[Openswan Users] Anyone? Anyone? "Roadwarrior" to SonicWall VPNrouting issues
Chris Zimmerman
czimmer at wczimmerman.dyndns.org
Fri Apr 25 19:07:33 EDT 2008
What is the method of using static IPs for VPN clients? Since DHCP clients
are not well supported, how can I assign my IP once the tunnel is
established?
Surely someone has run into this issue...
On Fri, Apr 25, 2008 at 1:17 PM, Chris Zimmerman <
czimmer at wczimmerman.dyndns.org> wrote:
> The remote Sonicwall doesn't support L2TP (from what I can tell in the
> administration). Is there a way that I can "fake" the IP stack out to use a
> remote IP locally? Perhaps with some sort of smoke and mirrors with tun/tap
> devices and some hard routes (proxy arp,too)? I have tried doing device
> aliases but that does not seem to work (i.e. if my internet device is ppp0,
> configuring a ppp0:0 with 192.168.1.152/24).
>
> From what I can tell with the feedback I've been given, this issue looks
> like a routing problem on the devices on the 192.168.2.0 network. In
> other words, if I try to ping 192.168.2.85 the device cannot reply back to
> me because I'm connected with my internet address and the device will try to
> reply using its normal default gw.
>
> Grasping at straws here...
>
>
> On Fri, Apr 25, 2008 at 12:29 PM, Peter McGill <petermcgill at goco.net>
> wrote:
>
>> Only way I know of using openswan is to use xl2tpd.
>> IPSec doesn't handle virtual IPs.
>> L2TP does.
>> That's how Windows IPSec works, it's actually L2TP/IPSec.
>> L2TP running on top of IPSec for security.
>> Look for Jacco's docs on setting up l2tp client with ipsec.
>> Specifically it's recommended to use xl2tpd (from xelerance,
>> the makers of openswan) with openswan.
>> Note that I haven't done this myself, so I'm cc'ing the list, in
>> case someone else has better or more specific advice here.
>>
>> Note, your openswan version is a little out of date...
>> I think 2.4.11 is the official stable version.
>>
>> Peter McGill
>>
>>
>> ------------------------------
>> From: Chris Zimmerman [mailto:czimmer at wczimmerman.dyndns.org]
>> Sent: April 25, 2008 3:15 PM
>> To: petermcgill at goco.net
>> Subject: Re: [Openswan Users] Anyone? Anyone? "Roadwarrior" to
>> SonicWall VPNrouting issues
>>
>> Ah-then that may be the issue. My presence on the remote LAN is with my
>> Internet IP. The other Windows clients that connect to this VPN using the
>> Sonicwall client are assigned a dynamic address which is on the local LAN
>> (192.168.1.x) and the client also creates routes at connection time to allow
>> them to navigate through to the 192.168.2.0/24 and other remote
>> networks.
>>
>> So-how can I assign a "local" ip to my connection? Is this even
>> possible?
>>
>> Thanks so much again for your help.
>>
>> On Fri, Apr 25, 2008 at 12:10 PM, Peter McGill <petermcgill at goco.net>
>> wrote:
>>
>>> I cannot see anything wrong here, everything looks correct.
>>> Your connections are connected successfully,
>>> You have no firewall rules blocking traffic,
>>> The routes have been put in by IPSec.
>>> Are you sure it's not a routing problem on the other side of the
>>> SonicWall?
>>> Ie) The computers in the 2.0 net and/or their gateway will need to know
>>> to send traffic destined for your ip address (68.27..) to the SonicWall (or 1.0
>>> net) for delivery, and not to their usual internet connection (assuming it isn't the
>>> SonicWall.)
>>> Try sniffing the traffic at the LAN side of the SonicWall: do your tests
>>> for 2.0 appear but without responses?
>>>
>>> Peter McGill
>>>
>>>
>>> _____________________________________________
>>> From: Chris Zimmerman [mailto:czimmer at wczimmerman.dyndns.org]
>>> Sent: April 25, 2008 2:27 PM
>>> To: petermcgill at goco.net
>>> Subject: Re: [Openswan Users] Anyone? Anyone? "Roadwarrior"
>>> to SonicWall VPNrouting issues
>>>
>>> See attached.
>>>
>>> I did scrub the file a bit (to protect the innocent) and the only
>>> deviation from my original post/IPs is that my Sonicwall device is
>>> 63.63.63.63 in the output file rather than 1.1.1.1. If the scrubbing makes things more
>>> confusing, then I can send the original output to you as well. I wasn't
>>> comfortable with sending that info to the whole list.
>>>
>>> Thanks!
>>>
>>>
>>>
>>>
>>> On Fri, Apr 25, 2008 at 11:23 AM, Peter McGill <petermcgill at goco.net> wrote:
>>>
>>> Other people might appreciate not receiving a large barf, so it
>>> may be best to try just me
>>> first, unless I cannot resolve your problem.
>>>
>>> Peter McGill
>>>
>>>
>>> _____
>>>
>>> From: Chris Zimmerman [mailto:czimmer at wczimmerman.dyndns.org]
>>> Sent: April 25, 2008 2:16 PM
>>> To: petermcgill at goco.net
>>> Subject: Re: [Openswan Users] Anyone? Anyone? "Roadwarrior"
>>> to SonicWall VPNrouting issues
>>>
>>>
>>> Would you rather I post the output of ipsec barf on the list or
>>> to you directly?
>>>
>>> Thanks!
>>>
>>>
>>> On Fri, Apr 25, 2008 at 10:35 AM, Peter McGill <petermcgill at goco.net> wrote:
>>>
>>> Well I've never worked with XAUTH or a SonicWall
>>> specifically, but two general suggestions.
>>> 1) This might just be an email typo, but...
>>> conn net2
>>>     rightsubnet=192.168.2.0
>>> should be
>>>     rightsubnet=192.168.2.0/24
>>>
>>> Otherwise from the information provided, I cannot see any
>>> problems, so...
>>> 2) Give us more information.
>>> The output of...
>>> ipsec barf
>>> Preferably in an attachment and not the email body.
>>> Note from man ipsec_barf:
>>>
>>> Barf censors its output, replacing keys and secrets
>>> with brief checksums to avoid revealing sensitive information.
>>> Also send us the SonicWall configuration information
>>> (without keys of course).
>>>
>>> As for your firewall question, You need to allow the
>>> following in/out connections:
>>> udp/isakmp (proto 17 port 500)
>>> esp (proto 50)
>>> And if using NAT-T
>>> udp/4500 (proto 17 port 4500)
>>> If the firewall is on the same computer as IPSec, then
>>> you'll also need to allow,
>>> the private tunnelled traffic ie) to/from 192.168.1.0/24 and
>>> 192.168.2.0/24.
>>> If you're using SNAT or MASQUERADE on your IPSec device,
>>> you'll need to exempt
>>> the private tunnelled traffic from that.
>>> If the firewall is on a different computer between IPSec
>>> endpoints, then you'll need to
>>> forward the above isakmp, esp and possibly NAT-T inbound to
>>> the IPSec router to accept
>>> connections from the other side.
>>>
>>> Peter McGill
>>>
>>>
>>> _____
>>>
>>> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Chris
>>> Zimmerman
>>> Sent: April 25, 2008 1:00 PM
>>> To: users at openswan.org
>>> Subject: [Openswan Users] Anyone? Anyone? "Roadwarrior"
>>> to SonicWall VPNrouting issues
>>>
>>>
>>> I'm not trying to be a pest, but I have to get this
>>> working:
>>>
>>> I have been fighting through this setup for more than a
>>> week now and I'm at a brick wall.
>>>
>>> My setup:
>>>
>>> my.ip-----------{internet}-----1.1.1.1 (sonicwall) 192.168.1.254 ========[192.168.1.0/24
>>>
>>>                                [--------[192.168.1.1 (router) 192.168.2.1]----------192.168.2.0/24
>>>
>>>
>>> I am connected to the internet over an aircard using
>>> Ubuntu, so no NAT'ing is in the way on my end. I need to establish a tunnel
>>> from my machine to the sonicwall to gain access to the 192.168.1.0 AND
>>> 192.168.2.0 networks. I am using XAUTH on the Sonicwall and it has NAT traverse
>>> enabled. I can successfully authenticate and connect to the 192.168.1.0 network
>>> and I can ping 192.168.1.1. I can also ping 192.168.2.1 (other interface
>>> on the router) but I cannot ping any other IPs on the 2.0 network. This
>>> connection is using the GroupVPN SA on the Standard OS Sonicwall. How do I
>>> configure this?
>>>
>>> Here's my ipsec.conf config:
>>>
>>> config setup
>>>
>>> conn block
>>>     auto=ignore
>>> conn private
>>>     auto=ignore
>>> conn private-or-clear
>>>     auto=ignore
>>> conn clear-or-private
>>>     auto=ignore
>>> conn clear
>>>     auto=ignore
>>> conn packetdefault
>>>     auto=ignore
>>>
>>> conn net1
>>>     left=my.ip
>>>     leftid=@home
>>>     leftxauthclient=yes
>>>     right=ip.sonicwall (internet)
>>>     rightsubnet=192.168.1.0/24
>>>     rightxauthserver=yes
>>>     rightid=@sonicwall identifier
>>>     <snip auth lines>
>>>
>>>
>>> conn net2
>>>     left=my.ip
>>>     leftid=@home
>>>     leftxauthclient=yes
>>>     right=ip.sonicwall (internet)
>>>     rightsubnet=192.168.2.0
>>>     rightxauthserver=yes
>>>     rightid=@sonicwall identifier
>>>     <snip auth lines>
>>>
>>> I've read through countless mailing lists and google
>>> links and the openswan wiki, but I cannot figure out how to get this
>>> working. It has to be a routing issue but I am still unfamiliar with ipsec
>>> so I am unsure of what to change.
>>>
>>> ANY assistance would be great!!
>>>
>>> I would also like to know what, if anything, would need
>>> to change for me to connect this tunnel when my machine (laptop) is behind a
>>> firewall, too.
>>>
>>>
>>> << File: ipsec.barf.output >>
>>>
>>>
>>
>
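Peter McGill's first suggestion in this thread is that `rightsubnet=192.168.2.0` in `conn net2` should read `192.168.2.0/24`. The following linter is an added example (it is not code from the thread, from Openswan or from any of the posters) that reads the `conn` sections of an ipsec.conf-style file and flags `leftsubnet`/`rightsubnet` values that have no prefix length, have host bits set, or are not parseable as a network. The embedded sample is constructed from the two `conn` sections posted above; the author's own placeholders (`my.ip`, `ip.sonicwall`) are kept, the snipped auth lines are replaced with a stand-in `auto=add`, and only plain CIDR subnet values are handled (Openswan's `vhost:`/`%v4:` forms are not).

```python
"""Lint ipsec.conf 'conn' sections for malformed subnet parameters.

Added example for the Openswan users thread above; not Openswan's code.
It catches the mistake spotted in the posted config: a rightsubnet written
as a bare address (192.168.2.0) instead of a network (192.168.2.0/24).
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the two conn sections from the post. Placeholders
# (my.ip, ip.sonicwall) are the author's; 'auto=add' stands in for the
# snipped authentication lines.
SAMPLE_CONF = """\
config setup

conn net1
    left=my.ip
    leftid=@home
    leftxauthclient=yes
    right=ip.sonicwall
    rightsubnet=192.168.1.0/24
    rightxauthserver=yes
    rightid=@sonicwall
    auto=add

conn net2
    left=my.ip
    leftid=@home
    leftxauthclient=yes
    right=ip.sonicwall
    rightsubnet=192.168.2.0
    rightxauthserver=yes
    rightid=@sonicwall
    auto=add
"""

SUBNET_KEYS = ("leftsubnet", "rightsubnet")


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn NAME' section.

    Section headers start at column 0; parameters are indented key=value
    lines; '#' starts a comment. Any other column-0 line ('config setup')
    ends the current section.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if parts[0] == "conn" and len(parts) == 2:
                current = parts[1]
                conns[current] = {}
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def check_subnet(value: str) -> str:
    """Classify a subnet value: 'ok', 'no-prefix', 'host-bits-set' or 'invalid'."""
    if "/" not in value:
        # A bare address is a single /32 host, not the LAN the conn is meant
        # to cover; report it separately so the fix is obvious.
        try:
            ipaddress.ip_address(value)
            return "no-prefix"
        except ValueError:
            return "invalid"
    try:
        ipaddress.ip_network(value, strict=True)
        return "ok"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(value, strict=False)
        return "host-bits-set"
    except ValueError:
        return "invalid"


def lint(text: str) -> List[str]:
    """Return one human-readable finding per problematic subnet parameter."""
    findings: List[str] = []
    for name, params in parse_conns(text).items():
        for key in SUBNET_KEYS:
            if key not in params:
                continue
            value = params[key]
            status = check_subnet(value)
            if status == "no-prefix":
                findings.append(f"conn {name}: {key}={value} has no prefix length; "
                                f"it matches a single host, not a network")
            elif status == "host-bits-set":
                findings.append(f"conn {name}: {key}={value} has host bits set")
            elif status == "invalid":
                findings.append(f"conn {name}: {key}={value} is not a valid network")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against the sample, `lint` reports only `net2`, whose `rightsubnet` lacks a prefix length; `net1` passes. Pointing it at a real `/etc/ipsec.conf` is a cheap check to run before sending `ipsec barf` output to a list.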