[Openswan Users] Another attempt to get connected toaSonicWALL VPN.

Peter McGill petermcgill at goco.net
Fri Dec 8 14:08:30 EST 2006


> From: Bas Driessen [mailto:bas.driessen at xobas.com] 
> Sent: December 7, 2006 8:23 PM
> Subject: Re: [Openswan Users] Another attempt to get connected toaSonicWALL VPN.
> Hi Peter, The Group has been changed to DH 2 and I am able to get past phase 1 now. I am now stuck at phase 2. You suggested that
> this could be related to incorrect subnets or using a different encryption. Well, the system admin advised me of the subnetmask and
> that matches. The phase 2 encryption is 3des-md5 which also matches. pfs is set to 'no' at the server end and that also matches. The
> system admin told me that I should be configured to pull a DHCP ip number. Is this a configuration option in openswan, or is it just
> part of the 'normal' network settings?
> 
> I am running out of ideas/options. Would appreciate if you can give me any additional pointers where things could go wrong or how
> to debug this.
>
> My current conf file:
>
> conn sonicwall
>     type=tunnel
>     auto=add
>     auth=esp
>     pfs=no
>     authby=secret
>     keyingtries=1
>     left=192.168.1.13
>     right=66.nnn.nnn.nnn
>     rightsubnet=192.168.128.0/24
>     #rightsubnet=0.0.0.0/0
>     rightid=66.nnn.nnn.nnn
>     esp=3des-md5
>     keyexchange=ike
>     ike=3des-md5-modp1024
>
> Current output:
>
> [root at ams ipsec.d]# /usr/sbin/ipsec whack --name sonicwall --initiate
> 002 "sonicwall" #1: initiating Main Mode
> 104 "sonicwall" #1: STATE_MAIN_I1: initiate
> 003 "sonicwall" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> 002 "sonicwall" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
> 002 "sonicwall" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> 106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "sonicwall" #1: ignoring unknown Vendor ID payload [da8e937880010000]
> 003 "sonicwall" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
> 003 "sonicwall" #1: received Vendor ID payload [XAUTH]
> 002 "sonicwall" #1: I did not send a certificate because I do not have one.
> 003 "sonicwall" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
> 002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> 108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "sonicwall" #1: Main mode peer ID is ID_IPV4_ADDR: '66.nnn.nnn.nnn'
> 002 "sonicwall" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> 004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> 002 "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> 117 "sonicwall" #2: STATE_QUICK_I1: initiate
> 010 "sonicwall" #2: STATE_QUICK_I1: retransmission; will wait 20s for response

I'm sorry but I do not know how to configure DHCP w/ IPSec or Openswan.
I scanned the docs and there are a few references to it, but I found no examples or howtos.
I'm not even sure if it's possible, but perhaps someone else on the list has done this?
Or can you get your remote admin to use plain IPSec instead?
Also note that you have no leftsubnet= line. This is fine, but it effectively makes leftsubnet=192.168.1.13 (left),
just in case you thought it defaulted to something else. And this needs to match the remote end.

Peter
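An added example, not part of this thread or of Openswan itself: a small Python parser for the `ipsec whack` status lines quoted above that records how far the IKE negotiation got and reports which settings are worth re-checking when it stalls. The sample output is a constructed, abbreviated copy of the log in the message; the message strings it matches on (`ISAKMP SA established`, `IPsec SA established`, `retransmission`, the `STATE_*` names) are the ones pluto prints.

```python
import re

# Constructed sample: an abbreviated copy of the whack output quoted in the thread.
SAMPLE_OUTPUT = """\
104 "sonicwall" #1: STATE_MAIN_I1: initiate
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
003 "sonicwall" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
117 "sonicwall" #2: STATE_QUICK_I1: initiate
010 "sonicwall" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
"""

# Pluto status line: <3-digit code> "<conn>" #<sa>: <message>
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r"STATE_(?:MAIN|AGGR|QUICK)_[IR]\d")

def analyze(output):
    """Walk the status lines and record how far IKE got and where it stopped."""
    s = {"phase1_established": False, "phase2_established": False,
         "last_state": None, "stall": None, "nat_detected": False, "xauth_offered": False}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        st = STATE_RE.search(msg)
        if st:
            s["last_state"] = st.group(0)
        s["phase1_established"] |= "ISAKMP SA established" in msg   # phase 1 done
        s["phase2_established"] |= "IPsec SA established" in msg    # phase 2 done
        s["nat_detected"] |= "i am NATed" in msg
        s["xauth_offered"] |= "Vendor ID payload [XAUTH]" in msg
        if "retransmission" in msg and s["last_state"]:
            s["stall"] = s["last_state"]   # the peer stopped answering in this state
    return s

def diagnose(s):
    """Map the stall point to the settings worth re-checking against the peer."""
    if s["phase2_established"]:
        return "tunnel up"
    if s["stall"] and s["stall"].startswith("STATE_QUICK"):
        hint = ("phase 2 stalled in Quick Mode: re-check esp=, pfs= and that "
                "leftsubnet/rightsubnet match the networks configured on the peer")
        if s["xauth_offered"]:
            hint += "; peer advertised XAUTH, so it may expect a remote-access client, not a site-to-site tunnel"
        return hint
    if s["stall"]:
        return "phase 1 stalled: re-check ike= (cipher/hash/DH group), the PSK and the IDs"
    return "incomplete output: no established SA and no retransmission seen"
```

Paste the full output of `ipsec whack --name <conn> --initiate` in place of the sample to get the same summary for a real run.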


