[Openswan Users] Openswan <-> SonicWall TZ107 Roadwarrior
Peter McGill
petermcgill at goco.net
Tue Nov 27 09:31:27 EST 2007
Well you turn on aggressive mode by adding this to the conn...
aggrmode=yes
It's off by default because it makes the connection less secure, so it's better to turn off on both sides.
I'm forwarding back to the list to see if anyone else knows what's happening with your FQDN mismatch.
Peter McGill
_____
From: David L. Cathey [mailto:davidc at montagar.com]
Sent: November 26, 2007 8:41 PM
To: petermcgill at goco.net
Subject: RE: [Openswan Users] Openswan <-> SonicWall TZ107 Roadwarrior
On Mon, 2007-11-26 at 09:51 -0500, Peter McGill wrote:
Can you set the id in the shorewall or does the shorewall have a static ip?
The id must match the id used by the shorewall.
The default is to set to match the ip address but you can't do that with dynamic ip.
I've set that before, and it correctly finds the PSK. Figured out it needs to be aggressive mode to work. However, refine_host_connection() is unable to find the matching connection to complete the tunnel. From the log (with plutodebug=control,controlmore. It's 2.4.9, which a couple of DBG() changes so I can see more of what's going on. Namely the output of match_id() to display the kind of peer and why it's failing the test.
So far, it fails getting the connection right since it's confused between the ID types of FQDN (openswan side) and USER_FQDN (Sonicwall side).
Nov 26 14:22:21 iptables pluto[4381]: | refine_connection: starting with Sonic168
Nov 26 14:22:21 iptables pluto[4381]: | started looking for secret for @TSP168->@Sonic168 of kind PPK_PSK
Nov 26 14:22:21 iptables pluto[4381]: | actually looking for secret for @TSP168->@Sonic168 of kind PPK_PSK
Nov 26 14:22:21 iptables pluto[4381]: | 1: compared PSK @Sonic168 to @TSP168 / @Sonic168 -> 2
Nov 26 14:22:21 iptables pluto[4381]: | 2: compared PSK @TSP168 to @TSP168 / @Sonic168 -> 6
Nov 26 14:22:21 iptables pluto[4381]: | best_match 0>6 best=0x842b0a0 (line=17)
Nov 26 14:22:21 iptables pluto[4381]: | concluding with best_match=6 best=0x842b0a0 (lineno=17)
Nov 26 14:22:21 iptables pluto[4381]: | match_id a=@Sonic168, kind=3
Nov 26 14:22:21 iptables pluto[4381]: | b=@Sonic168, kind=2
Nov 26 14:22:21 iptables pluto[4381]: | results fail
Nov 26 14:22:21 iptables pluto[4381]: | trusted_ca called with a=(empty) b=(empty)
Nov 26 14:22:21 iptables pluto[4381]: | refine_connection: checking Sonic168 against Sonic168, best=(none) with match=0(id=0/ca=1/reqca=1)
Nov 26 14:22:21 iptables pluto[4381]: | find_host_pair: comparing to xx.xx.79.53:500 xx.xx.118.247:500
Nov 26 14:22:21 iptables pluto[4381]: | find_host_pair: comparing to xx.xx.79.53:500 0.0.0.0:500
Nov 26 14:22:21 iptables pluto[4381]: | find_host_pair_conn (refine_host_connection): xx.xx.79.53:500 %any:500 -> hp:Sonic168
Nov 26 14:22:21 iptables pluto[4381]: | match_id a=@Sonic168, kind=3
Nov 26 14:22:21 iptables pluto[4381]: | b=@Sonic168, kind=2
Nov 26 14:22:21 iptables pluto[4381]: | results fail
Nov 26 14:22:21 iptables pluto[4381]: | trusted_ca called with a=(empty) b=(empty)
Nov 26 14:22:21 iptables pluto[4381]: | refine_connection: checking Sonic168 against Sonic168, best=(none) with match=0(id=0/ca=1/reqca=1)
Nov 26 14:22:21 iptables pluto[4381]: "Sonic168"[1] xx.xx.118.247 #898: no suitable connection for peer '@Sonic168'
So, it's in refine_connection, but match_id() is failing since the peer kind's aren't the same. I guess I need to Sonicwall to use FQDN or convince openswan that the leftid is a user FQDN.
Also if you can turn on pfs on both sides, that will result in a more secure connection.
Agreed - but I'd like to get something working first!
Peter McGill
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of David L. Cathey
> Sent: November 23, 2007 5:59 PM
> To: users at openswan.org
> Subject: [Openswan Users] Openswan <-> SonicWall TZ107 Roadwarrior
>
> I'm trying to set up a SonicWall TZ107 as a Roadwarrior against an
> openswan server (Fedora 6, openswan 2.4.9 built from source).
>
> Sonic168.conf:
> conn Sonic168
> type=tunnel
> auto=add
> auth=esp
> pfs=no
> authby=secret
> keyingtries=1
> left=66.60.79.53 #
> leftid=@TSP168 # Local information
> leftsubnet=192.168.2.0/24
> leftnexthop=%defaultroute
> right=%any # Remote information
> #rightid=@Sonic168 #
> rightsubnet=192.168.168.0/24 #
> esp=3des-md5
> ike=3des-md5
> keyexchange=ike
>
> ipsec.secrets:
> @TSP168 %any : PSK "CominationForMyLuggage" # Not the real PSK!
>
> This gets me to (several of these from ipsec auto --status):
> 000 #nnn: "Sonic168"[1] 72.64.118.247:500 STATE_MAIN_R3 (sent MR3,
> ISAKMP SA established); EVENT_SA_REPLACE in 2596s; nodpd
>
> I end up with openswan sending INVALID_ID_INFORMATION back to the
> SonicWall. The SonicWall log also shows this(Start Quick Mode (Phase
> 2), followed by Received notify: INVALID_ID_INFO).
>
> If I change the config to uncomment the rightid, it never gets a
> connection (visible with plutodebug="all"):
> concluding with best_match=6 best=0x812fb360 (lineno=29)
> match_id a=72.64.118.247
> b=@Sonic168
> results fail
> Since it thinks Sonic168 is a of kind ID_FQDN, and will not wildcard
> with the connection, even though right=%any. Unless I just hack id.c
> and have match_id() return true anyway (but that would be bad).
>
> Can this work, since I can't see what I'm missing here...
>
> --
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - - - - -
> David L. Cathey |Inet: davidc at montagar.com
> Montagar Software, Inc. |Fone: (972)-423-5224
> P. O. Box 260772, Plano, TX 75026 |http://www.montagar.com
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> 7?n=283155
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
David L. Cathey |Inet: davidc at montagar.com
Montagar Software, Inc. |Fone: (972)-423-5224
P. O. Box 260772, Plano, TX 75026 |http://www.montagar.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20071127/281d0d25/attachment.html
More information about the Users
mailing list