[Openswan Users] openswan with sonicwall, payload malformed

Marius Schrecker marius at schrecker.org
Tue Oct 2 10:01:19 EDT 2007


> Oh and you can use %defaultroute instead of your current IP address in case
> you are using DHCP on your local LAN.
>
> On 10/2/07, Marius Schrecker <marius at schrecker.org> wrote:
>>
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > Hello Paul W,
>> >
>> > Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did not
>> > change the behaviour.
>> >
>> > I also tried the modecfgpull=yes ( I also tried adding
>> > leftmodecfgclient=yes ) but no luck with either of these.
>> >
>> > I still see the "Mode Config message is unacceptable..."; This might
>> > indicate that modecfgpull is not going to work?
>> >
>> > ipsec verify asked me to turn off "enforced SElinux mode" which I also
>> > tried.
>> >
>> > I will check the Sonicwall f/w version at work Monday.
>> >
>> > Thanks again for the suggestions;
>> >
>> > PdP
>> >
>> > Paul Wouters wrote:
>> >> On Sat, 29 Sep 2007, paul pantages wrote:
>> >>
>> >>> [root at rigel pdp]# ipsec verify
>> >>> Checking your system to see if IPsec got installed and started correctly:
>> >>> Version check and ipsec on-path                                 [OK]
>> >>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
>> >>
>> >> You should upgrade and try this with openswan 2.4.9.
>> >>
>> >>> conn myclient
>> >>>       left=172.16.1.35
>> >>>       leftsubnet=172.16.1.35/32
>> >>
>> >> Leave out the leftsubnet. Otherwise it seems fine.
>> >> You could try adding modecfgpull=yes?
>> >>
>> >>> STATE_MAIN_I3
>> >>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> >>> 003 "myclient" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
>> >>
>> >> Odd. That might suggest a buggy implementation on the Sonic Wall. Can
>> >> you see if you are running the latest firmware?
>> >>
>> >> Paul
>> >
>> I'm having trouble configuring vpn from OpenSwan to Sonicwall TZ 170
>> fw: 3.1.0.12-86s, so am interested in hearing from anyone who has a
>> working configuration.
>>
>> My problem is that the OpenSwan client doesn't get an IP on the vpn
>> subnet. Was interested to read (above) that "leftsubnet" should be left out.
>>
>> Does anyone have a working config (preferably for an OpenSwan RoadWarrior
>> authenticating against SonicWall OS standard)?
>>
Thanks for useful pointers. Time to try again :-)


Oh, and sorry to hijack the thread!!
Marius