[Openswan Users] openswan with sonicwall, payload malformed

Aaron Kincer kincera at gmail.com
Wed Oct 3 10:16:23 EDT 2007


Can you send me the log when you try to initiate a tunnel? Sanitize it if
you need to.

On 10/3/07, Marius Schrecker <marius at schrecker.org> wrote:
>
> > Geez. I forgot that xauth ALSO caused that error. Been a while since I went down that road.
> >
> > xauth on Sonicwall does not play well with Openswan. I spent a long time
> > trying to get it to work, but never could. I shut it off and it worked.
>
> Aargh! Still no joy. Tried turning off xauth. Same problem as before
> except with one less security phase.
>
> So frustrating to get through both phases of the security to be stumped by
> something as apparently simple as an IP address.
>
> Cheers!
>
> Marius
> >
> > If turning off xauth fixes it, try turning DHCP back on and see if that works for you. It didn't for me.
> >
> > On 10/3/07, Marius Schrecker <marius at schrecker.org> wrote:
> >>
> >> > I've posted a working config in the past. I was never able to get DHCP over VPN working at all.
> >> >
> >> > http://lists.openswan.org/pipermail/users/2007-March/012092.html
> >> >
> >> > If you use Ubuntu, do NOT install Racoon. It screwed things up in the end and isn't needed as far as I can tell.
> >> >
> >> > On 10/2/07, Marius Schrecker <marius at schrecker.org> wrote:
> >> >>
> >> >> > -----BEGIN PGP SIGNED MESSAGE-----
> >> >> > Hash: SHA1
> >> >> >
> >> >> > Hello Paul W,
> >> >> >
> >> >> > Thank you for the suggestions; unfortunately, upgrading to 2.4.9 did not change the behaviour.
> >> >> >
> >> >> > I also tried modecfgpull=yes (I also tried adding leftmodecfgclient=yes), but no luck with either of these.
> >> >> >
> >> >> > I still see the "Mode Config message is unacceptable..."; this might indicate that modecfgpull is not going to work?
> >> >> >
> >> >> > ipsec verify asked me to turn off "enforced SELinux mode", which I also tried.
> >> >> >
> >> >> > I will check the Sonicwall f/w version at work Monday.
> >> >> >
> >> >> > Thanks again for the suggestions;
> >> >> >
> >> >> > PdP
> >> >> >
> >> >> > Paul Wouters wrote:
> >> >> >> On Sat, 29 Sep 2007, paul pantages wrote:
> >> >> >>
> >> >> >>> [root at rigel pdp]# ipsec verify
> >> >> >>> Checking your system to see if IPsec got installed and started correctly:
> >> >> >>> Version check and ipsec on-path                         [OK]
> >> >> >>> Linux Openswan U2.4.5/K2.6.20-1.2962.fc6 (netkey)
> >> >> >>
> >> >> >> You should upgrade and try this with openswan 2.4.9.
> >> >> >>
> >> >> >>> conn myclient
> >> >> >>>       left=172.16.1.35
> >> >> >>>       leftsubnet=172.16.1.35/32
> >> >> >>
> >> >> >> Leave out the leftsubnet. Otherwise it seems fine.
> >> >> >> You could try adding modecfgpull=yes?
> >> >> >>
> >> >> >>> STATE_MAIN_I3
> >> >> >>> 108 "myclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> >> >> >>> 003 "myclient" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
> >> >> >>
> >> >> >> Odd. That might suggest a buggy implementation on the SonicWall. Can you see if you are running the latest firmware?
> >> >> >>
> >> >> >> Paul
> >> >> >
> >> >> I'm having trouble configuring VPN from OpenSwan to Sonicwall TZ 170 fw: 3.1.0.12-86s, so am interested in hearing from anyone who has a working configuration.
> >> >>
> >> >> My problem is that the OpenSwan client doesn't get an IP on the VPN subnet. Was interested to read (above) that "leftsubnet" should be left out.
> >> >>
> >> >> Does anyone have a working config (preferably for an OpenSwan RoadWarrior authenticating against SonicWall OS standard)?
> >> >>
> >> >> Cheers
> >> >>
> >> >> Marius
> >> >> _______________________________________________
> >> >> Users at openswan.org
> >> >> http://lists.openswan.org/mailman/listinfo/users
> >> >> Building and Integrating Virtual Private Networks with Openswan:
> >> >>
> >>
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >> >>
> >> Thanks for the link to the forum thread. I've followed the config as best I can. Here are the points of divergence:
> >>   ->using Xauth and agr. mode
> >>   ->"set default route as this gateway" not available together with
> >>      DefaultRoute 0.0.0.0 in SonicOS standard. Therefore not set.
> >>   ->"Allow connections to Split Tunnels" to allow simultaneous internet
> >>      and VPN access
> >>
> >> I've tried both with and without leftsubnet in ipsec.my_connection.conf; leaving it out causes phase 2 to time out.
> >>
> >> With leftsubnet in place I get complete authentication, but no
> >> communication through VPN (no IP?)
> >>
> >> I have tried doing a
> >> # ip addr add 172.16.2.3/24 dev eth0 (yes, 255.255.255.0)
> >> # ip route change default dev eth0 src 172.16.2.3
> >>
> >> Doing a route I see a problem for the 172.16.2.0 network (of which VPN is a part). Getting:
> >>
> >> Destination
> >>
> >
>
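As an added illustration, not posted by anyone in this thread and not a verified working setup: an annotated Openswan 2.4.x ipsec.conf skeleton that assembles the options discussed above (aggressive mode with XAUTH, ModeConfig pull via modecfgpull=yes and leftmodecfgclient=yes, and leftsubnet omitted as Paul suggested). The gateway address, the group identity, the IKE/ESP proposal and the virtual_private ranges are placeholders or assumptions that have to be matched to the actual SonicWall settings.

```ini
# Added example, not from this thread: Openswan 2.4.x road-warrior skeleton
# gathering the options the posters mention. Values marked PLACEHOLDER or
# "assumed" must be replaced; nothing here was confirmed against a SonicWall.
config setup
        nat_traversal=yes
        # Private ranges that may sit behind NAT on either side (assumed values)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn myclient
        # Client (left) side. No leftsubnet: with ModeConfig the address the
        # gateway assigns becomes this end's endpoint, as suggested in the thread.
        left=%defaultroute
        leftid=@GROUPNAME_PLACEHOLDER        # SonicWall group/identity, placeholder
        leftxauthclient=yes                  # this end supplies XAUTH credentials
        leftmodecfgclient=yes                # this end accepts a ModeConfig address
        modecfgpull=yes                      # request the address (pull) rather than wait
        # Gateway (right) side
        right=GATEWAY_IP_PLACEHOLDER
        rightxauthserver=yes
        rightmodecfgserver=yes
        rightsubnet=172.16.2.0/24            # VPN-side network named in the thread
        aggrmode=yes                         # aggressive mode, as the poster's SonicWall uses
        authby=secret                        # pre-shared key held in ipsec.secrets
        ike=3des-sha1;modp1024               # assumed proposal; must match the SonicWall
        esp=3des-sha1                        # assumed proposal; must match the SonicWall
        pfs=no                               # assumed; set to match the gateway's phase 2
        auto=add
```

The pre-shared key goes in ipsec.secrets in the usual `%any GATEWAY_IP_PLACEHOLDER : PSK "..."` form, and the XAUTH username and password are supplied when the tunnel is brought up with `ipsec auto --up myclient`. After phase 2 completes, `ip route` (or `ip route get 172.16.2.1`) should show traffic for 172.16.2.0/24 leaving via the assigned address; if it still uses the original interface address, the ModeConfig assignment did not take, which is the symptom described above.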

