[Openswan Users] Another attempt to get connected to aSonicWALL VPN.

[Bas Driessen]

On Fri, 2006-11-24 at 08:10 -0500, Peter McGill wrote:

> On Thu, Nov 23, 2006 Bas Driessen wrote:
> > Thanks very much Peter. We may have something here. When I tried to setup the connection a couple of weeks for the first time, the 
> > VPN server was still set to
> > the old DES algorithm.  I had to recompile OpenSwan with a WEAK switch (or something like that) to get that to work. In the end I 
> > got it to go past Phase 1
> > and yes you are right, my setting then was ike=des-md5-modp768. Since I did not get past phase 2, I got in contact with this 
> > mailing list and most of the
> > responses were "don't use DES, but 3DES". After that am still  getting nowhere and in fact don't get past Phase 1 now. I asked the 
> > system administrator to
> > change to 3DES, which he kindly did.  I doubt if he changed the group and that most likely is the cause.
> >
> > Which group should I advise him to change to? Group 2 or 5?
> 
> Either is fine, both have sufficient size for 3DES, 5 may be considered stronger security because it has more bits, but either is 
> fine.
> 

Hi Peter, The Group has been changed to DH 2 and I am able to get past
phase 1 now. I am now stuck at phase 2. You suggested that this could be
related to incorrect subnets or using a different encryption. Well, the
system admin advised me of the subnetmask and that matches. The phase 2
encryption is 3des-md5 which also matches. pfs is set to 'no' at the
server end and that also matches. The system admin told me that I should
be configured to pull a DHCP ip number. Is this a configuration option
in openswan, or is it just part of the 'normal' network settings? 

I am running out of ideas/options. Would appreciate if you can give me
any additional pointers where things could go wrong or how to debug
this.

My current conf file:

conn sonicwall
    type=tunnel
    auto=add
    auth=esp
    pfs=no
    authby=secret
    keyingtries=1
    left=192.168.1.13
    right=66.nnn.nnn.nnn
    rightsubnet=192.168.128.0/24
    #rightsubnet=0.0.0.0/0
    rightid=66.nnn.nnn.nnn
    esp=3des-md5
    keyexchange=ike
    ike=3des-md5-modp1024


Current output:

[root at ams ipsec.d]# /usr/sbin/ipsec whack --name sonicwall --initiate
002 "sonicwall" #1: initiating Main Mode
104 "sonicwall" #1: STATE_MAIN_I1: initiate
003 "sonicwall" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
002 "sonicwall" #1: enabling possible NAT-traversal with method
draft-ietf-ipsec-nat-t-ike-02/03
002 "sonicwall" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #1: ignoring unknown Vendor ID payload
[da8e937880010000]
003 "sonicwall" #1: ignoring unknown Vendor ID payload
[404bf439522ca3f6]
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
002 "sonicwall" #1: I did not send a certificate because I do not have
one.
003 "sonicwall" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "sonicwall" #1: Main mode peer ID is ID_IPV4_ADDR: '66.nnn.nnn.nnn'
002 "sonicwall" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}
002 "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using
isakmp#1}
117 "sonicwall" #2: STATE_QUICK_I1: initiate
010 "sonicwall" #2: STATE_QUICK_I1: retransmission; will wait 20s for
response


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20061208/cd3d9548/attachment.html