[Openswan Users] Openswan to Sonicwall

Hot Mailing mailing51 at hotmail.com
Mon Sep 15 12:01:24 EDT 2008


I am having trouble connecting my laptop running Ubuntu 8.04 from home to 
our office at work. I have been googling and reading for weeks to get this 
running with no success. I think I am getting close, but am currently 
stumped. Any help is greatly appreciated as I am really new to all this 
stuff.

At home, my laptop is behind a firewall and gets a dynamic IP address 
from my DHCP server. At the office, we are running a Sonicwall Pro 4100 
running Sonicwall OS 4.0.0.2-51E. The SonicWall has a static IP address 
and is configured as follows:

IPSec with IKE v1
Pre-shared key
Domain based xauth
Proposals:
IKE Phase I
DH Group: Group 2
Encryption: 3DES
Authentication: MD5
Lifetime (seconds): 28800
IKE Phase II
Protocol: ESP
Encryption: 3DES
Authentication: MD5
PFS: Disabled

My /etc/ipsec.conf settings are as follows:

config setup
    nat_traversal=yes # yes by default, needed if you are behind NAT
    nhelpers=0 # this was 0 by default...no idea what it does
    interfaces="ipsec0=eth0" # needed to add this according to ubuntu thread


conn WorkOffice
    type=tunnel # Needed for host-to-subnet
    left=192.168.1.109 # this computer's external internet address
    leftsubnet=192.168.1.109/32 # private local address/netmask 32=this machine only (UBUNTU LEFT THIS OUT)
    leftid=@GroupVPN # ????????????? can this be anything?????
    leftxauthclient=yes # Indicates the left side asks to be xauth authenticated
    right=[filtered from email posting] # WAN IP address of SonicWALL
    rightsubnet=192.168.253.0/24 # Destination network (usually LAN subnet of SonicWALL); the network address, not the gateway's .1
    rightid=@[filtered from email posting] # Peer ID - SonicWALL's Unique Firewall Identifier
    rightxauthserver=yes # Indicates the right side does the xauth authentication
    keyingtries=0 # Number of times ipsec should try to obtain a key 0=infinite
    pfs=no # Perfect Forward Secrecy, default=yes (?????? why no)
    auto=add # authorizes but doesn't start this connection at startup
    auth=esp # Authenticate over ESP protocol (the default) as opposed to AH
    esp=3des-md5 # IKE Phase II Settings????
    ike=3des-md5-modp1024 # IKE Phase I Settings??? -modp1024 = DH group 2
    xauth=yes # IKE Extended Authentication (needed to authenticate as YOU)
    authby=secret # Authenticate By - Preshared Secret (needed for sonicwall)
    aggrmode=no # Aggressive Mode Phase 1 negotiations (requires use of IKE)


I have disabled ICMP redirects as follows:
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done

I have enabled IP forwarding as follows:
sysctl -w net.ipv4.ip_forward=1

I have tried to establish the connection, with two different commands 
that both fail in the same way. The commands are:
ipsec whack --name WorkOffice --initiate
ipsec auto --up WorkOffice


The whack command just hangs, but the auto up command gives the 
following output:

104 "WorkOffice" #1: STATE_MAIN_I1: initiate
003 "WorkOffice" #1: ignoring unknown Vendor ID payload [5b362bc820f60006]
003 "WorkOffice" #1: received Vendor ID payload [RFC 3947] method set to=110
106 "WorkOffice" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "WorkOffice" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "WorkOffice" #1: received Vendor ID payload [XAUTH]
003 "WorkOffice" #1: received Vendor ID payload [Dead Peer Detection]
003 "WorkOffice" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "WorkOffice" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "WorkOffice" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "WorkOffice" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "WorkOffice" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "WorkOffice" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
031 "WorkOffice" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "WorkOffice" #1: starting keying attempt 2 of an unlimited number, but releasing whack


Tailing /var/log/auth.log gives me the following output (truncated):

Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: initiating Main Mode to replace #1
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: ignoring unknown Vendor ID payload [5b362bc820f60006]
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: received Vendor ID payload [RFC 3947] method set to=110
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: ignoring unknown Vendor ID payload [404bf439522ca3f6]
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: received Vendor ID payload [XAUTH]
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: received Vendor ID payload [Dead Peer Detection]
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: I did not send a certificate because I do not have one.
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 14 23:57:50 dwv-linux pluto[18408]: "WorkOffice" #2: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
Sep 14 23:58:00 dwv-linux pluto[18408]: packet from WW.XX.YY.ZZ:4500: length of ISAKMP Message is larger than can fit
Sep 14 23:58:00 dwv-linux pluto[18408]: | payload malformed after IV
Sep 14 23:58:00 dwv-linux pluto[18408]: |
Sep 14 23:58:00 dwv-linux pluto[18408]: packet from WW.XX.YY.ZZ:4500: sending notification PAYLOAD_MALFORMED to WW.XX.YY.ZZ:4500
Sep 14 23:58:20 dwv-linux pluto[18408]: packet from WW.XX.YY.ZZ:4500: length of ISAKMP Message is larger than can fit
Sep 14 23:58:20 dwv-linux pluto[18408]: | payload malformed after IV
Sep 14 23:58:20 dwv-linux pluto[18408]: |
Sep 14 23:58:20 dwv-linux pluto[18408]: packet from WW.XX.YY.ZZ:4500: sending notification PAYLOAD_MALFORMED to WW.XX.YY.ZZ:4500
Sep 14 23:58:42 dwv-linux pluto[18408]: packet from WW.XX.YY.ZZ:4500: Mode Config message is for a non-existent (expired?) ISAKMP SA
Sep 14 23:58:51 dwv-linux pluto[18408]: "WorkOffice" #2: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #2: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #2: starting keying attempt 3 of an unlimited number
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: initiating Main Mode to replace #2
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: ignoring unknown Vendor ID payload [5b362bc820f60006]
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: received Vendor ID payload [RFC 3947] method set to=110
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: ignoring unknown Vendor ID payload [404bf439522ca3f6]
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: received Vendor ID payload [XAUTH]
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: received Vendor ID payload [Dead Peer Detection]
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: I did not send a certificate because I do not have one.
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 14 23:59:00 dwv-linux pluto[18408]: "WorkOffice" #3: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
Sep 14 23:59:10 dwv-linux pluto[18408]: packet from WW.XX.YY.ZZ:4500: length of ISAKMP Message is larger than can fit
Sep 14 23:59:10 dwv-linux pluto[18408]: | payload malformed after IV
Sep 14 23:59:10 dwv-linux pluto[18408]: |
Sep 14 23:59:10 dwv-linux pluto[18408]: packet from WW.XX.YY.ZZ:4500: sending notification PAYLOAD_MALFORMED to WW.XX.YY.ZZ:4500





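The two pluto messages that dominate the log above, "length of ISAKMP Message is larger than can fit" and "Mode Config message is unacceptable because it is for an incomplete ISAKMP SA", are both decided from the fixed ISAKMP header and the state of the SA the cookies map to, before anything is decrypted. The following Python is an added example, not code from the original post or from Openswan: it parses the IKEv1 header as received on UDP/4500 (RFC 3948 non-ESP marker, then the RFC 2408 section 3.1 header) and reimplements those two checks plus the "non-existent (expired?) ISAKMP SA" case. The cookies, the SA table and the packets it is run against are constructed for the demonstration; the state names mirror pluto's, but the acceptance rules are this example's own reading of the RFCs, not a copy of pluto's logic.

```python
import struct

# Added example (not Openswan's code): minimal IKEv1/ISAKMP header parsing with
# the header-level acceptance checks that the pluto log lines correspond to.
# Layouts follow RFC 2408 s3.1 (fixed header) and RFC 3948 s2.2 (non-ESP marker
# on UDP/4500). Cookies, states and the SA table are constructed for the demo.

NON_ESP_MARKER = b"\x00\x00\x00\x00"      # 4 zero bytes precede IKE on UDP/4500
HEADER_FMT = "!8s8sBBBBII"                # icookie, rcookie, next payload, version,
                                          # exchange type, flags, message ID, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes
ZERO_COOKIE = b"\x00" * 8                 # responder cookie of a brand-new negotiation

XCHG_MAIN_MODE = 2    # Identity Protection exchange (Main Mode)
XCHG_MODE_CFG = 6     # Transaction exchange carrying Mode Config / XAUTH attributes
XCHG_QUICK_MODE = 32  # Phase 2
FLAG_ENCRYPTION = 0x01

# Simplified initiator states named after pluto's. The ISAKMP SA is only
# established once MR3 has been received and verified (STATE_MAIN_I4).
STATE_MAIN_I1, STATE_MAIN_I2, STATE_MAIN_I3, STATE_MAIN_I4 = (
    "STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4")
ESTABLISHED = {STATE_MAIN_I4}


def build_isakmp(icookie, rcookie, xchg, flags, msgid, body,
                 claimed_length=None, nat_t=True):
    """Assemble one UDP payload. claimed_length forges a Length field that
    disagrees with the real size, to exercise the bounds check."""
    length = HEADER_LEN + len(body) if claimed_length is None else claimed_length
    hdr = struct.pack(HEADER_FMT, icookie, rcookie, 0, 0x10, xchg, flags, msgid, length)
    return (NON_ESP_MARKER if nat_t else b"") + hdr + body


def parse_header(datagram, port=4500):
    """Strip the NAT-T marker (port 4500 only) and decode the fixed header.
    Raises ValueError when the Length field exceeds what was received."""
    buf = datagram
    if port == 4500:
        if buf[:4] != NON_ESP_MARKER:
            raise ValueError("UDP/4500 packet without non-ESP marker")
        buf = buf[4:]
    if len(buf) < HEADER_LEN:
        raise ValueError("datagram shorter than ISAKMP header")
    icookie, rcookie, next_payload, version, xchg, flags, msgid, length = \
        struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    if length > len(buf):
        raise ValueError("length of ISAKMP Message is larger than can fit "
                         "(%d claimed, %d received)" % (length, len(buf)))
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": next_payload,
            "version": version, "xchg": xchg, "flags": flags, "msgid": msgid,
            "length": length, "payload": buf[HEADER_LEN:length]}


def check_message(datagram, sa_table, port=4500):
    """Decide whether a received message is acceptable. sa_table maps
    (icookie, rcookie) to the state of the matching ISAKMP SA. Returns
    'accept' or a reason string. Nothing is decrypted here, so the
    'payload malformed after IV' stage of the log is out of scope."""
    try:
        hdr = parse_header(datagram, port)
    except ValueError as err:
        return "malformed: %s" % err
    state = sa_table.get((hdr["icookie"], hdr["rcookie"]))
    if hdr["xchg"] == XCHG_MAIN_MODE:
        if hdr["msgid"] != 0:                      # RFC 2408 s3.1: zero during Phase 1
            return "Main Mode message with non-zero Message ID"
        if state is None and hdr["rcookie"] != ZERO_COOKIE:
            return "Main Mode message for an unknown ISAKMP SA"
        return "accept"                            # known SA, or a fresh first message
    if hdr["xchg"] == XCHG_MODE_CFG:
        if state is None:
            return "Mode Config message is for a non-existent (expired?) ISAKMP SA"
        if state not in ESTABLISHED:
            return ("Mode Config message is unacceptable because it is for an "
                    "incomplete ISAKMP SA (state=%s)" % state)
        if not hdr["flags"] & FLAG_ENCRYPTION:     # Transaction exchange runs under the Phase 1 SA
            return "Mode Config message is not encrypted"
        return "accept"
    return "accept" if state is not None else "message for an unknown ISAKMP SA"


if __name__ == "__main__":
    ic, rc = b"\x11" * 8, b"\x22" * 8        # constructed cookies
    sa = {(ic, rc): STATE_MAIN_I3}           # MI3 sent, still waiting for MR3
    cfg = build_isakmp(ic, rc, XCHG_MODE_CFG, FLAG_ENCRYPTION, 0x1234, b"\x00" * 16)
    print(check_message(cfg, sa))            # rejected: incomplete ISAKMP SA
    sa[(ic, rc)] = STATE_MAIN_I4
    print(check_message(cfg, sa))            # accept
```

The example only classifies; it cannot tell why the peer's encrypted MR3 fails to decode, which is what the "payload malformed after IV" lines are about. What it does make concrete is the ordering the log shows: a Transaction (Mode Config) exchange is only acceptable once the Phase 1 SA the cookies point at is established, and an oversized Length field is rejected before the body is looked at.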