font face="Arial">. I
can also ping </font></span><a href="http://192.168.2.1/" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.2.1</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><font face="Arial"> (other
interface on the router) but I cannot ping any other IP's on the
2.0 network. This connection is using the GroupVPN SA on the
Standard OS Sonicwall. How do I configure
this? <br><br>Here's my ipsec.conf config:<br><br>config
setup<br><br>conn block<br> auto=ignore<br>conn
private<br> auto=ignore<br>conn
private-or-clear<br> auto=ignore<br>conn
clear-or-private<br> auto=ignore<br>conn
clear<br> auto=ignore<br>conn
packetdefault<br> auto=ignore<br><br>conn
net1<br>
left=my.ip<br>
leftid=@home<br>
leftxauthclient=yes<br> right=ip.sonicwall
(internet)<br>
rightsubnet=</font></span><a href="http://192.168.1.0/24" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.1.0/24</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><br>
<font face="Arial">
rightxauthserver=yes<br>
rightid=@sonicwall identifier<br> <snip
auth lines><br> <br><br>conn
net2<br>
left=my.ip<br>
leftid=@home<br>
leftxauthclient=yes<br> right=ip.sonicwall
(internet)<br>
rightsubnet=</font></span><a href="http://192.168.2.0/" target="_blank"><span lang="en-ca"></span><span lang="en-ca"><u><font color="#0000ff" face="Arial">192.168.2.0</font></u></span><span lang="en-ca"></span></a><span lang="en-ca"><br>
<font face="Arial">
rightxauthserver=yes<br>
rightid=@sonicwall identifier<br> <snip
auth lines><br><br>I've read through countless mailing lists
and google links and the openswan wiki, but I cannot figure out
how to get this working. It has to be a routing issue but I
am still unfamiliar with ipsec so I am unsure of what to
change.<br><br>ANY assistance would be great!!<br><br>I would also
like to know what, if anything, would need to change for me to
connect this tunnel when my machine (laptop) is behind a firewall,
too.</font></span></div></div><br><br></ul></ul></ul></ul>
<p><span lang="en-ca"><b><font face="System" size="2"> << File:
ipsec.barf.output >>
</font></b></span></p></ul></div></blockquote></div><br></div></div></blockquote></div>
</blockquote></div><br>
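Added example, not part of the thread above: a small Python model of the reply path Peter describes, showing why a host on 192.168.2.0/24 sends its answer to the road warrior's public address out the regular internet path, and how either a host route on the LAN router or a LAN-side virtual address that the SonicWall answers ARP for (what the L2TP/IPsec approach provides) brings the reply back to the tunnel. The internet gateway 192.168.1.253, the public address 68.27.0.10 and the node names are constructed assumptions; the other addresses come from the thread.

```python
"""Reply-path model for the road-warrior routing problem in the thread (added example, not from the thread).
Topology as Chris describes it: SonicWall 192.168.1.254 on the LAN, router 192.168.1.1/192.168.2.1 in front
of 192.168.2.0/24.  Constructed assumptions: the router's separate internet gateway 192.168.1.253 and the
road warrior's public address 68.27.0.10 (a stand-in for the "68.27.." address Peter mentions)."""
import ipaddress
from typing import List, Optional, Sequence, Tuple

IPv4, N = ipaddress.IPv4Address, ipaddress.ip_network
Route = Tuple[ipaddress.IPv4Network, Optional[str]]   # (prefix, next hop; None = directly connected)
ROAD_WARRIOR_PUBLIC = "68.27.0.10"   # constructed
VIRTUAL_IP = "192.168.1.152"         # the LAN-side address Chris tried to alias onto ppp0:0


class Node:
    """A host, router or sink (empty route table) plus the addresses it answers ARP for."""
    def __init__(self, name: str, addrs: Sequence[str], routes: Sequence[Route], proxy_arp: Sequence[str] = ()):
        self.name, self.routes = name, list(routes)
        self.answers = {IPv4(a) for a in (*addrs, *proxy_arp)}   # proxy ARP: answering for a VPN client

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match; None when nothing (not even a default route) matches."""
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def build_lab(router_static: Sequence[Route] = (), sonicwall_proxy_arp: Sequence[str] = ()) -> List[Node]:
    """The modelled LAN.  The SonicWall and the internet gateway are sinks: reaching one ends a trace."""
    return [
        Node("host-2.85", ["192.168.2.85"], [(N("192.168.2.0/24"), None), (N("0.0.0.0/0"), "192.168.2.1")]),
        Node("router", ["192.168.2.1", "192.168.1.1"],
             [(N("192.168.2.0/24"), None), (N("192.168.1.0/24"), None),
              (N("0.0.0.0/0"), "192.168.1.253"), *router_static]),
        Node("sonicwall", ["192.168.1.254"], [], sonicwall_proxy_arp),  # IPsec endpoint: into the tunnel
        Node("internet-gw", ["192.168.1.253"], []),                    # plain internet path: tunnel bypassed
    ]


def trace_reply(nodes: List[Node], start: str, dst: str, max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow a reply from `start` toward `dst` hop by hop until it reaches a sink or dead-ends."""
    node, path, dst_ip = next(n for n in nodes if n.name == start), [start], IPv4(dst)
    for _ in range(max_hops):
        route = node.lookup(dst_ip)
        if route is None:
            return path, "no route"
        prefix, nexthop = route
        target = dst_ip if nexthop is None else IPv4(nexthop)   # who must answer ARP for this hop
        owner = next((n for n in nodes if target in n.answers), None)
        if owner is None:
            return path, f"nobody on {prefix} answers ARP for {target}"
        path.append(owner.name)
        if not owner.routes:
            return path, f"reaches {owner.name}"
        node = owner
    return path, "loop"


def reply_to_public_ip() -> Tuple[List[str], str]:
    """Case 1, the thread's symptom: the reply to the public address follows the default route."""
    return trace_reply(build_lab(), "host-2.85", ROAD_WARRIOR_PUBLIC)


def reply_with_static_route() -> Tuple[List[str], str]:
    """Case 2, Peter's suggestion: the router is told to send that address to the SonicWall."""
    static = [(N(ROAD_WARRIOR_PUBLIC + "/32"), "192.168.1.254")]
    return trace_reply(build_lab(router_static=static), "host-2.85", ROAD_WARRIOR_PUBLIC)


def reply_to_virtual_ip(sonicwall_answers: bool) -> Tuple[List[str], str]:
    """Case 3, a LAN-side virtual IP: works only if the SonicWall answers ARP for it on the 1.0 net."""
    return trace_reply(build_lab(sonicwall_proxy_arp=[VIRTUAL_IP] if sonicwall_answers else []), "host-2.85", VIRTUAL_IP)
```

Each function returns the nodes the reply visits and where it ends up, so the three cases can be compared directly.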