[Openswan Users] openswan with sonicwall, payload malformed

Aaron Kincer kincera at gmail.com
Tue Oct 2 09:12:57 EDT 2007


Set DHCP over VPN to optional (can't remember exact setting) and allow
static IPs. Openswan doesn't seem to like the DHCP packet Sonicwall spits
out. If I remember correctly, DHCP over VPN is required by default on
Sonicwall. That's what was wrong on my setup and caused the same message.

On 10/1/07, paul pantages <pdp at centinasystems.com> wrote:
>
> Hello Paul W,
>
> Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did not
> change the behaviour.
>
> I also tried the modecfgpull=yes (I also tried adding
> leftmodecfgclient=yes) but no luck with either of these.
>
> I still see the "Mode Config message is unacceptable...". This might
> indicate that modecfgpull is not going to work?
>
> ipsec verify asked me to turn off "enforced SElinux mode" which I also
> tried.
>
> I will check the Sonicwall f/w version at work Monday.
>
> Thanks again for the suggestions;
>
> PdP
>
> Paul Wouters wrote:
> > On Sat, 29 Sep 2007, paul pantages wrote:
> >
> >> [root at rigel pdp]# ipsec verify
> >> Checking your system to see if IPsec got installed and started correctly:
> >> Version check and ipsec on-path                                 [OK]
> >> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
> >
> > You should upgrade and try this with openswan 2.4.9.
> >
> >> conn myclient
> >>       left=172.16.1.35
> >>       leftsubnet=172.16.1.35/32
> >
> > Leave out the leftsubnet. Otherwise it seems fine.
> > You could try adding modecfgpull=yes?
> >
> >> STATE_MAIN_I3
> >> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> >> 003 "myclient" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
> >
> > Odd. That might suggest a buggy implementation on the Sonic Wall. Can
> > you see if you are running the latest firmware?
> >
> > Paul
>