[Openswan Users] Openswan to Sonicwall

Michael DiMartino michael at hudsonstreet.us
Fri Sep 10 15:45:55 EDT 2010


My goal is to setup a SITE to SITE vpn using Pre-Shared-Key. between
my openswan box and my Sonicwall.
I have been going at this for sometime and now I am just moving in
circles. Any help will be greatly appreciated.

Leftside (openswan)
     Inside IP: 10.179.168.101/19  (eth1)
     Outsite IP : 185.107.225.171/24  (eth0)

Rightside (sonicwall)
     Inside subnet: 192.168.168.0/24
     Outside IP: 217.58.22.147

My ipsec.conf file

config setup
   nat_traversal=yes
   nhelpers=0
   interfaces="ipsec0=eth0"

conn sonicwall
     type=tunnel
     left=10.179.168.101 #Inside IP of Openswan server.
     leftid=@cloud
     leftxauthclient=yes
     right=217.58.22.147 #IP address of your sonicwall router
     rightsubnet=192.168.168.0/24 # inside subnet of sonicwall
     rightxauthserver=yes
     rightid=@sonicwall.unique.identifier
     keyingtries=0
     pfs=yes
     aggrmode=yes
     auto=add
     auth=esp
     esp=3DES-SHA1
     ike=3DES-SHA1
     authby=secret
     #xauth=yes


Results of starting the site to site
[root at FTOpenSwan etc]# ipsec auto --up sonicwall
003 "sonicwall" #1: multiple transforms were set in aggressive mode.
Only first one used.
003 "sonicwall" #1: transform (5,2,2,0) ignored.
003 "sonicwall": pluto_do_crypto: helper (-1) is  exiting
003 "sonicwall" #1: multiple transforms were set in aggressive mode.
Only first one used.
003 "sonicwall" #1: transform (5,2,2,0) ignored.
112 "sonicwall" #1: STATE_AGGR_I1: initiate
010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 20s for response

STATUS

[root at FTOpenSwan ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 185.107.225.171
000 interface eth0/eth0 185.107.225.171
000 interface eth1/eth1 10.179.168.101
000 interface eth1/eth1 10.179.168.101
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= was not specified, or there was a syntax
000          error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC,
blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64}
trans={0,1,3072} attrs={0,1,2048}
000
000 "sonicwall":
10.179.168.101<10.179.168.101>[@cloud,+XC+S=C]...217.58.22.147<217.58.22.147>[@0017C55C5692,+XS+S=C]===192.168.168.0/24;
unrouted; eroute owner: #0
000 "sonicwall":     myip=unset; hisip=unset;
000 "sonicwall":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "sonicwall":   policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW+lKOD+rKOD; prio:
32,24; interface: eth1;
000 "sonicwall":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "sonicwall":   IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)-MODP1536(5),
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict
000 "sonicwall":   IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-5, 3DES_CBC(5)_192-SHA1(2)_160-2,
000 "sonicwall":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=-strict
000 "sonicwall":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000
000 #1: "sonicwall":500 STATE_AGGR_I1 (sent AI1, expecting AR1);
EVENT_RETRANSMIT in 18s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "sonicwall" replacing #0



-- 
--
Regards,
Michael Di Martino
Principle
Hudson Street Technology Group
m: +1631.988.6060
michael at hudsonstreet.us
http://hudsonstreet.us


More information about the Users mailing list