[Openswan Users] Trying to connect OpenSwan to SonicWall.

Aaron Kincer kincera at gmail.com
Fri Jun 15 12:23:11 EDT 2007


Make sure your encryption settings on your Sonicwall match what you are
using here. Also, make sure you have turned off XAUTH for your GroupVPN. Have
you read my posting on how I got it working for Sonicwall?

On 6/15/07, Rick Knight <rick_knight at rlknight.com> wrote:
>
> I'm trying to establish a connection to a SonicWall 3060 Enhanced
> firewall using Openswan 2.3. I have several documents describing how to
> do this, but for some reason I can't make it work. Can someone take a
> look at my settings and tell me what I've missed or gotten wrong? Below
> is my ipsec.conf and several lines of output generated when I try to
> connect.
>
> My ipsec.conf
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
>
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
>
>
> version    2.0    # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     # plutodebug / klipsdebug = "all", "none" or a combination from below:
>     # "raw crypt parsing emitting control klips pfkey natt x509 private"
>     # eg:
>     # plutodebug="control parsing"
>     #
>     # Only enable klipsdebug=all if you are a developer
>     #
>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>     nat_traversal=yes
>     # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>
> # Add connections here
>
> conn sonicwall
>     type=tunnel
>     left=172.16.88.25
>     leftnexthop=172.16.88.2
>     leftsubnet=172.16.88.0/23
>     leftxauthclient=yes
>     leftid=@localID
>     right=x.x.x.x
>     rightsubnet=192.168.0.0/24
>     rightxauthserver=yes
>     rightid=@uniqueID
>     keyingtries=0
>     pfs=no
>     aggrmode=no
>     auto=add
>     auth=esp
>     ike=3des-sha1
>     esp=3des-sha1
>     authby=secret
>     #xauth=yes
>     keyexchange=ike
>
> #Disable Opportunistic Encryption
> #include /etc/ipsec.d/examples/no_oe.conf
>
> My ipsec.secrets contains this...
> @localID @uniqueID : PSK "secret"
>
> Output of # ipsec auto --up sonicwall
> 104 "sonicwall" #2: STATE_MAIN_I1: initiate
> 003 "sonicwall" #2: ignoring unknown Vendor ID payload [5b362bc820f60001]
> 003 "sonicwall" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
> 106 "sonicwall" #2: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "sonicwall" #2: ignoring unknown Vendor ID payload [404bf439522ca3f6]
> 003 "sonicwall" #2: received Vendor ID payload [XAUTH]
> 003 "sonicwall" #2: received Vendor ID payload [Dead Peer Detection]
> 003 "sonicwall" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
> 108 "sonicwall" #2: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "sonicwall" #2: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
> 010 "sonicwall" #2: STATE_MAIN_I3: retransmission; will wait 20s for response
> 004 "sonicwall" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> 003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an unknown value: 255
> 003 "sonicwall" #2: malformed payload in packet
> 003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an unknown value: 255
> 003 "sonicwall" #2: malformed payload in packet
>
> Can someone please help me out?
>
> Thanks,
> Rick Knight
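The two things the reply asks Rick to check, the XAUTH switches in the conn and what the SonicWall actually negotiated, can be pulled out of the posted ipsec.conf and pluto output mechanically. The script below is an added example, not code from either poster or from Openswan; the ipsec.conf and log samples are constructed from the lines quoted above, and the tag names in `triage_log` are my own.

```python
import re

# Constructed samples: the quoted conn (trimmed) and its pluto output, one message per line.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
conn sonicwall
    leftxauthclient=yes
    rightxauthserver=yes
    authby=secret
    #xauth=yes
"""
SAMPLE_LOG = """\
003 "sonicwall" #2: received Vendor ID payload [XAUTH]
003 "sonicwall" #2: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
004 "sonicwall" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
003 "sonicwall" #2: malformed payload in packet
"""
XAUTH_KEYS = ("xauth", "leftxauthclient", "leftxauthserver", "rightxauthclient", "rightxauthserver")

def parse_ipsec_conf(text):
    """Return {"conn sonicwall": {key: value}, ...}; '#' comments and blank lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # an unindented line opens a new section
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def xauth_enabled(conn):
    """Sorted list of the keys that switch XAUTH/ModeConfig on for this conn."""
    return sorted(k for k in XAUTH_KEYS if conn.get(k, "no").lower() == "yes")

def triage_log(text):
    """Tag the pluto lines relevant to this failure; keep the negotiated ISAKMP SA parameters."""
    patterns = {"peer-offers-xauth": r"Vendor ID payload \[XAUTH\]",
                "modeconfig-before-sa": r"Mode Config message is unacceptable",
                "isakmp-sa-up": r"ISAKMP SA established \{(.*)\}",
                "malformed-payload": r"malformed payload in packet"}
    found = {}
    for line in text.splitlines():
        for tag, pat in patterns.items():
            m = re.search(pat, line)
            if m and tag not in found:
                found[tag] = m.group(1) if m.groups() else line.strip()
    return found
```

On the quoted conn, `xauth_enabled` returns `leftxauthclient` and `rightxauthserver`, the two settings the reply says to turn off, and the `isakmp-sa-up` tag carries the cipher, hash and group the SonicWall agreed to, which is what has to match its VPN policy.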