[Openswan Users] Openswan to Sonicwall - IKE config incorrect

Peter Butler Peter.Butler at it-freedom.com
Thu Mar 12 10:44:19 EDT 2009


Thanks for your reply. From what I can see everything is matching
between Sonicwall and my ipsec setups. Would you mind having a look at
my settings and see if you can spot anything?

Here are the Sonicwall settings:

Authentication Mode: IKE using PSK
Name: Peter Butler
IPSec gateway: peterbutler.dnsalias.com
IPSec secondary gateway: 0.0.0.0
Local IKE ID: Sonicwall ID XXXXXXXXXXX
Peer IKE ID: Domain name peterbutler.dnsalias.com

IKE Proposal
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Lifetime: 28800

IPSec Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Enable PFS: on
DH Group: Group 2
Lifetime: 28800

Enable Keep Alive: on
Suppress automatic access rules creation for VPN policy: off
Require XAUTH: off
Enable NetBIOS: off
Enable Multicast: off
Apply NAT Policies: off
Default LAN Gateway: 0.0.0.0
VPN Policy bound to: Zone WAN

And here are my ipsec.conf settings:

config setup
	nat_traversal=yes
	nhelpers=1
	interfaces="ipsec0=ppp0"

conn home
	type=tunnel
	leftid=@SharedVPN
	left=x.x.x.x
	leftsubnet=x.x.x.x/32
	rightid=@XXXXXXXXXXX
	right=y.y.y.y
	rightsubnet=y.y.y.y/16
	authby=secret
	auto=add
	auth=esp
	esp=3des-sha1
	keyexchange=ike
	ike=3des-sha1-modp1024
	pfs=yes
	keyingtries=1
	aggrmode=no

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

One more thing: I'm attempting this using a 3G connection (Vodafone UK).
I'm not sure if this would cause any problems. 

Cheers

Peter

-----Original Message-----
From: Peter McGill [mailto:petermcgill at goco.net] 
Sent: 12 March 2009 13:17
To: Peter Butler
Cc: users at openswan.org
Subject: Re: [Openswan Users] Openswan to Sonicwall - IKE config incorrect

This isn't the problem, it found 3des-sha1-modp1024 just as you 
requested. Those are not error messages, just info messages.
The NO_PROPOSAL_CHOSEN is generally a configuration mismatch.

Check that your settings match those on the Sonicwall.
Is it using 3DES SHA1 Diffie-Hellman (DH) Group 2 (1024 bit)?
Does your Perfect Forward Secrecy (pfs) match? On is best.
Do your IP addresses, IDs and subnets match?
Does your Aggressive Mode (aggrmode) match? Off/Main Mode is best.

Peter McGill

Peter Butler wrote:
> Hi There
> 
> I'm trying to connect from Openswan (version 2.4.12) on Ubuntu Intrepid
> (Kernel 2.6.27-11) to a Sonicwall LS2400 and I am getting a
> NO_PROPOSAL_CHOSEN response from Sonicwall. When I run ipsec auto
> --status I get the following as part of the output:
> 
> 000 "home":   IKE algorithms wanted:
> 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
> 000 "home":   IKE algorithms found:
> 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
> 000 "home":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
> 000 "home":   ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
> 
> From what I can see Openswan is trying to use a different algorithm for
> IKE from what Sonicwall is expecting. My ipsec.conf contains:
> 
> ike=3des-sha1-modp1024
> 
> What should I be using for this instead? Is there any way to disable
> "strict"? Any help would be greatly appreciated. I can post the output
> of "ipsec barf" if anyone wants to take a closer look.
> 
> Cheers
> 
> Peter
> 

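As an added example (not code from either Peter or from the Openswan project), a small Python checker that applies Peter McGill's checklist mechanically: it parses the Sonicwall proposal fields and the Openswan conn and lists whichever settings disagree. The Sonicwall-to-Openswan name mapping and both sample inputs are constructed from the settings posted above.

```python
# Added example (not from the thread); the inputs are constructed from the posted settings.
# Sonicwall names -> Openswan ike=/esp= keywords (assumed mapping; covers the
# names used in this thread plus a few common alternatives).
DH = {"Group 1": "modp768", "Group 2": "modp1024", "Group 5": "modp1536"}
ENC = {"DES": "des", "3DES": "3des", "AES-128": "aes128", "AES-256": "aes256"}
HASH = {"MD5": "md5", "SHA1": "sha1"}

SONICWALL = ("IKE Proposal\nExchange: Main Mode\nDH Group: Group 2\n"
             "Encryption: 3DES\nAuthentication: SHA1\nIPSec Proposal\n"
             "Encryption: 3DES\nAuthentication: SHA1\nEnable PFS: on\nDH Group: Group 2")
IPSEC_CONF = "conn home\n\tesp=3des-sha1\n\tike=3des-sha1-modp1024\n\tpfs=yes\n\taggrmode=no"

def parse_sonicwall(text):
    """'Field: value' lines grouped under the bare heading line above them."""
    policy, section = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if ":" not in line:
            section = line
        else:
            key, _, val = line.partition(":")
            policy.setdefault(section, {})[key.strip()] = val.strip()
    return policy

def parse_conn(text, name):
    """key=value pairs of the named conn section of an ipsec.conf."""
    conn, inside = {}, False
    for line in text.splitlines():
        if line.startswith("conn "):
            inside = line.split()[1] == name
        elif inside and "=" in line:
            conn.update([line.strip().split("=", 1)])
    return conn

def compare(sonicwall_text, ipsec_text, name="home"):
    """Return the settings that differ; an empty list means the proposals line up."""
    sw, conn = parse_sonicwall(sonicwall_text), parse_conn(ipsec_text, name)
    p1, p2 = sw["IKE Proposal"], sw["IPSec Proposal"]
    esp, _, pfsgrp = conn["esp"].partition(";")        # esp=enc-hash[;pfs group]
    ike, esp = conn["ike"].split("-"), esp.split("-")  # ike=enc-hash-dh
    want = {  # label: (what the Sonicwall policy wants, what the conn offers)
        "IKE encryption": (ENC[p1["Encryption"]], ike[0]),
        "IKE hash": (HASH[p1["Authentication"]], ike[1]),
        "IKE DH group": (DH[p1["DH Group"]], ike[2]),
        "aggressive mode": ("no" if p1["Exchange"] == "Main Mode" else "yes", conn.get("aggrmode", "no")),
        "ESP encryption": (ENC[p2["Encryption"]], esp[0]),
        "ESP hash": (HASH[p2["Authentication"]], esp[1]),
        "PFS": ("yes" if p2["Enable PFS"] == "on" else "no", conn.get("pfs", "yes")),
        "PFS DH group": (DH[p2["DH Group"]], pfsgrp or ike[2]),  # Openswan falls back to the IKE group
    }
    return [f"{k}: Sonicwall {a} vs Openswan {b}" for k, (a, b) in want.items() if a != b]
```

For the settings posted in this thread the checker returns an empty list, which is consistent with Peter McGill's reading that the algorithm lines are not the mismatch; editing either input (a different DH group, or aggrmode=yes) makes the differing field show up.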