[Openswan Users] openswan with sonicwall, payload malformed

Marius Schrecker marius at schrecker.org
Tue Oct 2 08:49:41 EDT 2007

> Hello Paul W,
> Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did not
> change the behaviour.
> I also tried the modecfgpull=yes (I also tried adding
> leftmodecfgclient=yes) but no luck with either of these.
> I still see the "Mode Config message is unacceptable..."; this might
> indicate that modecfgpull is not going to work?
> ipsec verify asked me to turn off "enforced SElinux mode" which I also
> tried.
> I will check the Sonicwall f/w version at work Monday.
> Thanks again for the suggestions;
> PdP
> Paul Wouters wrote:
>> On Sat, 29 Sep 2007, paul pantages wrote:
>>> [root at rigel pdp]# ipsec verify
>>> Checking your system to see if IPsec got installed and started
>>> correctly:
>>> Version check and ipsec on-path                                 [OK]
>>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
>> You should upgrade and try this with openswan 2.4.9.
>>> conn myclient
>>>       left=
>>>       leftsubnet=
>> Leave out the leftsubnet. Otherwise it seems fine.
>> You could try adding modecfgpull=yes?
>>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>> 003 "myclient" #1: Mode Config message is unacceptable because it is
>>> for
>>> an incomplete ISAKMP SA (state=STATE_MAIN_I3)
>> Odd. That might suggest a buggy implementation on the Sonic Wall. Can
>> you see if you are running the latest firmware?
>> Paul
I'm having trouble configuring VPN from OpenSwan to Sonicwall TZ 170
fw:, so am interested in hearing from anyone who has a working

My problem is that the OpenSwan client doesn't get an IP on the VPN
subnet. Was interested to read (above) that "leftsubnet" should be left

Does anyone have a working config (preferably for an OpenSwan RoadWarrior
authenticating against SonicWall OS standard)?


