[Openswan Users] sonicwall PRO interop question
Doug Rorem
rorem at ai.uic.edu
Thu May 10 15:55:38 EDT 2007
Hello..
I'm trying to set up an Openswan client connection to
a Sonicwall 5060Pro system (running SonicOS Enhanced
3.5.0.1-35e). I've tried following the Sonicwall
Tech Note on this:
http://www.sonicwall.com/downloads/SonicOS_Standard_to_Openswan_Using_GroupVPN_with_XAUTH.pdf
I've turned up Pluto logging a bit:
plutodebug="control parsing emitting"
ipsec.conf file:
conn group
        type=tunnel
        left=aa.bb.cc.dd
        leftsubnet=aa.bb.cc.dd/32
        leftid=@GroupVPN
        leftxauthclient=yes
        right=ee.ff.gg.hh
        rightsubnet=ee.ff.gg.hh/28
        rightid=@000xxxxxxxxx
        rightxauthserver=yes
        keyingtries=0
        pfs=no
        auto=add
        auth=esp
        esp=3des-sha1
        ike=3des-sha1-modp1536
        xauth=yes
        authby=secret
        aggrmode=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
What's strange is that the /var/log/auth.log file has
this early on:
May 10 13:00:36 ozzie pluto[6037]: | from whack: got --esp=3des-sha1
May 10 13:00:36 ozzie pluto[6037]: | esp string values: 3DES(3)_000-SHA1(2), flags=strict
May 10 13:00:36 ozzie pluto[6037]: | from whack: got --ike=3des-sha1-modp1536
May 10 13:00:36 ozzie pluto[6037]: | ike string values: IDEA(5)_000-SHA1(2)-5, flags=strict
Any idea why pluto is changing the IKE string from 3des
to IDEA?? I imagine that's causing problems further down
since the response I get from the Sonicwall eventually
is ignored by Openswan:
packet from ee.ff.gg.hh:500: phase 1 message is part of an unknown exchange
The Sonicwall repeats this response several times, but
it's rejected by Openswan and phase 1 doesn't progress.
Maybe related.. my client is a laptop [Intel Core2 Duo
w/ 1Gb memory] (I'm just using it for testing - the final
client is a Dell server) and I do get this error (in auth.log):
system too busy
just before I get the first response back from the
Sonicwall.
thanks in advance,
Doug Rorem
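One way to sanity-check what pluto's debug lines above actually mean, as an added example that is not part of the original post or of Openswan: decode the numeric IDs pluto prints next to each algorithm name against the IKEv1 tables (Phase 1 encryption IDs from RFC 2409 Appendix A, where 3DES-CBC is 5 and IDEA-CBC is 2; ESP transform IDs from RFC 2407) and compare them with what was requested on the --ike/--esp line. The sample log is constructed from the lines quoted in the post, with the wrapped lines re-joined.

```python
import re

# Constructed sample: the four pluto debug lines quoted in the post, re-joined.
SAMPLE_LOG = """\
May 10 13:00:36 ozzie pluto[6037]: | from whack: got --esp=3des-sha1
May 10 13:00:36 ozzie pluto[6037]: | esp string values: 3DES(3)_000-SHA1(2), flags=strict
May 10 13:00:36 ozzie pluto[6037]: | from whack: got --ike=3des-sha1-modp1536
May 10 13:00:36 ozzie pluto[6037]: | ike string values: IDEA(5)_000-SHA1(2)-5, flags=strict
"""

# IKEv1 Phase 1 encryption algorithm IDs (RFC 2409 Appendix A).
IKE_ENC = {1: "des", 2: "idea", 3: "blowfish", 4: "rc5", 5: "3des", 6: "cast", 7: "aes"}
# IPsec DOI ESP transform IDs (RFC 2407 section 4.4.4).
ESP_ENC = {2: "des", 3: "3des", 4: "rc5", 5: "idea", 6: "cast", 7: "blowfish", 11: "null", 12: "aes"}
# IKE hash IDs (RFC 2409) and ESP HMAC auth IDs (RFC 2407) both use 1=MD5, 2=SHA1.
HASH = {1: "md5", 2: "sha1", 3: "tiger"}

GOT_RE = re.compile(r"from whack: got --(esp|ike)=(\S+)")
VALUES_RE = re.compile(r"(esp|ike) string values: (\w+)\((\d+)\)_\d+-(\w+)\((\d+)\)(?:-(\d+))?")


def check_whack_parse(log):
    """Pair each 'from whack: got --X=' line with the 'X string values:' line that
    follows it and report whether the printed name and the numeric ID agree with
    each other and with the requested cipher/hash."""
    requested, results = {}, {}
    for line in log.splitlines():
        m = GOT_RE.search(line)
        if m:
            enc, hsh = m.group(2).lower().split("-")[:2]  # e.g. "3des-sha1-modp1536"
            requested[m.group(1)] = (enc, hsh)
            continue
        m = VALUES_RE.search(line)
        if m:
            proto, label, enc_id = m.group(1), m.group(2), int(m.group(3))
            hash_label, hash_id = m.group(4), int(m.group(5))
            table = IKE_ENC if proto == "ike" else ESP_ENC
            want_enc, want_hash = requested.get(proto, (None, None))
            id_means = table.get(enc_id, "unknown")
            results[proto] = {
                "requested": want_enc, "label": label, "id": enc_id, "id_means": id_means,
                "label_ok": label.lower() == id_means,   # printed name agrees with the number?
                "id_ok": id_means == want_enc,           # number agrees with what was asked for?
                "hash_ok": HASH.get(hash_id) == want_hash == hash_label.lower(),
            }
    return results


if __name__ == "__main__":
    for proto, r in check_whack_parse(SAMPLE_LOG).items():
        verdict = "OK" if r["id_ok"] and r["label_ok"] else ("label only" if r["id_ok"] else "WRONG ID")
        print(f"{proto}: asked {r['requested']}, printed {r['label']}({r['id']}) = {r['id_means']} -> {verdict}")
```

For the IKE line the numeric ID 5 decodes to 3DES as requested while the printed name does not, so the check reports a label-only disagreement rather than a wrong proposal; a real cipher substitution would show up as `id_ok` being false.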