[Openswan Users] sonicwall roadwarrior
Iain Pople
iain at brunny.com
Mon Sep 20 20:27:35 EDT 2010
Hi,

I have a working config to connect to a Sonicwall NSA 3500. The problem is I
can only ping the Sonicwall itself (10.23.0.254), not any of the hosts
behind it (10.23.0.0/24). When using the Windows Sonicwall client I am
assigned an IP address in the 10.23.0.0/24 range via DHCP. I assume this is
the reason why I am unable to contact any hosts using Openswan. What is the
correct way to do this using the netkey driver? I understand that netkey
doesn't actually set up a virtual network interface with an IP, so how do I
get a valid IP address?

# ipsec auto --up melbourne
112 "melbourne" #1: STATE_AGGR_I1: initiate
003 "melbourne" #1: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
003 "melbourne" #1: ignoring unknown Vendor ID payload [5b362bc820f60007]
003 "melbourne" #1: received Vendor ID payload [RFC 3947] method set to=109
003 "melbourne" #1: received Vendor ID payload [Dead Peer Detection]
003 "melbourne" #1: received Vendor ID payload [XAUTH]
003 "melbourne" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
004 "melbourne" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
004 "melbourne" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
003 "melbourne" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
003 "melbourne" #1: received and ignored informational message
004 "melbourne" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
117 "melbourne" #2: STATE_QUICK_I1: initiate
004 "melbourne" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xed3ae2ea <0x833df1ed xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=xx.xx.xx.xx:4500 DPD=none}

Here is my ipsec.conf:

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn melbourne
    aggrmode=yes
    authby=secret
    auto=add
    ike=3des-sha1-modp1024
    phase2=esp
    phase2alg=3des-sha1
    pfs=no
    ikelifetime=28800s
    keyingtries=1
    left=%defaultroute
    leftid=@GroupVPN
    leftxauthclient=yes
    leftxauthusername=username
    right=xx.xx.xx.xx
    rightid=@sonicwallid
    rightsubnet=10.23.0.0/24
    rightxauthserver=yes

ipsec.secrets:
@GroupVPN @sonicwallid : PSK "xxxxxxxxxxxxxx"
@username : XAUTH "xxxxxxxxxx"