[Openswan Users] Trying to connect OpenSwan to SonicWall.

Rick Knight rick_knight at rlknight.com
Fri Jun 15 12:43:39 EDT 2007


Aaron, thanks for your reply.

I need to use Xauth for authentication; it's in the policy and I can't 
change that. Also, my SonicWall is configured for 3DES and SHA1, so 
that's what I have in my ipsec.conf. One thing I'm wondering about, 
though, is the name of the VPN Policy. Do I need to match this in my 
ipsec.conf file? Whoever set up the SonicWall and configured the VPN 
policies put spaces in the name. Instead of "GroupVPN", we have "WAN 
GroupVPN". I have not been able to get my secrets file to work with the 
latter. Could that be causing problems?

Also, where can I find your article?

Thanks,
Rick Knight

Aaron Kincer wrote:
> Make sure your encryption settings on your Sonicwall match what you are
> using here. Also, make sure you have turned off XAUTH for your 
> GroupVPN. Have you read my posting on how I got it working for Sonicwall?
>
> On 6/15/07, Rick Knight <rick_knight at rlknight.com> wrote:
>>
>> I'm trying to establish a connection to a SonicWall 3060 Enhanced
>> firewall using Openswan 2.3. I have several documents describing how to
>> do this, but for some reason I can't make it work. Can someone take a
>> look at my settings and tell me what I've missed or gotten wrong? Below
>> is my ipsec.conf and several lines of output generated when I try to
>> connect.
>>
>> My ipsec.conf
>> # /etc/ipsec.conf - Openswan IPsec configuration file
>> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
>>
>> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
>> #
>> # Manual:     ipsec.conf.5
>>
>>
>> version    2.0    # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>>     # plutodebug / klipsdebug = "all", "none" or a combination from below:
>>     # "raw crypt parsing emitting control klips pfkey natt x509 private"
>>     # eg:
>>     # plutodebug="control parsing"
>>     #
>>     # Only enable klipsdebug=all if you are a developer
>>     #
>>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>>     nat_traversal=yes
>>     # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>
>> # Add connections here
>>
>> conn sonicwall
>>     type=tunnel
>>     left=172.16.88.25
>>     leftnexthop=172.16.88.2
>>     leftsubnet=172.16.88.0/23
>>     leftxauthclient=yes
>>     leftid=@localID
>>     right=x.x.x.x
>>     rightsubnet=192.168.0.0/24
>>     rightxauthserver=yes
>>     rightid=@uniqueID
>>     keyingtries=0
>>     pfs=no
>>     aggrmode=no
>>     auto=add
>>     auth=esp
>>     ike=3des-sha1
>>     esp=3des-sha1
>>     authby=secret
>>     #xauth=yes
>>     keyexchange=ike
>>
>> #Disable Opportunistic Encryption
>> #include /etc/ipsec.d/examples/no_oe.conf
>>
>> My ipsec.secrets contains this...
>> @localID @uniqueID : PSK "secret"
>>
>> Output of # ipsec auto --up sonicwall
>> 104 "sonicwall" #2: STATE_MAIN_I1: initiate
>> 003 "sonicwall" #2: ignoring unknown Vendor ID payload [5b362bc820f60001]
>> 003 "sonicwall" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
>> 106 "sonicwall" #2: STATE_MAIN_I2: sent MI2, expecting MR2
>> 003 "sonicwall" #2: ignoring unknown Vendor ID payload [404bf439522ca3f6]
>> 003 "sonicwall" #2: received Vendor ID payload [XAUTH]
>> 003 "sonicwall" #2: received Vendor ID payload [Dead Peer Detection]
>> 003 "sonicwall" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
>> 108 "sonicwall" #2: STATE_MAIN_I3: sent MI3, expecting MR3
>> 003 "sonicwall" #2: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
>> 010 "sonicwall" #2: STATE_MAIN_I3: retransmission; will wait 20s for response
>> 004 "sonicwall" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>> 003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an unknown value: 255
>> 003 "sonicwall" #2: malformed payload in packet
>> 003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an unknown value: 255
>> 003 "sonicwall" #2: malformed payload in packet
>>
>> Can someone please help me out?
>>
>> Thanks,
>> Rick Knight
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>>
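As an added example (not part of the thread, not Openswan's own tooling), the following script parses the pluto status lines quoted above into a structured summary and lists what the negotiation actually achieved: which vendor IDs the peer advertised, whether Phase 1 completed and with what parameters, and whether Mode Config or malformed-payload errors appeared. The embedded sample is the output from the post with wrapped lines rejoined; the finding texts are this example's own wording.

```python
import re
# Sample input: pluto output from the post above, with wrapped lines rejoined.
PLUTO_OUTPUT = """\
104 "sonicwall" #2: STATE_MAIN_I1: initiate
003 "sonicwall" #2: ignoring unknown Vendor ID payload [5b362bc820f60001]
003 "sonicwall" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
003 "sonicwall" #2: received Vendor ID payload [XAUTH]
003 "sonicwall" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "sonicwall" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #2: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
004 "sonicwall" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an unknown value: 255
003 "sonicwall" #2: malformed payload in packet
"""
# One pluto status line: 3-digit code, quoted conn name, SA number, message.
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
VID_RE = re.compile(r'received Vendor ID payload \[([^\]]+)\]')
STATE_RE = re.compile(r'^(STATE_\w+):')
SA_RE = re.compile(r'ISAKMP SA established \{([^}]*)\}')

def summarize(output):
    # Collect vendor IDs, state transitions, Phase 1 parameters and error counts.
    s = {"vendor_ids": [], "states": [], "isakmp_sa": None, "modecfg_early": 0, "malformed": 0}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if (v := VID_RE.search(msg)):
            s["vendor_ids"].append(v.group(1))
        if (st := STATE_RE.match(msg)):
            s["states"].append(st.group(1))
        if (sa := SA_RE.search(msg)):
            s["isakmp_sa"] = dict(kv.split("=", 1) for kv in sa.group(1).split())
        s["modecfg_early"] += "Mode Config message is unacceptable" in msg
        s["malformed"] += "malformed payload" in msg
    return s

def findings(s):
    # Translate the summary into plain observations a reader can check against ipsec.conf.
    out = []
    if "XAUTH" in s["vendor_ids"]:
        out.append("peer advertises XAUTH support")
    if s["modecfg_early"]:
        out.append("peer sent Mode Config before Phase 1 completed")
    if s["isakmp_sa"]:
        out.append("Phase 1 established: " + ", ".join(f"{k}={v}" for k, v in s["isakmp_sa"].items()))
    if not any(st.startswith("STATE_QUICK") for st in s["states"]):
        out.append("no Quick Mode state seen: Phase 2 never started")
    if s["malformed"]:
        out.append(f"{s['malformed']} malformed payload(s) after Phase 1")
    return out
```

Run `findings(summarize(PLUTO_OUTPUT))` on your own `ipsec auto --up` output to see at a glance whether the peer is expecting XAUTH/Mode Config and whether Phase 2 ever begins.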
