[Openswan Users] OpenS/WAN and SonicWALL SonicOS/Enh.

Francesco Peeters Francesco at FamPeeters.com
Wed Feb 22 21:32:27 CET 2006


On Tue, February 21, 2006 23:08, Francesco Peeters said:
> Hi All,
>
> I have set up a connection between a laptop running Ubuntu with OpenS/WAN
> and a SonicWALL running SonicOS/Enh. as described in both the Wiki and the
> SonicWALL PDF.
>
> When I do 'ipsec whack --name group --initiate --xauthname XXXXXX
> -xauthpass XXXXX' it builds up the session just fine, and the session and
> name show up correctly in the SNWL GUI.
>
> However when I ping anything on the SNWL LAN, I do not get any reply
> unless I ping the SNWL LAN IP address.
>
> TCPDUMPing the connection shows that the pings cause ESP data to be sent
> to the SNWL.
> When I ping the SNWL LAN IP, I see a return ESP packet *and* a cleartext
> PING reply!!!
> When I ping any other LAN IP, I do not see any replies...
>
> Before I post configfiles, etc, is there anything I should (could) check
> on either side?
>
> TIA & BRgds

Note that the IP addresses below are NOT the real live network addresses!

The ipsec.conf:

conn group
     type=tunnel
     left=%defaultroute
     leftid=@GroupVPN
     leftxauthclient=yes
     right=172.16.0.1
     rightsubnet=0.0.0.0/0
     rightxauthserver=yes
     rightid=@0006B1075E94
     keyingtries=0
     pfs=yes
     aggrmode=yes
     auto=add
     auth=esp
     esp=3des-sha1
     ike=3des-sha1
     authby=secret
     xauth=yes
     dpddelay=5
     dpdtimeout=60
     dpdaction=clear

SonicWALL VPN Settings:
WLAN GroupVPN
Phase1: DH5 3DES-SHA1
Phase2: ESP-3DES-SHA1
PFS: on
DH Group: DH5
Require XAuth
Virtual Adapter: None
Allow connections to: All Secured Gateways
Set Default Route as this Gateway: on

root at VAIO-KUbuntu:~# ipsec whack --name group --initiate --xauthname XXXXXXXXX --xauthpass XXXXXXXXXXX
003 "group" #1: multiple transforms were set in aggressive mode. Only first one used.
003 "group" #1: transform (5,2,2,0) ignored.
002 "group" #1: initiating Aggressive Mode #1, connection "group"
003 "group" #1: multiple transforms were set in aggressive mode. Only first one used.
003 "group" #1: transform (5,2,2,0) ignored.
112 "group" #1: STATE_AGGR_I1: initiate
003 "group" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "group" #1: ignoring unknown Vendor ID payload [5b362bc820f60001]
003 "group" #1: received Vendor ID payload [Dead Peer Detection]
003 "group" #1: received Vendor ID payload [XAUTH]
002 "group" #1: Aggressive mode peer ID is ID_FQDN: '@0006B1075E94'
002 "group" #1: Aggressive mode peer ID is ID_FQDN: '@0006B1075E94'
002 "group" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
004 "group" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
002 "group" #1: Dead Peer Detection (RFC 3706): enabled
041 "group" #1: group prompt for Username:
040 "group" #1: group prompt for Password:
002 "group" #1: XAUTH: Answering XAUTH challenge with user='XXXXXXXXX'
002 "group" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "group" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "group" #1: Dead Peer Detection (RFC 3706): enabled
002 "group" #1: XAUTH: Successfully Authenticated
002 "group" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "group" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "group" #1: Dead Peer Detection (RFC 3706): enabled
002 "group" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE {using isakmp#1}
117 "group" #2: STATE_QUICK_I1: initiate
002 "group" #2: Dead Peer Detection (RFC 3706): enabled
002 "group" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "group" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8b8a3e07 <0xe5feb357 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}


Then tcpdump of ping 10.0.0.1 (SonicWALL LAN IP):
21:25:19.894528 IP 172.16.0.159 > 172.16.0.1: ESP(spi=0x8b8a3e07,seq=0x83), length 116
21:25:19.898633 IP 172.16.0.1 > 172.16.0.159: ESP(spi=0xe5feb357,seq=0x13), length 116
21:25:19.898633 IP 10.0.0.1 > 172.16.0.159: ICMP echo reply, id 12326, seq 4, length 64
21:25:20.895335 IP 172.16.0.159 > 172.16.0.1: ESP(spi=0x8b8a3e07,seq=0x84), length 116
21:25:20.898953 IP 172.16.0.1 > 172.16.0.159: ESP(spi=0xe5feb357,seq=0x14), length 116
21:25:20.898953 IP 10.0.0.1 > 172.16.0.159: ICMP echo reply, id 12326, seq 5, length 64

Then tcpdump of ping 10.0.0.9 (a random host on the LAN):
21:28:36.841566 IP 172.16.0.159 > 172.16.0.1: ESP(spi=0x8b8a3e07,seq=0x87), length 116
21:28:37.842380 IP 172.16.0.159 > 172.16.0.1: ESP(spi=0x8b8a3e07,seq=0x88), length 116
21:28:38.842260 IP 172.16.0.159 > 172.16.0.1: ESP(spi=0x8b8a3e07,seq=0x89), length 116

This is one of the last things stopping me from migrating my laptop to
Linux full time, and any help would be appreciated...

TIA & BRgds

-- 
Francesco Peeters
----
GPG Key = AA69 E7C6 1D8A F148 160C  D5C4 9943 6E38 D5E3 7704
If your program doesn't recognize my signature, please visit
http://www.CAcert.org/index.php?id=3 to retrieve the Root CA certificate.
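A small diagnostic, added here and not from the post or the Openswan project, that pairs the ESP packets in the two captures above by direction and reports whether anything came back from the gateway. The capture lines are reconstructed from the post with tcpdump's wrapped lines joined, the laptop and gateway addresses are the post's 172.16.0.159 and 172.16.0.1, and the verdict labels are my own.

```python
# Pair outbound and inbound ESP from tcpdump output to tell a working tunnel
# from a one-way one (added diagnostic, not the original post's code).
import re

ESP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
                    r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=0x[0-9a-f]+\)")
ICMP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
                     r"ICMP echo (?P<kind>request|reply)")


def analyze_capture(lines, local_ip, gateway_ip):
    # Count ESP per direction and collect sources of cleartext echo replies.
    out_esp, in_esp, clear_replies = 0, 0, []
    for line in lines:
        m = ESP_RE.match(line)
        if m:
            if (m["src"], m["dst"]) == (local_ip, gateway_ip):
                out_esp += 1
            elif (m["src"], m["dst"]) == (gateway_ip, local_ip):
                in_esp += 1
            continue
        m = ICMP_RE.match(line)
        if m and m["kind"] == "reply" and m["dst"] == local_ip:
            clear_replies.append(m["src"])
    if out_esp and not in_esp:
        verdict = "one-way"        # ESP left the laptop, nothing came back
    elif clear_replies and not in_esp:
        verdict = "untunnelled"    # replies arrived without any inbound ESP
    else:
        # Linux NETKEY shows the decrypted inner packet right after the
        # inbound ESP packet, so a cleartext reply paired with ESP is expected.
        verdict = "two-way"
    return {"out_esp": out_esp, "in_esp": in_esp,
            "clear_replies": clear_replies, "verdict": verdict}


# Constructed samples: the post's two captures with tcpdump's wrapped lines joined.
PING_GATEWAY_LAN_IP = [
    "21:25:19.894528 IP 172.16.0.159 > 172.16.0.1: ESP(spi=0x8b8a3e07,seq=0x83), length 116",
    "21:25:19.898633 IP 172.16.0.1 > 172.16.0.159: ESP(spi=0xe5feb357,seq=0x13), length 116",
    "21:25:19.898633 IP 10.0.0.1 > 172.16.0.159: ICMP echo reply, id 12326, seq 4, length 64",
    "21:25:20.895335 IP 172.16.0.159 > 172.16.0.1: ESP(spi=0x8b8a3e07,seq=0x84), length 116",
    "21:25:20.898953 IP 172.16.0.1 > 172.16.0.159: ESP(spi=0xe5feb357,seq=0x14), length 116",
    "21:25:20.898953 IP 10.0.0.1 > 172.16.0.159: ICMP echo reply, id 12326, seq 5, length 64",
]
PING_LAN_HOST = [
    "21:28:36.841566 IP 172.16.0.159 > 172.16.0.1: ESP(spi=0x8b8a3e07,seq=0x87), length 116",
    "21:28:37.842380 IP 172.16.0.159 > 172.16.0.1: ESP(spi=0x8b8a3e07,seq=0x88), length 116",
    "21:28:38.842260 IP 172.16.0.159 > 172.16.0.1: ESP(spi=0x8b8a3e07,seq=0x89), length 116",
]
```

Running `analyze_capture(PING_LAN_HOST, "172.16.0.159", "172.16.0.1")` gives the "one-way" verdict for the 10.0.0.9 case, while the 10.0.0.1 capture is reported as "two-way".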

