[Openswan Users] Openswan Linux Client to SonicWall Windows

Francesco Peeters Francesco at FamPeeters.com
Wed Sep 27 02:58:26 EDT 2006


On Wed, September 27, 2006 08:51, Bas Driessen wrote:
> Hello,
>
> I am having trouble getting an Openswan client connection to work from
> Linux (Fedora Core 5 x86_64) to a SonicWALL VPN. The settings passed on
> by the administrator of that site are DES MD5 group 1.
>
> Going through the lists, I found out that DES is not supported by
> default in OpenSwan, so I have re-compiled the package by setting the
> USE_WEAKSTUFF?=true flag in the Makefile.inc and also corrected the line
> to WEAK_DEFS=-DUSE_VERYWEAK_DH1=1 -DUSE_1DES in the Makefile of Pluto.
> All compiles OK. I know that 3DES is better etc, but this is out of my
> control. I have to get it to work with the current setup.
>
> I am very, very close to getting it all to work, but there is a last hurdle
> that I can't get out of the way. Below is the information. I would appreciate
> any help/tips/comments. Also, can I enable some additional debugging to
> find out what I am missing?
>
> My settings are as follows (for security reasons I have marked the VPN
> ip number sections with nnn and changed the key password):
>
> sonicwall.conf
>
> conn sonicwall
>     left=%defaultroute
>     leftsubnet=192.168.1.0/24
>     leftid=192.168.1.13
>     right=66.nnn.nnn.nnn
>     rightsubnet=192.168.128.0/24
>     rightid=66.nnn.nnn.nnn
>     keyingtries=0
>     pfs=yes
>     aggrmode=no
>     auto=add
>     auth=esp
>     ike=des-md5-modp768
>     esp=des-md5
>     authby=secret
>
>
> sonicwall.secrets
>
> 192.168.1.13 66.nnn.nnn.nnn : PSK "abcdef"
>
> ipsec starts OK using /etc/rc.d/init.d/ipsec restart
>
> Then I try to get the connection up with:
>
> /usr/sbin/ipsec whack --name sonicwall --initiate
>
> output as follows:
>
> # /usr/sbin/ipsec whack --name sonicwall --initiate
> 002 "sonicwall" #1: initiating Main Mode
> 104 "sonicwall" #1: STATE_MAIN_I1: initiate
> 003 "sonicwall" #1: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
> 003 "sonicwall" #1: You should NOT use insecure IKE algorithms
> (OAKLEY_DES_CBC)!
> 002 "sonicwall" #1: enabling possible NAT-traversal with method
> draft-ietf-ipsec-nat-t-ike-02/03
> 002 "sonicwall" #1: transition from state STATE_MAIN_I1 to state
> STATE_MAIN_I2
> 106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "sonicwall" #1: ignoring unknown Vendor ID payload
> [da8e937880010000]
> 003 "sonicwall" #1: ignoring unknown Vendor ID payload
> [404bf439522ca3f6]
> 003 "sonicwall" #1: received Vendor ID payload [XAUTH]
> 002 "sonicwall" #1: I did not send a certificate because I do not have
> one.
> 003 "sonicwall" #1: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
> 002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state
> STATE_MAIN_I3
> 108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "sonicwall" #1: Main mode peer ID is ID_IPV4_ADDR: '66.nnn.nnn.nnn'
> 002 "sonicwall" #1: transition from state STATE_MAIN_I3 to state
> STATE_MAIN_I4
> 004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64 prf=oakley_md5
> group=modp768}
> 002 "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
> {using isakmp#1}
> 117 "sonicwall" #2: STATE_QUICK_I1: initiate
> 010 "sonicwall" #2: STATE_QUICK_I1: retransmission; will wait 20s for
> response
>
> The output of  /usr/sbin/ipsec auto --status
>
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.1.13
> 000 interface eth0/eth0 192.168.1.13
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8,
> keydeflen=64
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,64}
> trans={0,4,672} attrs={0,4,224}
> 000
> 000 "sonicwall":
> 192.168.1.0/24===192.168.1.13---192.168.1.1...66.nnn.nnn.nnn===192.168.128.0/24;
> unrouted; eroute owner: #0
> 000 "sonicwall":     srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "sonicwall":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "sonicwall":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
> interface: eth0;
> 000 "sonicwall":   newest ISAKMP SA: #1; newest IPsec SA: #0;
> 000 "sonicwall":   IKE algorithms wanted: 1_000-1-1, flags=-strict
> 000 "sonicwall":   IKE algorithms found:  1_064-1_128-1,
> 000 "sonicwall":   IKE algorithm newest: DES_CBC_64-MD5-MODP768
> 000 "sonicwall":   ESP algorithms wanted: 2_000-1, flags=-strict
> 000 "sonicwall":   ESP algorithms loaded: 2_000-1, flags=-strict
> 000
> 000 #4: "sonicwall":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 40s; nodpd
> 000 #1: "sonicwall":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 2499s; newest ISAKMP; nodpd
> 000
>
>
> The output dumped in /var/log/secure:
>
> Sep 27 16:43:31 ams pluto[15124]: shutting down
> Sep 27 16:43:31 ams pluto[15124]: forgetting secrets
> Sep 27 16:43:31 ams pluto[15124]: "sonicwall": deleting connection
> Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #3: deleting state
> (STATE_QUICK_I1)
> Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #2: deleting state
> (STATE_QUICK_I1)
> Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #1: deleting state
> (STATE_MAIN_I4)
> Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo ::1:500
> Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo
> 127.0.0.1:4500
> Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo
> 127.0.0.1:500
> Sep 27 16:43:31 ams pluto[15124]: shutting down interface eth0/eth0
> 192.168.1.13:4500
> Sep 27 16:43:31 ams pluto[15124]: shutting down interface eth0/eth0
> 192.168.1.13:500
> Sep 27 16:43:33 ams ipsec__plutorun: Starting Pluto subsystem...
> Sep 27 16:43:33 ams pluto[15319]: Starting Pluto (Openswan Version 2.4.4
> X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
> OEz}FFFfgr_e)
> Sep 27 16:43:33 ams pluto[15319]: Setting NAT-Traversal port-4500
> floating to on
> Sep 27 16:43:33 ams pluto[15319]:    port floating activation criteria
> nat_t=1/port_fload=1
> Sep 27 16:43:33 ams pluto[15319]:   including NAT-Traversal patch
> (Version 0.6c)
> Sep 27 16:43:34 ams pluto[15319]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Sep 27 16:43:34 ams pluto[15319]: starting up 1 cryptographic helpers
> Sep 27 16:43:34 ams pluto[15319]: started helper pid=15320 (fd:6)
> Sep 27 16:43:34 ams pluto[15319]: Using Linux 2.6 IPsec interface code
> on 2.6.17-1.2187_FC5
> Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
> '/etc/ipsec.d/cacerts'
> Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
> '/etc/ipsec.d/aacerts'
> Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
> '/etc/ipsec.d/ocspcerts'
> Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
> '/etc/ipsec.d/crls'
> Sep 27 16:43:34 ams pluto[15319]: added connection description
> "sonicwall"
> Sep 27 16:43:34 ams pluto[15319]: listening for IKE messages
> Sep 27 16:43:34 ams pluto[15319]: adding interface eth0/eth0
> 192.168.1.13:500
> Sep 27 16:43:34 ams pluto[15319]: adding interface eth0/eth0
> 192.168.1.13:4500
> Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo 127.0.0.1:500
> Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo 127.0.0.1:4500
> Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo ::1:500
> Sep 27 16:43:34 ams pluto[15319]: loading secrets from
> "/etc/ipsec.secrets"
> Sep 27 16:43:34 ams pluto[15319]: loading secrets from
> "/etc/ipsec.d/hostkey.secrets"
> Sep 27 16:43:34 ams pluto[15319]: loading secrets from
> "/etc/ipsec.d/sonicwall.secrets"
> Sep 27 16:43:40 ams pluto[15319]: "sonicwall" #1: initiating Main Mode
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received Vendor ID
> payload [draft-ietf-ipsec-nat-t-ike-00]
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: You should NOT use
> insecure IKE algorithms (OAKLEY_DES_CBC)!
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: enabling possible
> NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I2: sent
> MI2, expecting MR2
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring unknown
> Vendor ID payload [da8e937880010000]
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring unknown
> Vendor ID payload [404bf439522ca3f6]
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received Vendor ID
> payload [XAUTH]
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: I did not send a
> certificate because I do not have one.
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: NAT-Traversal: Result
> using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I3: sent
> MI3, expecting MR3
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: Main mode peer ID is
> ID_IPV4_ADDR: '66.nnn.nnn.nnn'
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I4: ISAKMP
> SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64
> prf=oakley_md5 group=modp768}
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #2: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring informational
> payload, type NO_PROPOSAL_CHOSEN
> Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received and ignored
> informational message
> Sep 27 16:43:52 ams pluto[15319]: "sonicwall" #1: discarding duplicate
> packet; already STATE_MAIN_I4
> Sep 27 16:44:11 ams pluto[15319]: "sonicwall" #1: ignoring informational
> payload, type NO_PROPOSAL_CHOSEN
> Sep 27 16:44:11 ams pluto[15319]: "sonicwall" #1: received and ignored
> informational message
> Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #2: max number of
> retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to
> our first Quick Mode message: perhaps peer likes no proposal
> Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #2: starting keying
> attempt 2 of an unlimited number, but releasing whack
> Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #3: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
> Sep 27 16:44:52 ams pluto[15319]: "sonicwall" #1: ignoring informational
> payload, type NO_PROPOSAL_CHOSEN
> Sep 27 16:44:52 ams pluto[15319]: "sonicwall" #1: received and ignored
> informational message
>
> Thanks in advance for any response,
>
> Bas.
>

You'd also need to have the SNWL logs to know why it doesn't complete phase 2.

Also, you'll need more info on the SNWL side, including what version of OS
they are using.

Lastly, if they have a halfway decent version, you will *not* be able to
use the GroupVPN SA, as that will require the SNWL VPN Client!...

Good luck!

-- 
Francesco Peeters
----
GPG Key = AA69 E7C6 1D8A F148 160C  D5C4 9943 6E38 D5E3 7704
If your program doesn't recognize my signature, please visit
http://www.CAcert.org/index.php?id=3 to retrieve the Root CA certificate.
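The failure pattern in the quoted post (phase 1 completes, every Quick Mode attempt is answered with an informational NO_PROPOSAL_CHOSEN and then times out) is easy to miss in a long pluto log. The triage script below is an added example, not part of the thread or of Openswan; it reads pluto syslog lines in the format shown in the post and reports the phase in which the negotiation stalled, along with any weak-algorithm warnings pluto emitted. The sample lines are constructed from the post, with the connection name and placeholder peer address assumed.

```python
import re
from dataclasses import dataclass, field

# pluto syslog line as seen in the post, e.g.
#   Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {...}
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
WEAK_RE = re.compile(r"insecure IKE algorithms \((\w+)\)")

@dataclass
class Diagnosis:
    phase1_established: bool = False   # ISAKMP SA (Main Mode) reached STATE_MAIN_I4
    weak_ike_algs: list = field(default_factory=list)  # algorithms pluto warned about
    quick_mode_started: bool = False   # at least one Quick Mode (phase 2) initiated
    no_proposal_chosen: int = 0        # informational NO_PROPOSAL_CHOSEN replies seen
    retransmits_exhausted: bool = False
    verdict: str = "no IKE state activity seen for this connection"

def diagnose(lines, conn="sonicwall"):
    """Walk pluto log lines for one connection and summarise where it stalls."""
    d = Diagnosis()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("conn") != conn:
            continue
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            d.phase1_established = True
        w = WEAK_RE.search(msg)
        if w:
            d.weak_ike_algs.append(w.group(1))
        if msg.startswith("initiating Quick Mode"):
            d.quick_mode_started = True
        if "NO_PROPOSAL_CHOSEN" in msg:
            d.no_proposal_chosen += 1
        if "max number of retransmissions" in msg:
            d.retransmits_exhausted = True
    if d.phase1_established and d.quick_mode_started and d.no_proposal_chosen:
        d.verdict = ("phase 2 rejected: peer answered Quick Mode with NO_PROPOSAL_CHOSEN, "
                     "so the ESP transform, PFS group or subnet pair does not match its policy")
    elif d.phase1_established and d.quick_mode_started:
        d.verdict = "phase 2 unanswered: Quick Mode sent but no reply from peer"
    elif d.phase1_established:
        d.verdict = "phase 1 established, phase 2 never initiated"
    return d

# Constructed sample adapted from the post's /var/log/secure excerpt.
SAMPLE_LOG = """\
Sep 27 16:43:40 ams pluto[15319]: "sonicwall" #1: initiating Main Mode
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: You should NOT use insecure IKE algorithms (OAKLEY_DES_CBC)!
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64 prf=oakley_md5 group=modp768}
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
""".splitlines()
```

Run `diagnose(SAMPLE_LOG)` against a real log with `diagnose(open('/var/log/secure'))`; the verdict narrows the conversation with the SonicWALL administrator to the phase 2 policy rather than the PSK or phase 1 settings.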

