[Openswan Users] Trying to set up Openswan for the SonicWALL Network Security Appliance (NSA) 2400

László Monda laci at monda.hu
Tue Aug 16 15:06:03 EDT 2011


Dear List,

The company I work for uses the SonicWALL Crapwork... I mean Network
Security Appliance (NSA) 2400 model, Product Code: 5805, Firmware
Version: SonicOS Enhanced 5.8.0.1-31o, URL is
http://www.sonicwall.com/us/products/NSA_2400.html

Most of my colleagues who work from the office which has the VPN
already installed and those who use Mac OS or Android to connect to
the VPN are satisfied with it.  Some of my colleagues however who are
using Linux are truly bothered by the official SonicWall NetExtender
client because of its miserable bandwidth and its flaky connections
and I'm one of those people.

For a while I've been trying to set up Openswan so that I could reach
the company network with a bandwidth that's better than the Internet
of the 90s.  I try to include all the relevant information about my
configuration below hoping that you can help me and some of my
colleagues and make our work a thousand times more pleasurable as a
result.

----

Server configuration web interface:

"General" tab follows

"Security Policy" section follows:
* Authentication Method: IKE using Preshared Secret
* Name: "WAN GroupVPN"
* Shared Secret: "sharedsecret"  # obscured from public

"Proposals" tab follows

"IKE (Phase 1) Proposal" section follows
* DH Group: Group 2
* Encryption: 3DES
* Authentication: SHA1
* Life Time(seconds): 28800

"Ipsec (Phase 2) Proposal" section follows
* Protocol: ESP
* Encryption: 3DES
* Authentication: SHA1
* Enable Perfect Forward Secrecy - unchecked checkbox
* Life Time (seconds): 28800

"Advanced" tab follows

"Advanced Settings" section follows
* Enable Windows Networking (NetBIOS) Broadcast: unchecked checkbox
* Enable Multicast: unchecked checkbox
* Management via this SA: HTTPS
* Default Gateway: 0.0.0.0

"Client Authentication" section follows
* Require authentication of VPN clients by XAUTH: checked checkbox
* User group for XAUTH users: sslvpn-users
* Allow Unauthenticated VPN Client Access: inactive combobox
containing "--Select Local Network--"

"Client" tab follows

"User Name and Password Caching" Section follows
* Cache XAUTH User Name and Password on Client: Always

"Client Connections" section follows
* Virtual Adapter settings: DHCP Lease
* Allow Connections to: Split Tunnels
* Set Default Route as this Gateway: unchecked combobox

"Client Initial Provisioning" section follows
* User Default Key for Simple Client Provisioning: unchecked combobox

----

ipsec.conf :

config setup
    nat_traversal=yes
    protostack=netkey
    interfaces=%defaultroute

conn sonicwall
    type=tunnel
    left=%defaultroute
    leftid=@myvpn
    right=vpn.company.com  # obscured from public
    rightsubnet=72.9.41.0/25
    rightxauthserver=yes
    rightid=@company
    pfs=no
    aggrmode=no
    keyexchange=ike
    auto=add
    auth=esp
    esp=3des-sha1
    ike=3des-sha1-modp1024
    authby=secret

----

ipsec.secrets :

@myvpn @company : PSK "sharedsecret"

----

# /etc/init.d/ipsec restart; ipsec setup --start; ipsec whack --listen; ipsec whack --name sonicwall --initiate
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.28/K2.6.38-10-generic...
ipsec_setup: Openswan IPsec apparently already active, start aborted
002 listening for IKE messages
003 NAT-Traversal: Trying new style NAT-T
003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family
IPv4 (errno=19)
003 NAT-Traversal: Trying old style NAT-T
002 adding interface eth0/eth0 10.66.67.10:500
002 adding interface eth0/eth0 10.66.67.10:4500
002 adding interface lo/lo 127.0.0.1:500
002 adding interface lo/lo 127.0.0.1:4500
002 adding interface lo/lo ::1:500
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
002   loaded private key file '/etc/ipsec.d/private/nitehawkKey.pem'
(1679 bytes)
002 loaded private key for keyid: PPK_RSA:AwEAAdeSE
002 "sonicwall" #1: initiating Main Mode
104 "sonicwall" #1: STATE_MAIN_I1: initiate
003 "sonicwall" #1: ignoring unknown Vendor ID payload [5b362bc820f60007]
003 "sonicwall" #1: received Vendor ID payload [RFC 3947] method set to=109
002 "sonicwall" #1: enabling possible NAT-traversal with method 4
002 "sonicwall" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #1: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
003 "sonicwall" #1: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #1: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): i am NATed
002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "sonicwall" #1: received 1 malformed payload notifies
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
002 "sonicwall" #1: received 2 malformed payload notifies
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
002 "sonicwall" #1: received 3 malformed payload notifies
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
031 "sonicwall" #1: max number of retransmissions (2) reached
STATE_MAIN_I3.  Possible authentication failure: no acceptable
response to our first encrypted message
000 "sonicwall" #1: starting keying attempt 2 of an unlimited number,
but releasing whack

----

So far it seems to me that I've had some moderate success at almost
establishing the IPSec connection but I'm stuck at the STATE_MAIN_I3
stage for some reason.

The weird thing is that some people told me that on Mac OS and Android
one only has to specify some very basic connection information to be
able to connect, namely the username, the password, the hostname and
maybe the shared secret.  That makes me think that some kind of
autoconfiguration mechanism exists for negotiating the encryption
protocol and maybe other connection parameters that are used with
L2TP.

Any help is truly appreciated.

Thanks in advance!

-- 
László Monda <http://monda.hu>
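An added triage helper (not part of the original post or of Openswan) that reads pluto output like the excerpt quoted above and reports how far the IKEv1 Main Mode exchange got and why it stalled. The SAMPLE_LOG is a constructed excerpt of the quoted output with wrapped lines joined; the interpretation rule is that PAYLOAD_MALFORMED notifies in reply to MI3, the first encrypted message, point at Phase 1 authentication (pre-shared key or identity) rather than at a proposal mismatch, which would already have failed at MI1/MR1.

```python
import re

# Constructed excerpt of the pluto output quoted in the post (wrapped lines joined).
SAMPLE_LOG = """\
002 "sonicwall" #1: initiating Main Mode
104 "sonicwall" #1: STATE_MAIN_I1: initiate
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
003 "sonicwall" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "sonicwall" #1: received 1 malformed payload notifies
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
002 "sonicwall" #1: received 2 malformed payload notifies
031 "sonicwall" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

TRANSITION_RE = re.compile(r"transition from state \S+ to state (STATE_\w+)")
MALFORMED_RE = re.compile(r"received (\d+) malformed payload notifies")
RETRANS_RE = re.compile(r"(STATE_\w+): retransmission")
VENDOR_RE = re.compile(r"received Vendor ID payload \[([^\]]+)\]")


def triage_pluto_log(text):
    """Summarise an Openswan IKEv1 Main Mode attempt from pluto log lines."""
    s = {"last_state": None, "vendor_ids": [], "nated": False,
         "malformed_notifies": 0, "retransmissions": 0, "gave_up": False}
    for line in text.splitlines():
        m = TRANSITION_RE.search(line)
        if m:
            s["last_state"] = m.group(1)
        m = MALFORMED_RE.search(line)
        if m:  # pluto logs a running count, so keep the highest value seen
            s["malformed_notifies"] = max(s["malformed_notifies"], int(m.group(1)))
        if RETRANS_RE.search(line):
            s["retransmissions"] += 1
        m = VENDOR_RE.search(line)
        if m:  # peer capabilities advertised in Phase 1 (e.g. XAUTH, DPD)
            s["vendor_ids"].append(m.group(1))
        if "i am NATed" in line:
            s["nated"] = True
        if "max number of retransmissions" in line:
            s["gave_up"] = True
    # MI3 is the first encrypted Main Mode message; malformed-payload notifies in
    # reply mean the peer could not decrypt/verify it, the usual sign of a PSK or
    # identity mismatch. A proposal mismatch would have failed earlier, at MI1/MR1.
    if s["gave_up"] and s["last_state"] == "STATE_MAIN_I3" and s["malformed_notifies"]:
        s["diagnosis"] = "phase1-auth: peer rejects first encrypted message (check PSK/IDs)"
    elif s["gave_up"]:
        s["diagnosis"] = "stalled at %s with no usable reply" % s["last_state"]
    else:
        s["diagnosis"] = "negotiation still in progress or completed"
    return s


if __name__ == "__main__":
    print(triage_pluto_log(SAMPLE_LOG))
```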
