[Openswan Users] Trying to connect OpenSwan to SonicWall.
Rick Knight
rick_knight at rlknight.com
Fri Jun 15 11:43:41 EDT 2007
I'm trying to establish a connection to a SonicWall 3060 Enhanced
firewall using Openswan 2.3. I have several documents describing how to
do this, but for some reason I can't make it work. Can someone take a
look at my settings and tell me what I've missed or gotten wrong? Below
is my ipsec.conf and several lines of output generated when I try to
connect.
My ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg:
    # plutodebug="control parsing"
    #
    # Only enable klipsdebug=all if you are a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12

# Add connections here
conn sonicwall
    type=tunnel
    left=172.16.88.25
    leftnexthop=172.16.88.2
    leftsubnet=172.16.88.0/23
    leftxauthclient=yes
    leftid=@localID
    right=x.x.x.x
    rightsubnet=192.168.0.0/24
    rightxauthserver=yes
    rightid=@uniqueID
    keyingtries=0
    pfs=no
    aggrmode=no
    auto=add
    auth=esp
    ike=3des-sha1
    esp=3des-sha1
    authby=secret
    #xauth=yes
    keyexchange=ike

#Disable Opportunistic Encryption
#include /etc/ipsec.d/examples/no_oe.conf
My ipsec.secrets contains this:

@localID @uniqueID : PSK "secret"

Output of # ipsec auto --up sonicwall:
104 "sonicwall" #2: STATE_MAIN_I1: initiate
003 "sonicwall" #2: ignoring unknown Vendor ID payload [5b362bc820f60001]
003 "sonicwall" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "sonicwall" #2: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #2: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "sonicwall" #2: received Vendor ID payload [XAUTH]
003 "sonicwall" #2: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "sonicwall" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #2: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "sonicwall" #2: STATE_MAIN_I3: retransmission; will wait 20s for response
004 "sonicwall" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an unknown value: 255
003 "sonicwall" #2: malformed payload in packet
003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an unknown value: 255
003 "sonicwall" #2: malformed payload in packet
Can someone please help me out?
Thanks,
Rick Knight
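The last four log lines above ("next payload type of ISAKMP Hash Payload has an unknown value: 255" followed by "malformed payload in packet") come from the way an IKEv1 implementation walks a message: the 28-byte ISAKMP header names the first payload, and each payload's 4-byte generic header names the one after it. The following script, added here as an example and not taken from the post or from Openswan, walks that chain over two hand-constructed messages: a plausible XAUTH request (a Transaction exchange carrying HASH then a Mode Config ATTRIBUTE payload) and the same message with the Hash payload's next-payload byte set to 255, which reproduces the complaint. The payload and XAUTH attribute numbers are taken from RFC 2408 and the mode-cfg/xauth/nat-t drafts as assumed here; the cookies, hash bytes and attribute values are made up.

```python
import struct

ISAKMP_HEADER_LEN = 28   # RFC 2408 section 3.1
GENERIC_HEADER_LEN = 4   # RFC 2408 section 3.2
FLAG_ENCRYPTION = 0x01   # header flag: body is encrypted under the ISAKMP SA

# Payload type numbers (assumption: RFC 2408 plus the draft extensions of the era).
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID",
    6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D",
    13: "VID", 14: "MODECFG_ATTR",              # draft-ietf-ipsec-isakmp-mode-cfg
    20: "NAT-D", 21: "NAT-OA",                  # RFC 3947
    130: "NAT-D(draft)", 131: "NAT-OA(draft)",  # draft-ietf-ipsec-nat-t-ike-02/03
}
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive Mode",
                  5: "Informational", 6: "Transaction (Mode Config / XAUTH)",
                  32: "Quick Mode"}
HASH, MODECFG_ATTR, XCHG_TRANSACTION = 8, 14, 6


class MalformedMessage(ValueError):
    """Raised where Openswan would log 'malformed payload in packet'."""


def parse_header(msg):
    if len(msg) < ISAKMP_HEADER_LEN:
        raise MalformedMessage("message shorter than the ISAKMP header")
    icookie, rcookie, np, version, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", msg[:ISAKMP_HEADER_LEN])
    if length != len(msg):
        raise MalformedMessage(f"header length {length} != {len(msg)} bytes received")
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": np,
            "version": version, "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
            "flags": flags, "msgid": msgid, "length": length}


def walk_payloads(msg):
    """Return [(payload name, payload length), ...] in chain order.

    Each generic header's next-payload field must name a known type, and the
    chain must end exactly at the end of the message, or the whole message is
    rejected; an encrypted body cannot be walked without the SA keys.
    """
    hdr = parse_header(msg)
    if hdr["flags"] & FLAG_ENCRYPTION:
        raise MalformedMessage("body is encrypted; decrypt with the ISAKMP SA keys first")
    chain, np, off, current = [], hdr["next_payload"], ISAKMP_HEADER_LEN, "ISAKMP header"
    while np != 0:
        if np not in PAYLOAD_TYPES:
            raise MalformedMessage(f"next payload type of {current} has an unknown value: {np}")
        name = PAYLOAD_TYPES[np]
        if off + GENERIC_HEADER_LEN > len(msg):
            raise MalformedMessage(f"{name} payload header runs past end of message")
        following, _reserved, plen = struct.unpack("!BBH", msg[off:off + GENERIC_HEADER_LEN])
        if plen < GENERIC_HEADER_LEN or off + plen > len(msg):
            raise MalformedMessage(f"{name} payload length {plen} is impossible")
        chain.append((name, plen))
        current, np, off = f"ISAKMP {name} Payload", following, off + plen
    if off != len(msg):
        raise MalformedMessage(f"{len(msg) - off} trailing bytes after the last payload")
    return chain


def build_payload(next_payload, body):
    return struct.pack("!BBH", next_payload, 0, GENERIC_HEADER_LEN + len(body)) + body


def build_message(exchange_type, first_payload, payloads, msgid=0x1234, flags=0):
    body = b"".join(payloads)
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first_payload,
                      0x10, exchange_type, flags, msgid, ISAKMP_HEADER_LEN + len(body))
    return hdr + body


# Constructed sample: plaintext of an XAUTH request as the responder would send
# it once the ISAKMP SA exists. Attribute numbers per draft-ietf-ipsec-isakmp-xauth
# (assumed); the hash bytes are a stand-in for an HMAC-SHA1 output.
FAKE_HASH = bytes(range(20))
CFG_REQUEST = 1
XAUTH_TYPE, XAUTH_USER_NAME, XAUTH_USER_PASSWORD = 16520, 16521, 16522
ATTRS = (struct.pack("!HH", 0x8000 | XAUTH_TYPE, 0)   # basic (TV) attribute, 0 = Generic
         + struct.pack("!HH", XAUTH_USER_NAME, 0)     # TLV attributes, empty = "fill in"
         + struct.pack("!HH", XAUTH_USER_PASSWORD, 0))
MODECFG_BODY = struct.pack("!BBH", CFG_REQUEST, 0, 7) + ATTRS   # type, reserved, identifier


def xauth_request(hash_next_payload=MODECFG_ATTR):
    """HASH -> MODECFG_ATTR in a Transaction exchange; pass 255 to corrupt the chain."""
    return build_message(XCHG_TRANSACTION, HASH, [
        build_payload(hash_next_payload, FAKE_HASH),
        build_payload(0, MODECFG_BODY),
    ])


def classify(msg):
    """('ok', chain) for a well-formed chain, ('malformed', reason) otherwise."""
    try:
        return "ok", walk_payloads(msg)
    except MalformedMessage as e:
        return "malformed", str(e)


if __name__ == "__main__":
    for label, msg in (("well-formed", xauth_request()),
                       ("next payload 255", xauth_request(hash_next_payload=255))):
        print(label, "|", parse_header(msg)["exchange"], "|", classify(msg))
```

One caveat the script makes explicit: after STATE_MAIN_I4 every Mode Config message is sent with the encryption flag set, so a real implementation decrypts the body under the ISAKMP SA before walking the chain; a next-payload byte of 255 showing up after that step is what Openswan reported here, and the walker refuses to go any further rather than guess at the remaining bytes.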