[Openswan Users] SonicWall and Openswan
Aaron Kincer
kincera at gmail.com
Wed Jul 4 16:16:02 EDT 2007
So long as you are trying to use XAUTH with Sonicwall, it will not work.
Period. I don't know which side of the equation has the issue, but it is what it
is.
On 7/4/07, Rick Knight <rick_knight at rlknight.com> wrote:
>
> Still trying to get my Linux box to connect to my SonicWall VPN at work.
> I think I'm getting close. I get to a point where SonicWall is waiting
> for a response but not getting any. I can see in my firewall logs where
> my Linux box is responding, but instead of sending to the SonicWall
> public IP it's sending to 10.1.0.11. I don't have anything on either end
> at 10.1.x.x. Where is this coming from? I've checked all of the
> Openswan and my own network settings, but I don't see 10.1.0.11 anywhere.
>
> Thanks for any help.
>
> I'm running Kubuntu Feisty 7.04, Kernel 2.6.20 Openswan 2.4.8, also
> tried 2.4.6 with same results.
>
> ipsec.conf 'conn sonicwall' section
>
> conn sonicwall
>     type=tunnel
>     left=172.16.88.25
>     leftnexthop=172.16.88.2
>     leftsubnet=172.16.88.0/23
>     leftxauthclient=yes
>     leftid=@myid
>     right=vpn.public.ip.addr
>     rightsubnet=192.168.0.0/24
>     rightxauthserver=yes
>     rightid=@vpnid
>     keyingtries=0
>     pfs=no
>     aggrmode=no
>     auto=add
>     auth=esp
>     ike=3des-sha1
>     esp=3des-sha1
>     authby=secret
>     xauth=yes
>     keyexchange=ike
>
>
>
> Output of # ipsec auto --up sonicwall
>
> 104 "sonicwall" #5: STATE_MAIN_I1: initiate
> 003 "sonicwall" #5: ignoring unknown Vendor ID payload [5b362bc820f60001]
> 003 "sonicwall" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
> 106 "sonicwall" #5: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "sonicwall" #5: ignoring unknown Vendor ID payload [404bf439522ca3f6]
> 003 "sonicwall" #5: received Vendor ID payload [XAUTH]
> 003 "sonicwall" #5: received Vendor ID payload [Dead Peer Detection]
> 003 "sonicwall" #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
> 108 "sonicwall" #5: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "sonicwall" #5: discarding duplicate packet; already STATE_MAIN_I3
> 010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 20s for response
> 003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
> 003 "sonicwall" #5: received and ignored informational message
> 010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 40s for response
> 003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
> 003 "sonicwall" #5: received and ignored informational message
> 031 "sonicwall" #5: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
> 000 "sonicwall" #5: starting keying attempt 2 of an unlimited number, but releasing whack
>
>
> Relevant section of SonicWall VPN log (x.x.x.x = VPN public IP, z.z.z.z
> = my private IP)
>
> 18 07/04/2007 12:41:15.064 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
> 19 07/04/2007 12:41:15.000 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) z.z.z.z, 1 (stroadmin) x.x.x.x, 500 HTTPS
> 23 07/04/2007 12:36:47.544 Info VPN IKE IKE Responder: No response - remote party timeout x.x.x.x, 500 z.z.z.z, 500
> 24 07/04/2007 12:36:47.544 Info VPN IKE IKE SA lifetime expired. x.x.x.x z.z.z.z
> 25 07/04/2007 12:36:42.608 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
>
>
>
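An added example, not part of the original thread: a small Python triage script that parses `ipsec auto --up` output in the format quoted above and reports, per connection and SA number, the last state reached, the retransmission count, any notifications received, and whether NAT was detected. The sample input is constructed from lines in the post; the function and field names are assumptions.

```python
import re

# Constructed sample, taken from the `ipsec auto --up sonicwall` output quoted above.
SAMPLE = '''\
104 "sonicwall" #5: STATE_MAIN_I1: initiate
003 "sonicwall" #5: received Vendor ID payload [XAUTH]
003 "sonicwall" #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "sonicwall" #5: STATE_MAIN_I3: sent MI3, expecting MR3
010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
031 "sonicwall" #5: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure
'''

# Line shape seen in the post: 3-digit code, quoted connection name, #SA number, message.
LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
STATE = re.compile(r'\bSTATE_[A-Z0-9_]+')
VENDOR = re.compile(r'received Vendor ID payload \[([^\]]+)\]')

def summarize(text):
    """Group lines by (connection, SA number) and record where each negotiation ended."""
    report = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # mail-wrapped continuation or unrelated line
        _code, conn, sa, msg = m.groups()
        r = report.setdefault((conn, int(sa)), {
            "last_state": None, "retransmits": 0, "notifications": [],
            "vendor_ids": [], "natted": False, "gave_up": False})
        s = STATE.search(msg)
        if s:
            r["last_state"] = s.group(0)
        if "retransmission;" in msg:
            r["retransmits"] += 1
        if "informational payload, type " in msg:
            r["notifications"].append(msg.rsplit("type ", 1)[1])
        v = VENDOR.search(msg)
        if v:
            r["vendor_ids"].append(v.group(1))
        r["natted"] = r["natted"] or "i am NATed" in msg
        r["gave_up"] = r["gave_up"] or "max number of retransmissions" in msg
    return report
```
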