[Openswan Users] openswan with sonicwall, payload malformed

Marius Schrecker marius at schrecker.org
Wed Oct 3 10:04:08 EDT 2007


> Geez. I forgot that xauth ALSO caused that error. Been a while since I went
> down that road.
>
> xauth on Sonicwall does not play well with Openswan. I spent a long time
> trying to get it to work, but never could. I shut it off and it worked.

Aargh! Still no joy. Tried turning off xauth. Same problem as before
except with one less security phase.

So frustrating to get through both phases of the security to be stumped by
something as apparently simple as an IP address.

Cheers!

Marius
>
> If turning off xauth fixes it, try turning DHCP back on and see if that
> works for you. It didn't for me.
>
> On 10/3/07, Marius Schrecker <marius at schrecker.org> wrote:
>>
>> > I've posted a working config in the past. I was never able to get DHCP
>> > over VPN working at all.
>> >
>> > http://lists.openswan.org/pipermail/users/2007-March/012092.html
>> >
>> > If you use Ubuntu, do NOT install Racoon. It screwed things up in the
>> > end and isn't needed as far as I can tell.
>> >
>> > On 10/2/07, Marius Schrecker <marius at schrecker.org> wrote:
>> >>
>> >> > -----BEGIN PGP SIGNED MESSAGE-----
>> >> > Hash: SHA1
>> >> >
>> >> > Hello Paul W,
>> >> >
>> >> > Thank you for the suggestions, unfortunately, upgrading to 2.4.9
>> >> > did not change the behaviour.
>> >> >
>> >> > I also tried the modecfgpull=yes ( I also tried adding
>> >> > leftmodecfgclient=yes ) but no luck with either of these.
>> >> >
>> >> > I still see the "Mode Config message is unacceptable..."; This
>> >> > might indicate that modecfgpull is not going to work?
>> >> >
>> >> > ipsec verify asked me to turn off "enforced SElinux mode" which I
>> >> > also tried.
>> >> >
>> >> > I will check the Sonicwall f/w version at work Monday.
>> >> >
>> >> > Thanks again for the suggestions;
>> >> >
>> >> > PdP
>> >> >
>> >> > Paul Wouters wrote:
>> >> >> On Sat, 29 Sep 2007, paul pantages wrote:
>> >> >>
>> >> >>> [root at rigel pdp]# ipsec verify
>> >> >>> Checking your system to see if IPsec got installed and started
>> >> >>> correctly:
>> >> >>> Version check and ipsec on-path                        [OK]
>> >> >>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
>> >> >>
>> >> >> You should upgrade and try this with openswan 2.4.9.
>> >> >>
>> >> >>> conn myclient
>> >> >>>       left=172.16.1.35
>> >> >>>       leftsubnet=172.16.1.35/32
>> >> >>
>> >> >> Leave out the leftsubnet. Otherwise it seems fine.
>> >> >> You could try adding modecfgpull=yes?
>> >> >>
>> >> >>> STATE_MAIN_I3
>> >> >>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> >> >>> 003 "myclient" #1: Mode Config message is unacceptable because it
>> >> >>> is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
>> >> >>
>> >> >> Odd. That might suggest a buggy implementation on the Sonic
>> >> >> Wall. Can you see if you are running the latest firmware?
>> >> >>
>> >> >> Paul
>> >> >
>> >> I'm having trouble configuring vpn from OpenSwan to Sonicwall TZ 170
>> >> fw: 3.1.0.12-86s, so am interested in hearing from anyone who has a
>> >> working configuration.
>> >>
>> >> My problem is that the OpenSwan client doesn't get an IP on the vpn
>> >> subnet. Was interested to read (above) that "leftsubnet" should be
>> >> left out.
>> >>
>> >> Does anyone have a working config (preferably for an OpenSwan
>> >> RoadWarrior authenticating against SonicWall OS standard)?
>> >>
>> >> Cheers
>> >>
>> >> Marius
>> >> _______________________________________________
>> >> Users at openswan.org
>> >> http://lists.openswan.org/mailman/listinfo/users
>> >> Building and Integrating Virtual Private Networks with Openswan:
>> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>> >>
>> Thanks for the link to the forum thread. I've followed the config as
>> best I can. Here are the points of divergence:
>>   ->using Xauth and agr. mode
>>   ->"set default route as this gateway" not available together with
>>      DefaultRoute 0.0.0.0 in SonicOS standard. Therefore not set.
>>   ->"Allow connections to Split Tunnels" to allow simultaneous internet
>>      and VPN access
>>
>> I've tried both with and without leftsubnet in ipsec.my_connection.conf;
>> leaving it out causes phase 2 to time out.
>>
>> With leftsubnet in place I get complete authentication, but no
>> communication through VPN (no IP?)
>>
>> I have tried doing a
>> # ip addr add 172.16.2.3/24  dev eth0 (yes, 255.255.255.0)
>> # ip route change default dev eth0 src 172.16.2.3
>>
>> Doing a route I see a problem for the 172.16.2.0 network (of which VPN
>> is a part). Getting:
>>
>> Destination
>>
>
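The thread keeps coming back to the same pluto line, "Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)", which says the SonicWall sent a Mode Config exchange before phase 1 had finished. The following is an added example, not code from the thread or from the Openswan project: a small Python parser for pluto status lines that tracks the last negotiation state per connection and flags a Mode Config message that arrived while the ISAKMP SA was still incomplete. The 003/108 lines are taken from the quoted log; the 104/106/004 lines and the "healthy" sample are constructed assumptions about what the surrounding output would look like.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto excerpt quoted in the thread.
# The 104/106 lines are assumptions about what preceded the quoted 108/003 lines.
SAMPLE_LOG_FAILING = """\
104 "myclient" #1: STATE_MAIN_I1: initiate
106 "myclient" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "myclient" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
"""

# Constructed sample of a negotiation that completes phase 1 (assumption about
# a healthy exchange; not taken from the thread).
SAMPLE_LOG_OK = """\
108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "myclient" #1: STATE_MAIN_I4: ISAKMP SA established
"""

# pluto status line: <3-digit code> "<conn>" #<sa number>: <message>
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'\b(STATE_[A-Z0-9_]+)\b')

# Initiator-side states in which the ISAKMP (phase 1) SA is established.
PHASE1_DONE = {"STATE_MAIN_I4", "STATE_AGGR_I2"}


def parse_line(line):
    """Split one pluto status line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Per connection: last state seen, whether phase 1 completed, and whether
    a Mode Config message arrived while the ISAKMP SA was still incomplete."""
    result = defaultdict(lambda: {"last_state": None, "phase1_complete": False,
                                  "premature_modecfg": False, "errors": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a pluto status line; ignore
        conn = result[rec["conn"]]
        msg = rec["msg"]
        states = STATE_RE.findall(msg)
        # A state-transition line starts with the new state name.
        if msg.startswith("STATE_") and states:
            conn["last_state"] = states[0]
            if states[0] in PHASE1_DONE:
                conn["phase1_complete"] = True
        if "Mode Config message is unacceptable" in msg:
            conn["errors"].append(msg)
            # pluto reports the state in "(state=...)"; fall back to the last
            # transition we saw if that suffix is missing.
            reported = states[-1] if states else conn["last_state"]
            if reported not in PHASE1_DONE:
                conn["premature_modecfg"] = True
    return dict(result)


if __name__ == "__main__":
    for name, log in (("failing", SAMPLE_LOG_FAILING), ("ok", SAMPLE_LOG_OK)):
        for conn, info in summarize(log).items():
            print(name, conn, info["last_state"],
                  "phase1_complete=%s premature_modecfg=%s"
                  % (info["phase1_complete"], info["premature_modecfg"]))
```

Run it against the output of `ipsec auto --up myclient` (or the pluto log) to see at a glance whether the peer is pushing Mode Config before the ISAKMP SA exists; a `premature_modecfg` result points at the peer's ordering rather than at the local address or leftsubnet settings discussed above.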