[Openswan Users] openswan with sonicwall, payload malformed

Aaron Kincer kincera at gmail.com
Wed Oct 3 08:34:09 EDT 2007


Geez. I forgot that xauth ALSO caused that error. Been a while since I went
down that road.

xauth on Sonicwall does not play well with Openswan. I spent a long time
trying to get it to work, but never could. I shut it off and it worked.

If turning off xauth fixes it, try turning DHCP back on and see if that works
for you. It didn't for me.

On 10/3/07, Marius Schrecker <marius at schrecker.org> wrote:
>
> > I've posted a working config in the past. I was never able to get DHCP
> > over VPN working at all.
> >
> > http://lists.openswan.org/pipermail/users/2007-March/012092.html
> >
> > If you use Ubuntu, do NOT install Racoon. It screwed things up in the
> > end and isn't needed as far as I can tell.
> >
> > On 10/2/07, Marius Schrecker <marius at schrecker.org> wrote:
> >>
> >> > -----BEGIN PGP SIGNED MESSAGE-----
> >> > Hash: SHA1
> >> >
> >> > Hello Paul W,
> >> >
> >> > Thank you for the suggestions, unfortunately, upgrading to 2.4.9 did
> >> > not change the behaviour.
> >> >
> >> > I also tried the modecfgpull=yes ( I also tried adding
> >> > leftmodecfgclient=yes ) but no luck with either of these.
> >> >
> >> > I still see the "Mode Config message is unacceptable..."; This might
> >> > indicate that modecfgpull is not going to work?
> >> >
> >> > ipsec verify asked me to turn off "enforced SElinux mode" which I
> >> > also tried.
> >> >
> >> > I will check the Sonicwall f/w version at work Monday.
> >> >
> >> > Thanks again for the suggestions;
> >> >
> >> > PdP
> >> >
> >> > Paul Wouters wrote:
> >> >> On Sat, 29 Sep 2007, paul pantages wrote:
> >> >>
> >> >>> [root at rigel pdp]# ipsec verify
> >> >>> Checking your system to see if IPsec got installed and started
> >> >>> correctly:
> >> >>> Version check and ipsec on-path                        [OK]
> >> >>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
> >> >>
> >> >> You should upgrade and try this with openswan 2.4.9.
> >> >>
> >> >>> conn myclient
> >> >>>       left=172.16.1.35
> >> >>>       leftsubnet=172.16.1.35/32
> >> >>
> >> >> Leave out the leftsubnet. Otherwise it seems fine.
> >> >> You could try adding modecfgpull=yes?
> >> >>
> >> >>> STATE_MAIN_I3
> >> >>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> >> >>> 003 "myclient" #1: Mode Config message is unacceptable because it
> >> >>> is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
> >> >>
> >> >> Odd. That might suggest a buggy implementation on the Sonic Wall.
> >> >> Can you see if you are running the latest firmware?
> >> >>
> >> >> Paul
> >> >
> >> I'm having trouble configuring vpn from OpenSwan to Sonicwall TZ 170
> >> fw: 3.1.0.12-86s, so am interested in hearing from anyone who has a
> >> working configuration.
> >>
> >> My problem is that the OpenSwan client doesn't get an IP on the vpn
> >> subnet. Was interested to read (above) that "leftsubnet" should be left
> >> out.
> >>
> >> Does anyone have a working config (preferably for an OpenSwan
> >> RoadWarrior authenticating against SonicWall OS standard)?
> >>
> >> Cheers
> >>
> >> Marius
> >> _______________________________________________
> >> Users at openswan.org
> >> http://lists.openswan.org/mailman/listinfo/users
> >> Building and Integrating Virtual Private Networks with Openswan:
> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >>
> Thanks for the link to the forum thread. I've followed the config as best
> I can. Here are the points of divergence:
>   ->using Xauth and agr. mode
>   ->"set default route as this gateway" not available together with
>      DefaultRoute 0.0.0.0 in SonicOS standard. Therefore not set.
>   ->"Allow connections to Split Tunnels" to allow simultaneous internet
>      and VPN access
>
> I've tried both with and without leftsubnet in ipsec.my_connection.conf;
> leaving it out causes phase 2 to time out.
>
> With leftsubnet in place I get complete authentication, but no
> communication through VPN (no IP?)
>
> I have tried doing a
> # ip addr add 172.16.2.3/24  dev eth0 (yes, 255.255.255.0)
> # ip route change default dev eth0 src 172.16.2.3
>
> Doing a route I see a problem for the 172.16.2.0 network (of which VPN is
> a part). Getting:
>
> Destination
>