[Openswan Users] SonicWALL weirdness...
Francesco Peeters
Francesco at FamPeeters.com
Sun Mar 5 09:17:58 CET 2006
Hi all,
I have a running and working config between OpenSWAN (WiFi connection) and
a SonicWALL with SonicOS Enhanced.
I'll post my config at the bottom...
I have 2 issues however:
1) I use 0.0.0.0/0 for destination network, and this works fine (i.e. I can
reach both the LAN behind the SonicWALL and the Internet through the
tunnel, which is what I want).
I can however *not* reach any of the networks behind the VPNs between my
SNWL and SNWLs at other locations. When I use my wife's laptop (WinXP and
Global VPN Client) it works fine. Has anybody solved this already? (I'd
hate to reinvent the wheel)
2) Everything works fine (except the VPN to VPN, as described above) until
the key expires. Once the key expires, the tunnel breaks. The only
solution I have found to work so far:
ipsec whack --shutdown
ipsec setup --restart
ipsec whack --name group --initialize
(Skipping either shutdown or restart doesn't work. When I skip either one
of the first two, I need to reboot the SonicWALL before I can get access
again. Never tried waiting more than 10-15 minutes, so maybe it recovers
automatically (like after a few hours), but so far this is what I found)
Any suggestions?
(I also have another issue, which I submitted as a bug to SNWL: If my
laptop shuts down without explicitly releasing the DHCP lease, it doesn't
get a lease until the SNWL reboots; when I *do* release it (dhclient3
-r), it works fine)
TIA & BRgds
--
Francesco Peeters
----
GPG Key = AA69 E7C6 1D8A F148 160C D5C4 9943 6E38 D5E3 7704
If your program doesn't recognize my signature, please visit
http://www.CAcert.org/index.php?id=3 to retrieve the Root CA certificate.
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.1 2005/07/26 12:28:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        #interfaces="ipsec0=eth0"
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # nat_traversal=yes
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Add connections here

# sample VPN connection
#conn sample
#        # Left security gateway, subnet behind it, nexthop toward right.
#        left=10.0.0.1
#        leftsubnet=172.16.0.0/24
#        leftnexthop=10.22.33.44
#        # Right security gateway, subnet behind it, nexthop toward left.
#        right=10.12.12.1
#        rightsubnet=192.168.0.0/24
#        rightnexthop=10.101.102.103
#        # To authorize this connection, but not actually start it,
#        # at startup, uncomment this.
#        #auto=start

#conn dhcp
#        type=tunnel
#        rightid=
#        #right=%any
#        rekey=no
#        keylife=10s
#        rekeymargin=5s
#        leftsubnet=0.0.0.0/0
#        leftprotoport=udp/bootps
#        rightprotoport=udp/bootpc
#        pfs=no
#        auto=add

# Road-warrior tunnel to the SonicWALL "GroupVPN" policy.
# left = this laptop (XAUTH client), right = the SonicWALL (XAUTH server).
conn group
        type=tunnel
        #left=172.16.0.159
        #leftsubnet=172.16.0.159/32
        left=%defaultroute
        #leftsubnet=172.16.0.0/24 #10.50.164.26/32
        #leftsourceip=10.50.164.26
        leftid=@GroupVPN
        leftxauthclient=yes
        right=172.16.0.1
        #rightsubnet=10.50.164.0/27 #0.0.0.0/0
        # 0.0.0.0/0 sends all traffic (LAN and Internet) through the tunnel
        rightsubnet=0.0.0.0/0
        rightxauthserver=yes
        rightid=@0006B1075E94
        # 0 = retry negotiation forever
        keyingtries=0
        # SA lifetime; with rekey=yes Pluto renegotiates before expiry
        keylife=8h
        rekey=yes
        pfs=yes
        aggrmode=yes
        auto=add
        # Phase 2 (ESP) and Phase 1 (IKE) proposals
        auth=esp
        esp=3des-sha1
        ike=3des-sha1
        authby=secret
        xauth=yes
        # Dead Peer Detection: probe every 5s, declare the peer dead after 60s,
        # then tear down (clear) the SA
        dpddelay=5
        dpdtimeout=60
        dpdaction=clear

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf