[Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
Peter McGill
petermcgill at goco.net
Fri Apr 25 15:29:24 EDT 2008
Only way I know of using openswan is to use xl2tpd.
IPSec doesn't handle virtual IPs.
L2TP does.
That's how Windows IPSec works, it's actually L2TP/IPSec.
L2TP running on top of IPSec for security.
Look for Jacco's docs on setting up l2tp client with ipsec.
Specifically it's recommended to use xl2tpd (from xelerance,
the makers of openswan) with openswan.
Note that I haven't done this myself, so I'm cc'ing the list, in
case someone else has better or more specific advice here.
Note, your openswan version is a little out of date...
I think 2.4.11 is the official stable version.
Peter McGill
_____
From: Chris Zimmerman [mailto:czimmer at wczimmerman.dyndns.org]
Sent: April 25, 2008 3:15 PM
To: petermcgill at goco.net
Subject: Re: [Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
Ah-then that may be the issue. My presence on the remote LAN is with my Internet IP. The other Windows clients that connect to
this VPN using the Sonicwall client are assigned a dynamic address which is on the local LAN (192.168.1.x) and the client also
creates routes at connection time to allow them to navigate through to the 192.168.2.0/24 and other remote networks.
So-how can I assign a "local" ip to my connection? Is this even possible?
Thanks so much again for your help.
On Fri, Apr 25, 2008 at 12:10 PM, Peter McGill <petermcgill at goco.net> wrote:
I cannot see anything wrong here, everything looks correct.
Your connections are connected successfully,
You have not firewall rules blocking traffic,
The routes have been put in by IPSec.
Are you sure it's not a routing problem on the other side of the SonicWall?
Ie) The computers in the 2.0 net and/or their gateway, will need to know to send
Traffic destined for your ip address (68.27..) to the SonicWall (or 1.0 net) for delivery,
And not to their usual internet connection (assuming it isn't the SonicWall.)
Try sniffing the traffic at the lan side of the SonicWall do your tests for 2.0 appear but
Without responses?
Peter McGill
_____________________________________________
From: Chris Zimmerman [ <mailto:czimmer at wczimmerman.dyndns.org> mailto:czimmer at wczimmerman.dyndns.org]
Sent: April 25, 2008 2:27 PM
To: petermcgill at goco.net
Subject: Re: [Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
See attached.
I did scrub the file a bit (to protect the innocent) and the only deviation from my original post/IP's is that my Sonicwall
device is
<http://63.63.63.63> 63.63.63.63 in the output file rather than <http://1.1.1.1> 1.1.1.1. If the scrubbing makes things
more confusing, then I can send the original output to you as well. I wasn't comfortable with sending that info to the whole list.
Thanks!
On Fri, Apr 25, 2008 at 11:23 AM, Peter McGill < <mailto:petermcgill at goco.net> petermcgill at goco.net> wrote:
Other people might appreciate not receiving a large barf, so it may be best to try just me
first, unless I cannot resolve your problem.
Peter McGill
_____
From: Chris Zimmerman [ <mailto:HYPERLINK> mailto:HYPERLINK "mailto:czimmer at wczimmerman.dyndns.org"
\\nczimmer at wczimmerman.dyndns.org]
Sent: April 25, 2008 2:16 PM
To:
<mailto:petermcgill at goco.net> petermcgill at goco.net
Subject: Re: [Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
Would you rather I post the output of ipsec barf on the list or to you directly?
Thanks!
On Fri, Apr 25, 2008 at 10:35 AM, Peter McGill < <mailto:petermcgill at goco.net> petermcgill at goco.net> wrote:
Well I've never worked with XAUTH or a SonicWall specifically, but two general suggestions.
1) This might just be an email typo, but...
conn net2
rightsubnet= <http://192.168.2.0> 192.168.2.0
should be
rightsubnet= <http://192.168.2.0/24> 192.168.2.0/24
Otherwise from the information provided, I cannot see any problems, so...
2) Give us more information.
The output of...
ipsec barf
Preferably in an attachment and not the email body.
Note from man ipsec_barf:
Barf censors its output, replacing keys and secrets with brief check-
sums to avoid revealing sensitive information.
Also send us the SonicWall configuration information (without keys of course).
As for your firewall question, You need to allow the following in/out connections:
udp/isakmp (proto 17 port 500)
esp (proto 50)
And if using NAT-T
udp/4500 (proto 17 port 4500)
If the firewall is on the same computer as IPSec, then you'll also need to allow,
the private tunnelled traffic ie) to/from <http://192.168.1.0/24> 192.168.1.0/24 and <http://192.168.2.0/24> 192.168.2.0/24.
If your using SNAT or MASQUERADE on your IPSec device, you'll need to exempt,
the private tunnelled traffic from that.
If the firewall is on a different computer between IPSec endpoints, then you'll need to
forward the above isakmp, esp and possibly NAT-T inbound to the IPSec router to accept
connections from the other side.
Peter McGill
_____
From: <mailto:users-bounces at openswan.org> users-bounces at openswan.org [ <mailto:HYPERLINK> mailto:HYPERLINK
"mailto:users-bounces at openswan.org" \\nusers-bounces at openswan.org] On Behalf Of Chris Zimmerman
Sent: April 25, 2008 1:00 PM
To:
<mailto:users at openswan.org> users at openswan.org
Subject: [Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
I'm not trying to be a pest, but I have to get this working:
I have been fighting through this setup for more than a week now and I'm at a brick wall.
My setup:
my.ip-----------{internet}----- <http://1.1.1.1> 1.1.1.1(sonicwall) <http://192.168.1.254> 192.168.1.254========[
<http://192.168.1.0/24> 192.168.1.0/24
[--------[ <http://192.168.1.1/>
192.168.1.1(router) <http://192.168.2.1/> 192.168.2.1]---------- <http://192.168.2.0/24> 192.168.2.0/24
I am connected to the internet over an aircard using Ubuntu, so no NAT'ing is in the way on my end. I need to establish a tunnel
from my machine to the sonicwall to gain access to the <http://192.168.1.0/> 192.168.1.0 AND <http://192.168.2.0/> 192.168.2.0
networks. I am using XAUTH on the Sonicwall and it has NAT traverse enabled. I can successfully authenticate and connect to the
<http://192.168.1.0/> 192.168.1.0 network and I can ping <http://192.168.1.1/> 192.168.1.1. I can also ping <http://192.168.2.1/>
192.168.2.1 (other interface on the router) but I cannot ping any other IP's on the 2.0 network. This connection is using the
GroupVPN SA on the Standard OS Sonicwall. How do I configure this?
Here's my ipsec.conf config:
config setup
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
conn net1
left=my.ip
leftid=@home
leftxauthclient=yes
right=ip.sonicwall (internet)
rightsubnet= <http://192.168.1.0/24> 192.168.1.0/24
rightxauthserver=yes
rightid=@sonicwall identifier
<snip auth lines>
conn net2
left=my.ip
leftid=@home
leftxauthclient=yes
right=ip.sonicwall (internet)
rightsubnet= <http://192.168.2.0/> 192.168.2.0
rightxauthserver=yes
rightid=@sonicwall identifier
<snip auth lines>
I've read through countless mailing lists and google links and the openswan wiki, but I cannot figure out how to get this working.
It has to be a routing issue but I am still unfamiliar with ipsec so I am unsure of what to change.
ANY assistance would be great!!
I would also like to know what, if anything, would need to change for me to connect this tunnel when my machine (laptop) is behind a
firewall, too.
<< File: ipsec.barf.output >>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080425/34602edf/attachment-0001.html
More information about the Users
mailing list