[Openswan Users] Openswan <-> SonicWall TZ107 Roadwarrior

David L. Cathey davidc at montagar.com
Fri Nov 23 17:58:56 EST 2007


I'm trying to set up a SonicWall TZ107 as a Roadwarrior against an
openswan server (Fedora 6, openswan 2.4.9 built from source).

Sonic168.conf:
conn Sonic168
    type=tunnel
    auto=add
    auth=esp
    pfs=no
    authby=secret
    keyingtries=1
    left=66.60.79.53                    # 
    leftid=@TSP168                     # Local information
    leftsubnet=192.168.2.0/24
    leftnexthop=%defaultroute
    right=%any                          # Remote information
    #rightid=@Sonic168                  #
    rightsubnet=192.168.168.0/24        #
    esp=3des-md5
    ike=3des-md5
    keyexchange=ike

ipsec.secrets:
@TSP168 %any : PSK "CominationForMyLuggage" # Not the real PSK!

This gets me to (several of these from ipsec auto --status):
000 #nnn: "Sonic168"[1] 72.64.118.247:500 STATE_MAIN_R3 (sent MR3,
ISAKMP SA established); EVENT_SA_REPLACE in 2596s; nodpd

I end up with openswan sending INVALID_ID_INFORMATION back to the
SonicWall.  The SonicWall log also shows this (Start Quick Mode (Phase
2), followed by Received notify: INVALID_ID_INFO).

If I change the config to uncomment the rightid, it never gets a
connection (visible with plutodebug="all"):
concluding with best_match=6 best=0x812fb360 (lineno=29)
    match_id a=72.64.118.247
             b=@Sonic168
    results  fail
Since it thinks Sonic168 is of kind ID_FQDN, and will not wildcard
with the connection, even though right=%any.  Unless I just hack id.c
and have match_id() return true anyway (but that would be bad).

Can this work, since I can't see what I'm missing here...

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
David L. Cathey                      |Inet: davidc at montagar.com
Montagar Software, Inc.              |Fone: (972)-423-5224
P. O. Box 260772, Plano, TX 75026    |http://www.montagar.com
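As an added illustration (not part of the original post), the following Python script walks pluto output of the shape quoted above, reports whether the ISAKMP SA (Phase 1) came up, and pulls the two identities out of a failed match_id trace, classifying each as ID_FQDN, ID_IPV4_ADDR or wildcard the way the post reasons about them. The log sample is constructed from the lines in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of pluto output mirroring the shapes quoted in the post
# (one `ipsec auto --status` line and the plutodebug match_id trace).
SAMPLE_LOG = """\
000 #12: "Sonic168"[1] 72.64.118.247:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2596s; nodpd
concluding with best_match=6 best=0x812fb360 (lineno=29)
    match_id a=72.64.118.247
             b=@Sonic168
    results  fail
"""

def id_kind(ident: str) -> str:
    """Classify an IKE identity as the post discusses: @name is ID_FQDN,
    a dotted quad is ID_IPV4_ADDR and %any is a wildcard."""
    if ident == "%any":
        return "WILDCARD"
    if ident.startswith("@"):
        return "ID_FQDN"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ident):
        return "ID_IPV4_ADDR"
    return "UNKNOWN"

@dataclass
class Diagnosis:
    phase1_established: bool = False
    peer: Optional[str] = None
    # (peer id, its kind, configured id, its kind) for every failed match
    id_failures: List[Tuple[str, str, str, str]] = field(default_factory=list)

def diagnose(log: str) -> Diagnosis:
    """Note an established ISAKMP SA (Phase 1 done) and every match_id
    trace that ended in 'fail', recording both identities and their kinds."""
    d = Diagnosis()
    pending = None  # [a, b] collected from the most recent match_id trace
    for line in log.splitlines():
        m = re.search(r'"[^"]+"\[\d+\] (\S+):\d+ STATE_MAIN_R3.*ISAKMP SA established', line)
        if m:
            d.phase1_established = True
            d.peer = m.group(1)
        m = re.search(r"match_id a=(\S+)", line)
        if m:
            pending = [m.group(1), None]
        m = re.search(r"^\s+b=(\S+)", line)
        if m and pending:
            pending[1] = m.group(1)
        if re.search(r"results\s+fail", line) and pending:
            a, b = pending
            d.id_failures.append((a, id_kind(a), b, id_kind(b)))
            pending = None
    return d
```

For the constructed sample the result shows Phase 1 established with peer 72.64.118.247 and one ID failure pairing an ID_IPV4_ADDR peer identity against the ID_FQDN @Sonic168, which is the mismatch the post describes.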

