[Openswan Users] Openswan Linux Client to SonicWall Windows

Bas Driessen bas.driessen at xobas.com
Wed Sep 27 03:40:20 EDT 2006


On Wed, 2006-09-27 at 08:58 +0200, Francesco Peeters wrote:

> On Wed, September 27, 2006 08:51, Bas Driessen wrote:
> > Hello,
> >
> > I am having trouble getting an Openswan client connection to work from
> > Linux (Fedora Core 5 x86_64) to a SonicWALL VPN. The settings passed on
> > by the administrator of that site are DES MD5 group 1.
> >
> > Going through the lists, I found out that DES is not supported by
> > default in Openswan, so I have re-compiled the package by setting the
> > USE_WEAKSTUFF?=true flag in the Makefile.inc and also corrected the line
> > to WEAK_DEFS=-DUSE_VERYWEAK_DH1=1 -DUSE_1DES in the Makefile of Pluto.
> > All compiles OK. I know that 3DES is better etc, but this is out of my
> > control. I have to get it to work with the current setup.
> >
> > I am very, very close to getting it all to work, but there is a last hurdle
> > that I can't get out of the way. Below is the information. I would appreciate
> > any help/tips/comments. Also, can I enable some additional debugging to
> > find out what I am missing?
> >
> > My settings are as follows (for security reasons I have marked the VPN
> > ip number sections with nnn and changed the key password):
> >
> > sonicwall.conf
> >
> > conn sonicwall
> >     left=%defaultroute
> >     leftsubnet=192.168.1.0/24
> >     leftid=192.168.1.13
> >     right=66.nnn.nnn.nnn
> >     rightsubnet=192.168.128.0/24
> >     rightid=66.nnn.nnn.nnn
> >     keyingtries=0
> >     pfs=yes
> >     aggrmode=no
> >     auto=add
> >     auth=esp
> >     ike=des-md5-modp768
> >     esp=des-md5
> >     authby=secret
> >
> >
> > sonicwall.secrets
> >
> > 192.168.1.13 66.nnn.nnn.nnn : PSK "abcdef"
> >
> > ipsec starts OK using /etc/rc.d/init.d/ipsec restart
> >
> > Then I try to get the connection up with:
> >
> > /usr/sbin/ipsec whack --name sonicwall --initiate
> >
> > output as follows:
> >
> > # /usr/sbin/ipsec whack --name sonicwall --initiate
> > 002 "sonicwall" #1: initiating Main Mode
> > 104 "sonicwall" #1: STATE_MAIN_I1: initiate
> > 003 "sonicwall" #1: received Vendor ID payload
> > [draft-ietf-ipsec-nat-t-ike-00]
> > 003 "sonicwall" #1: You should NOT use insecure IKE algorithms
> > (OAKLEY_DES_CBC)!
> > 002 "sonicwall" #1: enabling possible NAT-traversal with method
> > draft-ietf-ipsec-nat-t-ike-02/03
> > 002 "sonicwall" #1: transition from state STATE_MAIN_I1 to state
> > STATE_MAIN_I2
> > 106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> > 003 "sonicwall" #1: ignoring unknown Vendor ID payload
> > [da8e937880010000]
> > 003 "sonicwall" #1: ignoring unknown Vendor ID payload
> > [404bf439522ca3f6]
> > 003 "sonicwall" #1: received Vendor ID payload [XAUTH]
> > 002 "sonicwall" #1: I did not send a certificate because I do not have
> > one.
> > 003 "sonicwall" #1: NAT-Traversal: Result using
> > draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
> > 002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state
> > STATE_MAIN_I3
> > 108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> > 002 "sonicwall" #1: Main mode peer ID is ID_IPV4_ADDR: '66.nnn.nnn.nnn'
> > 002 "sonicwall" #1: transition from state STATE_MAIN_I3 to state
> > STATE_MAIN_I4
> > 004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established
> > {auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64 prf=oakley_md5
> > group=modp768}
> > 002 "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
> > {using isakmp#1}
> > 117 "sonicwall" #2: STATE_QUICK_I1: initiate
> > 010 "sonicwall" #2: STATE_QUICK_I1: retransmission; will wait 20s for
> > response
> >
> > The output of /usr/sbin/ipsec auto --status:
> >
> > 000 interface lo/lo ::1
> > 000 interface lo/lo 127.0.0.1
> > 000 interface lo/lo 127.0.0.1
> > 000 interface eth0/eth0 192.168.1.13
> > 000 interface eth0/eth0 192.168.1.13
> > 000 %myid = (none)
> > 000 debug none
> > 000
> > 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> > keysizemax=64
> > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> > keysizemax=192
> > 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> > keysizemin=40, keysizemax=448
> > 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> > keysizemax=0
> > 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> > keysizemax=256
> > 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> > keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> > keysizemin=160, keysizemax=160
> > 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> > keysizemin=256, keysizemax=256
> > 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> > keysizemax=0
> > 000
> > 000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8,
> > keydeflen=64
> > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> > keydeflen=192
> > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> > keydeflen=128
> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> > 000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> > 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> > 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> > 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> > 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> > 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> > 000
> > 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,64}
> > trans={0,4,672} attrs={0,4,224}
> > 000
> > 000 "sonicwall":
> > 192.168.1.0/24===192.168.1.13---192.168.1.1...66.nnn.nnn.nnn===192.168.128.0/24;
> > unrouted; eroute owner: #0
> > 000 "sonicwall":     srcip=unset; dstip=unset; srcup=ipsec _updown;
> > dstup=ipsec _updown;
> > 000 "sonicwall":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> > 540s; rekey_fuzz: 100%; keyingtries: 0
> > 000 "sonicwall":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
> > interface: eth0;
> > 000 "sonicwall":   newest ISAKMP SA: #1; newest IPsec SA: #0;
> > 000 "sonicwall":   IKE algorithms wanted: 1_000-1-1, flags=-strict
> > 000 "sonicwall":   IKE algorithms found:  1_064-1_128-1,
> > 000 "sonicwall":   IKE algorithm newest: DES_CBC_64-MD5-MODP768
> > 000 "sonicwall":   ESP algorithms wanted: 2_000-1, flags=-strict
> > 000 "sonicwall":   ESP algorithms loaded: 2_000-1, flags=-strict
> > 000
> > 000 #4: "sonicwall":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
> > EVENT_RETRANSMIT in 40s; nodpd
> > 000 #1: "sonicwall":500 STATE_MAIN_I4 (ISAKMP SA established);
> > EVENT_SA_REPLACE in 2499s; newest ISAKMP; nodpd
> > 000
> >
> >
> > The output dumped in /var/log/secure:
> >
> > Sep 27 16:43:31 ams pluto[15124]: shutting down
> > Sep 27 16:43:31 ams pluto[15124]: forgetting secrets
> > Sep 27 16:43:31 ams pluto[15124]: "sonicwall": deleting connection
> > Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #3: deleting state
> > (STATE_QUICK_I1)
> > Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #2: deleting state
> > (STATE_QUICK_I1)
> > Sep 27 16:43:31 ams pluto[15124]: "sonicwall" #1: deleting state
> > (STATE_MAIN_I4)
> > Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo ::1:500
> > Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo
> > 127.0.0.1:4500
> > Sep 27 16:43:31 ams pluto[15124]: shutting down interface lo/lo
> > 127.0.0.1:500
> > Sep 27 16:43:31 ams pluto[15124]: shutting down interface eth0/eth0
> > 192.168.1.13:4500
> > Sep 27 16:43:31 ams pluto[15124]: shutting down interface eth0/eth0
> > 192.168.1.13:500
> > Sep 27 16:43:33 ams ipsec__plutorun: Starting Pluto subsystem...
> > Sep 27 16:43:33 ams pluto[15319]: Starting Pluto (Openswan Version 2.4.4
> > X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
> > OEz}FFFfgr_e)
> > Sep 27 16:43:33 ams pluto[15319]: Setting NAT-Traversal port-4500
> > floating to on
> > Sep 27 16:43:33 ams pluto[15319]:    port floating activation criteria
> > nat_t=1/port_fload=1
> > Sep 27 16:43:33 ams pluto[15319]:   including NAT-Traversal patch
> > (Version 0.6c)
> > Sep 27 16:43:34 ams pluto[15319]: ike_alg_register_enc(): Activating
> > OAKLEY_AES_CBC: Ok (ret=0)
> > Sep 27 16:43:34 ams pluto[15319]: starting up 1 cryptographic helpers
> > Sep 27 16:43:34 ams pluto[15319]: started helper pid=15320 (fd:6)
> > Sep 27 16:43:34 ams pluto[15319]: Using Linux 2.6 IPsec interface code
> > on 2.6.17-1.2187_FC5
> > Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
> > '/etc/ipsec.d/cacerts'
> > Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
> > '/etc/ipsec.d/aacerts'
> > Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
> > '/etc/ipsec.d/ocspcerts'
> > Sep 27 16:43:34 ams pluto[15319]: Could not change to directory
> > '/etc/ipsec.d/crls'
> > Sep 27 16:43:34 ams pluto[15319]: added connection description
> > "sonicwall"
> > Sep 27 16:43:34 ams pluto[15319]: listening for IKE messages
> > Sep 27 16:43:34 ams pluto[15319]: adding interface eth0/eth0
> > 192.168.1.13:500
> > Sep 27 16:43:34 ams pluto[15319]: adding interface eth0/eth0
> > 192.168.1.13:4500
> > Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo 127.0.0.1:500
> > Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo 127.0.0.1:4500
> > Sep 27 16:43:34 ams pluto[15319]: adding interface lo/lo ::1:500
> > Sep 27 16:43:34 ams pluto[15319]: loading secrets from
> > "/etc/ipsec.secrets"
> > Sep 27 16:43:34 ams pluto[15319]: loading secrets from
> > "/etc/ipsec.d/hostkey.secrets"
> > Sep 27 16:43:34 ams pluto[15319]: loading secrets from
> > "/etc/ipsec.d/sonicwall.secrets"
> > Sep 27 16:43:40 ams pluto[15319]: "sonicwall" #1: initiating Main Mode
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received Vendor ID
> > payload [draft-ietf-ipsec-nat-t-ike-00]
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: You should NOT use
> > insecure IKE algorithms (OAKLEY_DES_CBC)!
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: enabling possible
> > NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state
> > STATE_MAIN_I1 to state STATE_MAIN_I2
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I2: sent
> > MI2, expecting MR2
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring unknown
> > Vendor ID payload [da8e937880010000]
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring unknown
> > Vendor ID payload [404bf439522ca3f6]
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received Vendor ID
> > payload [XAUTH]
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: I did not send a
> > certificate because I do not have one.
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: NAT-Traversal: Result
> > using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state
> > STATE_MAIN_I2 to state STATE_MAIN_I3
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I3: sent
> > MI3, expecting MR3
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: Main mode peer ID is
> > ID_IPV4_ADDR: '66.nnn.nnn.nnn'
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: transition from state
> > STATE_MAIN_I3 to state STATE_MAIN_I4
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I4: ISAKMP
> > SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64
> > prf=oakley_md5 group=modp768}
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #2: initiating Quick Mode
> > PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring informational
> > payload, type NO_PROPOSAL_CHOSEN
> > Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: received and ignored
> > informational message
> > Sep 27 16:43:52 ams pluto[15319]: "sonicwall" #1: discarding duplicate
> > packet; already STATE_MAIN_I4
> > Sep 27 16:44:11 ams pluto[15319]: "sonicwall" #1: ignoring informational
> > payload, type NO_PROPOSAL_CHOSEN
> > Sep 27 16:44:11 ams pluto[15319]: "sonicwall" #1: received and ignored
> > informational message
> > Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #2: max number of
> > retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to
> > our first Quick Mode message: perhaps peer likes no proposal
> > Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #2: starting keying
> > attempt 2 of an unlimited number, but releasing whack
> > Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #3: initiating Quick Mode
> > PSK+ENCRYPT+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
> > Sep 27 16:44:52 ams pluto[15319]: "sonicwall" #1: ignoring informational
> > payload, type NO_PROPOSAL_CHOSEN
> > Sep 27 16:44:52 ams pluto[15319]: "sonicwall" #1: received and ignored
> > informational message
> >
> > Thanks in advance for any response,
> >
> > Bas.
> >
> 
> You'd also need to have the SNWL logs to know why it doesn't complete phase 2.
> 
> Also, you'll need more info on the SNWL side, including what version of OS
> they are using.
> 
> Lastly, if they have a halfway decent version, you will *not* be able to
> use the GroupVPN SA, as that will require the SNWL VPN Client!...
> 

Thanks Francesco. Will request the log files from the administrator.

Can you please clarify GroupVPN SA versus VPN Client? All I need is a
VPN client connection. If there is a different package that is easy to
set up on Linux, that is the thing I want.

Bas.
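As an added example (not from the thread), a small triage script over pluto log lines like those posted above: per connection it records whether phase 1 (Main Mode) completed, how many Quick Mode attempts were made, how many NO_PROPOSAL_CHOSEN notifications came back, and which weak-algorithm warnings pluto printed. The sample lines are constructed from the ones in the post (PID and hostname kept, no real addresses).

```python
import re
from collections import defaultdict

# pluto tags every per-state message as: pluto[pid]: "<conn>" #<state>: <text>
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)')
WEAK_RE = re.compile(r"insecure IKE algorithms \((\w+)\)")

def triage(lines):
    """Return {conn: {phase1, quick_mode_attempts, no_proposal_chosen, weak_algs}}."""
    conns = defaultdict(lambda: {"phase1": False, "quick_mode_attempts": 0,
                                 "no_proposal_chosen": 0, "weak_algs": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                                   # not a per-state pluto message
        st, msg = conns[m["conn"]], m["msg"]
        if "ISAKMP SA established" in msg:             # Main Mode (phase 1) finished
            st["phase1"] = True
        elif msg.startswith("initiating Quick Mode"):  # a phase 2 attempt
            st["quick_mode_attempts"] += 1
        elif "NO_PROPOSAL_CHOSEN" in msg:              # peer rejected what we offered
            st["no_proposal_chosen"] += 1
        weak = WEAK_RE.search(msg)                     # pluto's own weak-cipher warning
        if weak:
            st["weak_algs"].add(weak.group(1))
    return dict(conns)

def diagnosis(st):
    """One-line verdict: which phase failed and what the evidence points at."""
    if not st["phase1"]:
        return "phase 1 (Main Mode) never completed"
    if st["quick_mode_attempts"] and st["no_proposal_chosen"]:
        return ("phase 1 up; phase 2 (Quick Mode) rejected with NO_PROPOSAL_CHOSEN: "
                "peer does not accept the ESP proposal or the subnets offered")
    if st["quick_mode_attempts"]:
        return "phase 1 up; phase 2 still waiting for a reply"
    return "phase 1 up; no Quick Mode attempted"

# Constructed sample, cut down from the log excerpt in the thread above.
SAMPLE = """\
Sep 27 16:43:40 ams pluto[15319]: "sonicwall" #1: initiating Main Mode
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: You should NOT use insecure IKE algorithms (OAKLEY_DES_CBC)!
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_des_cbc_64 prf=oakley_md5 group=modp768}
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Sep 27 16:43:41 ams pluto[15319]: "sonicwall" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 27 16:44:51 ams pluto[15319]: "sonicwall" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #2 {using isakmp#1}
Sep 27 16:44:52 ams pluto[15319]: "sonicwall" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

if __name__ == "__main__":
    for conn, st in triage(SAMPLE.splitlines()).items():
        print(f'"{conn}": {diagnosis(st)}; weak IKE algorithms seen: {sorted(st["weak_algs"])}')
```

Feed it `/var/log/secure` (or wherever pluto logs) instead of SAMPLE to get the same verdict for a live connection.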
