[Openswan Users] Openswan to Sonicwall - IKE config incorrect

Peter Butler Peter.Butler at it-freedom.com
Thu Mar 12 13:24:26 EDT 2009


Ah, I think NAT might be the problem. According to this, my network
provider (Vodafone UK) uses NAT and port address translation:

http://forum.vodafone.co.uk/index.php?showtopic=7813

Does this mean I won't be able to use Openswan (or any other IPSec
client) with this network provider?

Cheers

Peter

-----Original Message-----
From: Peter McGill [mailto:petermcgill at goco.net] 
Sent: 12 March 2009 16:39
To: Peter Butler; users at openswan.org
Subject: RE: [Openswan Users] Openswan to Sonicwall - IKE config
incorrect

Yes that is correct, assuming:
A) The Sonicwall owns the y.y.y.y IP and the Openswan machine owns the
x.x.x.x IP,
   and both addresses are publicly accessible internet addresses. (Not
NATed.)
   The Openswan logs or barf would help determine this here.
and
B) z.z.z.z/16 is setup in the Sonicwall to be accessible to the IPSec
connection.
   I've never used a Sonicwall so I cannot tell you how this is done,
but there
   should be a way to configure subnets on the Sonicwall that are
assigned to each
   side of the IPSec connection. They must match the ones listed in
Openswan.
   You can test if this configuration is missing by commenting out the
line in your
   ipsec.conf as follows: #rightsubnet=... If it connects fine, you know
this is
   your problem.


Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 
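As an added illustration of the checklist in this thread (not code from the thread, from Openswan or from Sonicwall), the script below parses the "home" conn block and reports which settings disagree with the Sonicwall policy posted earlier; the x.x.x.x / y.y.y.y / z.z.z.z placeholders are the thread's own, and the conn text is reconstructed from the posted ipsec.conf.

```python
# Added example (not from the thread): check one ipsec.conf conn block against
# the Sonicwall policy quoted in the thread. Addresses are the thread's placeholders.
IPSEC_CONF = """
conn home
    leftid=@SharedVPN
    rightid=@XXXXXXXXXXX
    right=y.y.y.y
    rightsubnet=y.y.y.y/16
    esp=3des-sha1
    ike=3des-sha1-modp1024
    pfs=yes
    aggrmode=no
"""

# Sonicwall policy from the thread, spelt the way Openswan spells it:
# DH Group 2 is modp1024, Main Mode means aggrmode=no, "Enable PFS: on" is pfs=yes.
SONICWALL = {"ike": "3des-sha1-modp1024", "esp": "3des-sha1", "pfs": "yes",
             "aggrmode": "no", "peer_ike_id": "@peterbutler.dnsalias.com",
             "local_ike_id": "@XXXXXXXXXXX"}

def parse_conn(text, name):
    """Return the key=value settings of the named conn block."""
    settings, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            in_conn = line.split(None, 1)[1] == name
        elif in_conn and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def find_mismatches(conn, sw):
    """List settings that disagree with the Sonicwall side; empty means consistent."""
    problems = []
    # Proposal and mode must match exactly; Openswan defaults are pfs=yes, aggrmode=no.
    for key, default in (("ike", None), ("esp", None), ("pfs", "yes"), ("aggrmode", "no")):
        if conn.get(key, default) != sw[key]:
            problems.append(f"{key}={conn.get(key, default)} but Sonicwall wants {sw[key]}")
    # leftid must equal the Sonicwall's Peer IKE ID and rightid its Local IKE ID.
    for key, sw_key, label in (("leftid", "peer_ike_id", "Peer IKE ID"),
                               ("rightid", "local_ike_id", "Local IKE ID")):
        if conn.get(key) != sw[sw_key]:
            problems.append(f"{key}={conn.get(key)} but Sonicwall {label} is {sw[sw_key]}")
    # rightsubnet is the LAN behind the gateway, not a prefix on the gateway's own address.
    if conn.get("rightsubnet", "").split("/")[0] == conn.get("right"):
        problems.append("rightsubnet reuses the gateway address; use the LAN subnet behind it")
    return problems
```

Run against the posted conn it reports the two mismatches the thread converges on (leftid and rightsubnet); with those corrected it reports nothing, which is the point at which NO_PROPOSAL_CHOSEN should stop being a configuration issue.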

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Peter Butler
> Sent: March 12, 2009 12:14 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Openswan to Sonicwall - IKE 
> config incorrect
> 
> Thanks again. I've changed the leftid setting as advised but it still
> gives me NO_PROPOSAL_CHOSEN.
> 
> Sorry, I've mis-redacted ipsec.conf, it's actually:
> 
> right=y.y.y.y
> rightsubnet=z.z.z.z/16
> 
> Where y.y.y.y is the external IP address of the Sonicwall 
> appliance and
> z.z.z.z is the internal subnet that Sonicwall sits on. Is 
> this the right
> way to configure it?
> 
> Cheers
> 
> Peter
> 
> 
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net] 
> Sent: 12 March 2009 15:27
> To: Peter Butler; users at openswan.org
> Subject: RE: [Openswan Users] Openswan to Sonicwall - IKE config
> incorrect
> 
> Two things here:
> 1) Openswan leftid= should match your Sonicwall ID:
> @peterbutler.dnsalias.com
> 2) I don't see y.y.y.y/16 anywhere in your Sonicwall config, it should
> be there somewhere.
>    Possibly you just didn't copy it to the email, in which 
> case there is
> no problem.
> 
> 
> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited 
> 
> > -----Original Message-----
> > From: users-bounces at openswan.org 
> > [mailto:users-bounces at openswan.org] On Behalf Of Peter Butler
> > Sent: March 12, 2009 10:44 AM
> > To: users at openswan.org
> > Subject: Re: [Openswan Users] Openswan to Sonicwall - IKE 
> > config incorrect
> > 
> > Thanks for your reply. From what I can see everything is matching
> > between Sonicwall and my ipsec setups. Would you mind having a look at
> > my settings and see if you can spot anything?
> > 
> > Here are the Sonicwall settings:
> > 
> > Authentication Mode: IKE using PSK
> > Name: Peter Butler
> > IPSec gateway: peterbutler.dnsalias.com
> > IPSec secondary gateway: 0.0.0.0
> > Local IKE ID: Sonicwall ID XXXXXXXXXXX
> > Peer IKE ID: Domain name peterbutler.dnsalias.com
> > 
> > IKE Proposal
> > Exchange: Main Mode
> > DH Group: Group 2
> > Encryption: 3DES
> > Authentication: SHA1
> > Lifetime: 28800
> > 
> > IPSec Proposal
> > Protocol: ESP
> > Encryption: 3DES
> > Authentication SHA1
> > Enable PFS: on
> > DH Group: Group 2
> > Lifetime: 28800
> > 
> > Enable Keep Alive: on
> > Suppress automatic access rules creation for VPN policy: off
> > Require XAUTH: off
> > Enable NetBIOS: off
> > Enable Multicast: off
> > Apply NAT Policies: off
> > Default LAN Gateway: 0.0.0.0
> > VPN Policy bound to: Zone WAN
> > 
> > And here are my ipsec.conf settings:
> > 
> > config setup
> > 	nat_traversal=yes
> > 	nhelpers=1
> > 	interfaces="ipsec0=ppp0"
> > 
> > conn home
> > 	type=tunnel
> > 	leftid=@SharedVPN
> > 	left=x.x.x.x
> > 	leftsubnet=x.x.x.x/32
> > 	rightid=@XXXXXXXXXXX
> > 	right=y.y.y.y
> > 	rightsubnet=y.y.y.y/16
> > 	authby=secret
> > 	auto=add
> > 	auth=esp
> > 	esp=3des-sha1
> > 	keyexchange=ike
> > 	ike=3des-sha1-modp1024
> > 	pfs=yes
> > 	keyingtries=1
> > 	aggrmode=no
> > 
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> > 
> > One more thing: I'm attempting this using a 3G connection 
> > (Vodafone UK).
> > I'm not sure if this would cause any problems. 
> > 
> > Cheers
> > 
> > Peter
> > 
> > -----Original Message-----
> > From: Peter McGill [mailto:petermcgill at goco.net] 
> > Sent: 12 March 2009 13:17
> > To: Peter Butler
> > Cc: users at openswan.org
> > Subject: Re: [Openswan Users] Openswan to Sonicwall - IKE config
> > incorrect
> > 
> > This isn't the problem, it found 3des-sha1-modp1024 just as you 
> > requested. Those are not error messages, just info messages.
> > The NO_PROPOSAL_CHOSEN is generally a configuration mismatch.
> > 
> > Check that your settings match those on the Sonicwall.
> > Is it using 3DES SHA1 Diffie-Hellman (DH) Group 2 (1024 bit)?
> > Does your Perfect Forward Secrecy (pfs) match? On is best.
> > Do your IP addresses, IDs and subnets match?
> > Does your Aggressive Mode (aggrmode) match? Off/Main Mode is best.
> > 
> > Peter McGill
> > 
> > Peter Butler wrote:
> > > Hi There
> > > 
> > > I'm trying to connect from Openswan (version 2.4.12) on Ubuntu Intrepid
> > > (Kernel 2.6.27-11) to a Sonicwall LS2400 and I am getting a
> > > NO_PROPOSAL_CHOSEN response from Sonicwall. When I run ipsec auto
> > > --status I get the following as part of the output:
> > > 
> > > 000 "home":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
> > > 000 "home":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
> > > 000 "home":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
> > > 000 "home":   ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
> > > 
> > > From what I can see Openswan is trying to use a different algorithm
> > > for IKE from what Sonicwall is expecting. My ipsec.conf contains:
> > > 
> > > ike=3des-sha1-modp1024
> > > 
> > > What should I be using for this instead? Is there any way to disable
> > > "strict"? Any help would be greatly appreciated. I can post the output
> > > of "ipsec barf" if anyone wants to take a closer look.
> > > 
> > > Cheers
> > > 
> > > Peter
> > > 
> > >
> > ______________________________________________________________
> > _________
> > > The information contained in this e-mail is confidential 
> and may be
> > privileged. It is intended for the addressee only. If you 
> are not the
> > intended recipient, please delete this e-mail immediately. 
> > The contents
> > of this e-mail must not be disclosed or copied without the sender's
> > consent. The statements and opinions expressed in this 
> > message are those
> > of the author and do not necessarily reflect those of the 
> company. The
> > company does not take any responsibility for the views of 
> the author.
> > > 
> > > Registered Office: IT-Freedom Limited, 9 Minster Court, 
> Tuscam Way,
> > Camberley, Surrey GU15 3YY 
> > > Registered in England, Number: 04500346
> > >
> > ______________________________________________________________
> > _________
> > > _______________________________________________
> > > Users at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/users
> > > Building and Integrating Virtual Private Networks with Openswan: 
> > >
> > http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> > 7?n=283155
> > > 
> > 

