[Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues

Peter McGill petermcgill at goco.net
Fri Apr 25 13:35:13 EDT 2008

Well I've never worked with XAUTH or a SonicWall specifically, but two general suggestions.
1) This might just be an email typo, but...
conn net2
should be
Otherwise from the information provided, I cannot see any problems, so...
2) Give us more information.
The output of...
ipsec barf
Preferably in an attachment and not the email body.
Note from man ipsec_barf:
    Barf censors its output, replacing keys and secrets with brief checksums
    to avoid revealing sensitive information.
Also send us the SonicWall configuration information (without keys of course).
As for your firewall question, you need to allow the following in/out connections:
udp/isakmp (proto 17 port 500)
esp (proto 50)
And if using NAT-T
udp/4500 (proto 17 port 4500)
If the firewall is on the same computer as IPSec, then you'll also need to allow
the private tunnelled traffic, ie) to/from and
If you're using SNAT or MASQUERADE on your IPSec device, you'll need to exempt
the private tunnelled traffic from that.
If the firewall is on a different computer between IPSec endpoints, then you'll need to
forward the above isakmp, esp and possibly NAT-T inbound to the IPSec router to accept
connections from the other side.
Peter McGill
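The firewall rules Peter lists above, written out as a small iptables script. This is an added example and not code from the thread or from the Openswan project; the interface name (eth0), the networks (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the inside router address (192.0.2.1) are constructed placeholders, since the real addresses were redacted in the mail. It covers the three cases in one place: the IKE/ESP/NAT-T ports on the IPsec host, the decrypted tunnel traffic and its exemption from MASQUERADE when the firewall runs on the same box, and the DNAT forwarding when a separate firewall sits between the peers. The `-m policy --pol ipsec` match is a real iptables match (xt_policy) and goes slightly beyond the mail: it restricts the private-address rules to packets that actually came out of or go into an IPsec SA.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables rules for the three
# firewall cases described in the reply. Interface names and networks are
# constructed placeholders (the real addresses were redacted in the mail).
WAN_IF="${WAN_IF:-eth0}"                        # assumed internet-facing interface
LOCAL_NET="${LOCAL_NET:-192.0.2.0/24}"          # assumed LAN behind the Openswan box
REMOTE_NET1="${REMOTE_NET1:-198.51.100.0/24}"   # assumed SonicWall-side network (net1)
REMOTE_NET2="${REMOTE_NET2:-203.0.113.0/24}"    # assumed SonicWall-side network (net2)
IPSEC_ROUTER="${IPSEC_ROUTER:-192.0.2.1}"       # assumed inside IPsec router (case 3)
NAT_T="${NAT_T:-1}"                             # 1 when NAT traversal is in use
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print the rules, 0 = apply them

# Print (default) or apply one iptables command.
rule() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Case 1: the packets the IKE/IPsec peers exchange: udp/500 (isakmp), ESP
# (IP protocol 50) and, only with NAT-T, udp/4500. Pluto sends from ports 500
# and 4500, so the OUTPUT rules match on the source port.
ike_esp_rules() {
    rule -A INPUT  -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    rule -A OUTPUT -o "$WAN_IF" -p udp --sport 500 -j ACCEPT
    rule -A INPUT  -i "$WAN_IF" -p esp -j ACCEPT
    rule -A OUTPUT -o "$WAN_IF" -p esp -j ACCEPT
    if [ "$NAT_T" = 1 ]; then
        rule -A INPUT  -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
        rule -A OUTPUT -o "$WAN_IF" -p udp --sport 4500 -j ACCEPT
    fi
}

# Case 2: firewall on the IPsec host itself. Decrypted packets pass INPUT and
# FORWARD a second time with private addresses, so accept them, but only when
# the policy match confirms they came out of (or go into) an IPsec SA; that
# keeps plaintext packets with spoofed private sources on WAN_IF out.
# Tunnelled traffic is exempted from MASQUERADE with -I so the exemption sits
# above the MASQUERADE rule: a rewritten source address no longer matches the
# policy the SA was negotiated for, and the packet would leave in the clear.
tunnel_traffic_rules() {
    for net in "$REMOTE_NET1" "$REMOTE_NET2"; do
        rule -A INPUT   -s "$net" -m policy --dir in --pol ipsec -j ACCEPT
        rule -A OUTPUT  -d "$net" -m policy --dir out --pol ipsec -j ACCEPT
        rule -A FORWARD -s "$net" -d "$LOCAL_NET" -m policy --dir in --pol ipsec -j ACCEPT
        rule -A FORWARD -s "$LOCAL_NET" -d "$net" -m policy --dir out --pol ipsec -j ACCEPT
        rule -t nat -I POSTROUTING -s "$LOCAL_NET" -d "$net" -m policy --dir out --pol ipsec -j ACCEPT
    done
    rule -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Forward one inbound UDP port to the IPsec router and let it through FORWARD.
forward_udp() {
    rule -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$1" -j DNAT --to-destination "$IPSEC_ROUTER"
    rule -A FORWARD -i "$WAN_IF" -p udp --dport "$1" -d "$IPSEC_ROUTER" -j ACCEPT
}

# Case 3: a separate firewall between the peers. Forward inbound isakmp, ESP
# and (with NAT-T) udp/4500 to the IPsec router so it can accept connections
# from the far side. ESP has no ports, so its DNAT rewrites only the address.
forward_to_ipsec_router_rules() {
    forward_udp 500
    if [ "$NAT_T" = 1 ]; then forward_udp 4500; fi
    rule -t nat -A PREROUTING -i "$WAN_IF" -p esp -j DNAT --to-destination "$IPSEC_ROUTER"
    rule -A FORWARD -i "$WAN_IF" -p esp -d "$IPSEC_ROUTER" -j ACCEPT
}

# "host": firewall on the IPsec box (cases 1 and 2); "firewall": a separate
# box between the peers (case 3). Set DRY_RUN=0 to apply instead of print.
main() {
    case "${1:-host}" in
        host)     ike_esp_rules; tunnel_traffic_rules ;;
        firewall) forward_to_ipsec_router_rules ;;
        *)        echo "usage: $0 [host|firewall]" >&2; return 1 ;;
    esac
}
main "$@"
```

Run it without arguments to print the rule set for an IPsec host that runs its own firewall, or with `firewall` for a box in front of the IPsec router; override the variables in the environment to match the real networks. The `-I` on the nat exemption is deliberate: a plain `-A` placed after an existing MASQUERADE rule would never be reached.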


From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Chris Zimmerman
Sent: April 25, 2008 1:00 PM
To: users at openswan.org
Subject: [Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues

I'm not trying to be a pest, but I have to get this working:

I have been fighting through this setup for more than a week now and I'm at a brick wall.  

My setup:


<> (router) <> ]----------

I am connected to the internet over an aircard using Ubuntu, so no NAT'ing is in the way on my end. I need to establish a tunnel
from my machine to the sonicwall to gain access to the <> AND <>
networks. I am using XAUTH on the Sonicwall and it has NAT traverse enabled. I can successfully authenticate and connect to the <> network and I can ping <>. I can also ping
<> (other interface on the router) but I cannot ping any other IPs on the 2.0 network. This connection is
using the GroupVPN SA on the Standard OS Sonicwall. How do I configure this?

Here's my ipsec.conf config:

config setup

conn block
conn private
conn private-or-clear
conn clear-or-private
conn clear
conn packetdefault

conn net1
     right=ip.sonicwall (internet)
     rightid=@sonicwall identifier
     <snip auth lines>

conn net2
     right=ip.sonicwall (internet)
     rightsubnet= <> 
     rightid=@sonicwall identifier
     <snip auth lines>

I've read through countless mailing lists and google links and the openswan wiki, but I cannot figure out how to get this working.
It has to be a routing issue but I am still unfamiliar with ipsec so I am unsure of what to change.

ANY assistance would be great!!

I would also like to know what, if anything, would need to change for me to connect this tunnel when my machine (laptop) is behind a
firewall, too.
