[Openswan Users] openswan with sonicwall, payload malformed
marius at schrecker.org
Wed Oct 3 05:19:52 EDT 2007
Sorry! Incomplete message. Completion follows:
> I've posted a working config in the past. I was never able to get DHCP over
> VPN working at all.
> If you use Ubuntu, do NOT install Racoon. It screwed things up in the
> end and isn't needed as far as I can tell.
> On 10/2/07, Marius Schrecker <marius at schrecker.org> wrote:
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> > Hello Paul W,
>> > Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did
>> > change the behaviour.
>> > I also tried the modecfgpull=yes ( I also tried adding
>> > leftmodecfgclient=yes ) but no luck with either of these.
>> > I still see the "Mode Config message is unacceptable..."; this might
>> > indicate that modecfgpull is not going to work?
>> > ipsec verify asked me to turn off "enforced SElinux mode" which I
>> > I will check the Sonicwall f/w version at work Monday.
>> > Thanks again for the suggestions;
>> > PdP
>> > Paul Wouters wrote:
>> >> On Sat, 29 Sep 2007, paul pantages wrote:
>> >>> [root at rigel pdp]# ipsec verify
>> >>> Checking your system to see if IPsec got installed and started
>> >>> Version check and ipsec on-path                            [OK]
>> >>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
>> >> You should upgrade and try this with openswan 2.4.9.
>> >>> conn myclient
>> >>> left=172.16.1.35
>> >>> leftsubnet=172.16.1.35/32
>> >> Leave out the leftsubnet. Otherwise it seems fine.
>> >> You could try adding modecfgpull=yes?
>> >>> STATE_MAIN_I3
>> >>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> >>> 003 "myclient" #1: Mode Config message is unacceptable because it
>> >>> an incomplete ISAKMP SA (state=STATE_MAIN_I3)
>> >> Odd. That might suggest a buggy implementation on the Sonic Wall.
>> >> you see if you are running the latest firmware?
>> >> Paul
>> I'm having trouble configuring vpn from OpenSwan to Sonicwall TZ 170
>> fw: 18.104.22.168-86s, so am interested in hearing from anyone who has a
>> My problem is that the OpenSwan client doesn't get an IP on the vpn
>> subnet. Was interested to read (above) that "leftsubnet" should be left
>> Does anyone have a working config (preferably for an OpenSwan
>> authenticating against SonicWall OS standard?
Thanks for the link to the forum thread. I've followed the config as best
I can. Here are the points of divergence:
->using Xauth and agr. mode
->"set default route as this gateway" not available together with
DefaultRoute 0.0.0.0 in SonicOS standard. Therefore not set.
->"Allow connections to Split Tunnels" to allow simultaneous internet
and VPN access
I've tried both with and without leftsubnet in ipsec.my_connection.conf;
leaving it out causes phase 2 to time out.
With leftsubnet in place I get complete authentication, but no
communication through VPN (no IP?)
I have tried doing a
# ip addr add 172.16.2.3/24 dev eth0 (yes, 255.255.255.0)
# ip route change default dev eth0 src 172.16.2.3
Running route I see a problem for the 172.16.2.0 network (of which the VPN
is a part). Getting:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.2.0      192.168.1.1     255.255.255.0   UG    0      0        0 eth0
172.16.2.0      *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         *               0.0.0.0         U     0      0        0 eth0

The gateway on the top 172.16.2.0 route is obviously wrong and I'm
guessing that this affects all traffic.
Guessing also that my ipsec.my_connection.conf is setting this:
left=192.168.1.109 [where I am now, used for testing... %defaultroute has also
worked up to the same point]
leftsubnet=192.168.1.0/24 [where I am now]
leftnexthop=192.168.1.1 [I'm guessing this is the problem. Set to my
default gateway in the network I'm in now]
Ipsec 2.4.9, kernel 2.6.22, Gentoo linux (VM). (I also have an Ubuntu Feisty VM
but have so far failed to start OpenSwan there; I haven't found out how to set
up my file paths for ipsec/OpenSwan.)
I'm not (knowingly) using modecfg, as I haven't found a howto yet.
Can anyone cast any more light on this?
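A small route-table sanity check, added here as an example and not part of the original thread or of Openswan. It parses the `route` output format pasted above (Destination/Gateway/Genmask/Flags/Metric/Ref/Use/Iface), with the poster's table embedded as constructed sample input, and reports the two things that stand out in that dump: the same prefix (172.16.2.0/24) appearing twice, once via a gateway and once on-link, so that only one of them can ever win a lookup; and, as a second constructed case, a gateway route whose next hop is not inside any connected prefix on its interface. The second sample table and the function names are my own, not anything the poster or Openswan provides.

```python
"""Sanity-check a Linux `route` table dump for road-warrior VPN routing slips.

Added example (not from the mailing-list thread, not Openswan code).
Assumes the plain `route` output format shown in the post.
"""
import ipaddress

# Constructed input: the table the poster pasted, symbolic names kept as-is.
SAMPLE_ROUTE_OUTPUT = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.2.0 192.168.1.1 255.255.255.0 UG 0 0 0 eth0
172.16.2.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default * 0.0.0.0 U 0 0 0 eth0
"""

# Constructed input (hypothetical): a VPN route pointing at a next hop that is
# not on any connected subnet of eth0, so the kernel cannot reach it.
OFFLINK_SAMPLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.2.0 10.0.0.1 255.255.255.0 UG 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
"""

# `route` prints these names instead of addresses when it can resolve them.
SYMBOLIC = {"default": "0.0.0.0", "loopback": "127.0.0.0"}


def parse_route_table(text):
    """Parse `route` output into dicts: network, gateway (None if on-link),
    flags, iface. Order is preserved because it matters for duplicates."""
    routes = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        dest, gw, mask, flags, _metric, _ref, _use, iface = line.split()
        dest = SYMBOLIC.get(dest, dest)
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "*" else ipaddress.ip_address(gw)
        routes.append({"network": network, "gateway": gateway,
                       "flags": flags, "iface": iface})
    return routes


def find_shadowed_prefixes(routes):
    """Return (prefix, first_flags, later_flags) for every prefix that occurs
    more than once. Only one entry can win a lookup for that prefix, and it is
    not necessarily the one you added last; in the poster's table the UG entry
    via the LAN gateway sits ahead of the on-link entry he added by hand."""
    first_seen = {}
    shadowed = []
    for r in routes:
        net = r["network"]
        if net in first_seen:
            shadowed.append((str(net), first_seen[net]["flags"], r["flags"]))
        else:
            first_seen[net] = r
    return shadowed


def find_offlink_gateways(routes):
    """Return the prefixes whose gateway is not inside any connected (no
    gateway, non-default) prefix on the same interface. Such a next hop is
    unreachable, which is the usual symptom of a wrong leftnexthop or of a
    route copied from a different network."""
    findings = []
    for r in routes:
        if r["gateway"] is None:
            continue
        connected = [c["network"] for c in routes
                     if c["gateway"] is None and c["iface"] == r["iface"]
                     and c["network"].prefixlen > 0]
        if not any(r["gateway"] in net for net in connected):
            findings.append(str(r["network"]))
    return findings


if __name__ == "__main__":
    for label, text in (("poster's table", SAMPLE_ROUTE_OUTPUT),
                        ("off-link sample", OFFLINK_SAMPLE)):
        routes = parse_route_table(text)
        print(f"{label}: shadowed={find_shadowed_prefixes(routes)} "
              f"offlink={find_offlink_gateways(routes)}")
```

Run it against a fresh `route` dump after Openswan has brought the connection up; a duplicate prefix or an off-link gateway is the thing to fix before looking at phase 2 again.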