[Openswan Users] openswan xauth problem with sonicwall

Paul Wouters paul at xelerance.com
Wed Jul 22 17:41:51 EDT 2009 

On Wed, 22 Jul 2009, Amlan Mandal wrote:

> I love linux. I really do. I know it is open source, lot of people has contributed voluntarily to make it better. But some time it does not meet the basic standards. I am sorry that I made the statement. But that is how it is. I am trying

Perhaps we should adhere to the basic standards of commercial products and
commercial support then. Where you must pay before you can ask a question......

> After it does
> 004 "sonicwall" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
>
> I guess it should as xauth authentication after this. Nothing happens it just gets stuck then I get
> 003 "sonicwall" #6: next payload type of ISAKMP Hash Payload has an unknown value: 164
> 003 "sonicwall" #6: malformed payload in packet
> 002 "sonicwall" #6: sending notification PAYLOAD_MALFORMED to xxx.xxx.xxx.xxx:4500

You should get a user/pass prompt. Something is going wrong.

> I have tried all possible config it JUST does not work. After 5 days of work I could not make it work.
>
> conn sonicwall
>    type=tunnel
>    left=10.0.0.2
>    leftid=@GroupVPN
>    leftxauthclient=yes
>    rightxauthclient=yes
>    right=x.x.x.x
>    rightsubnet=192.168.1.0/24
>    rightxauthserver=yes
>    leftxauthserver=yes
>    rightid=@xxxxxxxxxxx
>    keyingtries=1
>    pfs=yes
>    aggrmode=no
>    auto=add
>    auth=esp
>    esp=3des-sha1
>    ike=3des-sha1-modp1536
>    authby=secret
>    xauth=yes

If you read the fine manual that ships with our software, you would see that
you canont have leftxauthclient=yes with leftxauthserver=yes. You are
either an XAUTH server demanding authentication, or an XAUTH client supplying
identification.

It is also very likely that the sysadmin want you to use aggressive mode, and
perhaps even worse pfs=no. But I recommend first changing your config to use:

leftxauthclient=yes
rightxauthserver=yes

I have also no idea why you have keyingtries=1. This means you will just stop
trying after 1 attempt.

Note that XAUTH with PSK is the most insecure method you can be running, as
anyone with the PSK (which is shared with all clients) can inpersonate being
the server to take the user/password credentials of real clients connecting
to them.

> Is it ever going to work????

Was this response time as fast as the support call you put in at SonicWall?

Your donations are welcome,

Paul

More information about the Users mailing list