[Openswan Users] Openswan to Sonicwall - IKE config incorrect

Peter Butler Peter.Butler at it-freedom.com
Wed Jan 13 23:12:12 EST 2010


A very late followup to this, I finally got Openswan working with
Sonicwall, working behind NAT on a dynamic IP address. Hopefully this
will help someone else. Thanks to all who responded to my questions
(particularly Peter McGill, who very patiently helped me learn the
intricacies of Openswan configuration).

I'm on Ubuntu 9.10, here's how I did it:

1.	Become root: sudo -s (or better, "sudo passwd" and create a
password for root, then use "su" to become root)

2.	Install Openswan:

apt-get install openswan

3.	Uncomment the following line in /etc/sysctl.conf to enable IP
forwarding:

net.ipv4.ip_forward=1

Also do the following from the command line so that forwarding works for
your current session:

sysctl -w net.ipv4.ip_forward=1

4.	Enter the following into /etc/ipsec.conf (move the existing
ipsec.conf out of the way or delete the contents):

config setup
        nat_traversal=yes
        nhelpers=0
        protostack=netkey

conn sonicwall
        type=tunnel

        leftid=@ClientVPNId
        # This needs to be your current IP address on the local LAN
        left=192.168.0.1
        leftsubnet=0.0.0.0/0.0.0.0
        leftxauthclient=yes

        rightid=@ServerVPNId
        # This is the public IP address of the Sonicwall
        right=44.44.44.44
        # This is the subnet of the network behind the Sonicwall
        rightsubnet=10.210.0.0/16
        rightxauthserver=yes
        rightxauthserver=yes

        authby=secret
        auto=add
        auth=esp

        ike=3des-md5-modp1024
        phase2alg=3des-sha1
        pfs=no

        aggrmode=yes
        rekey=yes

Note that the IP address in "left" above needs to be the actual IP
address of the client box (i.e. the DHCP-assigned address on your local
network). If you do "ifconfig" you should be able to see the IP address
that you're using. If this address changes then you'll need to change
ipsec.conf; unfortunately, I haven't figured out a way to do this
automatically.

These settings have to match your Sonicwall settings exactly or nothing
will work. In particular, the ike and phase2alg sections have to match,
as does the right subnet. I used Wireshark to track down what Sonicwall
was expecting for the IKE and the server VPN id.

5.	Enter the following into /etc/ipsec.secrets (delete or move the
existing ipsec.secrets out of the way):

@ClientVPNId @ServerVPNId : PSK "ABCDEF012345678"

Once you have done this, do /etc/init.d/ipsec restart to reload
ipsec.secrets. Note that you need to get the PSK from the Sonicwall
configuration, it's not available in the Sonicwall Windows client XML
config.

6.	Enter the following commands:

ipsec auto --add sonicwall
ipsec auto --up sonicwall

It should then prompt you on the command line for a username and
password - this is the username/password that you use in the Sonicwall
Windows client. Once you've entered these you should be all set - you
should see a message saying "IPsec SA established tunnel mode". Note
that it doesn't set the network up properly, so you'll have to use an
/etc/hosts file that contains all the names and IP addresses of the
machines you want to access on the remote network. When you want to take
the IPsec connection down, use:

ipsec auto --down sonicwall

Cheers

Peter Butler
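As an added example (not code from this thread or from Openswan), the following POSIX sh script pulls individual settings out of a "conn" section of an ipsec.conf and reports the ones a reviewer would want to look at in the configuration above: 3DES, MD5, the 1024-bit MODP group, aggressive mode combined with a PSK, and pfs=no. These were dictated by the Sonicwall side, and changing them unilaterally only produces the NO-PROPOSAL-CHOSEN reply seen earlier in the thread, so the useful output is the list of points to raise with whoever administers the gateway. SAMPLE_CONF is a constructed copy of the posted conn with the inline "<-" annotations removed; the choice of checks is the example's own, and conn_param/audit_conn are this example's helpers, not Openswan tools.

```sh
#!/bin/sh
# Added example: audit one "conn" section of an ipsec.conf for settings a
# reviewer would want to know about. Not Openswan code; the checks below are
# this example's own choices. SAMPLE_CONF is a constructed copy of the conn
# from the post, with the "<-" annotations removed so the file parses.
SAMPLE_CONF='config setup
        nat_traversal=yes
        nhelpers=0
        protostack=netkey

conn sonicwall
        type=tunnel
        leftid=@ClientVPNId
        left=192.168.0.1
        leftsubnet=0.0.0.0/0.0.0.0
        leftxauthclient=yes
        rightid=@ServerVPNId
        right=44.44.44.44
        rightsubnet=10.210.0.0/16
        rightxauthserver=yes
        authby=secret
        auto=add
        auth=esp
        ike=3des-md5-modp1024
        phase2alg=3des-sha1
        pfs=no
        aggrmode=yes
        rekey=yes
'

# conn_param CONF CONN KEY: print the value of KEY inside "conn CONN"
# (empty if absent). A section ends at the next unindented line; "#"
# comments are stripped before the key=value split.
conn_param() {
    printf '%s\n' "$1" | awk -v conn="$2" -v key="$3" '
        /^conn[ \t]/ { in_conn = ($2 == conn); next }
        /^[^ \t]/    { in_conn = 0 }
        in_conn {
            line = $0
            sub(/#.*/, "", line)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            n = index(line, "=")
            if (n > 0 && substr(line, 1, n - 1) == key) {
                print substr(line, n + 1)
                exit
            }
        }'
}

# audit_conn CONF CONN: print one finding per line; the return status is
# the number of findings (0 = nothing flagged).
audit_conn() {
    conf=$1
    conn=$2
    findings=0
    ike=$(conn_param "$conf" "$conn" ike)
    esp=$(conn_param "$conf" "$conn" phase2alg)
    aggr=$(conn_param "$conf" "$conn" aggrmode)
    pfs=$(conn_param "$conf" "$conn" pfs)
    authby=$(conn_param "$conf" "$conn" authby)

    case "$ike $esp" in
        *3des*) echo "3DES in the IKE or ESP proposal (ike=$ike phase2alg=$esp)"
                findings=$((findings + 1)) ;;
    esac
    case "$ike" in
        *md5*) echo "MD5 integrity in the IKE proposal"
               findings=$((findings + 1)) ;;
    esac
    case "$ike" in
        *modp1024*) echo "1024-bit MODP group for the IKE key exchange"
                    findings=$((findings + 1)) ;;
    esac
    if [ "$aggr" = yes ] && [ "$authby" = secret ]; then
        echo "aggressive mode with a PSK: the PSK-derived hash is exposed in the first exchange, so the PSK must be long and random"
        findings=$((findings + 1))
    fi
    if [ "$pfs" = no ]; then
        echo "pfs=no: phase 2 keys are not protected by a fresh DH exchange"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone run against the constructed sample.
n=0
audit_conn "$SAMPLE_CONF" sonicwall || n=$?
echo "$n finding(s) in conn sonicwall"
```

To run it against a live system, replace SAMPLE_CONF with the contents of /etc/ipsec.conf (for example `audit_conn "$(cat /etc/ipsec.conf)" sonicwall`); conn_param on its own is also a quick way to confirm that the ike and phase2alg values really are the ones Wireshark showed the Sonicwall proposing.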

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Peter McGill
Sent: Friday, March 13, 2009 2:16 AM
To: Peter Butler; users at openswan.org
Subject: Re: [Openswan Users] Openswan to Sonicwall - IKE config
incorrect

It would really help to see your ipsec logs.
grep 'pluto' /var/log/* > ipseclog.txt

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Peter Butler
> Sent: March 12, 2009 1:54 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Openswan to Sonicwall - IKE 
> config incorrect
> 
> I think you're right. I've just run wireshark on the Openswan 
> box and I
> can see packets coming back from Sonicwall. I guess this 
> means that NAT
> is working at least. However, Sonicwall is still only giving me the
> "NO-PROPOSAL-CHOSEN" response. 
> 
> Cheers
> 
> Peter
> 
> -----Original Message-----
> From: Lawrence Manning [mailto:lawrence.manning at smoothwall.net] 
> Sent: 12 March 2009 17:33
> To: Peter Butler
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Openswan to Sonicwall - IKE config
> incorrect
> 
> 
> On 12 Mar 2009, at 17:24, Peter Butler wrote:
> 
> > Ah, I think NAT might be the problem. According to this, my network
> > provider (Vodafone UK) uses NAT and port address translation:
> >
> > http://forum.vodafone.co.uk/index.php?showtopic=7813
> >
> > Does this mean I won't be able to use Openswan (or any other IPSec
> > client) with this network provider?
> 
> NAT-T mode IPSec (network packets encapsulated in UDP packets as  
> opposed to ESP) should pass through vodafone's NATing gateway just  
> nicely.
> 
> Openswan (and other 'swans) support NAT-T, assuming the config has  
> "nat_traversal=yes".
> 
> Hope that helps,
> 
> -- 
> 
> Lawrence Manning
> Lead Developer
> Smoothwall Ltd. -  http://www.smoothwall.net/
> 
> SmoothWall Limited
> 1 John Charles Way
> Leeds LS12 6QA
> United Kingdom
> 
> Phone:
> 1 800 959 3760 (USA, Canada and North America)
> 0870 1 999 500 (United Kingdom)
> +44 870 1 999 500 (all other countries)
> Fax:
> +44 870 1 991 399
> 
> SmoothWall Limited is registered in England, Company Number: 4298247
> 
> This email and any attachments transmitted with it are 
> confidential to  
> the intended recipient(s) and may not be communicated to any other  
> person or published by any means without the permission of 
> SmoothWall  
> Limited.  Any opinions stated in this message are solely 
> those of the  
> author.  See: http://smoothwall.net/company/email.php for the full  
> text of this notice.

_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

_______________________________________________________________________
The information contained in this e-mail is confidential and may be privileged. It is intended for the addressee only. If you are not the intended recipient, please delete this e-mail immediately. The contents of this e-mail must not be disclosed or copied without the sender's consent. The statements and opinions expressed in this message are those of the author and do not necessarily reflect those of the company. The company does not take any responsibility for the views of the author.

Registered Office: IT-Freedom Limited, 9 Minster Court, Tuscam Way, Camberley, Surrey GU15 3YY 
Registered in England, Number: 04500346
_______________________________________________________________________