[Openswan Users] Tunnel initiates to Sonicwall but cannot reach anything inside network

Randy Wyatt rwyatt at nvtl.com
Mon Feb 15 21:11:08 EST 2010


Have you run ipsec verify?

What does your tcpdump or wireshark trace show?

Have you set up masquerading correctly?


What version of openswan?

-----Original Message-----
From: users-bounces at openswan.org on behalf of Michael Leonetti
Sent: Mon 2/15/2010 5:27 PM
To: users at openswan.org
Subject: [Openswan Users] Tunnel initiates to Sonicwall but cannot reach anything inside network
I set up a connection to a Sonicwall system with the current config:
conn sonicwall
        left=(leftip)
        leftsubnet=10.1.1.0/24
        leftid=(leftid)
        right=(rightip)
        rightsubnet=10.10.12.0/24
        rightid=(rightid)
        keyingtries=0
        pfs=no
        aggrmode=yes
        auto=add
        auth=esp
        esp=3des-sha1
        ike=3des-sha1
        authby=secret
        xauth=no
        keyexchange=ike
And I can get it up just fine:

fortissimo linux # ipsec auto --up sonicwall
003 "sonicwall" #5: multiple transforms were set in aggressive mode. Only first one used.
003 "sonicwall" #5: transform (5,2,2,0) ignored.
003 "sonicwall" #5: multiple transforms were set in aggressive mode. Only first one used.
003 "sonicwall" #5: transform (5,2,2,0) ignored.
112 "sonicwall" #5: STATE_AGGR_I1: initiate
003 "sonicwall" #5: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "sonicwall" #5: ignoring unknown Vendor ID payload [5b362bc820f60007]
003 "sonicwall" #5: received Vendor ID payload [RFC 3947] method set to=109
003 "sonicwall" #5: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
004 "sonicwall" #5: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "sonicwall" #6: STATE_QUICK_I1: initiate
004 "sonicwall" #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x97b8d6ff <0x0eb44887 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 (leftip)
000 interface eth0/eth0 (leftip)
000 interface br0/br0 10.1.1.1
000 interface br0/br0 10.1.1.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,64} trans={0,4,960} attrs={0,4,320}
000
000 "sonicwall": 10.1.1.0/24===(leftip)...(rightip)===10.10.12.0/24; erouted; eroute owner: #6
000 "sonicwall":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "sonicwall":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sonicwall":   policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio: 24,24; interface: eth0; encap: esp;
000 "sonicwall":   newest ISAKMP SA: #5; newest IPsec SA: #6;
000 "sonicwall":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "sonicwall":   IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "sonicwall":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536
000 "sonicwall":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
000 "sonicwall":   ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
000 "sonicwall":   ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A>
000
000 #6: "sonicwall":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28036s; newest IPSEC; eroute owner
000 #6: "sonicwall" esp.97b8d6ff@(rightip) esp.eb44887@72.68.153.122 tun.0@(rightip) tun.0@(leftip)
000 #5: "sonicwall":500 STATE_AGGR_I2 (sent AI2, ISAKMP SA established); EVENT_SA_REPLACE in 2554s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
When I try to reach anything in the network:

fortissimo linux # ping 10.10.12.199
PING 10.10.12.199 (10.10.12.199) 56(84) bytes of data.
From 130.81.12.202 icmp_seq=6 Destination Net Unreachable
From 130.81.12.202 icmp_seq=12 Destination Net Unreachable
But I can reach:

fortissimo linux # ping 10.10.12.1
PING 10.10.12.1 (10.10.12.1) 56(84) bytes of data.
64 bytes from 10.10.12.1: icmp_seq=1 ttl=243 time=21.1 ms
64 bytes from 10.10.12.1: icmp_seq=2 ttl=243 time=12.2 ms
But the problem is that when I stop ipsec I can still ping 10.10.12.1 even though it's not defined anywhere else :X.  I'm actually not even sure if I got an IP on the remote side.  DHCP isn't even enabled on the remote side so I'm not sure what IP I'd get or if I even need one.
Thanks.

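An added example, not code from either message in this thread, in the spirit of Randy's "Have you set up masquerading correctly?" question. On a Linux gateway that masquerades everything leaving its WAN interface, packets from leftsubnet to rightsubnet are source-NATed in the nat POSTROUTING chain before the kernel's IPsec policy (10.1.1.0/24 to 10.10.12.0/24 here) is consulted, so they no longer match the tunnel and leave unencrypted; the usual remedy is an ACCEPT (or `! -d`) exclusion for tunnel traffic ahead of the MASQUERADE rule. The script below feeds constructed `iptables -t nat -S POSTROUTING` samples through a small awk walk of the chain; the subnets are taken from the quoted config, the rule samples and the function names `masq_verdict` and `masq_fix` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the nat POSTROUTING chain
# would masquerade traffic bound for the remote tunnel subnet. Masquerading
# happens before the IPsec policy lookup on output, so such packets stop
# matching the tunnel and go out in the clear.

LOCAL_SUBNET="10.1.1.0/24"      # leftsubnet from the quoted config
REMOTE_SUBNET="10.10.12.0/24"   # rightsubnet from the quoted config

# Constructed sample of `iptables -t nat -S POSTROUTING` on a broken gateway:
# everything leaving eth0 is masqueraded, tunnel traffic included.
BROKEN_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed sample with the exclusion placed before the MASQUERADE rule.
FIXED_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.1.1.0/24 -d 10.10.12.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed sample using the negated-destination form of the same fix.
NEGATED_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 ! -d 10.10.12.0/24 -j MASQUERADE'

# masq_verdict RULES SUBNET
# Walks the chain in order (iptables evaluates rules top to bottom) and prints:
#   excluded       an ACCEPT for "-d SUBNET" precedes the first MASQUERADE rule,
#                  or that MASQUERADE rule itself carries "! -d SUBNET"
#   masqueraded    the first MASQUERADE rule would rewrite traffic to SUBNET
#   no-masquerade  the chain has no MASQUERADE rule at all
masq_verdict() {
    printf '%s\n' "$1" | awk -v subnet="$2" '
        BEGIN { state = "no-masquerade" }
        state == "no-masquerade" && /-j ACCEPT/ &&
        index($0, " -d " subnet) && !index($0, "! -d " subnet) { state = "excluded" }
        state == "no-masquerade" && /-j MASQUERADE/ {
            state = (index($0, "! -d " subnet) ? "excluded" : "masqueraded")
        }
        END { print state }
    '
}

# masq_fix LOCAL REMOTE
# Prints the iptables command that inserts the exclusion at position 1 of the
# chain, so it is evaluated before any existing MASQUERADE rule.
masq_fix() {
    printf 'iptables -t nat -I POSTROUTING 1 -s %s -d %s -j ACCEPT\n' "$1" "$2"
}

# Stand-alone demonstration over the constructed samples.
for sample in BROKEN_RULES FIXED_RULES NEGATED_RULES; do
    eval "rules=\$$sample"
    echo "$sample: $(masq_verdict "$rules" "$REMOTE_SUBNET")"
done
echo "suggested fix: $(masq_fix "$LOCAL_SUBNET" "$REMOTE_SUBNET")"
```

On a real gateway the same check runs as `masq_verdict "$(iptables -t nat -S POSTROUTING)" 10.10.12.0/24`; a verdict of `masqueraded` matches the symptom in the thread (SA established, nothing reachable), and the tcpdump Randy asks for would then show plaintext packets leaving eth0 with the WAN address as source instead of ESP. The check says nothing about why 10.10.12.1 still answers with IPsec stopped; `ip route get 10.10.12.1` is the command that shows which route carries that traffic.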