[Openswan Users] Openswan to Sonicwall - IKE config incorrect
Peter.Butler at it-freedom.com
Thu Mar 12 10:44:19 EDT 2009
Thanks for your reply. From what I can see everything is matching
between Sonicwall and my ipsec setups. Would you mind having a look at
my settings and see if you can spot anything?
Here are the Sonicwall settings:
Authentication Mode: IKE using PSK
Name: Peter Butler
IPSec gateway: peterbutler.dnsalias.com
IPSec secondary gateway: 0.0.0.0
Local IKE ID: Sonicwall ID XXXXXXXXXXX
Peer IKE ID: Domain name peterbutler.dnsalias.com
Exchange: Main Mode
DH Group: Group 2
Enable PFS: on
DH Group: Group 2
Enable Keep Alive: on
Suppress automatic access rules creation for VPN policy: off
Require XAUTH: off
Enable NetBIOS: off
Enable Multicast: off
Apply NAT Policies: off
Default LAN Gateway: 0.0.0.0
VPN Policy bound to: Zone WAN
And here are my ipsec.conf settings:
#Disable Opportunistic Encryption
One more thing: I'm attempting this using a 3G connection (Vodafone UK).
I'm not sure if this would cause any problems.
From: Peter McGill [mailto:petermcgill at goco.net]
Sent: 12 March 2009 13:17
To: Peter Butler
Cc: users at openswan.org
Subject: Re: [Openswan Users] Openswan to Sonicwall - IKE config
This isn't the problem, it found 3des-sha1-modp1024 just as you
requested. Those are not error messages, just info messages.
The NO_PROPOSAL_CHOSEN is generally a configuration mismatch.
Check that your settings match those on the Sonicwall.
Is it using 3DES SHA1 Diffie-Hellman (DH) Group 2 (1024 bit)?
Does your Perfect Forward Secrecy (pfs) match? On is best.
Do you ip addresses, id's and subnets match?
Does your Aggressive Mode (aggrmode) match? Off/Main Mode is best.
Peter Butler wrote:
> Hi There
> I'm trying to connect from Openswan (version 2.4.12) on Ubuntu
> (Kernel 2.6.27-11) to a Sonicwall LS2400 and I am getting a
> NO_PROPOSAL_CHOSEN response from Sonicwall. When I run ipsec auto
> --status I get the following as part of the output:
> 000 "home": IKE algorithms wanted:
> 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
> 000 "home": IKE algorithms found:
> 000 "home": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
> 000 "home": ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
>>From what I can see Openswan is trying to use a different algorithm
> IKE from what Sonicwall is expecting. My ipsec.conf contains:
> What should I be using for this instead? Is there any way to disable
> "strict"? Any help would be greatly appreciated. I can post the output
> of "ipsec barf" if anyone wants to take a closer look.
> The information contained in this e-mail is confidential and may be
privileged. It is intended for the addressee only. If you are not the
intended recipient, please delete this e-mail immediately. The contents
of this e-mail must not be disclosed or copied without the sender's
consent. The statements and opinions expressed in this message are those
of the author and do not necessarily reflect those of the company. The
company does not take any responsibility for the views of the author.
> Registered Office: IT-Freedom Limited, 9 Minster Court, Tuscam Way,
Camberley, Surrey GU15 3YY
> Registered in England, Number: 04500346
> Users at openswan.org
> Building and Integrating Virtual Private Networks with Openswan:
The information contained in this e-mail is confidential and may be privileged. It is intended for the addressee only. If you are not the intended recipient, please delete this e-mail immediately. The contents of this e-mail must not be disclosed or copied without the sender's consent. The statements and opinions expressed in this message are those of the author and do not necessarily reflect those of the company. The company does not take any responsibility for the views of the author.
Registered Office: IT-Freedom Limited, 9 Minster Court, Tuscam Way, Camberley, Surrey GU15 3YY
Registered in England, Number: 04500346
More information about the Users