[Openswan Users] Openswan Linux Client to SonicWall Windows Server.

Bas Driessen bas.driessen at xobas.com
Wed Sep 27 02:51:40 EDT 2006


Hello,

I am having trouble getting an Openswan client connection to work from
Linux (Fedora Core 5 x86_64) to a SonicWALL VPN. The settings passed on
by the administrator of that site are DES MD5 group 1.

Going through the lists, I found out that DES is not supported by
default in Openswan, so I have recompiled the package by setting the
USE_WEAKSTUFF?=true flag in Makefile.inc and also corrected the line
to WEAK_DEFS=-DUSE_VERYWEAK_DH1=1 -DUSE_1DES in the Makefile of Pluto.
All compiles OK. I know that 3DES is better etc., but this is out of my
control. I have to get it to work with the current setup.

I am very, very close to getting it all to work, but there is a last
hurdle that I can't get out of the way. Below is the information. I would
appreciate any help/tips/comments. Also, can I enable some additional
debugging to find out what I am missing?

My settings are as follows (for security reasons I have masked the VPN
IP address sections with nnn and changed the key password):

sonicwall.conf

conn sonicwall
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=192.168.1.13
    right=66.nnn.nnn.nnn
    rightsubnet=192.168.128.0/24
    rightid=66.nnn.nnn.nnn
    keyingtries=0
    pfs=yes
    aggrmode=no
    auto=add
    auth=esp
    ike=des-md5-modp768
    esp=des-md5
    authby=secret


sonicwall.secrets

192.168.1.13 66.nnn.nnn.nnn : PSK "abcdef"

ipsec starts OK using /etc/rc.d/init.d/ipsec restart

Then I try to get the connection up with:

/usr/sbin/ipsec whack --name sonicwall --initiate

output as follows:

# /usr/sbin/ipsec whack --name sonicwall --initiate
002 "sonicwall" #1: initiating Main Mode
104 "sonicwall" #1: STATE_MAIN_I1: initiate
003 "sonicwall" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
003 "sonicwall" #1: You should NOT use insecure IKE algorithms
(OAKLEY_DES_CBC)!
002 "sonicwall" #1: enabling possible NAT-traversal with method
draft-ietf-ipsec-nat-t-ike-02/03
002 "sonicwall" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #1: ignoring unknown Vendor ID payload
[da8e937880010000]
003 "sonicwall" #1: ignoring unknown Vendor ID payload
[404bf439522ca3f6]
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
002 "sonicwall" #1: I did not send a certificate because I do not have
one.
003 "sonicwall" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "sonicwall" #1: Main mode peer ID is ID_IPV4_ADDR: '66.nnn.nnn.nnn'
002 "sonicwall" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64 prf=oakley_md5
group=modp768}
002 "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
{using isakmp#1}
117 "sonicwall" #2: STATE_QUICK_I1: initiate
010 "sonicwall" #2: STATE_QUICK_I1: retransmission; will wait 20s for
response

The output of /usr/sbin/ipsec auto --status:

000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.13
000 interface eth0/eth0 192.168.1.13
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
keysizemax=0
000
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8,
keydeflen=64
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,64}
trans={0,4,672} attrs={0,4,224}
000
000 "sonicwall":
192.168.1.0/24===192.168.1.13---192.168.1.1...66.nnn.nnn.nnn===192.168.128.0/24; unrouted; eroute owner: #0
000 "sonicwall":     srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "sonicwall":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "sonicwall":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0;
000 "sonicwall":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "sonicwall":   IKE algorithms wanted: 1_000-1-1, flags=-strict
000 "sonicwall":   IKE algorithms found:  1_064-1_128-1,
000 "sonicwall":   IKE algorithm newest: DES_CBC_64-MD5-MODP768
000 "sonicwall":   ESP algorithms wanted: 2_000-1, flags=-strict
000 "sonicwall":   ESP algorithms loaded: 2_000-1, flags=-strict
000
000 #4: "sonicwall":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 40s; nodpd
000 #1: "sonicwall":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2499s; newest ISAKMP; nodpd
000


The output dumped in /var/log/secure:

Sep 27 16:43:31 ams pluto[15124]: shutting down
Sep 27 16:43:31 ams pluto[15124]: forgetting secrets
Sep 27 16:43:31 ams pluto[15124]: "sonicwall": deleting connection
Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #3: deleting state
(STATE_QUICK_I1)
Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #2: deleting state
(STATE_QUICK_I1)
Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #1: deleting state
(STATE_MAIN_I4)
Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo ::1:500
Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo
127.0.0.1:4500
Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo
127.0.0.1:500
Sep 27 16:43:31 ams pluto[15124]: shutting down interface eth0/eth0
192.168.1.13:4500
Sep 27 16:43:31 ams pluto[15124]: shutting down interface eth0/eth0
192.168.1.13:500
Sep 27 16:43:33 ams ipsec__plutorun: Starting Pluto subsystem...
Sep 27 16:43:33 ams pluto[15319]: Starting Pluto (Openswan Version 2.4.4
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
OEz}FFFfgr_e)
Sep 27 16:43:33 ams pluto[15319]: Setting NAT-Traversal port-4500
floating to on
Sep 27 16:43:33 ams pluto[15319]:    port floating activation criteria
nat_t=1/port_fload=1
Sep 27 16:43:33 ams pluto[15319]:   including NAT-Traversal patch
(Version 0.6c)
Sep 27 16:43:34 ams pluto[15319]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Sep 27 16:43:34 ams pluto[15319]: starting up 1 cryptographic helpers
Sep 27 16:43:34 ams pluto[15319]: started helper pid=15320 (fd:6)
Sep 27 16:43:34 ams pluto[15319]: Using Linux 2.6 IPsec interface code
on 2.6.17-1.2187_FC5
Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
'/etc/ipsec.d/cacerts'
Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
'/etc/ipsec.d/aacerts'
Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
'/etc/ipsec.d/ocspcerts'
Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
'/etc/ipsec.d/crls'
Sep 27 16:43:34 ams pluto[15319]: added connection description
"sonicwall"
Sep 27 16:43:34 ams pluto[15319]: listening for IKE messages
Sep 27 16:43:34 ams pluto[15319]: adding interface eth0/eth0
192.168.1.13:500
Sep 27 16:43:34 ams pluto[15319]: adding interface eth0/eth0
192.168.1.13:4500
Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo 127.0.0.1:500
Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo 127.0.0.1:4500
Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo ::1:500
Sep 27 16:43:34 ams pluto[15319]: loading secrets from
"/etc/ipsec.secrets"
Sep 27 16:43:34 ams pluto[15319]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"
Sep 27 16:43:34 ams pluto[15319]: loading secrets from
"/etc/ipsec.d/sonicwall.secrets"
Sep 27 16:43:40 ams pluto[15319]: "sonicwall" #1: initiating Main Mode
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: You should NOT use
insecure IKE algorithms (OAKLEY_DES_CBC)!
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: enabling possible
NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring unknown
Vendor ID payload [da8e937880010000]
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring unknown
Vendor ID payload [404bf439522ca3f6]
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received Vendor ID
payload [XAUTH]
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: I did not send a
certificate because I do not have one.
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: NAT-Traversal: Result
using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: Main mode peer ID is
ID_IPV4_ADDR: '66.nnn.nnn.nnn'
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I4: ISAKMP
SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64
prf=oakley_md5 group=modp768}
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received and ignored
informational message
Sep 27 16:43:52 ams pluto[15319]: "sonicwall" #1: discarding duplicate
packet; already STATE_MAIN_I4
Sep 27 16:44:11 ams pluto[15319]: "sonicwall" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN
Sep 27 16:44:11 ams pluto[15319]: "sonicwall" #1: received and ignored
informational message
Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #2: max number of
retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #2: starting keying
attempt 2 of an unlimited number, but releasing whack
Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #3: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
Sep 27 16:44:52 ams pluto[15319]: "sonicwall" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN
Sep 27 16:44:52 ams pluto[15319]: "sonicwall" #1: received and ignored
informational message

Thanks in advance for any response,

Bas.
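The log excerpt above shows the negotiation getting through Main Mode (Phase 1, the ISAKMP SA) and then stalling in Quick Mode (Phase 2), where the peer answers every proposal with a NO_PROPOSAL_CHOSEN notify. The following triage script is an added example, not code from the original post or from the Openswan project: it parses pluto log lines in the syslog format quoted in the post, works out how far the exchange got and which NOTIFY types the peer sent, and separately flags the weak algorithm tokens (single DES, MD5, 768-bit MODP group 1) in the ike=/esp= lines of the conn block. The sample log and conn text are copied from the post (addresses already masked with nnn); the verdict strings and the WEAK_TOKENS set are this example's own choices, and the Phase 2 hint reflects generic IKEv1 behaviour (a Quick Mode NO_PROPOSAL_CHOSEN means the ESP transform, PFS group or traffic selectors did not match the peer's policy), not a confirmed diagnosis of this particular SonicWALL.

```python
"""Triage helper for Openswan/pluto IKEv1 logs and ipsec.conf conn blocks.

Added example; not from the original post or the Openswan project.
"""
import re
from collections import Counter

# One syslog-style pluto line, e.g.
#   Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #2: initiating Quick Mode ...
# The conn name and SA number are optional (daemon startup lines lack them).
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: )?(?P<msg>.*)$'
)

# Algorithm tokens (as written in ike=/esp=) that should not be accepted:
# single DES, MD5 and the 768-bit MODP group 1. Chosen for this example.
WEAK_TOKENS = {"des", "1des", "md5", "modp768"}

# Sample input copied from the post (IPs already masked with nnn).
SAMPLE_LOG = """\
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: You should NOT use insecure IKE algorithms (OAKLEY_DES_CBC)!
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64 prf=oakley_md5 group=modp768}
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received and ignored informational message
Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

SAMPLE_CONN = """\
conn sonicwall
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=66.nnn.nnn.nnn
    rightsubnet=192.168.128.0/24
    pfs=yes
    ike=des-md5-modp768
    esp=des-md5
    authby=secret
"""


def parse_pluto_log(text):
    """Return a list of dicts (ts, conn, sa, msg) for every pluto line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sa"] = int(d["sa"]) if d["sa"] else None
            events.append(d)
    return events


def summarize_negotiation(events):
    """Collect the Phase 1 / Phase 2 milestones and peer NOTIFY types."""
    s = {
        "isakmp_sa_established": False,   # Main Mode (Phase 1) finished
        "quick_mode_initiated": False,    # Quick Mode (Phase 2) started
        "ipsec_sa_established": False,    # tunnel actually up
        "retransmit_exhausted": False,
        "notify_types": Counter(),        # e.g. NO_PROPOSAL_CHOSEN
        "weak_algorithm_warnings": [],    # pluto's own insecure-algo warnings
    }
    for ev in events:
        msg = ev["msg"]
        if "ISAKMP SA established" in msg:
            s["isakmp_sa_established"] = True
        elif "initiating Quick Mode" in msg:
            s["quick_mode_initiated"] = True
        elif "IPsec SA established" in msg:
            s["ipsec_sa_established"] = True
        elif "max number of retransmissions" in msg:
            s["retransmit_exhausted"] = True
        n = re.search(r"informational payload, type (\w+)", msg)
        if n:
            s["notify_types"][n.group(1)] += 1
        w = re.search(r"insecure IKE algorithms \((\w+)\)", msg)
        if w:
            s["weak_algorithm_warnings"].append(w.group(1))
    return s


def diagnose(s):
    """One-line verdict on where the IKEv1 exchange stalled."""
    if s["ipsec_sa_established"]:
        return "tunnel up"
    if s["isakmp_sa_established"] and s["quick_mode_initiated"]:
        notifies = ", ".join(sorted(s["notify_types"])) or "no NOTIFY"
        return ("phase 1 OK, phase 2 rejected by peer (%s): "
                "ESP transform, PFS group or subnets do not match peer policy" % notifies)
    if s["isakmp_sa_established"]:
        return "phase 1 OK, phase 2 not started"
    return "phase 1 failed: check ike=, PSK and IDs"


def weak_algorithms(conn_text):
    """Map ike/esp option -> weak tokens found in its proposals (empty if none)."""
    findings = {}
    for opt in ("ike", "esp"):
        m = re.search(r"^\s*%s=(\S+)" % opt, conn_text, re.M)
        if not m:
            continue
        weak = [tok for proposal in m.group(1).split(",")
                for tok in proposal.lower().split("-") if tok in WEAK_TOKENS]
        if weak:
            findings[opt] = weak
    return findings


if __name__ == "__main__":
    summary = summarize_negotiation(parse_pluto_log(SAMPLE_LOG))
    print(diagnose(summary))
    print("pluto warned about:", summary["weak_algorithm_warnings"])
    print("weak tokens in conn:", weak_algorithms(SAMPLE_CONN))
```

Run against the post's own excerpt, the script reports Phase 1 complete and Phase 2 rejected with NO_PROPOSAL_CHOSEN, which is the point to focus on: the IKE proposal (des-md5-modp768) was accepted, so the mismatch is on the Quick Mode side (the esp= transform, the PFS group, or the left/right subnets) rather than in the cipher recompile. The weak-token check is there so that the same conn file can be re-audited once the remote administrator allows 3DES or AES.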
