[Openswan Users] openswan and sonicwall

Gary W. Smith gary at primeexalia.com
Wed May 2 14:14:37 EDT 2007


> I haven't been able to get XAUTH working between Sonicwall and
> Openswan.
> I turned it off and it works great. Forget aggressive mode. Even worse
> things happen there. Although I admit I haven't done exhaustive
> testing.
> I posted a while back on how to get it working. Right off hand, I
> don't see anything wrong with your conf there. Google the words "sonicwall
> openswan 2040 solved" without quotes and you should get the post right
> away. If you are using a different model, you should be able to draw
> enough info out to get it working.

Aaron,

Thanks for the response.  I did indeed find the article.  Very useful
but I still haven't been able to make a successful connection to the
sonicwall.  I have also verified that each item in our SonicWall
matches what you have specified.  The model is TZ 170 Enhanced.  I have
also included the sonicwall log files.

Here is the modified config and the resultant log files.  We're
definitely getting farther.

config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        nhelpers=0
        #klipsdebug=all
        #plutodebug=all
        klipsdebug=none
        plutodebug=none
        
conn sonicwall
        type=tunnel
        left=VALIDIP
        leftnexthop=VALIDGWIP
        leftsubnet=10.9.9.0/24
        leftid=@sonicwall
        right=VALIDIP
        rightsubnet=192.168.0.0/16
        rightid=@0006B13517B4
        keyingtries=0
        pfs=no
        aggrmode=no
        auto=start
        auth=esp
        ike=aes128-sha1
        esp=aes128-sha1
        authby=secret
        xauth=no
        keyexchange=ike

May  2 10:59:57 OPENSWANTEST pluto[21064]: "sonicwall" #1: initiating Main Mode
May  2 10:59:57 OPENSWANTEST pluto[21064]: "sonicwall" #1: ignoring unknown Vendor ID payload [5b362bc820f60003]
May  2 10:59:57 OPENSWANTEST pluto[21064]: "sonicwall" #1: received Vendor ID payload [RFC 3947] method set to=110
May  2 10:59:57 OPENSWANTEST pluto[21064]: "sonicwall" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May  2 10:59:57 OPENSWANTEST pluto[21064]: "sonicwall" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May  2 10:59:57 OPENSWANTEST pluto[21064]: "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May  2 10:59:58 OPENSWANTEST pluto[21064]: "sonicwall" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
May  2 10:59:58 OPENSWANTEST pluto[21064]: "sonicwall" #1: received Vendor ID payload [XAUTH]
May  2 10:59:58 OPENSWANTEST pluto[21064]: "sonicwall" #1: received Vendor ID payload [Dead Peer Detection]
May  2 10:59:58 OPENSWANTEST pluto[21064]: "sonicwall" #1: I did not send a certificate because I do not have one.
May  2 10:59:58 OPENSWANTEST pluto[21064]: "sonicwall" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
May  2 10:59:58 OPENSWANTEST pluto[21064]: "sonicwall" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May  2 10:59:58 OPENSWANTEST pluto[21064]: "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May  2 10:59:58 OPENSWANTEST pluto[21064]: "sonicwall" #1: next payload type of ISAKMP Hash Payload has an unknown value: 67
May  2 10:59:58 OPENSWANTEST pluto[21064]: "sonicwall" #1: malformed payload in packet
May  2 10:59:58 OPENSWANTEST pluto[21064]: | payload malformed after IV
May  2 10:59:58 OPENSWANTEST pluto[21064]: |   63 a1 22 94  16 48 bb 85  cb 30 1b 62  b9 84 96 92
May  2 10:59:58 OPENSWANTEST pluto[21064]: "sonicwall" #1: sending notification PAYLOAD_MALFORMED to VALIDIP:500
May  2 11:00:08 OPENSWANTEST pluto[21064]: "sonicwall" #1: ignoring informational payload, type INVALID_COOKIE
May  2 11:00:08 OPENSWANTEST pluto[21064]: "sonicwall" #1: received and ignored informational message

1 05/02/2007 11:09:16.864 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch ValidIP, 500 ValidIP, 500 VPN Policy: WAN GroupVPN;
2 05/02/2007 11:09:16.112 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) ValidIP, 500 ValidIP, 500
5 05/02/2007 11:08:05.832 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch ValidIP, 500 ValidIP, 500 VPN Policy: WAN GroupVPN;
6 05/02/2007 11:08:05.080 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) ValidIP, 500 ValidIP, 500

Any ideas?
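A small log-triage script, added here as an example and not part of the thread, that scans pluto and SonicWall log excerpts of the shape shown above for the Phase 1 signatures they contain (MI3 sent, malformed payload after decryption, "Proposed IKE ID mismatch" on the responder) and maps them to the settings to compare on both peers. The sample log lines are constructed with placeholder IPs, and the signature-to-check mapping is this example's own heuristic, not an Openswan or SonicWall diagnostic.

```python
import re

# Constructed sample: a few lines in the shape of the pluto log and the
# SonicWall event log quoted above (IPs are placeholders).
PLUTO_LOG = """\
May  2 10:59:57 host pluto[21064]: "sonicwall" #1: initiating Main Mode
May  2 10:59:58 host pluto[21064]: "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May  2 10:59:58 host pluto[21064]: "sonicwall" #1: next payload type of ISAKMP Hash Payload has an unknown value: 67
May  2 10:59:58 host pluto[21064]: "sonicwall" #1: malformed payload in packet
May  2 10:59:58 host pluto[21064]: "sonicwall" #1: sending notification PAYLOAD_MALFORMED to 192.0.2.1:500
"""
SONICWALL_LOG = """\
2 05/02/2007 11:09:16.112 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 192.0.2.2, 500 192.0.2.1, 500
1 05/02/2007 11:09:16.864 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch 192.0.2.2, 500 192.0.2.1, 500 VPN Policy: WAN GroupVPN;
"""

# Phase 1 signatures, keyed by the peer that logs them.
SIGNATURES = {
    "pluto": {
        "reached_mi3": re.compile(r"STATE_MAIN_I3: sent MI3"),
        "malformed_payload": re.compile(r"malformed payload in packet|PAYLOAD_MALFORMED"),
        "unknown_next_payload": re.compile(r"next payload type .* unknown value: \d+"),
    },
    "sonicwall": {
        "main_mode_received": re.compile(r"Received Main Mode request \(Phase 1\)"),
        "ike_id_mismatch": re.compile(r"Proposed IKE ID mismatch"),
    },
}

def scan(log_text, source):
    """Return the set of signature names present in one peer's log."""
    found = set()
    for line in log_text.splitlines():
        for name, pattern in SIGNATURES[source].items():
            if pattern.search(line):
                found.add(name)
    return found

def diagnose(pluto_text, sonicwall_text):
    """Combine both peers' findings into a stage label and a list of settings to compare."""
    p, s = scan(pluto_text, "pluto"), scan(sonicwall_text, "sonicwall")
    verdict = {"stage": "unknown", "checks": []}
    if "reached_mi3" in p and "main_mode_received" in s:
        # MI3 is the first encrypted Main Mode message and carries the initiator ID.
        verdict["stage"] = "phase1_identity_exchange"
    if "ike_id_mismatch" in s:
        verdict["checks"].append("leftid/rightid against the IDs configured in the SonicWall policy")
    if "malformed_payload" in p or "unknown_next_payload" in p:
        # Heuristic: garbage after the IV usually means the peers derived different keys.
        verdict["checks"].append("pre-shared key and Phase 1 proposal (ike=aes128-sha1) on both peers")
    return verdict
```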
