<html><body bgcolor="#FFFFFF"><div></div><div><br><span class="Apple-style-span" style="-webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); font-size: medium; "><span>My goal is to set up a SITE to SITE VPN using a Pre-Shared-Key between</span><br>
<span>my openswan box and my Sonicwall.</span><br><span>I have been going at this for some time and now I am just moving in</span><br><span>circles. Any help will be greatly appreciated.</span><br><span></span><br><span>Leftside (openswan)</span><br>
<span>    Inside IP: 10.179.168.101/19  (eth1)</span><br><span>    Outside IP: 185.107.225.171/24  (eth0)</span><br><span></span><br><span>Rightside (sonicwall)</span><br>
<span>    Inside subnet: 192.168.168.0/24</span><br><span>    Outside IP: 217.58.22.147</span><br><span></span><br><span>My ipsec.conf file</span><br><span></span><br><span>config setup</span><br>
<span>  nat_traversal=yes</span><br><span>  nhelpers=0</span><br><span>  interfaces=&quot;ipsec0=eth0&quot;</span><br><span></span><br><span>conn sonicwall</span><br><span>    type=tunnel</span><br><span>    left=10.179.168.101 #Inside IP of Openswan server.</span><br>
<span>    leftid=@cloud</span><br><span>    leftxauthclient=yes</span><br><span>    right=217.58.22.147 #IP address of your sonicwall router</span><br><span>    rightsubnet=192.168.168.0/24 # inside subnet of sonicwall</span><br>
<span>    rightxauthserver=yes</span><br><span>    rightid=@sonicwall.unique.identifier</span><br><span>    keyingtries=0</span><br>
<span>    pfs=yes</span><br><span>    aggrmode=yes</span><br><span>    auto=add</span><br><span>    auth=esp</span><br><span>    esp=3DES-SHA1</span><br><span>    ike=3DES-SHA1</span><br><span>    authby=secret</span><br>
<span>    #xauth=yes</span><br><span></span><br><span></span><br><span>Results of starting the site to site</span><br><span>[root@FTOpenSwan etc]# ipsec auto --up sonicwall</span><br><span>003 &quot;sonicwall&quot; #1: multiple transforms were set in aggressive mode.</span><br>
<span>Only first one used.</span><br><span>003 &quot;sonicwall&quot; #1: transform (5,2,2,0) ignored.</span><br><span>003 &quot;sonicwall&quot;: pluto_do_crypto: helper (-1) is  exiting</span><br><span>003 &quot;sonicwall&quot; #1: multiple transforms were set in aggressive mode.</span><br>
<span>Only first one used.</span><br><span>003 &quot;sonicwall&quot; #1: transform (5,2,2,0) ignored.</span><br><span>112 &quot;sonicwall&quot; #1: STATE_AGGR_I1: initiate</span><br><span>010 &quot;sonicwall&quot; #1: STATE_AGGR_I1: retransmission; will wait 20s for response</span><br>
<span></span><br><span>STATUS</span><br><span></span><br><span>[root@FTOpenSwan ~]# ipsec auto --status</span><br><span>000 using kernel interface: netkey</span><br><span>000 interface lo/lo ::1</span><br><span>000 interface lo/lo 127.0.0.1</span><br>
<span>000 interface lo/lo 127.0.0.1</span><br><span>000 interface eth0/eth0 185.107.225.171</span><br><span>000 interface eth0/eth0 185.107.225.171</span><br><span>000 interface eth1/eth1 10.179.168.101</span><br><span>000 interface eth1/eth1 10.179.168.101</span><br>
<span>000 %myid = (none)</span><br><span>000 debug none</span><br><span>000</span><br><span>000 virtual_private (%priv):</span><br><span>000 - allowed 0 subnets:</span><br><span>000 - disallowed 0 subnets:</span><br><span>000 WARNING: Either virtual_private= was not specified, or there was a syntax</span><br>
<span>000          error in that line. &#39;left/rightsubnet=%priv&#39; will not work!</span><br><span>000</span><br><span>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,</span><br><span>keysizemax=64</span><br>
<span>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,</span><br><span>keysizemin=192, keysizemax=192</span><br><span>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,</span><br><span>keysizemin=40, keysizemax=128</span><br>
<span>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,</span><br><span>keysizemin=40, keysizemax=448</span><br><span>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,</span><br><span>keysizemin=0, keysizemax=0</span><br>
<span>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,</span><br><span>keysizemin=128, keysizemax=256</span><br><span>000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,</span><br><span>keysizemin=128, keysizemax=256</span><br>
<span>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,</span><br><span>keysizemin=128, keysizemax=256</span><br><span>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,</span><br><span>keysizemin=128, keysizemax=256</span><br>
<span>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,</span><br><span>keysizemin=128, keysizemax=256</span><br><span>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,</span><br><span>keysizemin=128, keysizemax=256</span><br>
<span>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,</span><br><span>keysizemin=128, keysizemax=256</span><br><span>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,</span><br><span>keysizemin=128, keysizemax=256</span><br>
<span>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,</span><br><span>keysizemin=128, keysizemax=256</span><br><span>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,</span><br><span>keysizemin=128, keysizemax=256</span><br>
<span>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,</span><br><span>keysizemin=128, keysizemax=256</span><br><span>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,</span><br><span>keysizemin=128, keysizemax=128</span><br>
<span>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,</span><br><span>keysizemin=160, keysizemax=160</span><br><span>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,</span><br><span>keysizemin=256, keysizemax=256</span><br>
<span>000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,</span><br><span>keysizemin=384, keysizemax=384</span><br><span>000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,</span><br><span>keysizemin=512, keysizemax=512</span><br>
<span>000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,</span><br><span>keysizemin=160, keysizemax=160</span><br><span>000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,</span><br><span>keysizemin=128, keysizemax=128</span><br>
<span>000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0</span><br><span>000</span><br><span>000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131</span><br><span>000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC,</span><br>
<span>blocksize=8, keydeflen=128</span><br><span>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,</span><br><span>keydeflen=192</span><br><span>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,</span><br>
<span>keydeflen=128</span><br><span>000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,</span><br><span>blocksize=16, keydeflen=128</span><br><span>000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,</span><br>
<span>blocksize=16, keydeflen=128</span><br><span>000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,</span><br><span>blocksize=16, keydeflen=128</span><br><span>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16</span><br>
<span>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20</span><br><span>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32</span><br><span>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64</span><br>
<span>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024</span><br><span>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536</span><br><span>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048</span><br>
<span>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072</span><br><span>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096</span><br><span>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144</span><br>
<span>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192</span><br><span>000</span><br><span>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64}</span><br><span>trans={0,1,3072} attrs={0,1,2048}</span><br>
<span>000</span><br><span>000 &quot;sonicwall&quot;:</span><br><span>10.179.168.101&lt;10.179.168.101&gt;[@cloud,+XC+S=C]...217.58.22.147&lt;217.58.22.147&gt;[@0017C55C5692,+XS+S=C]===192.168.168.0/24;</span><br>
<span>unrouted; eroute owner: #0</span><br><span>000 &quot;sonicwall&quot;:     myip=unset; hisip=unset;</span><br><span>000 &quot;sonicwall&quot;:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:</span><br><span>540s; rekey_fuzz: 100%; keyingtries: 0</span><br>
<span>000 &quot;sonicwall&quot;:   policy:</span><br><span>PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW+lKOD+rKOD; prio:</span><br><span>32,24; interface: eth1;</span><br><span>000 &quot;sonicwall&quot;:   newest ISAKMP SA: #0; newest IPsec SA: #0;</span><br>
<span>000 &quot;sonicwall&quot;:   IKE algorithms wanted:</span><br><span>3DES_CBC(5)_000-SHA1(2)-MODP1536(5),</span><br><span>3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict</span><br><span>000 &quot;sonicwall&quot;:   IKE algorithms found:</span><br>
<span>3DES_CBC(5)_192-SHA1(2)_160-5, 3DES_CBC(5)_192-SHA1(2)_160-2,</span><br><span>000 &quot;sonicwall&quot;:   ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict</span><br><span>000 &quot;sonicwall&quot;:   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160</span><br>
<span>000</span><br><span>000 #1: &quot;sonicwall&quot;:500 STATE_AGGR_I1 (sent AI1, expecting AR1);</span><br><span>EVENT_RETRANSMIT in 18s; nodpd; idle; import:admin initiate</span><br><span>000 #1: pending Phase 2 for &quot;sonicwall&quot; replacing #0</span><br>
<br></span></div></body></html>