[Openswan Users] SonicWall and Openswan
Rick Knight
rick_knight at rlknight.com
Thu Jul 5 14:05:41 EDT 2007
Aaron,
My WAN Group VPN, Settings, Client, Virtual Adaptor Settings, is set
for "DHCP Lease or Manual Config". I have Xauth turned now and when I
try to connect, I get the same messages and no connection. I did find
the source for the 10.1.0.11 IP address. It was in
/etc/isakmpd/isakmpd.conf. I've removed that file and I no longer see
any attempt to connect to the network. Do I need isakmpd?
Thanks again,
Rick Knight
Aaron Kincer wrote:
> On your Sonicwall WAN GroupVPN Client settings, what do you have for
> Virtual Adapter settings? You need "DHCP Lease or Manual Config".
>
> DHCP alone will cause it to fail.
>
> On 7/4/07, Rick Knight <rick_knight at rlknight.com> wrote:
>>
>> Aaron,
>>
>> I've tried both with and without Xauth. I get the same behaviour either
>> way. I can turn Xauth off if that makes things work, but something else
>> appears to be getting in the way.
>>
>> Thanks,
>> Rick Knight
>>
>> Aaron Kincer wrote:
>> > So long as you are trying to use XAUTH with Sonicwall, it will not
>> > work. Period. I don't know which side of the equation has the issue,
>> > but it is what it is.
>> >
>> >
>> >
>> > On 7/4/07, Rick Knight <rick_knight at rlknight.com> wrote:
>> >>
>> >> Still trying to get my Linux box to connect to my SonicWall VPN at
>> >> work. I think I'm getting close. I get to a point where SonicWall is
>> >> waiting for a response but not getting any. I can see in my firewall
>> >> logs where my linux box is responding, but instead of sending to the
>> >> SonicWall public IP it's sending to 10.1.0.11. I don't have anything
>> >> on either end at 10.1.x.x. Where is this coming from? I've checked
>> >> all of the Openswan and my own network settings, but I don't see
>> >> 10.1.0.11 anywhere.
>> >>
>> >> Thanks for any help.
>> >>
>> >> I'm running Kubuntu Feisty 7.04, Kernel 2.6.20 Openswan 2.4.8, also
>> >> tried 2.4.6 with same results.
>> >>
>> >> ipsec.conf 'conn sonicwall' section
>> >>
>> >> conn sonicwall
>> >>         type=tunnel
>> >>         left=172.16.88.25
>> >>         leftnexthop=172.16.88.2
>> >>         leftsubnet=172.16.88.0/23
>> >>         leftxauthclient=yes
>> >>         leftid=@myid
>> >>         right=vpn.public.ip.addr
>> >>         rightsubnet=192.168.0.0/24
>> >>         rightxauthserver=yes
>> >>         rightid=@vpnid
>> >>         keyingtries=0
>> >>         pfs=no
>> >>         aggrmode=no
>> >>         auto=add
>> >>         auth=esp
>> >>         ike=3des-sha1
>> >>         esp=3des-sha1
>> >>         authby=secret
>> >>         xauth=yes
>> >>         keyexchange=ike
>> >>
>> >>
>> >>
>> >> Output of # ipsec auto --up sonicwall
>> >>
>> >> 104 "sonicwall" #5: STATE_MAIN_I1: initiate
>> >> 003 "sonicwall" #5: ignoring unknown Vendor ID payload [5b362bc820f60001]
>> >> 003 "sonicwall" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
>> >> 106 "sonicwall" #5: STATE_MAIN_I2: sent MI2, expecting MR2
>> >> 003 "sonicwall" #5: ignoring unknown Vendor ID payload [404bf439522ca3f6]
>> >> 003 "sonicwall" #5: received Vendor ID payload [XAUTH]
>> >> 003 "sonicwall" #5: received Vendor ID payload [Dead Peer Detection]
>> >> 003 "sonicwall" #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
>> >> 108 "sonicwall" #5: STATE_MAIN_I3: sent MI3, expecting MR3
>> >> 003 "sonicwall" #5: discarding duplicate packet; already STATE_MAIN_I3
>> >> 010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 20s for response
>> >> 003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
>> >> 003 "sonicwall" #5: received and ignored informational message
>> >> 010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 40s for response
>> >> 003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
>> >> 003 "sonicwall" #5: received and ignored informational message
>> >> 031 "sonicwall" #5: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
>> >> 000 "sonicwall" #5: starting keying attempt 2 of an unlimited number, but releasing whack
>> >>
>> >>
>> >> Relevant section of SonicWall VPN log (x.x.x.x = VPN public IP,
>> >> z.z.z.z = my private IP)
>> >>
>> >> 18 07/04/2007 12:41:15.064 Info VPN IKE NAT Discovery : Peer
>> >> IPSec Security Gateway behind a NAT/NAPT Device
>> >> 19 07/04/2007 12:41:15.000 Info VPN IKE IKE Responder:
>> >> Received Main Mode request (Phase 1) z.z.z.z, 1 (stroadmin)
>> >> x.x.x.x, 500 HTTPS
>> >> 23 07/04/2007 12:36:47.544 Info VPN IKE IKE Responder: No
>> >> response - remote party timeout x.x.x.x, 500 z.z.z.z, 500
>> >> 24 07/04/2007 12:36:47.544 Info VPN IKE IKE SA lifetime
>> >> expired. x.x.x.x z.z.z.z
>> >> 25 07/04/2007 12:36:42.608 Info VPN IKE NAT Discovery : Peer
>> >> IPSec Security Gateway behind a NAT/NAPT Device
>> >>
>> >>
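As an added example, not from the thread or from Openswan itself: a small parser for the whack-style lines that `ipsec auto --up` prints (the format quoted above), which summarises how far Phase 1 got, what the peer advertised, how many retransmits happened and the failure text pluto gave. The sample input is the thread's own output re-joined onto one line per message; the summary keys are my own naming.

```python
import re

# Sample input: the 'ipsec auto --up sonicwall' output quoted in the thread,
# re-joined onto one line per message (the mail client had wrapped it).
SAMPLE = """\
104 "sonicwall" #5: STATE_MAIN_I1: initiate
003 "sonicwall" #5: received Vendor ID payload [XAUTH]
003 "sonicwall" #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "sonicwall" #5: STATE_MAIN_I3: sent MI3, expecting MR3
010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
031 "sonicwall" #5: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# Whack output lines look like:  NNN "connname" #SA: message
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')

def parse_whack(text):
    """Return (code, conn, sa_number, message) for every line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            code, conn, sa, msg = m.groups()
            events.append((int(code), conn, int(sa), msg))
    return events

def diagnose(events):
    """Summarise Phase 1 progress: last state, peer hints, retransmits, failure."""
    s = {"last_state": None, "vendor_ids": [], "nat_detected": False,
         "retransmits": 0, "informational": [], "failure": None}
    for _code, _conn, _sa, msg in events:
        st = re.match(r"(STATE_\w+):", msg)        # e.g. "STATE_MAIN_I3: sent MI3"
        if st:
            s["last_state"] = st.group(1)
        vid = re.search(r"Vendor ID payload \[([^\]]+)\]", msg)
        if vid:                                    # peer capabilities (XAUTH, DPD, NAT-T)
            s["vendor_ids"].append(vid.group(1))
        if "i am NATed" in msg:                    # NAT-T decided we sit behind NAT
            s["nat_detected"] = True
        if "retransmission; will wait" in msg:     # our message got no usable reply
            s["retransmits"] += 1
        info = re.search(r"informational payload, type (\w+)", msg)
        if info:                                   # peer notifications pluto ignored
            s["informational"].append(info.group(1))
        if msg.startswith("max number of retransmissions"):
            s["failure"] = msg.split(". ", 1)[-1]  # keep pluto's explanation text
    return s
```

Run `diagnose(parse_whack(SAMPLE))` on the excerpt and the result shows the exchange stalled at STATE_MAIN_I3 after two retransmits, with the peer answering only INVALID_COOKIE notifications.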