[Openswan Users] Openswan Linux Client to SonicWall Windows

Francesco Peeters Francesco at FamPeeters.com
Wed Sep 27 06:07:39 EDT 2006


On Wed, September 27, 2006 11:54, Bas Driessen wrote:
> On Wed, 2006-09-27 at 10:35 +0200, Francesco Peeters wrote:
>
>> On Wed, September 27, 2006 09:40, Bas Driessen wrote:
>> > On Wed, 2006-09-27 at 08:58 +0200, Francesco Peeters wrote:
>> <SNIP>
>> >> You'd also need to have the SNWL logs to know why it doesn't complete
>> >> phase 2
>> >>
>> >> Also you'll need more info on the SNWL side, including what version of
>> >> OS they are using
>> >>
>> >> Lastly, if they have a halfway decent version, you will *not* be able to
>> >> use the GroupVPN SA, as that will require the SNWL VPN Client!...
>> >>
>> >
>> > Thanks Francesco. Will request the log files from the administrator.
>> >
>> > Can you please clarify GroupVPN SA versus VPN Client? All I need is a
>> > VPN client connection. If there is a different package that is easy to
>> > set up on Linux, that is the thing I want.
>> >
>> > Bas.
>> >
>> In more recent firmwares, the GroupVPN is set up for use with the
>> SonicWALL Global VPN Client (GVC).
>>
>> AFAIK, the GroupVPN can *only* be used with the GVC, due to stuff like
>> Client Enforcing and Profile Distribution mechanisms in the SNWL box,
>> unless all the enhanced GVC features are turned off in the box, and even
>> then I'm not sure whether it'll work...
>>
>> Older versions (And that excludes anything that runs SonicOS) will be able
>> to use the GroupVPN, but you'll need to have a firmware that predates the
>> GVC!
>>
>> AFAIK the GVC is only available for Windows and Windows Mobile...
>>
>> In newer firmware you will need to use a separate 'box to box' vpn SA...
>>
>
> Thanks Francesco. On the sonicwall.com web site, there are documents as
> follows:
>
> http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_GroupVPN_with_XAUTH.pdf
> http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_Main_Mode_IKE_with_PreShared_key.pdf
> http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_Aggressive_Mode_IKE_with_PreShared_key.pdf
>
> This indicates to me that OpenSwan can be used using GroupVPN, Main Mode
> and Aggressive Mode. Also since I am so close to having a VPN connecting
> using OpenSwan (as in my original posting), I do believe that a
> connection is possible with OpenSwan. Will gather the info from the
> other side and hopefully that generates some new ideas.
>
> Bas.
>
>
OK, so apparently GroupVPN has changed sufficiently to allow other clients
to connect since I last tried...

Good!

You'll still need the details from the SNWL side though  ;-)

I think however you'll need to change the left and right id's

The SonicWALL uses the ID's to match the SA's, and for GroupVPN you cannot
alter the ID's.
By default the SonicWALL uses the MAC address of its main interface
(also the box's serial#) as local ID and the SA name (GroupVPN) as the
remote ID.

Hence the entries:
leftid=@GroupVPN   (ie the name of the SA)
rightid=@0006B1.....  (The MAC Address and Serial# of the SNWL)

The actual SA name may actually be different (like 'GroupVPN WAN') as they
made a split a while back for the GroupVPN, so you can have different SA's
for clients from WAN, LAN, WLAN, etc.

The Technote is a year old, so it may not have been adjusted for that fact...

(Again: You'll need the SNWL details to be able to determine that!)

Good luck!

-- 
Francesco Peeters
----
GPG Key = AA69 E7C6 1D8A F148 160C  D5C4 9943 6E38 D5E3 7704
If your program doesn't recognize my signature, please visit
http://www.CAcert.org/index.php?id=3 to retrieve the Root CA certificate.
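
The ID scheme described in the message above, turned into a small check for an Openswan ipsec.conf. This is an added example, not part of the original post; the conn name, the sample config, the completed MAC/serial value and the assumption that the ID is '@' followed by 12 hex digits are all constructed for illustration.

```python
import re

# Constructed sample config: the MAC/serial value is a made-up placeholder,
# and the two IDs are deliberately on the wrong sides.
SAMPLE_CONF = """\
conn sonicwall
    left=%defaultroute
    leftid=@0006B1000000      # constructed value, wrong side
    right=192.0.2.1
    rightid=@GroupVPN
    auto=add
"""

MAC_ID = re.compile(r"^@[0-9A-Fa-f]{12}$")  # assumed form: '@' + 12 hex digits

def parse_conn(conf_text, conn_name):
    """Return the key=value settings of one 'conn' section of an ipsec.conf."""
    settings, active = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            active = line.split() == ["conn", conn_name]
        elif active and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def check_ids(conf_text, conn_name, sa_name="GroupVPN"):
    """List mismatches against the ID scheme described in the message."""
    s = parse_conn(conf_text, conn_name)
    leftid, rightid = s.get("leftid"), s.get("rightid")
    if leftid is None or rightid is None:
        return ["leftid and rightid must both be set explicitly"]
    if MAC_ID.match(leftid) and rightid == "@" + sa_name:
        return ["leftid and rightid are swapped"]
    problems = []
    if leftid != "@" + sa_name:
        problems.append(f"leftid is {leftid!r}, expected '@{sa_name}'")
    if not MAC_ID.match(rightid):
        problems.append(f"rightid {rightid!r} is not '@' + 12 hex digits")
    return problems

if __name__ == "__main__":
    for problem in check_ids(SAMPLE_CONF, "sonicwall"):
        print("sonicwall:", problem)
```

Pass the actual SA name from the SonicWALL side as sa_name if it differs from GroupVPN.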

