[Openswan Users] Openswan <-> SonicWall TZ107 Roadwarrior

Peter McGill petermcgill at goco.net
Mon Nov 26 09:51:54 EST 2007


Can you set the id in the shorewall, or does the shorewall have a static ip?
The id must match the id used by the shorewall.
The default is set to match the ip address, but you can't do that with a dynamic ip.

Also, if you can turn on pfs on both sides, that will result in a more secure connection.

Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of David L. Cathey
> Sent: November 23, 2007 5:59 PM
> To: users at openswan.org
> Subject: [Openswan Users] Openswan <-> SonicWall TZ107 Roadwarrior
> 
> I'm trying to set up a SonicWall TZ107 as a Roadwarrior against an
> openswan server (Fedora 6, openswan 2.4.9 built from source).
> 
> Sonic168.conf:
> conn Sonic168
>     type=tunnel
>     auto=add
>     auth=esp
>     pfs=no
>     authby=secret
>     keyingtries=1
>     left=66.60.79.53                    # 
>     leftid=@TSP168                     # Local information
>     leftsubnet=192.168.2.0/24
>     leftnexthop=%defaultroute
>     right=%any                          # Remote information
>     #rightid=@Sonic168                  #
>     rightsubnet=192.168.168.0/24        #
>     esp=3des-md5
>     ike=3des-md5
>     keyexchange=ike
> 
> ipsec.secrets:
> @TSP168 %any : PSK "CominationForMyLuggage" # Not the real PSK!
> 
> This gets me to (several of these from ipsec auto --status):
> 000 #nnn: "Sonic168"[1] 72.64.118.247:500 STATE_MAIN_R3 (sent MR3,
> ISAKMP SA established); EVENT_SA_REPLACE in 2596s; nodpd
> 
> I end up with openswan sending INVALID_ID_INFORMATION back to the
> SonicWall.  The SonicWall log also shows this (Start Quick Mode (Phase
> 2), followed by Received notify: INVALID_ID_INFO).
> 
> If I change the config to uncomment the rightid, it never gets a
> connection (visible with plutodebug="all"):
> concluding with best_match=6 best=0x812fb360 (lineno=29)
>     match_id a=72.64.118.247
>              b=@Sonic168
>     results  fail
> Since it thinks Sonic168 is of kind ID_FQDN, and will not wildcard
> with the connection, even though right=%any.  Unless I just hack id.c
> and have match_id() return true anyway (but that would be bad).
> 
> Can this work, since I can't see what I'm missing here...
> 
> -- 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
> - - - - -
> David L. Cathey                      |Inet: davidc at montagar.com
> Montagar Software, Inc.              |Fone: (972)-423-5224
> P. O. Box 260772, Plano, TX 75026    |http://www.montagar.com
> 
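For reference, the shape of configuration the reply describes (an explicit id on each side that the SonicWall must also present, and PFS on at both ends), written as an added example for this archive page rather than taken from the poster's or Openswan's own files. The PSK is a placeholder, and keying the secrets line on both explicit ids instead of `%any` is this example's assumption.

```conf
# /etc/ipsec.conf on the Openswan side (added example, not the poster's file)
conn Sonic168
    type=tunnel
    auto=add
    authby=secret
    pfs=yes                             # PFS on here; it must be on at the SonicWall as well
    keyingtries=1
    left=66.60.79.53
    leftid=@TSP168                      # id the SonicWall must expect from this side
    leftsubnet=192.168.2.0/24
    leftnexthop=%defaultroute
    right=%any                          # dynamic address, so the address cannot serve as the id
    rightid=@Sonic168                   # the SonicWall must send exactly this id, not its address
    rightsubnet=192.168.168.0/24
    esp=3des-md5
    ike=3des-md5
    keyexchange=ike

# /etc/ipsec.secrets: index the PSK by the two explicit ids (assumption of this example)
@TSP168 @Sonic168 : PSK "REPLACE-WITH-REAL-PSK"
```

After editing, `ipsec auto --status` should show the conn instantiated for the peer's id rather than its address; if the SonicWall is still sending its address as its local id, the match_id failure in the debug output above will recur.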


