[Openswan Users] Trying to connect OpenSwan to SonicWall.
Aaron Kincer
kincera at gmail.com
Fri Jun 15 13:10:02 EDT 2007
I have been unable to get Sonicwall with XAUTH and Openswan to play nicely
together and don't know the root cause. I haven't had the time to set up some
alternative VPN boxes to see if XAUTH is broken globally with my Openswan
installation or just with Sonicwall. I know that Global VPN clients can use
it. But since using XAUTH isn't required for our setup (since I make those
rules), I just turned it off.
Another thing -- if you are requiring authenticating clients to use DHCP via
the Sonicwall, you will have issues. You can allow both static and DHCP to
be used.
Here are my current settings:
version 2.0
config setup
plutodebug="control parsing natt private"
nat_traversal=yes
nhelpers=0
conn sonicwall
type=tunnel
left=%defaultroute
leftnexthop=<my home gateway IP>
leftsubnet=<my home subnet>
leftid=<the id I used to associate the shared secret in my ipsec.secrets file>
right=<my Sonicwall's public IP>
rightsubnet=<the subnet on the other side of the Sonicwall>
rightid=<my Sonicwall's unique ID prefixed by @>
keyingtries=0
pfs=no
aggrmode=no
auto=add
auth=esp
ike=aes256-md5
esp=aes256-md5
authby=secret
xauth=no
keyexchange=ike
include /etc/ipsec.d/examples/no_oe.conf
Here's the posting I wrote before. Ignore the part about Raccoon. It broke
Sonicwall on my current configuration (Ubuntu 7.04 Feisty):
http://lists.openswan.org/pipermail/users/2007-March/012092.html
If your Sonicwall must have XAUTH, then you will have to solve that problem
or develop a workaround. Depending on how much leverage you have on your
setup, you could in theory have an Openswan box configured on one of your
unused public IP addresses and route that to your local subnet. You would be
bypassing your border firewall that way, but it is doable.
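As an added example (not part of this thread or of Openswan itself): a small triage script for the pluto output that `ipsec auto --up` prints, using the lines quoted further down in the thread as a constructed sample. It reports which phase was reached, which Vendor IDs the peer advertised (XAUTH, DPD), the phase 1 parameters actually agreed (to compare against `ike=`), and the Mode Config / malformed payload errors that mark where the negotiation with the SonicWall went wrong.

```python
import re
# Constructed sample: the "ipsec auto --up sonicwall" output quoted in the thread, unwrapped and trimmed.
SAMPLE_LOG = """\
104 "sonicwall" #2: STATE_MAIN_I1: initiate
003 "sonicwall" #2: received Vendor ID payload [XAUTH]
003 "sonicwall" #2: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "sonicwall" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #2: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
004 "sonicwall" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an unknown value: 255
003 "sonicwall" #2: malformed payload in packet
"""

LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')  # code, conn name, state number, message
VID_RE = re.compile(r'received Vendor ID payload \[([^\]]+)\]')
SA_RE = re.compile(r'ISAKMP SA established \{([^}]*)\}')
def triage(log):
    # Summarise one negotiation: states reached, peer capabilities, agreed SA, errors.
    r = {"conn": None, "states": [], "vendor_ids": [], "nated": False,
         "isakmp_sa": {}, "problems": []}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto status line
        r["conn"], msg = m.group(2), m.group(4)
        st = re.match(r"(STATE_\w+)", msg)
        if st and st.group(1) not in r["states"]:
            r["states"].append(st.group(1))
        vid = VID_RE.search(msg)
        if vid:
            r["vendor_ids"].append(vid.group(1))  # e.g. XAUTH, Dead Peer Detection
        if "i am NATed" in msg:
            r["nated"] = True  # NAT-T detected this side behind NAT
        sa = SA_RE.search(msg)
        if sa:  # the phase 1 parameters actually agreed, to compare with ike=
            r["isakmp_sa"] = dict(kv.split("=", 1) for kv in sa.group(1).split())
        note = None
        if "Mode Config message is unacceptable" in msg:
            note = "peer started Mode Config (XAUTH) before phase 1 completed"
        elif "malformed payload" in msg:
            note = "payload parse failure after the ISAKMP SA came up; no phase 2"
        if note and note not in r["problems"]:
            r["problems"].append(note)
    return r

def phase_reached(r):  # "phase2" = IPsec SA up, "phase1" = ISAKMP SA only
    if "STATE_QUICK_I2" in r["states"]: return "phase2"
    return "phase1" if "STATE_MAIN_I4" in r["states"] else "none"
```

On the sample, phase 1 completes with 3DES/SHA1/modp1024 but no STATE_QUICK_I2 ever appears, so the tunnel never reaches phase 2.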
On 6/15/07, Rick Knight <rick_knight at rlknight.com> wrote:
>
> Aaron, thanks for your reply.
>
> I need to use Xauth for authentication, it's in the policy and I can't
> change that. Also, my SonicWall is configured for 3DES and SHA1 so
> that's what I have in my ipsec.conf. One thing I'm wondering about
> though is the name of the VPN Policy. Do I need to match this in my
> ipsec.conf file? Whoever set up the SonicWall and configured the VPN
> policies, put spaces in the name. Instead of "GroupVPN", we have "WAN
> GroupVPN". I have not been able to get my secrets file to work with the
> latter. Could that be causing problems?
>
> Also, where can I find your article?
>
> Thanks,
> Rick Knight
>
> Aaron Kincer wrote:
> > Make sure your encryption settings on your Sonicwall match what you are
> > using here. Also, make sure you have turned off XAUTH for your
> > GroupVPN. Have you read my posting on how I got it working for Sonicwall?
> >
> > On 6/15/07, Rick Knight <rick_knight at rlknight.com> wrote:
> >>
> >> I'm trying to establish a connection to a SonicWall 3060 Enhanced
> >> firewall using Openswan 2.3. I have several documents describing how to
> >> do this, but for some reason I can't make it work. Can someone take a
> >> look at my settings and tell me what I've missed or gotten wrong? Below
> >> is my ipsec.conf and several lines of output generated when I try to
> >> connect.
> >>
> >> My ipsec.conf
> >> # /etc/ipsec.conf - Openswan IPsec configuration file
> >> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> >>
> >> # This file: /usr/share/doc/openswan/ipsec.conf-sample
> >> #
> >> # Manual: ipsec.conf.5
> >>
> >>
> >> version 2.0 # conforms to second version of ipsec.conf specification
> >>
> >> # basic configuration
> >> config setup
> >> # plutodebug / klipsdebug = "all", "none" or a combination from below:
> >> # "raw crypt parsing emitting control klips pfkey natt x509 private"
> >> # eg:
> >> # plutodebug="control parsing"
> >> #
> >> # Only enable klipsdebug=all if you are a developer
> >> #
> >> # NAT-TRAVERSAL support, see README.NAT-Traversal
> >> nat_traversal=yes
> >> # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> >>
> >> # Add connections here
> >>
> >> conn sonicwall
> >> type=tunnel
> >> left=172.16.88.25
> >> leftnexthop=172.16.88.2
> >> leftsubnet=172.16.88.0/23
> >> leftxauthclient=yes
> >> leftid=@localID
> >> right=x.x.x.x
> >> rightsubnet=192.168.0.0/24
> >> rightxauthserver=yes
> >> rightid=@uniqueID
> >> keyingtries=0
> >> pfs=no
> >> aggrmode=no
> >> auto=add
> >> auth=esp
> >> ike=3des-sha1
> >> esp=3des-sha1
> >> authby=secret
> >> #xauth=yes
> >> keyexchange=ike
> >>
> >> #Disable Opportunistic Encryption
> >> #include /etc/ipsec.d/examples/no_oe.conf
> >>
> >> My ipsec.secrets contains this...
> >> @localID @uniqueID : PSK "secret"
> >>
> >> Output of # ipsec auto --up sonicwall
> >> 104 "sonicwall" #2: STATE_MAIN_I1: initiate
> >> 003 "sonicwall" #2: ignoring unknown Vendor ID payload [5b362bc820f60001]
> >> 003 "sonicwall" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
> >> 106 "sonicwall" #2: STATE_MAIN_I2: sent MI2, expecting MR2
> >> 003 "sonicwall" #2: ignoring unknown Vendor ID payload [404bf439522ca3f6]
> >> 003 "sonicwall" #2: received Vendor ID payload [XAUTH]
> >> 003 "sonicwall" #2: received Vendor ID payload [Dead Peer Detection]
> >> 003 "sonicwall" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
> >> 108 "sonicwall" #2: STATE_MAIN_I3: sent MI3, expecting MR3
> >> 003 "sonicwall" #2: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
> >> 010 "sonicwall" #2: STATE_MAIN_I3: retransmission; will wait 20s for response
> >> 004 "sonicwall" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> >> 003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an unknown value: 255
> >> 003 "sonicwall" #2: malformed payload in packet
> >> 003 "sonicwall" #2: next payload type of ISAKMP Hash Payload has an unknown value: 255
> >> 003 "sonicwall" #2: malformed payload in packet
> >>
> >> Can someone please help me out?
> >>
> >> Thanks,
> >> Rick Knight
> >> _______________________________________________
> >> Users at openswan.org
> >> http://lists.openswan.org/mailman/listinfo/users
> >> Building and Integrating Virtual Private Networks with Openswan:
> >>
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >>
>