[Openswan Users] openswan with sonicwall, payload malformed

Marius Schrecker marius at schrecker.org
Wed Oct 3 04:41:51 EDT 2007


> I've posted a working config in the past. I was never able to get DHCP
> over VPN working at all.
>
> http://lists.openswan.org/pipermail/users/2007-March/012092.html
>
> If you use Ubuntu, do NOT install Racoon. It screwed things up in the end
> and isn't needed as far as I can tell.
>
> On 10/2/07, Marius Schrecker <marius at schrecker.org> wrote:
>>
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > Hello Paul W,
>> >
>> > Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did
>> > not change the behaviour.
>> >
>> > I also tried the modecfgpull=yes ( I also tried adding
>> > leftmodecfgclient=yes ) but no luck with either of these.
>> >
>> > I still see the "Mode Config message is unacceptable..."; This might
>> > indicate that modecfgpull is not going to work?
>> >
>> > ipsec verify asked me to turn off "enforced SElinux mode" which I also
>> > tried.
>> >
>> > I will check the Sonicwall f/w version at work Monday.
>> >
>> > Thanks again for the suggestions;
>> >
>> > PdP
>> >
>> > Paul Wouters wrote:
>> >> On Sat, 29 Sep 2007, paul pantages wrote:
>> >>
>> >>> [root at rigel pdp]# ipsec verify
>> >>> Checking your system to see if IPsec got installed and started
>> >>> correctly:
>> >>> Version check and ipsec on-path                                 [OK]
>> >>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
>> >>
>> >> You should upgrade and try this with openswan 2.4.9.
>> >>
>> >>> conn myclient
>> >>>       left=172.16.1.35
>> >>>       leftsubnet=172.16.1.35/32
>> >>
>> >> Leave out the leftsubnet. Otherwise it seems fine.
>> >> You could try adding modecfgpull=yes?
>> >>
>> >>> STATE_MAIN_I3
>> >>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> >>> 003 "myclient" #1: Mode Config message is unacceptable because it is
>> >>> for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
>> >>
>> >> Odd. That might suggest a buggy implementation on the SonicWall. Can
>> >> you see if you are running the latest firmware?
>> >>
>> >> Paul
>> >
>> I'm having trouble configuring VPN from Openswan to SonicWall TZ 170
>> fw: 3.1.0.12-86s, so am interested in hearing from anyone who has a
>> working configuration.
>>
>> My problem is that the OpenSwan client doesn't get an IP on the vpn
>> subnet. Was interested to read (above) that "leftsubnet" should be left
>> out.
>>
>> Does anyone have a working config (preferably for an Openswan
>> RoadWarrior authenticating against SonicWall OS standard)?
>>
>> Cheers
>>
>> Marius
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
Thanks for the link to the forum thread. I've followed the config as best
I can. Here are the points of divergence:
  -> using XAUTH and aggressive mode
  -> "set default route as this gateway" is not available together with
     DefaultRoute 0.0.0.0 in SonicOS standard, therefore not set.
  -> "Allow connections to Split Tunnels" to allow simultaneous internet
     and VPN access

I've tried both with and without leftsubnet in ipsec.my_connection.conf;
leaving it out causes phase 2 to time out.

With leftsubnet in place I get complete authentication, but no
communication through the VPN (no IP?).

I have tried doing a
# ip addr add 172.16.2.3/24  dev eth0 (yes, 255.255.255.0)
# ip route change default dev eth0 src 172.16.2.3

Running route I see a problem for the 172.16.2.0 network (of which the VPN
is a part). Getting:

Destination

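For reference, an added example that is not part of this thread and not Marius's or Paul's configuration: the shape of an Openswan 2.4.x roadwarrior conn that does aggressive mode, XAUTH and ModeCfg against a SonicWall-style GroupVPN, with no leftsubnet (the ModeCfg-assigned address takes its place) and the split-tunnel choice expressed through rightsubnet. The gateway address 203.0.113.1, the group ID "GroupVPN", the remote LAN 172.16.2.0/24, the 3DES/SHA1/modp1024 proposals and the shared secret are all assumptions, not values from the thread:

```ini
# Added example, not from the thread. Assumed values: gateway 203.0.113.1,
# group ID "GroupVPN", remote LAN 172.16.2.0/24, 3des-sha1 with modp1024.
config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn sonicwall
        type=tunnel
        keyexchange=ike
        authby=secret
        aggrmode=yes                 # GroupVPN-style phase 1 uses aggressive mode
        ike=3des-sha1;modp1024       # assumed phase 1 proposal; must match the gateway
        esp=3des-sha1                # assumed phase 2 proposal; must match the gateway
        pfs=no
        left=%defaultroute
        leftid=@GroupVPN             # assumed: group name sent as the IKE ID
        leftxauthclient=yes          # this host answers the XAUTH challenge
        leftmodecfgclient=yes        # this host asks the gateway for a virtual address
        # no leftsubnet: the ModeCfg-assigned address is used instead
        right=203.0.113.1
        rightxauthserver=yes
        rightmodecfgserver=yes
        modecfgpull=yes
        rightsubnet=172.16.2.0/24    # split tunnel: only the remote LAN goes through the VPN
        # rightsubnet=0.0.0.0/0      # alternative: send all traffic through the gateway
        auto=add

# /etc/ipsec.secrets (assumed shared secret):
#   @GroupVPN 203.0.113.1 : PSK "assumed-shared-secret"
```

Bring it up with `ipsec auto --up sonicwall`; with leftxauthclient=yes, Openswan's whack prompts on the terminal for the XAUTH username and password. If phase 1 fails on ID mismatch, the gateway's own IKE identifier may not be its IP address, in which case a matching rightid= has to be set; that value depends on the SonicWall unit and is not something this thread supplies.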
