[Openswan Users] openswan with sonicwall, payload malformed

Marius Schrecker marius at schrecker.org
Wed Oct 3 05:19:52 EDT 2007


Sorry! Incomplete message. Completion follows:

> I've posted a working config in the past. I was never able to get DHCP over
> VPN working at all.
>
> http://lists.openswan.org/pipermail/users/2007-March/012092.html
>
> If you use Ubuntu, do NOT install Racoon. It screwed things up in the
> end and isn't needed as far as I can tell.
>
> On 10/2/07, Marius Schrecker <marius at schrecker.org> wrote:
>>
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > Hello Paul W,
>> >
>> > Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did not
>> > change the behaviour.
>> >
>> > I also tried the modecfgpull=yes ( I also tried adding
>> > leftmodecfgclient=yes ) but no luck with either of these.
>> >
>> > I still see the "Mode Config message is unacceptable..."; This might
>> > indicate that modecfgpull is not going to work?
>> >
>> > ipsec verify asked me to turn off "enforced SElinux mode" which I
>> > also tried.
>> >
>> > I will check the Sonicwall f/w version at work Monday.
>> >
>> > Thanks again for the suggestions;
>> >
>> > PdP
>> >
>> > Paul Wouters wrote:
>> >> On Sat, 29 Sep 2007, paul pantages wrote:
>> >>
>> >>> [root at rigel pdp]# ipsec verify
>> >>> Checking your system to see if IPsec got installed and started correctly:
>> >>> Version check and ipsec on-path                                [OK]
>> >>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
>> >>
>> >> You should upgrade and try this with openswan 2.4.9.
>> >>
>> >>> conn myclient
>> >>>       left=172.16.1.35
>> >>>       leftsubnet=172.16.1.35/32
>> >>
>> >> Leave out the leftsubnet. Otherwise it seems fine.
>> >> You could try adding modecfgpull=yes?
>> >>
>> >>> STATE_MAIN_I3
>> >>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> >>> 003 "myclient" #1: Mode Config message is unacceptable because it is for
>> >>> an incomplete ISAKMP SA (state=STATE_MAIN_I3)
>> >>
>> >> Odd. That might suggest a buggy implementation on the Sonic Wall. Can
>> >> you see if you are running the latest firmware?
>> >>
>> >> Paul
>> >
>> I'm having trouble configuring vpn from OpenSwan to Sonicwall TZ 170
>> fw: 3.1.0.12-86s, so am interested in hearing from anyone who has a
>> working configuration.
>>
>> My problem is that the OpenSwan client doesn't get an IP on the vpn
>> subnet. Was interested to read (above) that "leftsubnet" should be left
>> out.
>>
>> Does anyone have a working config (preferably for an OpenSwan RoadWarrior
>> authenticating against SonicWall OS standard)?
>>
>> Cheers
>>
>> Marius
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
Thanks for the link to the forum thread. I've followed the config as best
I can. Here are the points of divergence:
  -> using Xauth and aggressive mode
  -> "set default route as this gateway" is not available together with
     DefaultRoute 0.0.0.0 in SonicOS standard, therefore not set.
  -> "Allow connections to Split Tunnels" to allow simultaneous internet
     and VPN access

I've tried both with and without leftsubnet in ipsec.my_connection.conf;
leaving it out causes phase 2 to time out.

With leftsubnet in place I get complete authentication, but no
communication through VPN (no IP?)

I have tried doing a
# ip addr add 172.16.2.3/24  dev eth0 (yes, 255.255.255.0)
# ip route change default dev eth0 src 172.16.2.3

Running route I see a problem for the 172.16.2.0 network (of which the VPN is
a part). I get:

Destination    Gateway      Genmask        Flags Metric Ref Use Iface
172.16.2.0     192.168.1.1  255.255.255.0  UG    0      0   0   eth0
172.16.2.0     *            255.255.255.0  U     0      0   0   eth0
192.168.1.0    *            255.255.255.0  U     0      0   0   eth0
loopback       *            255.0.0.0      U     0      0   0   lo
default        *            0.0.0.0        U     0      0   0   eth0


The gateway on the top 172.16.2.0 route is obviously wrong and I'm
guessing that this affects all traffic.

Guessing also that my ipsec.my_connection.conf is setting this:

type=tunnel
# where I am now, used for testing... %default has also worked up to the
# same point
left=192.168.1.109
# where I am now
leftsubnet=192.168.1.0/24
leftid=@GroupVPN
leftxauthclient=yes
# I'm guessing this is the problem. Set to my default gateway in the
# network I'm in now
leftnexthop=192.168.1.1
right=my_Sonicwall_WAN_interface
rightsubnet=172.16.2.0/24
rightid=@my_Sonicwall_ID
rightxauthserver=yes
keyingtries=0
pfs=no
auto=add
auth=esp
esp=3des-sha1-96
ike=3des-sha1-modp1536
xauth=yes
authby=secret
aggrmode=yes


Ipsec 2.4.9, kernel 2.6.22, Gentoo Linux (VM). (I also have an Ubuntu Feisty VM
but have so far failed to start OpenSwan; I haven't found out how to set up
my file paths for ipsec/OpenSwan.)
I'm not (knowingly) using modecfg, as I haven't found a howto yet.
Can anyone cast any more light on this?

Cheers!
Marius
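For comparison, here is an illustrative road-warrior conn assembled from the settings suggested earlier in this thread: no leftsubnet, left=%defaultroute (which also derives leftnexthop, so that keyword goes away), and modecfgpull=yes together with leftmodecfgclient=yes so the client asks the gateway for its virtual address instead of adding one by hand. This is an added example, not a config posted by anyone in the thread or shipped by Openswan, and it has not been tested against a SonicWall. The conn name, the rightmodecfgserver keyword, the ipsec.secrets line and all placeholder values are assumptions; auth=esp and xauth=yes from the posted config are dropped because ESP is the default and the XAUTH roles are already carried by leftxauthclient/rightxauthserver. Two caveats a practitioner should keep in mind: aggressive mode with a pre-shared key sends the PSK-derived hash unencrypted, so anyone who captures the exchange can attack the group PSK offline; and 3DES with MODP1536 is weak by current standards and appears here only because it matches the proposals in the thread.

```conf
# /etc/ipsec.conf (added example; the SonicWall is the XAUTH/ModeCfg
# server, the Openswan road warrior is the client)

# conn name is an assumption
conn sonicwall-rw
    type=tunnel
    # No leftsubnet: the client's own address is the whole "subnet", and
    # the address on the VPN subnet is requested from the gateway via
    # ModeCfg pull rather than added by hand with "ip addr add".
    # %defaultroute also fills in leftnexthop, so it is not set here.
    left=%defaultroute
    leftid=@GroupVPN
    leftxauthclient=yes
    leftmodecfgclient=yes
    modecfgpull=yes
    # placeholders carried over from the thread
    right=my_Sonicwall_WAN_interface
    rightsubnet=172.16.2.0/24
    rightid=@my_Sonicwall_ID
    rightxauthserver=yes
    # assumption: server-side counterpart of leftmodecfgclient
    rightmodecfgserver=yes
    aggrmode=yes
    authby=secret
    ike=3des-sha1-modp1536
    esp=3des-sha1-96
    pfs=no
    keyingtries=0
    auto=add

# /etc/ipsec.secrets (group pre-shared key keyed by the two IDs above;
# the XAUTH user name and password are not stored in this file)
@GroupVPN @my_Sonicwall_ID : PSK "replace-with-the-GroupVPN-shared-secret"
```

Bring it up with ipsec auto --add sonicwall-rw followed by ipsec auto --up sonicwall-rw and check ipsec auto --status for the established SA. Avoid adding the VPN address manually with a /24 prefix as in the post: ip addr add 172.16.2.3/24 dev eth0 installs an on-link route for 172.16.2.0/24 that competes with the route the updown script installs for the tunnel, which is exactly the duplicate pair visible in the route table above.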

