[Openswan Users] XAUTH problem

Bill Carlson billcarlson at wkks.org
Mon Sep 22 15:24:45 EDT 2008


Hello,

I'm setting up OpenSwan 2.4.6 (Ubuntu 7.04) and attempting a 
Roadwarrior VPN to a Sonicwall NSA 4500.

I've read several different scenarios and configuration guides, both from 
OpenSwan and Sonicwall.

My key problem: XAUTH

When I bring up the connection via ipsec auto --up or ipsec whack --name 
blahblah --initiate, I expect to get prompted for a username and password, 
but never do. Why is that?

Sample output from my latest attempt:


---
root@limper:/etc/ipsec.d# ipsec whack --name sonicwall --initiate
002 "sonicwall" #1: initiating Main Mode
104 "sonicwall" #1: STATE_MAIN_I1: initiate
003 "sonicwall" #1: ignoring unknown Vendor ID payload [5b362bc820f60007]
003 "sonicwall" #1: received Vendor ID payload [RFC 3947] method set to=110
002 "sonicwall" #1: enabling possible NAT-traversal with method 3
002 "sonicwall" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
003 "sonicwall" #1: received Vendor ID payload [Dead Peer Detection]
002 "sonicwall" #1: I did not send a certificate because I do not have one.
003 "sonicwall" #1: NAT-Traversal: Result using 3: i am NATed
002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "sonicwall" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
031 "sonicwall" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
---

My config:

---
conn sonicwall
        type=tunnel
        left=192.168.X.YY
        leftsubnet=192.168.X.YY/32
        leftid=@GroupVPN
        leftxauthclient=yes
        leftsendcert=no
        leftrsasigkey=%none
        right=<protected>
        rightsubnet=<protected>
        rightxauthserver=yes
        rightid=@<protected>
        keyingtries=1
        pfs=no
        aggrmode=no
        auto=add
        auth=esp
        authby=secret
        esp=3des-sha1
        ike=3des-sha1
        keyexchange=ike
        xauth=yes
---


ipsec.conf
---
config setup
	nat_traversal=yes
	nhelpers=1
	interfaces="ipsec0=eth0"
---


Thanks,

Bill Carlson

Anything is possible, given Time and Money.
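The whack/pluto output above has a fixed shape (a three-digit status code, the connection name, the ISAKMP SA number, then the message), which makes it easy to triage mechanically. The following is an added example, not part of the post or of Openswan: it parses that format, tracks the phase 1 state transitions, counts "Mode Config message is unacceptable" rejections and reports whether pluto gave up (code 031). The sample log is constructed from the lines in the post, re-joined where the mail client wrapped them.

```python
import re

# Constructed sample: pluto lines from the post above, re-joined where the
# mail client had wrapped them.
SAMPLE_LOG = """\
002 "sonicwall" #1: initiating Main Mode
002 "sonicwall" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "sonicwall" #1: Mode Config message is unacceptable because it is for an incomplete ISAKMP SA (state=STATE_MAIN_I3)
031 "sonicwall" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

# Every whack/pluto status line is: <3-digit code> "<conn>" #<sa>: <message>
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
TRANSITION_RE = re.compile(r'transition from state \S+ to state (\S+)')
VID_RE = re.compile(r'received Vendor ID payload \[([^\]]+)\]')

def parse_pluto_log(text):
    """Summarise each ISAKMP SA: last state reached, vendor IDs announced by
    the peer, Mode Config messages rejected while phase 1 was still incomplete,
    and whether pluto gave up (code 031, max retransmissions reached)."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto status line
        code, conn, sa, msg = m.groups()
        s = sas.setdefault((conn, int(sa)), {'last_state': None, 'vendor_ids': [],
                                              'premature_modecfg': 0, 'gave_up': False})
        if t := TRANSITION_RE.search(msg):
            s['last_state'] = t.group(1)
        if v := VID_RE.search(msg):
            s['vendor_ids'].append(v.group(1))
        if 'Mode Config message is unacceptable' in msg:
            s['premature_modecfg'] += 1
        if code == '031' and 'max number of retransmissions' in msg:
            s['gave_up'] = True
    return sas

def diagnose(s):
    """One-line triage for a parsed SA summary."""
    if s['gave_up'] and s['premature_modecfg']:
        return ('phase 1 stalled at %s: peer sent Mode Config before the ISAKMP SA '
                'was established, so the XAUTH exchange never started' % s['last_state'])
    return 'gave up at %s' % s['last_state'] if s['gave_up'] else 'no failure recorded'
```

Run `diagnose(parse_pluto_log(SAMPLE_LOG)[('sonicwall', 1)])` to get the triage line; pointing `parse_pluto_log` at real `ipsec whack` output works the same way as long as the lines are not wrapped.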
