[Openswan Users] Openswan Linux Client to SonicWall Windows

Bas Driessen bas.driessen at xobas.com
Wed Sep 27 07:08:30 EDT 2006


On Wed, 2006-09-27 at 12:07 +0200, Francesco Peeters wrote:

> On Wed, September 27, 2006 11:54, Bas Driessen wrote:
> > On Wed, 2006-09-27 at 10:35 +0200, Francesco Peeters wrote:
> >
> >> On Wed, September 27, 2006 09:40, Bas Driessen wrote:
> >> > On Wed, 2006-09-27 at 08:58 +0200, Francesco Peeters wrote:
> >> <SNIP>
> >> >> You'd also need to have the SNWL logs to know why it doesn't complete
> >> >> phase 2
> >> >>
> >> >> Also you'll need more info on the SNWL side, including what version of
> >> >> OS they are using
> >> >>
> >> >> Lastly, if they have a halfway decent version, you will *not* be able to
> >> >> use the GroupVPN SA, as that will require the SNWL VPN Client!...
> >> >>
> >> >
> >> > Thanks Francesco. Will request the log files from the administrator.
> >> >
> >> > Can you please clarify GroupVPN SA versus VPN Client? All I need is a
> >> > VPN client connection. If there is a different package that is easy to
> >> > set up on Linux, that is the thing I want.
> >> >
> >> > Bas.
> >> >
> >> > ___
> >> In more recent firmwares, the GroupVPN is set up for use with the
> >> SonicWALL Global VPN Client (GVC).
> >>
> >> AFAIK, the GroupVPN can *only* be used with the GVC, due to stuff like
> >> Client Enforcing and Profile Distribution mechanisms in the SNWL box,
> >> unless all the enhanced GVC features are turned off in the box, and even
> >> then I'm not sure whether it'll work...
> >>
> >> Older versions (And that excludes anything that runs SonicOS) will be able
> >> to use the GroupVPN, but you'll need to have a firmware that predates the
> >> GVC!
> >>
> >> AFAIK the GVC is only available for Windows and Windows Mobile...
> >>
> >> In newer firmware you will need to use a separate 'box to box' vpn SA...
> >>
> >
> > Thanks Francesco. On the sonicwall.com web site, there are documents as
> > follows:
> >
> > http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_GroupVPN_with_XAUTH.pdf
> > http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_Main_Mode_IKE_with_PreShared_key.pdf
> > http://www.sonicwall.com/support/pdfs/technotes/SonicOS_Enhanced_to_Openswan_Using_Aggressive_Mode_IKE_with_PreShared_key.pdf
> >
> > This indicates to me that OpenSwan can be used using GroupVPN, Main Mode
> > and Aggressive Mode. Also since I am so close to having a VPN connecting
> > using OpenSwan (as in my original posting), I do believe that a
> > connection is possible with OpenSwan. Will gather the info from the
> > other side and hopefully that generates some new ideas.
> >
> > Bas.
> >
> >
> OK, so apparently GroupVPN has changed sufficiently to allow other clients
> to connect since I last tried...
> 
> Good!
> 
> You'll still need the details from the SNWL side though  ;-)
> 
> I think however you'll need to change the left and right IDs
> 
> The SonicWALL uses the IDs to match the SAs, and for GroupVPN you cannot
> alter the IDs.
> By default the SonicWALL uses the MAC address of its main interface
> (also the box's serial#) as local ID and the SA name (GroupVPN) as the
> remote ID.
> 
> Hence the entries:
> leftid=@GroupVPN   (ie the name of the SA)
> rightid=@0006B1.....  (The MAC Address and Serial# of the SNWL)
> 
> The actual SA name may actually be different (like 'GroupVPN WAN') as they
> made a split a while back for the GroupVPN, so you can have different SAs
> for clients from WAN, LAN, WLAN, etc.
> 
> The Technote is a year old, so it may not have been adjusted for that fact...
> 
> (Again: You'll need the SNWL details to be able to determine that!)
> 


My understanding is that the leftid is just a name that I can use as id
for my local computer. So the name should not be important right? I can
use leftid=@home or leftid=@abcdef as long as it matches the entry in
the .secrets file. Regarding the rightid, if in MAIN Mode, this should
be the IP number of the VPN, if in AGGRESSIVE mode I do get an error
back where it comes back with an id (let's say) @Destination  (changed
this name for obvious security reasons). If I set this as rightid and
use aggressive mode, it stops at the same place in Phase 2. Therefore, I
don't believe the left/right id or MAIN versus AGGRESSIVE is the issue,
but since I am not a VPN expert, I could be wrong.

Bas.
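As an added illustration of the leftid/rightid pairing and the Main Mode versus Aggressive Mode distinction discussed in this thread (editor's example; it is not part of Bas's or Francesco's messages and is not copied from the SonicWALL technotes), the two Openswan connection definitions below show where each ID lands in ipsec.conf and how the matching ipsec.secrets lines are keyed. The SonicWALL WAN address (203.0.113.10), the protected subnet, the cipher proposals and the PSK are placeholders; the SonicWALL serial/MAC ID is shown as a placeholder because the thread elides it, and the SA name may be "GroupVPN WAN" rather than "GroupVPN" on newer firmware, as Francesco notes.

```ini
# /etc/ipsec.conf (Openswan 2.x syntax) -- added example, placeholder values throughout
config setup
    nat_traversal=yes

# Aggressive Mode with PSK and XAUTH (the GroupVPN technote scenario).
# With aggrmode=yes the ID payload travels in the first exchange, so both
# sides can select the PSK by name (@...) instead of by IP address.
conn sonicwall-groupvpn
    type=tunnel
    authby=secret
    aggrmode=yes
    left=%defaultroute
    leftid=@GroupVPN            # must equal the SonicWALL SA name (possibly "GroupVPN WAN")
    leftxauthclient=yes         # SonicWALL prompts for XAUTH user credentials
    right=203.0.113.10          # placeholder: SonicWALL WAN address
    rightid=@0006B1XXXXXX       # placeholder: SonicWALL serial/MAC as reported by the peer
    rightxauthserver=yes
    rightsubnet=192.168.1.0/24  # placeholder: network behind the SonicWALL
    ike=3des-sha1-modp1024      # assumption: matches the SonicWALL phase 1 proposal
    esp=3des-sha1               # assumption: matches the SonicWALL phase 2 proposal
    pfs=no
    auto=add

# Main Mode with PSK. The ID payload is encrypted, so the PSK must already be
# selected by the peer's IP address; name-based IDs cannot be used here, which
# is why rightid is left at its default (the IP address in right=).
conn sonicwall-mainmode
    type=tunnel
    authby=secret
    left=%defaultroute
    right=203.0.113.10
    rightsubnet=192.168.1.0/24
    ike=3des-sha1-modp1024
    esp=3des-sha1
    auto=add

# /etc/ipsec.secrets (mode 0600, owned by root) -- added example
# Aggressive Mode: keyed by the same two names used as leftid/rightid above.
@GroupVPN @0006B1XXXXXX : PSK "PLACEHOLDER-use-a-long-random-secret"
# Main Mode: keyed by IP address; %any lets a client with a dynamic address match.
%any 203.0.113.10 : PSK "PLACEHOLDER-use-a-long-random-secret"
```

Bring a connection up with `ipsec auto --up sonicwall-groupvpn` and check `ipsec auto --status` and /var/log/auth.log for the phase 1 and phase 2 state; an ID mismatch shows up as a failure in phase 1 (no proposal chosen or no PSK found), whereas a phase 2 stall such as the one in the original posting usually points at a proposal or subnet mismatch, which is why the SonicWALL-side logs Francesco asked for are needed. Because IKEv1 Aggressive Mode sends the identities unencrypted and lets a passive observer record material derived from the PSK, use a long random secret and prefer Main Mode whenever the peer's configuration permits it.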
