[Openswan Users] sonicwall PRO interop question

Aaron Kincer kincera at gmail.com
Thu May 10 16:33:08 EDT 2007


I've got Openswan connecting to a Sonicwall 2040Pro running SonicOS 
Enhanced and there are a few things I ran into that may or may not help you.

aggrmode -- turn it off. I never got it working and it was singularly a 
point of spectacular failure. You may find setting this to "no" fixes 
your issue by itself.
xauth -- I never got xauth working right and found I HAD to turn it off.
DHCP over VPN -- allow static IPs. Forcing DHCP caused failure every 
single time.

I hope that helps.

Good luck,

Aaron Kincer

Doug Rorem wrote:
> 10-may
>
> Hello..
>
> I'm trying to set up an Openswan client connection to
> a Sonicwall 5060Pro system (running SonicOS Enhanced
> 3.5.0.1-35e). I've tried following the Sonicwall
> Tech Note on this:
> http://www.sonicwall.com/downloads/SonicOS_Standard_to_Openswan_Using_GroupVPN_with_XAUTH.pdf
>
> I've turned up Pluto logging a bit:
> plutodebug="control parsing emitting"
>
> ipsec.conf file:
>
> # Openswan (this host) is "left"; the SonicWall is "right".
> conn group
>         type=tunnel
>         left=aa.bb.cc.dd
>         leftsubnet=aa.bb.cc.dd/32
>         leftid=@GroupVPN
>         leftxauthclient=yes
>         right=ee.ff.gg.hh
>         rightsubnet=ee.ff.gg.hh/28
>         rightid=@000xxxxxxxxx
>         rightxauthserver=yes
>         # keyingtries=0: retry forever; auto=add: load the conn but do not start it
>         keyingtries=0
>         pfs=no
>         auto=add
>         # phase 2 (ESP) and phase 1 (IKE) proposals
>         auth=esp
>         esp=3des-sha1
>         ike=3des-sha1-modp1536
>         # XAUTH user authentication, pre-shared key, aggressive-mode phase 1
>         xauth=yes
>         authby=secret
>         aggrmode=yes
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> What's strange is that the /var/log/auth.log file has
> this early on:
>
> May 10 13:00:36 ozzie pluto[6037]: | from whack: got --esp=3des-sha1
> May 10 13:00:36 ozzie pluto[6037]: | esp string values: 3DES(3)_000-SHA1(2), flags=strict
> May 10 13:00:36 ozzie pluto[6037]: | from whack: got --ike=3des-sha1-modp1536
> May 10 13:00:36 ozzie pluto[6037]: | ike string values: IDEA(5)_000-SHA1(2)-5, flags=strict
>
> Any idea why pluto is changing the IKE string from 3des
> to IDEA??  I imagine that's causing problems further down
> since the response I get from the Sonicwall eventually
> is ignored by Openswan:
>  packet from ee.ff.gg.hh:500: phase 1 message is part of an unknown exchange
>
> The Sonicwall repeats this response several times, but
> it's rejected by Openswan and phase 1 doesn't progress.
>
> Maybe related.. my client is a laptop [Intel Core2 duo
> w/ 1Gb memory] (I'm just using it for testing - the final
> client is a Dell server) and I do get this error (in auth.log):
> system too busy
>
> just before I get the first response back from the
> Sonicwall.
>
>
> thanks in advance,
> Doug Rorem
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
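Aaron's three settings aside, the one thing in Doug's log that can be settled from the numbers alone is the IDEA(5) line. The script below is added here and is not code from Openswan, from the SonicWall tech note, or from either poster. It parses the ike=/esp= strings from the quoted ipsec.conf into the transform IDs each protocol uses on the wire (3DES-CBC is value 5 in the IKEv1 encryption-attribute table of RFC 2409 Appendix A, while 5 is ESP_IDEA in the ESP transform table of RFC 2407 and ESP_3DES is 3) and re-renders them in pluto's NAME(id)_keylen-NAME(id)-group log layout. Printing the IKE value 5 through the ESP name table reproduces the logged IDEA(5)_000-SHA1(2)-5 exactly from the configured 3des-sha1-modp1536, so the name in that log line does not by itself show a changed cipher proposal; decode_ike_log does the check the other way round, taking the numbers from a log entry and reading them with the IKE table. The table values are the RFC ones; the function and table names are mine.

```python
import re

# Added example; not code from Openswan or the SonicWall tech note.
# Parses ike=/esp= proposal strings (ipsec.conf syntax) into the numeric
# transform IDs each protocol carries on the wire, renders them the way
# pluto logs them, and decodes a logged entry back through the IKE table.

# IKEv1 phase 1 attribute values (RFC 2409, Appendix A).
IKE_ENC = {"des": 1, "idea": 2, "blowfish": 3, "rc5": 4, "3des": 5, "cast": 6, "aes": 7}
IKE_HASH = {"md5": 1, "sha1": 2, "tiger": 3}
IKE_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
             "modp3072": 15, "modp4096": 16}

# IPsec DOI ESP transform IDs (RFC 2407, section 4.4.4) and ESP auth algorithms.
ESP_ENC = {"des": 2, "3des": 3, "rc5": 4, "idea": 5, "cast": 6, "blowfish": 7,
           "3idea": 8, "null": 11, "aes": 12}
ESP_AUTH = {"md5": 1, "sha1": 2}


def name_table(table):
    """Reverse a name->id table into id->NAME for log-style rendering."""
    return {v: k.upper() for k, v in table.items()}


def parse_ike(spec):
    """'3des-sha1-modp1536[,aes-md5-modp1024]' -> [(enc_id, hash_id, group_id|None)]"""
    out = []
    for prop in spec.split(","):
        parts = prop.strip().lower().split("-")
        if len(parts) not in (2, 3):
            raise ValueError(f"bad ike proposal: {prop!r}")
        enc, hsh = IKE_ENC[parts[0]], IKE_HASH[parts[1]]
        grp = IKE_GROUP[parts[2]] if len(parts) == 3 else None
        out.append((enc, hsh, grp))
    return out


def parse_esp(spec):
    """'3des-sha1[,aes-md5]' -> [(enc_id, auth_id)]"""
    out = []
    for prop in spec.split(","):
        enc, auth = prop.strip().lower().split("-")
        out.append((ESP_ENC[enc], ESP_AUTH[auth]))
    return out


def render(enc_id, auth_id, enc_names, auth_names, group=None, keylen=0):
    """Mimic pluto's 'NAME(id)_keylen-NAME(id)[-group]' layout using the name
    tables handed in. Looking an IKE id up in the ESP table changes only the
    printed name, never the id that goes on the wire."""
    s = f"{enc_names[enc_id]}({enc_id})_{keylen:03d}-{auth_names[auth_id]}({auth_id})"
    return s if group is None else f"{s}-{group}"


LOG_ENTRY = re.compile(r"(\w+)\((\d+)\)_(\d+)-(\w+)\((\d+)\)(?:-(\d+))?")


def decode_ike_log(entry):
    """Read the numbers out of an 'ike string values:' log entry and decode
    them with the IKE tables, ignoring whatever names were printed."""
    m = LOG_ENTRY.search(entry)
    if not m:
        raise ValueError(f"unrecognised pluto entry: {entry!r}")
    enc, hsh, grp = int(m.group(2)), int(m.group(5)), m.group(6)
    enc_name = name_table(IKE_ENC)[enc].lower()
    hsh_name = name_table(IKE_HASH)[hsh].lower()
    if grp is None:
        return f"{enc_name}-{hsh_name}"
    return f"{enc_name}-{hsh_name}-{name_table(IKE_GROUP)[int(grp)].lower()}"


if __name__ == "__main__":
    # The two proposals from the quoted ipsec.conf.
    (enc, hsh, grp), = parse_ike("3des-sha1-modp1536")
    (eenc, eauth), = parse_esp("3des-sha1")
    print(render(enc, hsh, name_table(IKE_ENC), name_table(IKE_HASH), grp))   # 3DES(5)_000-SHA1(2)-5
    print(render(enc, hsh, name_table(ESP_ENC), name_table(ESP_AUTH), grp))   # IDEA(5)_000-SHA1(2)-5
    print(render(eenc, eauth, name_table(ESP_ENC), name_table(ESP_AUTH)))     # 3DES(3)_000-SHA1(2)
    # Constructed copy of the auth.log entry quoted above.
    print(decode_ike_log("ozzie pluto[6037]: | ike string values: IDEA(5)_000-SHA1(2)-5, flags=strict"))
```

Run it as a script to see the rendered strings, or feed decode_ike_log an "ike string values:" line from auth.log. Whatever pluto prints there, aggressive mode with a pre-shared key is worth turning off for a reason beyond interop: in that exchange the responder's HASH_R is sent before anything is encrypted, which exposes a weak PSK to offline guessing.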