[Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues

Chris Zimmerman czimmer at wczimmerman.dyndns.org
Fri Apr 25 16:17:34 EDT 2008


The remote Sonicwall doesn't support L2TP (from what I can tell in the
administration).  Is there a way that I can "fake" the IP stack out to use a
remote IP locally?  Perhaps with some sort of smoke and mirrors with tun/tap
devices and some hard routes (proxy arp,too)?  I have tried doing device
aliases but that does not seem to work (i.e. if my internet device is ppp0,
configuring a ppp0:0 with 192.168.1.152/24).

From what I can tell with the feedback I've been given, this issue looks
like a routing problem on the devices on the 192.168.2.0 network.  In other
words, if I try to ping 192.168.2.85 the device cannot reply back to me
because I'm connected with my internet address and the device will try to
reply using its normal default gw.

Grasping at straws here...

On Fri, Apr 25, 2008 at 12:29 PM, Peter McGill <petermcgill at goco.net> wrote:

> Only way I know of using openswan is to use xl2tpd.
> IPSec doesn't handle virtual IPs.
> L2TP does.
> That's how Windows IPSec works, it's actually L2TP/IPSec.
> L2TP running on top of IPSec for security.
> Look for Jacco's docs on setting up l2tp client with ipsec.
> Specifically it's recommended to use xl2tpd (from xelerance,
> the makers of openswan) with openswan.
> Note that I haven't done this myself, so I'm cc'ing the list, in
> case someone else has better or more specific advice here.
>
> Note, your openswan version is a little out of date...
> I think 2.4.11 is the official stable version.
>
> Peter McGill
>
>
> ------------------------------
> From: Chris Zimmerman [mailto:czimmer at wczimmerman.dyndns.org]
> Sent: April 25, 2008 3:15 PM
> To: petermcgill at goco.net
> Subject: Re: [Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
>
> Ah, then that may be the issue.  My presence on the remote LAN is with my
> Internet IP.  The other Windows clients that connect to this VPN using the
> Sonicwall client are assigned a dynamic address which is on the local LAN
> (192.168.1.x) and the client also creates routes at connection time to allow
> them to navigate through to the 192.168.2.0/24 and other remote networks.
>
>
> So, how can I assign a "local" ip to my connection?  Is this even possible?
>
>
> Thanks so much again for your help.
>
> On Fri, Apr 25, 2008 at 12:10 PM, Peter McGill <petermcgill at goco.net>
> wrote:
>
>> I cannot see anything wrong here, everything looks correct.
>> Your connections are connected successfully,
>> You have no firewall rules blocking traffic,
>> The routes have been put in by IPSec.
>> Are you sure it's not a routing problem on the other side of the
>> SonicWall?
>> I.e. the computers in the 2.0 net and/or their gateway will need to know
>> to send traffic destined for your ip address (68.27..) to the SonicWall
>> (or 1.0 net) for delivery, and not to their usual internet connection
>> (assuming it isn't the SonicWall.)
>> Try sniffing the traffic at the LAN side of the SonicWall: do your tests
>> for 2.0 appear, but without responses?
>>
>> Peter McGill
>>
>>
>>    _____________________________________________
>>    From: Chris Zimmerman [mailto:czimmer at wczimmerman.dyndns.org]
>>    Sent: April 25, 2008 2:27 PM
>>    To: petermcgill at goco.net
>>    Subject: Re: [Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
>>
>>    See attached.
>>
>>    I did scrub the file a bit (to protect the innocent) and the only
>>    deviation from my original post/IPs is that my Sonicwall device is
>>    63.63.63.63 in the output file rather than 1.1.1.1.  If the scrubbing
>>    makes things more confusing, then I can send the original output to you
>>    as well.  I wasn't comfortable with sending that info to the whole list.
>>
>>    Thanks!
>>
>>
>>
>>
>>    On Fri, Apr 25, 2008 at 11:23 AM, Peter McGill <petermcgill at goco.net>
>>    wrote:
>>
>>       Other people might appreciate not receiving a large barf, so it may
>>       be best to try just me
>>       first, unless I cannot resolve your problem.
>>
>>       Peter McGill
>>
>>
>>       _____
>>
>>          From: Chris Zimmerman [mailto:czimmer at wczimmerman.dyndns.org]
>>          Sent: April 25, 2008 2:16 PM
>>          To: petermcgill at goco.net
>>          Subject: Re: [Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
>>
>>
>>          Would you rather I post the output of ipsec barf on the list or
>>          to you directly?
>>
>>          Thanks!
>>
>>
>>          On Fri, Apr 25, 2008 at 10:35 AM, Peter McGill <petermcgill at goco.net> wrote:
>>
>>             Well I've never worked with XAUTH or a SonicWall
>>             specifically, but two general suggestions.
>>             1) This might just be an email typo, but...
>>             conn net2
>>                 rightsubnet=192.168.2.0
>>             should be
>>                 rightsubnet=192.168.2.0/24
>>
>>             Otherwise from the information provided, I cannot see any
>>             problems, so...
>>             2) Give us more information.
>>             The output of...
>>             ipsec barf
>>             Preferably in an attachment and not the email body.
>>             Note from man ipsec_barf:
>>
>>                 Barf censors its output, replacing keys and secrets
>>                 with brief checksums to avoid revealing sensitive information.
>>             Also send us the SonicWall configuration information (without
>>             keys of course).
>>
>>             As for your firewall question, you need to allow the
>>             following in/out connections:
>>             udp/isakmp (proto 17 port 500)
>>             esp (proto 50)
>>             And if using NAT-T
>>             udp/4500 (proto 17 port 4500)
>>             If the firewall is on the same computer as IPSec, then you'll
>>             also need to allow the private tunnelled traffic, i.e. to/from
>>             192.168.1.0/24 and 192.168.2.0/24.
>>             If you're using SNAT or MASQUERADE on your IPSec device, you'll
>>             need to exempt the private tunnelled traffic from that.
>>             If the firewall is on a different computer between IPSec
>>             endpoints, then you'll need to forward the above isakmp, esp
>>             and possibly NAT-T inbound to the IPSec router to accept
>>             connections from the other side.
>>
>>             Peter McGill
>>
>>
>>             _____
>>
>>                From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Chris Zimmerman
>>                Sent: April 25, 2008 1:00 PM
>>                To: users at openswan.org
>>                Subject: [Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
>>
>>
>>                I'm not trying to be a pest, but I have to get this
>>                working:
>>
>>                I have been fighting through this setup for more than a
>>                week now and I'm at a brick wall.
>>
>>                My setup:
>>
>>                my.ip-----------{internet}-----1.1.1.1 (sonicwall) 192.168.1.254========[192.168.1.0/24
>>
>>                [--------[192.168.1.1 (router) 192.168.2.1]----------192.168.2.0/24
>>
>>
>>                I am connected to the internet over an aircard using
>>                Ubuntu, so no NAT'ing is in the way on my end.  I need to establish a tunnel
>>                from my machine to the sonicwall to gain access to the
>>                192.168.1.0 AND 192.168.2.0 networks.  I am using XAUTH on the Sonicwall
>>                and it has NAT traverse enabled.  I can successfully authenticate and
>>                connect to the 192.168.1.0 network and I can ping 192.168.1.1.  I can
>>                also ping 192.168.2.1 (other interface on the router) but I cannot ping
>>                any other IPs on the 2.0 network.  This connection is using the GroupVPN
>>                SA on the Standard OS Sonicwall.  How do I configure this?
>>
>>                Here's my ipsec.conf config:
>>
>>                config setup
>>
>>                conn block
>>                    auto=ignore
>>                conn private
>>                    auto=ignore
>>                conn private-or-clear
>>                    auto=ignore
>>                conn clear-or-private
>>                    auto=ignore
>>                conn clear
>>                    auto=ignore
>>                conn packetdefault
>>                    auto=ignore
>>
>>                conn net1
>>                     left=my.ip
>>                     leftid=@home
>>                     leftxauthclient=yes
>>                     right=ip.sonicwall (internet)
>>                     rightsubnet=192.168.1.0/24
>>                     rightxauthserver=yes
>>                     rightid=@sonicwall identifier
>>                     <snip auth lines>
>>
>>
>>                conn net2
>>                     left=my.ip
>>                     leftid=@home
>>                     leftxauthclient=yes
>>                     right=ip.sonicwall (internet)
>>                     rightsubnet=192.168.2.0
>>                     rightxauthserver=yes
>>                     rightid=@sonicwall identifier
>>                     <snip auth lines>
>>
>>                I've read through countless mailing lists and google links
>>                and the openswan wiki, but I cannot figure out how to get this working.  It
>>                has to be a routing issue but I am still unfamiliar with ipsec so I am
>>                unsure of what to change.
>>
>>                ANY assistance would be great!!
>>
>>                I would also like to know what, if anything, would need to
>>                change for me to connect this tunnel when my machine (laptop) is behind a
>>                firewall, too.
>>
>>
>>                << File: ipsec.barf.output >>
>>
>>
>
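A small checker for the ipsec.conf slip Peter points out above (rightsubnet=192.168.2.0 with no /24), added here as an example; it is not code from this thread or from Openswan, and the sample conf below, including the 63.63.63.63 placeholder address, is constructed for the demonstration.

```python
import ipaddress

# Constructed sample modelled on the thread's ipsec.conf (not a real host);
# net2 carries the bug from the thread: rightsubnet without a /24.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn net1
    right=63.63.63.63
    rightsubnet=192.168.1.0/24

conn net2
    right=63.63.63.63
    rightsubnet=192.168.2.0
"""

def parse_ipsec_conf(text):
    """Return {"conn net1": {key: value}, ...}; headers are unindented lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                     # 'conn X' / 'config setup'
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def subnet_problems(sections):
    """Flag leftsubnet/rightsubnet values that are invalid or lack a prefix."""
    problems = []
    for name, conf in sections.items():
        for key in ("leftsubnet", "rightsubnet"):
            value = conf.get(key)
            if value is None:
                continue
            try:
                ipaddress.ip_network(value, strict=True)  # rejects host bits set
            except ValueError as exc:
                problems.append(f"{name}: {key}={value} is invalid ({exc})")
                continue
            if "/" not in value:   # ip_network('192.168.2.0') silently means /32
                problems.append(f"{name}: {key}={value} has no prefix length")
    return problems
```

Running `subnet_problems(parse_ipsec_conf(open("/etc/ipsec.conf").read()))` on a real file reports each offending conn by name before the tunnel is brought up.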