[Openswan Users] PSK VPN

Troy Telford ttelford.groups at gmail.com
Wed Sep 15 07:57:15 EDT 2010

On 2010-09-14 18:49:13 -0600, Michael DiMartino said:

> I am attempting unsuccessfully to set up a site to site PSK VPN w/ my
> Sonicwall.
> Any help with this will be greatly appreciated. I have included my
> config and the logs.

I can't claim to be anything more than a novice...

Have you read the following thread in the list archive?


The things I've noticed that are wrong are below:

> Leftside (openswan)
>     Inside IP:  (eth1)
>     Outsite IP :  (eth0)
> Rightside (sonicwall)
>     Inside subnet:
>     Outside IP:
> My ipsec.conf file
> config setup
>   nat_traversal=yes
>   nhelpers=0

>   interfaces="ipsec0=eth0"
This particular line is only valid if you're using the KLIPS (or mast) 
IPsec stack.  Your logs indicate that you're using NETKEY:  (000 using 
kernel interface: netkey)

I'm not positive, but I think

would be the right choice - it's valid, at least.

> conn sonicwall
>     type=tunnel
>     left= #Inside IP of Openswan server.
>     leftid=@cloud
>     leftxauthclient=yes
>     right= #IP address of your sonicwall router
>     rightsubnet= # inside subnet of sonicwall
>     rightxauthserver=yes
>     rightid=@sonicwall.unique.identifier
>     keyingtries=0
>     pfs=yes

>     aggrmode=yes

Everything I've read says aggrmode=yes isn't a good idea.  I'm not sure 
if it's causing your particular problem, however.

>     auto=add
>     auth=esp
>     esp=3DES-SHA1
>     ike=3DES-SHA1
>     authby=secret
>     #xauth=yes

As far as your logs go:  What OS/Linux distribution are you using?  The 
contents of 'ipsec auto --status' are useful, but what do the actual 
logfiles in /var/log say?

(it helps to use 'grep' to filter out only the entries from 'pluto'; 
i.e. 'cat /var/log/syslog | grep pluto')

Troy Telford
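As an added example (not code from the original thread or from the Openswan project), the following shell script turns the two observations in Troy's reply into a quick lint pass over an ipsec.conf: it flags an `interfaces=` line when the kernel stack in use is NETKEY (the directive is only meaningful for KLIPS/mast) and flags `aggrmode=yes`. The sample configuration it checks is constructed here with placeholder RFC 5737 addresses, the kernel stack name is passed in by hand rather than read from `ipsec auto --status`, and the function name `check_ipsec_conf` is this example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread. A small lint pass over an
# Openswan ipsec.conf that flags the two problems raised in the reply above:
#   1. interfaces="ipsecN=ethN" is a KLIPS/mast-only directive; with the
#      NETKEY stack it is the wrong knob.
#   2. aggrmode=yes selects IKEv1 Aggressive Mode, which with a PSK exposes the
#      peer identity and an offline-crackable PSK hash to a passive observer.
# The kernel stack name is passed in by the caller (normally taken from the
# "using kernel interface: ..." line of 'ipsec auto --status'), so nothing
# here needs a running Openswan.

# check_ipsec_conf CONF_FILE KERNEL_STACK
# Prints one "WARN: ..." line per finding, then "FINDINGS: N". Always exits 0
# so it is safe to call under 'set -e'.
check_ipsec_conf() {
    conf="$1"
    stack="$2"
    findings=0

    # Drop comments and leading whitespace so each directive sits at column 1.
    cleaned=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$conf")

    if [ "$stack" = "netkey" ] && printf '%s\n' "$cleaned" | grep -q '^interfaces='; then
        echo "WARN: 'interfaces=' is only honoured by KLIPS/mast, but the kernel stack is netkey"
        findings=$((findings + 1))
    fi

    if printf '%s\n' "$cleaned" | grep -q '^aggrmode=yes'; then
        echo "WARN: aggrmode=yes enables IKEv1 Aggressive Mode; use Main Mode for a PSK tunnel"
        findings=$((findings + 1))
    fi

    echo "FINDINGS: $findings"
    return 0
}

# Constructed sample config (placeholder RFC 5737 addresses, not the poster's).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
config setup
  nat_traversal=yes
  nhelpers=0
  interfaces="ipsec0=eth0"

conn sonicwall
    type=tunnel
    left=192.0.2.10
    leftid=@cloud
    right=198.51.100.1
    rightsubnet=10.0.0.0/24
    rightid=@sonicwall.unique.identifier
    keyingtries=0
    pfs=yes
    aggrmode=yes
    auto=add
    auth=esp
    esp=3DES-SHA1
    ike=3DES-SHA1
    authby=secret
EOF

# The same config with both flagged lines removed, to show a clean run.
CLEAN_CONF=$(mktemp)
grep -v -e 'interfaces=' -e 'aggrmode=' "$SAMPLE_CONF" > "$CLEAN_CONF"

# Run stand-alone: the first call reports two findings, the second none.
check_ipsec_conf "$SAMPLE_CONF" netkey
check_ipsec_conf "$CLEAN_CONF" netkey
```

The script deliberately only reports; it does not rewrite the file or suggest a replacement `interfaces=` value, since that choice depends on the host's routing. Run it against a real `/etc/ipsec.conf` with the stack name copied from `ipsec auto --status`.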
