[Openswan Users] XAUTH problem

Dave Vree mailing51 at hotmail.com
Mon Sep 22 21:06:47 EDT 2008


I had EXACTLY this same problem, except with a Sonicwall 4100. I posted 
the question and got the answer a couple weeks back.

I got past it by adding "aggrmode=yes" to my connection definition.

Here are a few other things I did:

a) Named the leftid "GroupVPN" -- if I name the leftid anything else, 
SonicWALL won't connect...and yes, I changed it in the secrets file too.

b) Took out leftsubnet in config file...not needed....leftIP/32 is default

c) Took out interfaces= in config file...not needed with netkey which is 
default in Ubuntu with its 2.6 kernel

d) Took RSA line out of secrets file

e) left=%defaultroute

f) Took out xauth=yes as is no longer used 
(http://readlist.com/lists/openswan.org/users/0/622.html)

g) CRITICAL: Go into the Sonicwall configuration utility and set the 
following: VPN -> Settings -> GroupVPN configure -> Client tab->"Virtual 
Adapter Settings" from "DHCP lease" to "DHCP lease or Manual Configuration"


Here is my config:

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    nhelpers=0

conn SonicWallOffice
    type=tunnel # Needed for host-to-subnet
    left=%defaultroute # this computer's external internet address
    leftid=@GroupVPN # Can't be anything...needed to be this for SonicWALL
    leftxauthclient=yes # Indicates the left side asks to be xauth authenticated
    right=XX.YY.ZZ.AA # WAN IP address of SonicWALL
    rightsubnet=192.168.253.1/24 # Destination network (usually LAN subnet of SonicWALL)
    rightid=@blahblahblah # Peer ID - SonicWALL's Unique Firewall Identifier
    rightxauthserver=yes # Indicates the right side does the xauth authentication
    keyingtries=0 # Number of times ipsec should try to obtain a key 0=infinite
    keyexchange=ike # This is the default (and only) value, here for completeness
    pfs=no # Perfect Forward Secrecy, default=yes (?????? why no)
    auto=add # authorizes but doesn't start this connection at startup
    auth=esp # Authenticate over ESP protocol (the default) as opposed to AH
    esp=3des-md5 # ????????????? IKE Phase II Settings????
    ike=3des-md5-modp1024 # ????????????? IKE Phase I Settings??? -modp1024 = DH group 2
    authby=secret # Authenticate By - Preshared Secret (needed for SonicWALL)
    aggrmode=yes # Aggressive Mode Phase 1 negotiations (requires use of IKE)

include /etc/ipsec.d/examples/no_oe.conf
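As an added example (not part of the post above, and not Openswan's own code), here is a small Python script that parses an ipsec.conf-style file into sections and audits each conn for the settings the posted config relies on: aggrmode=yes together with authby=secret, pfs=no, and 3DES/MD5/modp1024 in the ike= and esp= lines. It embeds the poster's connection as its sample input, with the poster's placeholders (XX.YY.ZZ.AA, @blahblahblah) kept as-is and the indentation restored. The parser is deliberately tolerant (it does not require the indentation that the real ipsec.conf grammar does), and the "hardened" algorithm strings used in the test are an assumption about which names a given Openswan version accepts.

```python
"""Audit an ipsec.conf-style file for weak IKE/IPsec settings (added example)."""
import re

# Constructed sample: the conn from the mailing-list post, comments removed,
# poster's placeholders left in place.
SAMPLE_CONF = """\
version 2.0

config setup
    nat_traversal=yes
    nhelpers=0

conn SonicWallOffice
    type=tunnel
    left=%defaultroute
    leftid=@GroupVPN
    leftxauthclient=yes
    right=XX.YY.ZZ.AA
    rightsubnet=192.168.253.1/24
    rightid=@blahblahblah
    rightxauthserver=yes
    keyingtries=0
    keyexchange=ike
    pfs=no
    auto=add
    auth=esp
    esp=3des-md5
    ike=3des-md5-modp1024
    authby=secret
    aggrmode=yes

include /etc/ipsec.d/examples/no_oe.conf
"""

# Algorithm / DH-group tokens that are deprecated for new deployments.
WEAK_TOKENS = {"des", "3des", "md5", "modp768", "modp1024"}


def parse_ipsec_conf(text):
    """Return {section_header: {key: value}} for 'config setup' and 'conn X'.

    Tolerant parser (assumption): entries are recognised by 'key=value' under
    the most recent section header, indented or not; '#' starts a comment;
    'version' and 'include' lines are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("conn ", "config ")):
            current = " ".join(line.split())  # normalise internal whitespace
            sections[current] = {}
        elif line.startswith(("version ", "include ")):
            continue
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def weak_tokens(spec):
    """Split an ike=/esp= spec like '3des-md5-modp1024' and keep weak parts."""
    return [t for t in re.split(r"[-,;!]", spec.lower()) if t in WEAK_TOKENS]


def audit_conn(conn):
    """Return a list of human-readable findings for one conn section."""
    findings = []
    if conn.get("aggrmode") == "yes" and conn.get("authby") == "secret":
        findings.append(
            "aggrmode=yes with authby=secret: aggressive mode sends the "
            "PSK-derived hash before encryption starts, so the PSK is exposed "
            "to offline guessing; prefer main mode or certificate auth, and "
            "use a long random PSK if the peer forces aggressive mode")
    if conn.get("pfs") == "no":
        findings.append("pfs=no: Phase 2 keys are derived from the Phase 1 "
                        "secret only; enable pfs=yes if the peer allows it")
    for key in ("ike", "esp"):
        weak = weak_tokens(conn.get(key, ""))
        if weak:
            findings.append(f"{key}={conn[key]}: deprecated algorithm(s) "
                            f"{', '.join(weak)}")
    return findings


def audit_conf(text):
    """Audit every conn section in an ipsec.conf text: {conn_name: findings}."""
    sections = parse_ipsec_conf(text)
    return {hdr.split(" ", 1)[1]: audit_conn(body)
            for hdr, body in sections.items() if hdr.startswith("conn ")}


if __name__ == "__main__":
    for name, findings in audit_conf(SAMPLE_CONF).items():
        print(f"conn {name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Running it against the sample prints four findings for SonicWallOffice (aggressive mode with PSK, pfs=no, and deprecated algorithms in both ike= and esp=); a conn with main mode, pfs=yes and AES/SHA-2 settings produces none.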



