<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7651.59">
<TITLE>RE: [Openswan Users] Tunnel initiates to Sonicwall but cannot reach anything inside network</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Have you run ipsec verify?<BR>
<BR>
What does your tcpdump or wireshark trace show?<BR>
<BR>
Have you set up masquerading correctly?<BR>
<BR>
<BR>
What version of openswan?<BR>
-----Original Message-----<BR>
From: users-bounces@openswan.org on behalf of Michael Leonetti<BR>
Sent: Mon 2/15/2010 5:27 PM<BR>
To: users@openswan.org<BR>
Subject: [Openswan Users] Tunnel initiates to Sonicwall but cannot reach anything inside network<BR>
<BR>
I set up a connection to a Sonicwall system with the current config:<BR>
<BR>
<BR>
<BR>
conn sonicwall<BR>
left=(leftip)<BR>
leftsubnet=10.1.1.0/24<BR>
leftid=(leftid)<BR>
right=(rightip)<BR>
rightsubnet=10.10.12.0/24<BR>
rightid=(rightid)<BR>
keyingtries=0<BR>
pfs=no<BR>
aggrmode=yes<BR>
auto=add<BR>
auth=esp<BR>
esp=3des-sha1<BR>
ike=3des-sha1<BR>
authby=secret<BR>
xauth=no<BR>
keyexchange=ike<BR>
<BR>
<BR>
<BR>
And I can get it up just fine:<BR>
<BR>
fortissimo linux # ipsec auto --up sonicwall<BR>
003 "sonicwall" #5: multiple transforms were set in aggressive mode. Only first one used.<BR>
003 "sonicwall" #5: transform (5,2,2,0) ignored.<BR>
003 "sonicwall" #5: multiple transforms were set in aggressive mode. Only first one used.<BR>
003 "sonicwall" #5: transform (5,2,2,0) ignored.<BR>
112 "sonicwall" #5: STATE_AGGR_I1: initiate<BR>
003 "sonicwall" #5: ignoring unknown Vendor ID payload [404bf439522ca3f6]<BR>
003 "sonicwall" #5: ignoring unknown Vendor ID payload [5b362bc820f60007]<BR>
003 "sonicwall" #5: received Vendor ID payload [RFC 3947] method set to=109<BR>
003 "sonicwall" #5: received Vendor ID payload [Dead Peer Detection]<BR>
003 "sonicwall" #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected<BR>
004 "sonicwall" #5: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}<BR>
117 "sonicwall" #6: STATE_QUICK_I1: initiate<BR>
004 "sonicwall" #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x97b8d6ff <0x0eb44887 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}<BR>
<BR>
<BR>
000 interface lo/lo 127.0.0.1 <BR>
000 interface lo/lo 127.0.0.1 <BR>
000 interface eth0/eth0 (leftip) <BR>
000 interface eth0/eth0 (leftip) <BR>
000 interface br0/br0 10.1.1.1 <BR>
000 interface br0/br0 10.1.1.1 <BR>
000 %myid = (none) <BR>
000 debug none <BR>
000 <BR>
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 <BR>
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 <BR>
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 <BR>
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0 <BR>
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256 <BR>
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256 <BR>
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256 <BR>
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256 <BR>
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 <BR>
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 <BR>
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 <BR>
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128 <BR>
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0 <BR>
000 <BR>
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 <BR>
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 <BR>
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 <BR>
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 <BR>
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 <BR>
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 <BR>
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 <BR>
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 <BR>
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 <BR>
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 <BR>
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 <BR>
000 <BR>
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,64} trans={0,4,960} attrs={0,4,320} <BR>
000<BR>
000 "sonicwall": 10.1.1.0/24===(leftip)...(rightip)===10.10.12.0/24; erouted; eroute owner: #6<BR>
000 "sonicwall": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<BR>
000 "sonicwall": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<BR>
000 "sonicwall": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio: 24,24; interface: eth0; encap: esp;<BR>
000 "sonicwall": newest ISAKMP SA: #5; newest IPsec SA: #6;<BR>
000 "sonicwall": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict<BR>
000 "sonicwall": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)<BR>
000 "sonicwall": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536<BR>
000 "sonicwall": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict<BR>
000 "sonicwall": ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict<BR>
000 "sonicwall": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A><BR>
000<BR>
000 #6: "sonicwall":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28036s; newest IPSEC; eroute owner<BR>
000 #6: "sonicwall" esp.97b8d6ff@(rightip) esp.eb44887@72.68.153.122 tun.0@(rightip) tun.0@(leftip)<BR>
000 #5: "sonicwall":500 STATE_AGGR_I2 (sent AI2, ISAKMP SA established); EVENT_SA_REPLACE in 2554s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)<BR>
000<BR>
<BR>
<BR>
When I try to reach anything in the network:<BR>
<BR>
fortissimo linux # ping 10.10.12.199<BR>
PING 10.10.12.199 (10.10.12.199) 56(84) bytes of data.<BR>
>From 130.81.12.202 icmp_seq=6 Destination Net Unreachable<BR>
>From 130.81.12.202 icmp_seq=12 Destination Net Unreachable<BR>
<BR>
<BR>
But I can reach:<BR>
<BR>
fortissimo linux # ping 10.10.12.1<BR>
PING 10.10.12.1 (10.10.12.1) 56(84) bytes of data.<BR>
64 bytes from 10.10.12.1: icmp_seq=1 ttl=243 time=21.1 ms<BR>
64 bytes from 10.10.12.1: icmp_seq=2 ttl=243 time=12.2 ms<BR>
<BR>
<BR>
But the problem is that when I stop ipsec I can still ping 10.10.12.1 even though it's not defined anywhere else :X. I'm actually not even sure if I got an IP on the remote side. DHCP isn't even enabled on the remote side so I'm not sure what IP I'd get or if I even need one.<BR>
<BR>
<BR>
<BR>
Thanks.<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>