[Openswan Users] Sonicwall with Openswan

Erik Lotspeich erik at lotspeich.org
Wed Apr 19 12:14:44 CEST 2006


Hi Paul,

Thanks for your good suggestions.  I made the changes to my configuration, 
but to no avail.  The "xauthserver" and "xauthclient" don't seem to be 
supported in my version -- maybe a newer pre-release version of openswan 
supports this.

root at dell:/home/erik# ipsec --version
Linux Openswan U2.4.5/K2.6.16 (netkey)
See `ipsec --copyright' for copyright information.

Or maybe there's a newer version that I didn't notice yet.

I'll try to get some logs from the IT guy in my company -- he never ceases 
to help me out.

Do you believe that it should be possible to get this working with the 
SonicWall?  Have other people done this?  I don't want to waste your time 
if there's some fundamental limitation.

Thanks again,

Erik.

On Wed, 19 Apr 2006, Paul Wouters wrote:

> On Wed, 19 Apr 2006, Erik Lotspeich wrote:
>
>> Phase I:
>> Encryption Algorithm: 3DES-CBC (192-bit)
>> Hash: SHA
>> Auth method: Xauth w/pre-shared key
>> Diffie-Hellman: Alt. 1024-bit MODP (Grp. 2)
>
> translates to: ike=3des-sha1-modp1024
>
>> Phase II:
>> Encapsulating sec. payload
>> Encap. mode: UDP
>> Encr: 3DES
>> Hash: HMAC-SHA
>
> translates to: esp=3des-sha1
>
>> conn sonicwall
>>      left=%defaultroute
>>      leftid=@home
>>      leftxauthclient=yes
>>      right=1.2.3.4
>>      rightsubnet=192.168.44.0/22
>>      rightxauthserver=yes
>>      rightid=@sonicwall.unique.firewall.identifier
>>      keyingtries=0
>>      pfs=yes
>
> Are you sure about pfs=yes? Try pfs=no if adding the above two lines
> does not help.
>
>>      auto=add
>>      auth=esp
>>      authby=secret
>>      xauth=yes
>
> I don't think "xauth=yes" is used anymore, it is replaced by xauthclient= and
> xauthserver=
>
>> root at dell:/home/erik# ipsec auto --up sonicwall
>> 104 "sonicwall" #39: STATE_MAIN_I1: initiate
>> 003 "sonicwall" #39: ignoring unknown Vendor ID payload [5b362bc820f60001]
>> 106 "sonicwall" #39: STATE_MAIN_I2: sent MI2, expecting MR2
>> 003 "sonicwall" #39: ignoring unknown Vendor ID payload [404bf439522ca3f6]
>> 003 "sonicwall" #39: received Vendor ID payload [XAUTH]
>> 003 "sonicwall" #39: received Vendor ID payload [Dead Peer Detection]
>> 108 "sonicwall" #39: STATE_MAIN_I3: sent MI3, expecting MR3
>> 003 "sonicwall" #39: ignoring informational payload, type INVALID_PAYLOAD_TYPE
>
> I guess it did not like something.... Can you get more logs from the other end?
>
>> The Windows client prompts me for a username and password.  I don't know how
>> to supply a username to openswan -- and it doesn't prompt for one.
>
> It will prompt you when you complete phase 1 and enter phase 2. You don't get that
> far.
>
> Paul
>
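Putting Paul's mapping together, here is an ipsec.conf that applies his suggestions in one place. This is an added example for readers of the thread, not Erik's posted configuration and not something either poster supplied: it assumes an Openswan build that accepts the leftxauthclient=/rightxauthserver= keywords (Erik reports his 2.4.5 rejects them), and the peer address, subnet and IDs are the placeholders already used in the thread. The nat_traversal=yes line is an assumption based on the SonicWall "Encap. mode: UDP" setting.

```ini
# Added example (not from the original posts): a conn that applies the
# parameter mapping quoted above -- 3DES/SHA1/MODP1024 for Phase I,
# 3DES/HMAC-SHA for Phase II, XAUTH client authentication on top of a
# pre-shared key.  Assumes an Openswan version that understands
# leftxauthclient=/rightxauthserver=.
config setup
        interfaces=%defaultroute
        # Assumption: "Encap. mode: UDP" on the SonicWall means UDP
        # encapsulation of ESP, so enable NAT traversal so the client
        # can negotiate it (and work from behind a NAT router).
        nat_traversal=yes

conn sonicwall
        left=%defaultroute
        leftid=@home
        # This host is the XAUTH client (it will be asked for a
        # username and password once Phase 1 completes).
        leftxauthclient=yes
        right=1.2.3.4
        rightid=@sonicwall.unique.firewall.identifier
        rightsubnet=192.168.44.0/22
        # The SonicWall is the XAUTH server.
        rightxauthserver=yes
        # Phase I proposal taken from the SonicWall policy:
        # Encryption 3DES-CBC, Hash SHA, DH group 2 (1024-bit MODP).
        ike=3des-sha1-modp1024
        # Phase II proposal: ESP with 3DES and HMAC-SHA.
        esp=3des-sha1
        # Paul suggests trying pfs=no if the tunnel still fails with
        # pfs=yes; the SonicWall policy shown does not list a Phase II
        # DH group, which is consistent with PFS being off.
        pfs=no
        authby=secret
        auth=esp
        keyingtries=0
        auto=add
```

The pre-shared key goes in ipsec.secrets as an entry of the form `@home @sonicwall.unique.firewall.identifier : PSK "..."` with the real key substituted. After editing, reload with `ipsec auto --add sonicwall` (or restart the ipsec service) and bring the tunnel up with `ipsec auto --up sonicwall`; per Paul's reply, the XAUTH username/password prompt only appears after Phase 1 has completed, so if the log still stops at STATE_MAIN_I3 with an INVALID_PAYLOAD_TYPE notification, the problem is in the Phase 1 proposal or identities, not in XAUTH.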

