[Openswan Users] SonicWall and Openswan
Rick Knight
rick_knight at rlknight.com
Wed Jul 4 16:06:55 EDT 2007
Still trying to get my Linux box to connect to my SonicWall VPN at work.
I think I'm getting close. I get to a point where SonicWall is waiting
for a response but not getting any. I can see in my firewall logs where
my linux box is responding, but instead of sending to the SonicWall
public IP it's sending to 10.1.0.11. I don't have anything on either end
at 10.1.x.x. Where is this coming from? I've checked all of the
Openswan and my own network settings, but I don't see 10.1.0.11 anywhere.
Thanks for any help.
I'm running Kubuntu Feisty 7.04, Kernel 2.6.20, Openswan 2.4.8; also
tried 2.4.6 with the same results.
ipsec.conf 'conn sonicwall' section
conn sonicwall
	type=tunnel
	left=172.16.88.25
	leftnexthop=172.16.88.2
	leftsubnet=172.16.88.0/23
	leftxauthclient=yes
	leftid=@myid
	right=vpn.public.ip.addr
	rightsubnet=192.168.0.0/24
	rightxauthserver=yes
	rightid=@vpnid
	keyingtries=0
	pfs=no
	aggrmode=no
	auto=add
	auth=esp
	ike=3des-sha1
	esp=3des-sha1
	authby=secret
	xauth=yes
	keyexchange=ike
Output of # ipsec auto --up sonicwall
104 "sonicwall" #5: STATE_MAIN_I1: initiate
003 "sonicwall" #5: ignoring unknown Vendor ID payload [5b362bc820f60001]
003 "sonicwall" #5: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "sonicwall" #5: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #5: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "sonicwall" #5: received Vendor ID payload [XAUTH]
003 "sonicwall" #5: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #5: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "sonicwall" #5: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #5: discarding duplicate packet; already STATE_MAIN_I3
010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 20s for
response
003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
003 "sonicwall" #5: received and ignored informational message
010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 40s for
response
003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
003 "sonicwall" #5: received and ignored informational message
031 "sonicwall" #5: max number of retransmissions (2) reached
STATE_MAIN_I3. Possible authentication failure: no acceptable response
to our first encrypted message
000 "sonicwall" #5: starting keying attempt 2 of an unlimited number,
but releasing whack
Relevant section of SonicWall VPN log (x.x.x.x = VPN public IP, z.z.z.z
= my private IP)
18 07/04/2007 12:41:15.064 Info VPN IKE NAT Discovery : Peer
IPSec Security Gateway behind a NAT/NAPT Device
19 07/04/2007 12:41:15.000 Info VPN IKE IKE Responder:
Received Main Mode request (Phase 1) z.z.z.z, 1 (stroadmin)
x.x.x.x, 500
HTTPS
23 07/04/2007 12:36:47.544 Info VPN IKE IKE Responder: No
response - remote party timeout x.x.x.x, 500 z.z.z.z, 500
24 07/04/2007 12:36:47.544 Info VPN IKE IKE SA lifetime
expired. x.x.x.x z.z.z.z
25 07/04/2007 12:36:42.608 Info VPN IKE NAT Discovery : Peer
IPSec Security Gateway behind a NAT/NAPT Device
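As an added example (not from the original post, Openswan or SonicWall), a small Python parser for the `ipsec auto --up` output quoted above that summarizes how far Main Mode got and what the peer sent back; the sample lines are the post's own output re-joined onto single lines, and the hints in `diagnose` are heuristics assumed for this example.

```python
import re

# Constructed sample: the pluto lines quoted in the post above, re-joined onto single lines.
PLUTO_OUTPUT = """\
104 "sonicwall" #5: STATE_MAIN_I1: initiate
003 "sonicwall" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "sonicwall" #5: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #5: received Vendor ID payload [XAUTH]
003 "sonicwall" #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "sonicwall" #5: STATE_MAIN_I3: sent MI3, expecting MR3
010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
031 "sonicwall" #5: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# pluto prefixes each whack line with a 3-digit code, the conn name and the state object number.
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


def summarize_pluto(text):
    """Collect what a triager looks at first: how far Main Mode got and what the peer sent back."""
    s = {"last_state": None, "nat_detected": False, "failed": False,
         "vendor_ids": [], "notifications": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if state := re.match(r"(STATE_\w+)", msg):      # only lines that open with a state name
            s["last_state"] = state.group(1)
        s["nat_detected"] |= "i am NATed" in msg
        s["failed"] |= msg.startswith("max number of retransmissions")
        if vid := re.search(r"received Vendor ID payload \[([^\]]+)\]", msg):
            s["vendor_ids"].append(vid.group(1))
        if notify := re.search(r"informational payload, type (\w+)", msg):
            s["notifications"].append(notify.group(1))
    return s


def diagnose(s):
    """Heuristic hints written for this example; they are not pluto's own diagnostics."""
    hints = []
    if s["failed"] and s["last_state"] == "STATE_MAIN_I3":
        hints.append("no MR3 received: the peer never accepted our first encrypted message, "
                     "so verify the PSK and the leftid/rightid pair it authenticates")
    if "INVALID_COOKIE" in s["notifications"]:
        hints.append("INVALID_COOKIE from the peer: it holds no ISAKMP SA for our cookies, "
                     "e.g. the half-open SA on its side already expired")
    if s["nat_detected"]:
        hints.append("NAT detected: confirm our packets leave for the peer's public address, not a private one")
    return hints
```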