[Openswan Users] SonicWall and Openswan

Rick Knight rick_knight at rlknight.com
Fri Jul 6 14:51:45 EDT 2007


Thanks Aaron. I removed isakmpd yesterday, and aside from no longer 
trying to respond to the 10.1.0.11 address, it didn't seem to make much 
difference. Also, I can see a response from the SonicWall VPN hitting my 
firewall (iptables) and being forwarded to port 4500 on my PC, but my PC 
isn't responding. Almost like port 4500 is being blocked at the PC after 
getting through the firewall. Is this possible? Do I need to open port 
4500 (and 500) on my local machine?

Thanks again,
Rick Knight

Aaron Kincer wrote:
> I don't have it installed, so I'd say no. Maybe that is part of your
> problem.
>
> On 7/5/07, Rick Knight <rick_knight at rlknight.com> wrote:
>>
>> Aaron,
>>
>> My WAN Group VPN, Settings, Client, Virtual Adaptor Settings, is set
>> for "DHCP Lease or Manual Config". I have Xauth turned now and when I
>> try to connect, I get the same messages and no connection. I did find
>> the source for the 10.1.0.11 IP address. It was in
>> /etc/isakmpd/isakmpd.conf. I've removed that file and I no longer see
>> any attempt to connect to the network. Do I need isakmpd?
>>
>> Thanks again,
>> Rick Knight
>>
>> Aaron Kincer wrote:
>> > On your Sonicwall WAN GroupVPN Client settings, what do you have for
>> > Virtual Adapter settings? You need "DHCP Lease or Manual Config".
>> >
>> > DHCP alone will cause it to fail.
>> >
>> > On 7/4/07, Rick Knight <rick_knight at rlknight.com> wrote:
>> >>
>> >> Aaron,
>> >>
>> >> I've tried both with and without Xauth. I get the same behaviour either
>> >> way. I can turn Xauth off if that makes things work, but something else
>> >> appears to be getting in the way.
>> >>
>> >> Thanks,
>> >> Rick Knight
>> >>
>> >> Aaron Kincer wrote:
>> >> > So long as you are trying to use XAUTH with Sonicwall, it will not work.
>> >> > Period. I don't know which side of the equation has the issue, but it is
>> >> > what it is.
>> >> >
>> >> >
>> >> >
>> >> > On 7/4/07, Rick Knight <rick_knight at rlknight.com> wrote:
>> >> >>
>> >> >> Still trying to get my Linux box to connect to my SonicWall VPN at work.
>> >> >> I think I'm getting close. I get to a point where SonicWall is waiting
>> >> >> for a response but not getting any. I can see in my firewall logs where
>> >> >> my linux box is responding, but instead of sending to the SonicWall
>> >> >> public IP it's sending to 10.1.0.11. I don't have anything on either end
>> >> >> at 10.1.x.x. Where is this coming from? I've checked all of the
>> >> >> Openswan and my own network settings, but I don't see 10.1.0.11
>> >> >> anywhere.
>> >> >>
>> >> >> Thanks for any help.
>> >> >>
>> >> >> I'm running Kubuntu Feisty 7.04, Kernel 2.6.20, Openswan 2.4.8, also
>> >> >> tried 2.4.6 with same results.
>> >> >>
>> >> >> ipsec.conf 'conn sonicwall' section
>> >> >>
>> >> >> conn sonicwall
>> >> >>     type=tunnel
>> >> >>     left=172.16.88.25
>> >> >>     leftnexthop=172.16.88.2
>> >> >>     leftsubnet=172.16.88.0/23
>> >> >>     leftxauthclient=yes
>> >> >>     leftid=@myid
>> >> >>     right=vpn.public.ip.addr
>> >> >>     rightsubnet=192.168.0.0/24
>> >> >>     rightxauthserver=yes
>> >> >>     rightid=@vpnid
>> >> >>     keyingtries=0
>> >> >>     pfs=no
>> >> >>     aggrmode=no
>> >> >>     auto=add
>> >> >>     auth=esp
>> >> >>     ike=3des-sha1
>> >> >>     esp=3des-sha1
>> >> >>     authby=secret
>> >> >>     xauth=yes
>> >> >>     keyexchange=ike
>> >> >>
>> >> >>
>> >> >>
>> >> >> Output of # ipsec auto --up sonicwall
>> >> >>
>> >> >> 104 "sonicwall" #5: STATE_MAIN_I1: initiate
>> >> >> 003 "sonicwall" #5: ignoring unknown Vendor ID payload [5b362bc820f60001]
>> >> >> 003 "sonicwall" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
>> >> >> 106 "sonicwall" #5: STATE_MAIN_I2: sent MI2, expecting MR2
>> >> >> 003 "sonicwall" #5: ignoring unknown Vendor ID payload [404bf439522ca3f6]
>> >> >> 003 "sonicwall" #5: received Vendor ID payload [XAUTH]
>> >> >> 003 "sonicwall" #5: received Vendor ID payload [Dead Peer Detection]
>> >> >> 003 "sonicwall" #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
>> >> >> 108 "sonicwall" #5: STATE_MAIN_I3: sent MI3, expecting MR3
>> >> >> 003 "sonicwall" #5: discarding duplicate packet; already STATE_MAIN_I3
>> >> >> 010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 20s for response
>> >> >> 003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
>> >> >> 003 "sonicwall" #5: received and ignored informational message
>> >> >> 010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 40s for response
>> >> >> 003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
>> >> >> 003 "sonicwall" #5: received and ignored informational message
>> >> >> 031 "sonicwall" #5: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
>> >> >> 000 "sonicwall" #5: starting keying attempt 2 of an unlimited number, but releasing whack
>> >> >>
>> >> >>
>> >> >> Relevant section of SonicWall VPN log (x.x.x.x = VPN public IP, z.z.z.z
>> >> >> = my private IP)
>> >> >>
>> >> >> 18    07/04/2007 12:41:15.064    Info    VPN IKE    NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
>> >> >> 19    07/04/2007 12:41:15.000    Info    VPN IKE    IKE Responder: Received Main Mode request (Phase 1)    z.z.z.z, 1 (stroadmin)    x.x.x.x, 500    HTTPS
>> >> >> 23    07/04/2007 12:36:47.544    Info    VPN IKE    IKE Responder: No response - remote party timeout    x.x.x.x, 500    z.z.z.z, 500
>> >> >> 24    07/04/2007 12:36:47.544    Info    VPN IKE    IKE SA lifetime expired.    x.x.x.x    z.z.z.z
>> >> >> 25    07/04/2007 12:36:42.608    Info    VPN IKE    NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
>> >> >>
>> >> >>
>> >> >> _______________________________________________
>> >> >> Users at openswan.org
>> >> >> http://lists.openswan.org/mailman/listinfo/users
>> >> >> Building and Integrating Virtual Private Networks with Openswan:
>> >> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>> >>
>> >>
>>
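Added example, not code from the thread or from Openswan: a small triage script for the kind of `ipsec auto --up` transcript quoted above. The sample transcript is the one from the thread with the mail wrapping undone; the heuristics (which message the stall happens after, the move to UDP 4500 once pluto has reported "i am NATed", as draft-ietf-ipsec-nat-t-ike / RFC 3947 specify, and what to check next) are the editor's reading of the log, not Openswan's own diagnostics. Identifiers such as `triage` and `SAMPLE_TRANSCRIPT` are the example's own.

```python
import re

# Constructed sample input: the 'ipsec auto --up sonicwall' transcript quoted
# in the thread, with the mail client's line wrapping undone.
SAMPLE_TRANSCRIPT = """\
104 "sonicwall" #5: STATE_MAIN_I1: initiate
003 "sonicwall" #5: ignoring unknown Vendor ID payload [5b362bc820f60001]
003 "sonicwall" #5: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "sonicwall" #5: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #5: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "sonicwall" #5: received Vendor ID payload [XAUTH]
003 "sonicwall" #5: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "sonicwall" #5: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #5: discarding duplicate packet; already STATE_MAIN_I3
010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
003 "sonicwall" #5: received and ignored informational message
010 "sonicwall" #5: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "sonicwall" #5: ignoring informational payload, type INVALID_COOKIE
003 "sonicwall" #5: received and ignored informational message
031 "sonicwall" #5: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
000 "sonicwall" #5: starting keying attempt 2 of an unlimited number, but releasing whack
"""

# whack status line: 3-digit code, quoted conn name, "#<sa>:", message
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'\b(STATE_(?:MAIN|AGGR|QUICK)_[IR]\d)\b')
RETRANS_RE = re.compile(r': retransmission; will wait (\d+)s')
INFO_RE = re.compile(r'ignoring informational payload, type (\w+)')
VID_RE = re.compile(r'received Vendor ID payload \[([^\]]+)\]')


def parse(transcript):
    """Yield (code, conn, sa, msg) for every whack/pluto status line."""
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m['code'], m['conn'], int(m['sa']), m['msg']


def triage(transcript):
    """Summarise how far IKEv1 Main Mode got and what to check next."""
    r = {'conn': None, 'vendor_ids': [], 'nat_detected': False,
         'ike_port': 500,  # UDP port the next IKE message is sent to/from
         'last_state': None, 'retransmissions': 0, 'informational': [],
         'gave_up': False, 'advice': []}
    for code, conn, _sa, msg in parse(transcript):
        r['conn'] = conn
        if (v := VID_RE.search(msg)):
            r['vendor_ids'].append(v.group(1))
        if 'NAT-Traversal: Result' in msg and 'i am NATed' in msg:
            # Port float (draft-03 / RFC 3947): once NAT-D shows a NAT, the
            # initiator sends MI3 and everything after it on UDP 4500.
            r['nat_detected'] = True
            r['ike_port'] = 4500
        if (s := STATE_RE.search(msg)):
            r['last_state'] = s.group(1)
        if RETRANS_RE.search(msg):
            r['retransmissions'] += 1
        if (i := INFO_RE.search(msg)):
            r['informational'].append(i.group(1))
        if code == '031' and 'max number of retransmissions' in msg:
            r['gave_up'] = True

    if r['gave_up'] and r['last_state'] == 'STATE_MAIN_I3':
        r['advice'].append('Main Mode stalled after MI3, the first encrypted '
                           'message (initiator ID + PSK hash): MR3 never arrived '
                           'or was rejected.')
        if r['nat_detected']:
            r['advice'].append(
                'NAT was detected in MR2, so MI3 went out on UDP %d and MR3 comes '
                'back to UDP %d on this host. Allow it locally (iptables -A INPUT '
                '-p udp --dport 4500 -j ACCEPT, and the same for 500) and make '
                'sure the NAT device forwards UDP 4500 to this host.'
                % (r['ike_port'], r['ike_port']))
        r['advice'].append('If UDP 4500 already reaches pluto, treat it as the '
                           'authentication failure pluto suggests: check the PSK '
                           'and leftid/rightid on both sides.')
    if 'INVALID_COOKIE' in r['informational']:
        r['advice'].append('The peer answered retransmissions with INVALID_COOKIE: '
                           'it no longer holds a half-open ISAKMP SA for these '
                           'cookies (it timed the exchange out on its side), so '
                           'later retries cannot complete this SA.')
    return r


if __name__ == '__main__':
    res = triage(SAMPLE_TRANSCRIPT)
    print(f"conn={res['conn']} last_state={res['last_state']} "
          f"nat={res['nat_detected']} ike_port={res['ike_port']} "
          f"retransmissions={res['retransmissions']}")
    for line in res['advice']:
        print(' -', line)
```

Run it against your own `ipsec auto --up` output piped into `SAMPLE_TRANSCRIPT`; the useful signal for the thread's problem is the combination of "i am NATed" followed by retransmissions stuck at STATE_MAIN_I3, which points at UDP 4500 not reaching pluto rather than at the ipsec.conf contents.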
