[Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
Peter McGill
petermcgill at goco.net
Fri Apr 25 13:35:13 EDT 2008
Well, I've never worked with XAUTH or a SonicWall specifically, but here are two general suggestions.
1) This might just be an email typo, but...
conn net2
rightsubnet=192.168.2.0
should be
rightsubnet=192.168.2.0/24
Otherwise from the information provided, I cannot see any problems, so...
2) Give us more information.
The output of...
ipsec barf
Preferably in an attachment and not the email body.
Note from man ipsec_barf:
Barf censors its output, replacing keys and secrets with brief checksums to avoid revealing sensitive information.
Also send us the SonicWall configuration information (without keys of course).
As for your firewall question, you need to allow the following in/out connections:
udp/isakmp (proto 17 port 500)
esp (proto 50)
And if using NAT-T
udp/4500 (proto 17 port 4500)
If the firewall is on the same computer as IPsec, then you'll also need to allow
the private tunnelled traffic, i.e. to/from 192.168.1.0/24 and 192.168.2.0/24.
If you're using SNAT or MASQUERADE on your IPsec device, you'll need to exempt
the private tunnelled traffic from that.
If the firewall is on a different computer between IPsec endpoints, then you'll need to
forward the above isakmp, esp and possibly NAT-T inbound to the IPsec router to accept
connections from the other side.
Peter McGill
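The firewall rules listed in the reply above, as an added example that is not part of the original thread: a POSIX shell script that prints (or, with APPLY=1, applies) the iptables rules for both cases Peter describes, the firewall on the IPsec endpoint itself and a separate firewall in front of the IPsec router. The interface name eth0, the two private networks and the 192.168.1.254 router address are assumptions taken from Chris's diagram; the variable and function names are mine, not Openswan's.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables rules Peter lists.
# Assumptions: the public interface is eth0 and the remote private networks are
# the two in Chris's diagram. Adjust WAN_IF and REMOTE_NETS for your own setup.
WAN_IF="${WAN_IF:-eth0}"
REMOTE_NETS="${REMOTE_NETS:-192.168.1.0/24 192.168.2.0/24}"

# Print each rule by default so it can be reviewed; APPLY=1 runs it instead.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Case 1: the firewall runs on the IPsec endpoint itself.
ipsec_endpoint_rules() {
    # IKE/ISAKMP: UDP 500 (protocol 17), both directions
    rule -A INPUT  -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    rule -A OUTPUT -o "$WAN_IF" -p udp --dport 500 -j ACCEPT
    # ESP: IP protocol 50, both directions
    rule -A INPUT  -i "$WAN_IF" -p esp -j ACCEPT
    rule -A OUTPUT -o "$WAN_IF" -p esp -j ACCEPT
    # NAT-T: UDP 4500, both directions (needed when NAT traversal is in use)
    rule -A INPUT  -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    rule -A OUTPUT -o "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    for net in $REMOTE_NETS; do
        # the decrypted, tunnelled private traffic
        rule -A INPUT  -s "$net" -j ACCEPT
        rule -A OUTPUT -d "$net" -j ACCEPT
        # exempt that traffic from SNAT/MASQUERADE: -I puts the ACCEPT ahead of
        # any existing MASQUERADE rule in nat/POSTROUTING
        rule -t nat -I POSTROUTING -d "$net" -j ACCEPT
    done
}

# Case 2: a separate firewall sits between the endpoints and must pass the
# inbound IKE, ESP and NAT-T traffic on to the IPsec router behind it ($1).
ipsec_forward_rules() {
    router="$1"
    rule -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport 500  -j DNAT --to-destination "$router"
    rule -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport 4500 -j DNAT --to-destination "$router"
    rule -t nat -A PREROUTING -i "$WAN_IF" -p esp -j DNAT --to-destination "$router"
    rule -A FORWARD -i "$WAN_IF" -d "$router" -p udp --dport 500  -j ACCEPT
    rule -A FORWARD -i "$WAN_IF" -d "$router" -p udp --dport 4500 -j ACCEPT
    rule -A FORWARD -i "$WAN_IF" -d "$router" -p esp -j ACCEPT
}

# Review the generated rule set (IPSEC_ROUTER is a placeholder taken from the diagram):
ipsec_endpoint_rules
ipsec_forward_rules "${IPSEC_ROUTER:-192.168.1.254}"
```

Run it once without APPLY to read the rules, then with APPLY=1 as root. The nat/POSTROUTING exemption is inserted rather than appended so it takes effect before a MASQUERADE rule that is already in place; on kernels with the iptables policy match you can make that exemption tighter with `-m policy --dir out --pol ipsec` instead of matching on destination alone.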
_____
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Chris Zimmerman
Sent: April 25, 2008 1:00 PM
To: users at openswan.org
Subject: [Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
I'm not trying to be a pest, but I have to get this working:
I have been fighting through this setup for more than a week now and I'm at a brick wall.
My setup:
my.ip-----------{internet}-----1.1.1.1(sonicwall)192.168.1.254========[192.168.1.0/24
[--------[192.168.1.1 (router) 192.168.2.1]----------192.168.2.0/24
I am connected to the internet over an aircard using Ubuntu, so no NAT'ing is in the way on my end. I need to establish a tunnel
from my machine to the sonicwall to gain access to the 192.168.1.0 AND 192.168.2.0
networks. I am using XAUTH on the Sonicwall and it has NAT traverse enabled. I can successfully authenticate and connect to the
192.168.1.0 network and I can ping 192.168.1.1. I can also ping 192.168.2.1
(other interface on the router) but I cannot ping any other IPs on the 2.0 network. This connection is
using the GroupVPN SA on the Standard OS Sonicwall. How do I configure this?
Here's my ipsec.conf config:
config setup

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn net1
    left=my.ip
    leftid=@home
    leftxauthclient=yes
    right=ip.sonicwall (internet)
    rightsubnet=192.168.1.0/24
    rightxauthserver=yes
    rightid=@sonicwall identifier
    <snip auth lines>

conn net2
    left=my.ip
    leftid=@home
    leftxauthclient=yes
    right=ip.sonicwall (internet)
    rightsubnet=192.168.2.0
    rightxauthserver=yes
    rightid=@sonicwall identifier
    <snip auth lines>
I've read through countless mailing lists and google links and the openswan wiki, but I cannot figure out how to get this working.
It has to be a routing issue but I am still unfamiliar with ipsec so I am unsure of what to change.
ANY assistance would be great!!
I would also like to know what, if anything, would need to change for me to connect this tunnel when my machine (laptop) is behind a
firewall, too.
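A check for the rightsubnet typo that Peter's reply flags in conn net2, added here as an example and not part of the original thread: a small shell/awk linter that reads an ipsec.conf and reports any leftsubnet or rightsubnet value written without a prefix length. The function names and the constructed sample configuration (which mirrors the conns in the post, auth lines omitted) are mine; keyword values such as vhost:%priv,%no are left alone because they are not addresses.

```shell
#!/bin/sh
# Added example (not from the thread): flag leftsubnet/rightsubnet values in an
# ipsec.conf that have no "/prefix", e.g. rightsubnet=192.168.2.0 instead of
# rightsubnet=192.168.2.0/24. Without the prefix length the value does not
# describe the 192.168.2.0/24 network, so traffic for the rest of it never
# matches the tunnel.

# Usage: check_subnets /etc/ipsec.conf
# Prints "conn NAME: KEY=VALUE has no prefix length" per offending key and
# returns 1 if any were found, 0 otherwise.
check_subnets() {
    awk '
        # remember which conn section we are in
        /^[ \t]*conn[ \t]+/ { conn = $2; next }
        /^[ \t]*(left|right)subnet[ \t]*=/ {
            split($0, kv, "=")
            key = kv[1]; gsub(/[ \t]/, "", key)
            val = kv[2]; gsub(/[ \t]/, "", val)
            # vhost:/vnet: selectors are keywords, not addresses; skip them
            if (val !~ /\// && val !~ /^(vhost|vnet):/) {
                printf "conn %s: %s=%s has no prefix length\n", conn, key, val
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample (not the poster's full file) written to the path given in $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup

conn net1
    right=ip.sonicwall
    rightsubnet=192.168.1.0/24

conn net2
    right=ip.sonicwall
    rightsubnet=192.168.2.0

conn roadwarriors
    rightsubnet=vhost:%priv,%no
EOF
}

# Lint a real file when one is given on the command line; otherwise lint the
# sample, which deliberately contains the net2 typo.
if [ $# -gt 0 ]; then
    check_subnets "$1"
else
    sample=$(mktemp)
    write_sample_conf "$sample"
    check_subnets "$sample" || echo "(exit status 1: problems found)"
    rm -f "$sample"
fi
```

Run it against /etc/ipsec.conf after editing and before `ipsec restart`; a non-zero exit status makes it easy to wire into whatever script pushes the configuration out.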