[Openswan Users] Re: SonicWALL weirdness...

Francesco Peeters Francesco at FamPeeters.com
Tue Mar 7 09:09:14 CET 2006


On Sun, March 5, 2006 9:17, Francesco Peeters said:
> Hi all,
>
> I have a running and working config between OpenSWAN (WiFi connection) and
> a SonicWALL with SonicOS Enhanced.
>
> I'll post my config at the bottom...
>
> I have 2 issues however:
> 1) I use 0.0.0.0/0 for destination network, and this works fine (i.e. I can
> reach both the LAN behind the SonicWALL and the Internet through the
> tunnel, which is what I want).
> I can however *not* reach any of the networks behind the VPNs between my
> SNWL and SNWLs at other locations. When I use my wife's laptop (WinXP and
> Global VPN Client) it works fine. Has anybody solved this already? (I'd
> hate to reinvent the wheel)
>
> 2) Everything works fine (except the VPN to VPN, as described above) until
> the key expires. Once the key expires, the tunnel breaks. The only
> solution I have found to work so far:
> ipsec whack --shutdown
> ipsec setup --restart
> ipsec whack --name group --initialize
>
> (Skipping either shutdown or restart doesn't work. When I skip either one
> of the first two, I need to reboot the SonicWALL before I can get access
> again. Never tried waiting more than 10-15 minutes, so maybe it recovers
> automatically (like after a few hours), but so far this is what I found)
>
> Any suggestions?


OK, I solved #1 (D'oh!)

To make OpenS/WAN work with the WLAN GroupVPN, I turned off virtual IPs
for the WLAN. This means the WLAN IPs are now exposed to the destination
networks, whereas before only LAN IPs were. The remote VPNs were not aware
of the WLAN IP range, and therefore did not know where to send the
replies. (Double D'oh!)

I have added the WLAN range to the remote machines (I use 'firewalled
subnets' locally, so it is already included in there!) and lo and behold,
I receive replies!   :-)

Now if only #2 was as easy to fix...  :-(

-- 
Francesco Peeters
----
GPG Key = AA69 E7C6 1D8A F148 160C  D5C4 9943 6E38 D5E3 7704
If your program doesn't recognize my signature, please visit
http://www.CAcert.org/index.php?id=3 to retrieve the Root CA certificate.