[Openswan Users] Openswan to Sonicwall - IKE config incorrect

Peter Butler Peter.Butler at it-freedom.com
Thu Mar 12 12:13:41 EDT 2009


Thanks again. I've changed the leftid setting as advised but it still
gives me NO_PROPOSAL_CHOSEN.

Sorry, I've mis-redacted ipsec.conf, it's actually:

right=y.y.y.y
rightsubnet=z.z.z.z/16

Where y.y.y.y is the external IP address of the Sonicwall appliance and
z.z.z.z is the internal subnet that Sonicwall sits on. Is this the right
way to configure it?

Cheers

Peter


-----Original Message-----
From: Peter McGill [mailto:petermcgill at goco.net] 
Sent: 12 March 2009 15:27
To: Peter Butler; users at openswan.org
Subject: RE: [Openswan Users] Openswan to Sonicwall - IKE config
incorrect

Two things here:
1) Openswan leftid= should match your Sonicwall ID:
@peterbutler.dnsalias.com
2) I don't see y.y.y.y/16 anywhere in your Sonicwall config, it should
be there somewhere.
   Possibly you just didn't copy it to the email, in which case there is
no problem.


Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Peter Butler
> Sent: March 12, 2009 10:44 AM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Openswan to Sonicwall - IKE 
> config incorrect
> 
> Thanks for your reply. From what I can see everything is matching
> between Sonicwall and my ipsec setups. Would you mind having a look at
> my settings and see if you can spot anything?
> 
> Here are the Sonicwall settings:
> 
> Authentication Mode: IKE using PSK
> Name: Peter Butler
> IPSec gateway: peterbutler.dnsalias.com
> IPSec secondary gateway: 0.0.0.0
> Local IKE ID: Sonicwall ID XXXXXXXXXXX
> Peer IKE ID: Domain name peterbutler.dnsalias.com
> 
> IKE Proposal
> Exchange: Main Mode
> DH Group: Group 2
> Encryption: 3DES
> Authentication: SHA1
> Lifetime: 28800
> 
> IPSec Proposal
> Protocol: ESP
> Encryption: 3DES
> Authentication SHA1
> Enable PFS: on
> DH Group: Group 2
> Lifetime: 28800
> 
> Enable Keep Alive: on
> Suppress automatic access rules creation for VPN policy: off
> Require XAUTH: off
> Enable NetBIOS: off
> Enable Multicast: off
> Apply NAT Policies: off
> Default LAN Gateway: 0.0.0.0
> VPN Policy bound to: Zone WAN
> 
> And here are my ipsec.conf settings:
> 
> config setup
> 	nat_traversal=yes
> 	nhelpers=1
> 	interfaces="ipsec0=ppp0"
> 
> conn home
> 	type=tunnel
> 	leftid=@SharedVPN
> 	left=x.x.x.x
> 	leftsubnet=x.x.x.x/32
> 	rightid=@XXXXXXXXXXX
> 	right=y.y.y.y
> 	rightsubnet=y.y.y.y/16
> 	authby=secret
> 	auto=add
> 	auth=esp
> 	esp=3des-sha1
> 	keyexchange=ike
> 	ike=3des-sha1-modp1024
> 	pfs=yes
> 	keyingtries=1
> 	aggrmode=no
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> One more thing: I'm attempting this using a 3G connection 
> (Vodafone UK).
> I'm not sure if this would cause any problems. 
> 
> Cheers
> 
> Peter
> 
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net] 
> Sent: 12 March 2009 13:17
> To: Peter Butler
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Openswan to Sonicwall - IKE config
> incorrect
> 
> This isn't the problem, it found 3des-sha1-modp1024 just as you 
> requested. Those are not error messages, just info messages.
> The NO_PROPOSAL_CHOSEN is generally a configuration mismatch.
> 
> Check that your settings match those on the Sonicwall.
> Is it using 3DES SHA1 Diffie-Hellman (DH) Group 2 (1024 bit)?
> Does your Perfect Forward Secrecy (pfs) match? On is best.
> Do you ip addresses, id's and subnets match?
> Does your Aggressive Mode (aggrmode) match? Off/Main Mode is best.
> 
> Peter McGill
> 
> Peter Butler wrote:
> > Hi There
> > 
> > I'm trying to connect from Openswan (version 2.4.12) on Ubuntu
> Intrepid
> > (Kernel 2.6.27-11) to a Sonicwall LS2400 and I am getting a
> > NO_PROPOSAL_CHOSEN response from Sonicwall. When I run ipsec auto
> > --status I get the following as part of the output:
> > 
> > 000 "home":   IKE algorithms wanted:
> > 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
> > 000 "home":   IKE algorithms found:
> > 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
> > 000 "home":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); 
> flags=strict
> > 000 "home":   ESP algorithms loaded: 3DES(3)_000-SHA1(2); 
> flags=strict
> > 
> >>From what I can see Openswan is trying to use a different algorithm
> for
> > IKE from what Sonicwall is expecting. My ipsec.conf contains:
> > 
> > ike=3des-sha1-modp1024
> > 
> > What should I be using for this instead? Is there any way to disable
> > "strict"? Any help would be greatly appreciated. I can post 
> the output
> > of "ipsec barf" if anyone wants to take a closer look.
> > 
> > Cheers
> > 
> > Peter
> > 
> >
> ______________________________________________________________
> _________
> > The information contained in this e-mail is confidential and may be
> privileged. It is intended for the addressee only. If you are not the
> intended recipient, please delete this e-mail immediately. 
> The contents
> of this e-mail must not be disclosed or copied without the sender's
> consent. The statements and opinions expressed in this 
> message are those
> of the author and do not necessarily reflect those of the company. The
> company does not take any responsibility for the views of the author.
> > 
> > Registered Office: IT-Freedom Limited, 9 Minster Court, Tuscam Way,
> Camberley, Surrey GU15 3YY 
> > Registered in England, Number: 04500346
> >
> ______________________________________________________________
> _________
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Building and Integrating Virtual Private Networks with Openswan: 
> >
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> 7?n=283155
> > 
> 
> ______________________________________________________________
> _________
> The information contained in this e-mail is confidential and 
> may be privileged. It is intended for the addressee only. If 
> you are not the intended recipient, please delete this e-mail 
> immediately. The contents of this e-mail must not be 
> disclosed or copied without the sender's consent. The 
> statements and opinions expressed in this message are those 
> of the author and do not necessarily reflect those of the 
> company. The company does not take any responsibility for the 
> views of the author.
> 
> Registered Office: IT-Freedom Limited, 9 Minster Court, 
> Tuscam Way, Camberley, Surrey GU15 3YY 
> Registered in England, Number: 04500346
> ______________________________________________________________
> _________
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> 7?n=283155


_______________________________________________________________________
The information contained in this e-mail is confidential and may be privileged. It is intended for the addressee only. If you are not the intended recipient, please delete this e-mail immediately. The contents of this e-mail must not be disclosed or copied without the sender's consent. The statements and opinions expressed in this message are those of the author and do not necessarily reflect those of the company. The company does not take any responsibility for the views of the author.

Registered Office: IT-Freedom Limited, 9 Minster Court, Tuscam Way, Camberley, Surrey GU15 3YY 
Registered in England, Number: 04500346
_______________________________________________________________________


More information about the Users mailing list