[Openswan Users] openswan with sonicwall, payload malformed

Aaron Kincer kincera at gmail.com
Tue Oct 2 09:22:20 EDT 2007


I've posted a working config in the past. I was never able to get DHCP over
VPN working at all.

http://lists.openswan.org/pipermail/users/2007-March/012092.html

If you use Ubuntu, do NOT install Racoon. It screwed things up in the end
and isn't needed as far as I can tell.

On 10/2/07, Marius Schrecker <marius at schrecker.org> wrote:
>
> >
> > Hello Paul W,
> >
> > Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did not
> > change the behaviour.
> >
> > I also tried the modecfgpull=yes ( I also tried adding
> > leftmodecfgclient=yes ) but no luck with either of these.
> >
> > I still see the "Mode Config message is unacceptable..."; This might
> > indicate that modecfgpull is not going to work?
> >
> > ipsec verify asked me to turn off "enforced SElinux mode" which I also
> > tried.
> >
> > I will check the Sonicwall f/w version at work Monday.
> >
> > Thanks again for the suggestions;
> >
> > PdP
> >
> > Paul Wouters wrote:
> >> On Sat, 29 Sep 2007, paul pantages wrote:
> >>
> >>> [root@rigel pdp]# ipsec verify
> >>> Checking your system to see if IPsec got installed and started correctly:
> >>> Version check and ipsec on-path                                 [OK]
> >>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
> >>
> >> You should upgrade and try this with openswan 2.4.9.
> >>
> >>> conn myclient
> >>>       left=172.16.1.35
> >>>       leftsubnet=172.16.1.35/32
> >>
> >> Leave out the leftsubnet. Otherwise it seems fine.
> >> You could try adding modecfgpull=yes?
> >>
> >>> STATE_MAIN_I3
> >>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> >>> 003 "myclient" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
> >>
> >> Odd. That might suggest a buggy implementation on the Sonic Wall. Can
> >> you see if you are running the latest firmware?
> >>
> >> Paul
> >
> I'm having trouble configuring vpn from OpenSwan to Sonicwall TZ 170
> fw: 3.1.0.12-86s, so am interested in hearing from anyone who has a working
> configuration.
>
> My problem is that the OpenSwan client doesn't get an IP on the vpn
> subnet. Was interested to read (above) that "leftsubnet" should be left
> out.
>
> Does anyone have a working config (preferably for an OpenSwan RoadWarrior
> authenticating against SonicWall OS standard)?
>
> Cheers
>
> Marius