[Openswan Users] OpenSwan L2TP client to Sonicwall 2040

Paul Wouters paul at xelerance.com
Thu May 17 11:36:12 EDT 2007


On Wed, 16 May 2007, Gaiseric Vandal wrote:

> The configuration is as follows (the remote user is "left.")
> __________________________________________________
> conn l2tp1
> type=transport
> #left=%defaultroute
> left=192.168.1.52
> leftsubnet=192.168.1.0/24

l2tp is a transport mode host-host connection, you should not
be specifying any leftsubnet= parameters, except for nat-t:

leftsubnet=vhost:%priv,%no

and make sure nat_traversal=yes in config setup.

> #leftsubnet=192.168.100.0/24
> leftid=@GroupVPN
> # For updated Windows 2000/XP clients,
> # to support old clients as well, use leftprotoport=17/%any
> #leftprotoport=17/1701
> #old style
> leftprotoport=17/0
> #leftprotoport=17/%any

Use leftprotoport=17/1701 because xl2tpd will only use port 1701.

> #leftid=@bugsy.ssci.com
> #right=%any
> right=sonicwall.public.ip.address
> rightsubnet=192.168.0.0/24


> rightid=@pro2040
> rightprotoport=17/1701
> keyingtries=0

Comment out the keyingtries.

> pfs=no
> auto=add
> auth=esp
> esp=3des-sha1
> ike=3des-sha1-modp1024
> authby=secret
> #rekey=no

You should have rekey=yes if this is the roadwarrior.

> #left=%defaultroute
> aggrmode=no

If you are not doing X.509 certificates, you probably need to set both
a leftid= and rightid=. I have no idea how well this works, as I do not
use PSK with roadwarriors.

> STATE_QUICK_I1. No acceptable response to our first Quick Mode
> message: perhaps peer likes no proposal

Indeed, it does not.

> I never get prompted for a user name and password. And I never get
> passed phase 1. Main mode seems more reliable than aggressive mode, I
> am not using PFS, and I am using DH Group 2 (modp1024.)

Note that this only gives you the IPsec part of an "l2tp tunnel". You
should also be running an l2tp client to actually do the l2tp inside
the ipsec tunnel. You can use xl2tpd as a client.

> IKE Responder: Received Quick Mode Request (Phase 2)
> IKE Responder: Mode 3 - not transport mode. Xauth is required but not
> supported by peer.
> IKE Responder: IPSec proposal does not match (Phase 2)

I am not sure why you are connecting without transport mode with
type=transport. Are you sure your logs match your reloaded configs?

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
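The review points above (no leftsubnet/rightsubnet in transport mode, leftprotoport=17/1701, no keyingtries, rekey=yes, ids set for PSK, nat_traversal=yes when vhost:%priv is used) can be turned into a small checker. The following is an added example written for this page, not code from Openswan or from either poster: it parses an ipsec.conf-style text and reports which of those points a conn violates. The two embedded configs are constructed: the first reproduces the quoted conn with rekey=no left active and a "config setup" lacking nat_traversal so every check fires, the second is the corrected form. The assumption that rekey defaults to yes when omitted matches Openswan's documented default.

```python
"""Lint an Openswan ipsec.conf L2TP/IPsec transport-mode conn for the
pitfalls raised in the reply above. Example code, not Openswan's own."""
import re

# Constructed input: the quoted conn, with rekey=no made active and
# nat_traversal missing from "config setup" so each check has something to flag.
SAMPLE_CONF = """
config setup
    interfaces=%defaultroute

conn l2tp1
    type=transport
    left=192.168.1.52
    leftsubnet=192.168.1.0/24
    leftid=@GroupVPN
    leftprotoport=17/0
    right=sonicwall.public.ip.address
    rightsubnet=192.168.0.0/24
    rightid=@pro2040
    rightprotoport=17/1701
    keyingtries=0
    esp=3des-sha1
    ike=3des-sha1-modp1024
    authby=secret
    rekey=no
"""

# Constructed input: the same conn with the corrections applied.
FIXED_CONF = """
config setup
    nat_traversal=yes

conn l2tp1
    type=transport
    left=192.168.1.52
    leftsubnet=vhost:%priv,%no
    leftid=@GroupVPN
    leftprotoport=17/1701
    right=sonicwall.public.ip.address
    rightid=@pro2040
    rightprotoport=17/1701
    esp=3des-sha1
    ike=3des-sha1-modp1024
    authby=secret
    rekey=yes
"""


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {section: {key: value}}.
    'config setup' is stored under 'setup', 'conn NAME' under NAME.
    '#' comments and blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = "setup" if m.group(1) == "config" else m.group(2)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def lint_l2tp_conn(sections, name):
    """Return a list of findings for an L2TP/IPsec transport-mode conn."""
    conn, setup, findings = sections.get(name, {}), sections.get("setup", {}), []
    if conn.get("type") != "transport":
        findings.append("type=transport expected for L2TP/IPsec")
    for side in ("left", "right"):
        sub = conn.get(side + "subnet", "")
        if sub and not sub.startswith("vhost:"):
            findings.append(f"{side}subnet={sub}: no subnets in transport mode "
                            "(only vhost:%priv,%no for NAT-T)")
        if conn.get(side + "protoport") != "17/1701":
            findings.append(f"{side}protoport should be 17/1701 (xl2tpd uses port 1701)")
        if conn.get("authby") == "secret" and side + "id" not in conn:
            findings.append(f"PSK without certificates: set {side}id=")
    if "keyingtries" in conn:
        findings.append("comment out keyingtries")
    if conn.get("rekey", "yes").lower() == "no":  # assumption: default is yes
        findings.append("rekey=yes expected for a roadwarrior")
    uses_vhost = any(conn.get(s + "subnet", "").startswith("vhost:") for s in ("left", "right"))
    if uses_vhost and setup.get("nat_traversal") != "yes":
        findings.append("vhost:%priv needs nat_traversal=yes in config setup")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_l2tp_conn(parse_ipsec_conf(conf), "l2tp1"))
```

Running it prints five findings for the original conn (both subnets, leftprotoport, keyingtries, rekey) and none for the corrected one; the checker does not talk to the peer, so it says nothing about whether the Sonicwall actually accepts the proposal.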

