[Openswan Users] Sonicwall TZ170 to OpenSWAN peer's ID_USER_FQDN contains no @

Mike A. Leonetti mleonetti at evolutionce.com
Wed Apr 28 12:13:30 EDT 2010


Paul Wouters wrote:
> On Wed, 28 Apr 2010, Mike A. Leonetti wrote:
>
>>>> And then
>>>> Apr 28 09:08:32 fortissimo pluto[23745]: packet from y.y.y.y:500:
>>>> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>>>> Apr 28 09:08:32 fortissimo pluto[23745]: packet from y.y.y.y:500:
>>>> ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
>>>> Apr 28 09:08:32 fortissimo pluto[23745]: packet from y.y.y.y:500:
>>>> ignoring Vendor ID payload [Sonicwall 2 (3.1.0.12-86s?)]
>>>> Apr 28 09:08:32 fortissimo pluto[23745]: packet from y.y.y.y:500:
>>>> received Vendor ID payload [XAUTH]
>>>> Apr 28 09:08:32 fortissimo pluto[23745]: packet from y.y.y.y:500:
>>>> initial Aggressive Mode message from y.y.y.y but no (wildcard)
>>>> connection has been configured with policy=PSK+AGGRESSIVE
>>>
>>> Try using right=%any
>>>
>>>> But it never comes up.
>>>>
>> It isn't very happy with that.
>>
>> Apr 28 11:56:56 fortissimo pluto[25359]: "andree": deleting connection
>> Apr 28 11:56:56 fortissimo pluto[25359]: "andree" #37: deleting state
>> (STATE_AGGR_I1)
>> Apr 28 11:56:57 fortissimo pluto[28651]: added connection description
>> "andree"
>> Apr 28 11:56:57 fortissimo ipsec__plutorun: 002 added connection
>> description "andree"
>> Apr 28 11:56:58 fortissimo pluto[28651]: "andree": cannot initiate
>> connection without knowing peer IP address (kind=CK_TEMPLATE)
>> Apr 28 11:56:58 fortissimo ipsec__plutorun: 029 "andree": cannot
>> initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
>
> Yes you can only respond when using %any, not initiate.
>
> I guess I'm just confused what the intention here is, and if one or both
> endpoints are behind nat.
>
> Paul
>
The intention here is to initiate and keep up a VPN between OpenSWAN and
an older style Sonicwall device. The Sonicwall device doesn't have a
place to put in the IKE ID for the local or remote connexion. This is
really the only thing that differs from the newer Sonicwall, and we do
have three VPNs with newer Sonicwalls already working on the Linux side
and one on the older Sonicwall side (that we are trying to VPN into).

None of the firewalls are behind a NAT in this scenario.
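As an added illustration (not part of this thread, and not a configuration from either poster), the ipsec.conf fragment below shows the two connection shapes Paul's reply distinguishes: a template with right=%any that pluto can load with auto=add and answer the TZ170's Aggressive Mode proposal (policy=PSK+AGGRESSIVE) with, and a fixed-peer connection with auto=start that the Linux side can initiate and keep up. All addresses, subnets and IDs are placeholders; the rightid value in particular is an assumption and has to match whatever ID the TZ170 actually sends (visible in the pluto log), and the ike= proposal is only a guess at what an older TZ170 accepts.

```ini
# Added example, not from this thread. Addresses, subnets, IDs and the
# ike= proposal are placeholders/assumptions.

# Responder-only template. right=%any matches an Aggressive Mode / PSK
# proposal from any peer address, so pluto can answer, but it cannot
# initiate: auto=start here produces "cannot initiate connection without
# knowing peer IP address (kind=CK_TEMPLATE)".
conn tz170-responder
        type=tunnel
        authby=secret
        aggrmode=yes
        ike=3des-sha1;modp1024       # assumed TZ170 proposal; prefer stronger if the device allows
        left=203.0.113.10            # placeholder Openswan public IP
        leftid=203.0.113.10
        leftsubnet=10.1.0.0/24       # placeholder LAN behind Openswan
        right=%any                   # any peer address: respond only
        rightsubnet=10.2.0.0/24      # placeholder LAN behind the TZ170
        auto=add

# Initiator. To bring the tunnel up from the Linux side the peer address
# must be fixed, and rightid must equal the ID the TZ170 sends (the device
# offers no field to set it, so take the value from the pluto log).
conn tz170-initiator
        type=tunnel
        authby=secret
        aggrmode=yes
        ike=3des-sha1;modp1024       # same assumption as above
        left=203.0.113.10
        leftid=203.0.113.10
        leftsubnet=10.1.0.0/24
        right=198.51.100.20          # placeholder TZ170 public IP
        rightid=198.51.100.20        # placeholder; must match the peer's actual ID
        rightsubnet=10.2.0.0/24
        dpddelay=30                  # Dead Peer Detection, assuming the TZ170 supports it
        dpdtimeout=120
        dpdaction=restart            # re-initiate after the peer goes silent
        auto=start
```

The matching pre-shared key goes in ipsec.secrets as `203.0.113.10 198.51.100.20 : PSK "placeholder-key"` (placeholder values). Only one of the two conns should be loaded at a time, since both would claim the same left/right subnets. Note that Aggressive Mode with PSK exposes a hash of the key to anyone who can observe the first exchange, so the PSK should be long and random regardless of which conn is used.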
