[Openswan Users] openswan with sonicwall, payload malformed

Marius Schrecker marius at schrecker.org
Tue Oct 2 08:49:41 EDT 2007


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello Paul W,
>
> Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did not
> change the behaviour.
>
> I also tried the modecfgpull=yes ( I also tried adding
> leftmodecfgclient=yes ) but no luck with either of these.
>
> I still see the "Mode Config message is unacceptable..."; This might
> indicate that modecfgpull is not going to work?
>
> ipsec verify asked me to turn off "enforced SElinux mode" which I also
> tried.
>
> I will check the Sonicwall f/w version at work Monday.
>
> Thanks again for the suggestions;
>
> PdP
>
> Paul Wouters wrote:
>> On Sat, 29 Sep 2007, paul pantages wrote:
>>
>>> [root@rigel pdp]# ipsec verify
>>> Checking your system to see if IPsec got installed and started correctly:
>>> Version check and ipsec on-path                                 [OK]
>>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
>>
>> You should upgrade and try this with openswan 2.4.9.
>>
>>> conn myclient
>>>       left=172.16.1.35
>>>       leftsubnet=172.16.1.35/32
>>
>> Leave out the leftsubnet. Otherwise it seems fine.
>> You could try adding modecfgpull=yes?
>>
>>> STATE_MAIN_I3
>>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>> 003 "myclient" #1: Mode Config message is unacceptable because it is for
>>> an incomplete ISAKMP SA (state=STATE_MAIN_I3)
>>
>> Odd. That might suggest a buggy implementation on the Sonic Wall. Can
>> you see if you are running the latest firmware?
>>
>> Paul
>
I'm having trouble configuring vpn from OpenSwan to Sonicwall TZ 170
fw: 3.1.0.12-86s, so am interested in hearing from anyone who has a working
configuration.

My problem is that the OpenSwan client doesn't get an IP on the vpn
subnet. Was interested to read (above) that "leftsubnet" should be left
out.

Does anyone have a working config (preferably for an OpenSwan RoadWarrior
authenticating against SonicWall OS standard)?

Cheers

Marius

