[Openswan Users] Trying to set up Openswan for the SonicWALL Network Security Appliance (NSA) 2400

Neal Murphy neal.p.murphy at alum.wpi.edu
Wed Aug 17 00:21:12 EDT 2011

On Tuesday 16 August 2011 17:16:27 Neal Murphy wrote:
> On Tuesday 16 August 2011 15:06:03 László Monda wrote:
> > Dear List,
> > 
> > The company I work for uses the SonicWALL Crapwork... I mean Network
> > Security Appliance (NSA) 2400 model, Product Code: 5805, Firmware
> > Version: SonicOS Enhanced, URL is
> > http://www.sonicwall.com/us/products/NSA_2400.html
> If you have access to the sonicwall, go through its configs again and pay
> close attention to LANs and local & remote addresses. I think you
> overlooked a couple parameters that aren't obvious (at least until you
> *see* them and cry, "Doh!")

This is for a net-to-net config. I haven't tried a road warrior setup.

On the sonicwall (PRO 1260 Enhanced, running version 3.2):
Under VPN, Settings, edit your config and in its General tab:
  - primary gateway is your hostname or IP address
  - local IKE ID is its IP address
  - peer IKE ID is your IP address or domain name
Under your config's Network tab:
  - you may have to define a destination network to match your environment
    and select it
Under your config's Proposals tab:
  - your proposals looked OK. But beware:
    o The DH Group may be 5 for each phase
    o The authentication might be MD5 for each phase
Under your config's Advanced tab:
  - Check 'Enable keep-alive'
  - If you are going through a NAT router, check 'Apply NAT policies' and
    select your defined LAN for the 'Translated Remote Network'

Under VPN, Advanced, you may need:
  - Dead Peer Detection
  - Enable fragmented packet handling
  - Enable NAT traversal
  - Clean up active tunnels when host name resolves to a different address

Under Network, Address Objects, you may need to define objects for your 
network to use in the settings, network and advanced tabs, above.

That's pretty much all I had to futz with. Referring to the 'Proposals tab' 
above, your problem might be confined to the selection of SHA1 or MD5 and/or 
the selection of DH Group 2 or 5. Start with the DH Group setting. Those are 
the things that kept smoothwall from connecting when they were 'wrong'.
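The following is an added example, not part of Neal's post or any SonicWALL or Openswan documentation: an Openswan ipsec.conf stanza for the net-to-net tunnel described above, with each setting mapped to the SonicWALL tab it has to agree with. The addresses, IDs and subnets are constructed placeholders (RFC 5737 and private ranges); the connection name is hypothetical.

```ini
# Added example (not from the post): Openswan side of a net-to-net tunnel to a
# SonicWALL. All addresses, IDs and subnets below are constructed placeholders.
config setup
    protostack=netkey
    nat_traversal=yes              # pairs with "Enable NAT traversal" under VPN, Advanced
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn sonicwall-site                # hypothetical connection name
    type=tunnel
    keyexchange=ike
    authby=secret                  # pre-shared key lives in /etc/ipsec.secrets
    # Openswan side ("left"); the SonicWALL calls this host its "Primary Gateway"
    left=203.0.113.10              # placeholder public address of the Openswan box
    leftid=203.0.113.10            # must equal the SonicWALL "Peer IKE ID"
    leftsubnet=192.168.1.0/24      # what the SonicWALL selects as its remote network
    # SonicWALL side ("right")
    right=198.51.100.20            # placeholder public address of the SonicWALL
    rightid=198.51.100.20          # must equal the SonicWALL "Local IKE ID"
    rightsubnet=192.168.2.0/24     # the LAN address object defined on the SonicWALL
    # Proposals tab: DH Group 2 is modp1024, DH Group 5 is modp1536. Cipher, hash
    # and group must match for each phase or IKE fails before anything is logged
    # usefully. MD5 and modp1024 are weak by today's standards; use SHA1/AES and
    # the larger group wherever the peer will negotiate them.
    ike=aes128-sha1;modp1536
    phase2alg=aes128-sha1;modp1536
    pfs=yes
    ikelifetime=8h
    keylife=1h
    # Dead Peer Detection, matching the setting under VPN, Advanced
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
```

The matching pre-shared key entry in /etc/ipsec.secrets takes the form `203.0.113.10 198.51.100.20 : PSK "your-key-here"` with the same two addresses used for left and right. If the tunnel still will not come up, `ipsec auto --status` and the Pluto log will show which phase fails; a proposal mismatch (the DH group or hash the post mentions) shows up as phase 1 never completing, while an IKE ID mismatch typically shows up as the peer rejecting the identity right after the proposal is accepted.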

