[Openswan Users] Problem connecting to Sonicwall 2040

Aaron Kincer kincera at gmail.com
Sat Aug 19 14:35:02 EDT 2006


Hello everyone, first time here.

I'm trying to connect to a Sonicwall Pro 2040 running their Enhanced OS
using the Group VPN. I've followed both the Openswan wiki documentation
using 3DES/MD5 and the Sonicwall documentation using 3DES/SHA1 with little
luck. Turning off aggressive mode seems to allow the authentication process
to go further than with it on, as does turning off PFS. But anyway, here is
my current ipsec.conf information:

version    2.0

# basic configuration
config setup
    plutodebug=all
    nat_traversal=yes
    dumpdir=/root

# Group VPN to the SonicWall: PSK + XAUTH, Main Mode, PFS off
conn sonicwall
    #type=tunnel
    left=%defaultroute
    leftsubnet=(my subnet)
    leftid=@home
    leftxauthclient=yes
    right=(my sonicwall public ip)
    rightsubnet=(subnet behind sonicwall)
    rightxauthserver=yes
    rightid=(ID of my sonicwall)
    keyingtries=0
    pfs=no
    aggrmode=no
    auto=add
    auth=esp
    # phase 2 (ESP) proposal; the MD5 variant was tried before this
    #esp=3des-md5-96
    esp=3des-sha1
    #keyexchange=ike
    # phase 1 (IKE) proposal; the MD5 variant was tried before this
    ike=3des-sha1
    #ike=3des-md5-96
    authby=secret
    xauth=yes

Here is my ipsec.secrets file:

@home (ID of my sonicwall) : PSK "my shared secret"

On the Sonicwall, I've configured the Group VPN without PFS and have tried
back and forth with MD5 and SHA1 as seen above in the .conf file. Both
produce essentially the same log output as seen below. It seems to get stuck
on the "unknown value" for the hash payload at the bottom and the "malformed
payload in packet" message, over and over. Has anyone seen anything like this?
I'm running Openswan 2.4.4 on Ubuntu 6.06.

002 "sonicwall" #1: initiating Main Mode
104 "sonicwall" #1: STATE_MAIN_I1: initiate
003 "sonicwall" #1: ignoring unknown Vendor ID payload [5b362bc820f60001]
003 "sonicwall" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
002 "sonicwall" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "sonicwall" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
003 "sonicwall" #1: received Vendor ID payload [Dead Peer Detection]
002 "sonicwall" #1: I did not send a certificate because I do not have one.
003 "sonicwall" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
002 "sonicwall" #1: Main mode peer ID is ID_FQDN: '(my sonicwall ID)'
002 "sonicwall" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
003 "sonicwall" #1: next payload type of ISAKMP Hash Payload has an unknown value: 246
003 "sonicwall" #1: malformed payload in packet
002 "sonicwall" #1: sending notification PAYLOAD_MALFORMED to (my sonicwall public IP):4500


Thanks in advance for any insight you can provide.

Aaron Kincer
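The pluto output quoted in the post above is the kind of thing one ends up reading over and over when an IKEv1 peer misbehaves. As an added example (not part of the original post, and not Openswan's own tooling), here is a small Python 3.8+ script that parses that numbered `ipsec auto --up` output, re-joins lines that a mail client wrapped or fused, and summarises how far the exchange got: vendor IDs seen, NAT-T result, phase 1 parameters, retransmissions, and the serious (003) messages, ending in a plain-language finding. The embedded sample log is constructed from the post (placeholders such as "(my sonicwall ID)" kept as written) and deliberately preserves the wrapped and fused lines so the parser has to cope with them. It does not fix the SonicWall problem; it only makes the log easier to read.

```python
"""Summarise an Openswan/pluto IKEv1 negotiation log (added example)."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the pluto output from the post, with its wrapped and
# fused lines left exactly as they appeared in the mail.
SAMPLE_LOG = """\
002 "sonicwall" #1: initiating Main Mode
104 "sonicwall" #1: STATE_MAIN_I1: initiate
003 "sonicwall" #1: ignoring unknown Vendor ID payload [5b362bc820f60001]
003 "sonicwall" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
002 "sonicwall" #1: enabling possible NAT-traversal with method RFC 3947
(NAT-Traversal)002 "sonicwall" #1: transition from state STATE_MAIN_I1 to
state STATE_MAIN_I2
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
003 "sonicwall" #1: received Vendor ID payload [Dead Peer Detection]
002 "sonicwall" #1: I did not send a certificate because I do not have one.
003 "sonicwall" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #1: Mode Config message is unacceptable because it is for an
incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 20s for
response
002 "sonicwall" #1: Main mode peer ID is ID_FQDN: '(my sonicwall ID)'
002 "sonicwall" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1536}
003 "sonicwall" #1: next payload type of ISAKMP Hash Payload has an unknown
value: 246
003 "sonicwall" #1: malformed payload in packet
002 "sonicwall" #1: sending notification PAYLOAD_MALFORMED to (my sonicwall
public IP):4500
"""

# One pluto record is '<3-digit whack code> "<conn>" #<sa>: <message>'.  The
# lazy message group stops wherever the next record prefix begins, which also
# splits records that were fused onto one line.
RECORD_RE = re.compile(
    r'(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): '
    r'(?P<msg>.*?)(?=\s*\d{3} "[^"]+" #\d+: |\Z)', re.S)
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
VID_RE = re.compile(r'received Vendor ID payload \[([^\]]+)\]')
UNKNOWN_VID_RE = re.compile(r'ignoring unknown Vendor ID payload \[([0-9a-f]+)\]')
NATT_RE = re.compile(r'NAT-Traversal: Result using (\S+): (.+)')
ESTABLISHED_RE = re.compile(r'ISAKMP SA established \{([^}]*)\}')
NOTIFY_RE = re.compile(r'sending notification (\S+) to ')
# 003 (RC_LOG_SERIOUS) lines that are really just informational.
NOISE_PREFIXES = ("received Vendor ID", "ignoring unknown Vendor ID", "NAT-Traversal: Result")


@dataclass
class Record:
    code: int   # whack code: 002 log, 003 serious, 010 retransmission, 1xx state
    conn: str
    sa: int
    msg: str


@dataclass
class Summary:
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    vendor_ids: List[str] = field(default_factory=list)
    unknown_vendor_ids: List[str] = field(default_factory=list)
    nat_result: Optional[str] = None
    phase1: Dict[str, str] = field(default_factory=dict)   # ISAKMP SA parameters
    serious: List[str] = field(default_factory=list)       # 003 messages worth reading
    retransmissions: int = 0
    notifications_sent: List[str] = field(default_factory=list)

    @property
    def last_state(self) -> Optional[str]:
        return self.transitions[-1][1] if self.transitions else None


def parse_pluto_log(text: str) -> List[Record]:
    """Join every line, then cut records wherever a pluto prefix appears."""
    joined = " ".join(line.strip() for line in text.splitlines() if line.strip())
    return [Record(int(m["code"]), m["conn"], int(m["sa"]), m["msg"].strip())
            for m in RECORD_RE.finditer(joined)]


def summarize(records: List[Record]) -> Summary:
    s = Summary()
    for r in records:
        if m := TRANSITION_RE.search(r.msg):
            s.transitions.append((m.group(1), m.group(2)))
        elif m := VID_RE.search(r.msg):
            s.vendor_ids.append(m.group(1))
        elif m := UNKNOWN_VID_RE.search(r.msg):
            s.unknown_vendor_ids.append(m.group(1))
        elif m := NATT_RE.search(r.msg):
            s.nat_result = m.group(2)
        elif m := ESTABLISHED_RE.search(r.msg):
            s.phase1 = dict(kv.split("=", 1) for kv in m.group(1).split())
        elif m := NOTIFY_RE.search(r.msg):
            s.notifications_sent.append(m.group(1))
        if r.code == 10:
            s.retransmissions += 1
        if r.code == 3 and not r.msg.startswith(NOISE_PREFIXES):
            s.serious.append(r.msg)
    return s


def diagnose(s: Summary) -> List[str]:
    """Turn the summary into findings that restate what pluto reported."""
    if not s.phase1:
        return ["ISAKMP SA never established; last state: %s" % (s.last_state or "none")]
    findings = []
    if "PAYLOAD_MALFORMED" in s.notifications_sent:
        detail = next((m for m in s.serious if "unknown value" in m), "malformed payload in packet")
        params = ", ".join("%s=%s" % kv for kv in s.phase1.items())
        findings.append("ISAKMP SA established (%s) but the peer's next message could not "
                        "be parsed (%s); pluto sent PAYLOAD_MALFORMED" % (params, detail))
    if any(m.startswith("Mode Config message is unacceptable") for m in s.serious):
        findings.append("peer sent a Mode Config exchange before the ISAKMP SA was "
                        "complete; pluto discarded it and retransmitted")
    return findings


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    summary = summarize(parse_pluto_log(text))
    print("last state      :", summary.last_state)
    print("vendor IDs      :", summary.vendor_ids, "unknown:", summary.unknown_vendor_ids)
    print("NAT-T           :", summary.nat_result)
    print("retransmissions :", summary.retransmissions)
    for f in diagnose(summary):
        print("finding         :", f)
```

Run it with no input to see the summary of the sample, or pipe a live log through it (`ipsec auto --up sonicwall 2>&1 | python3 pluto_summary.py`, where the file name is this example's, not an Openswan tool). The regex-based record splitting is what makes the wrapped "(NAT-Traversal)002 ..." line come out as two records rather than one corrupted message.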