[Openswan Users] Trying to set up Openswan for the SonicWALL Network Security Appliance (NSA) 2400
Neal Murphy
neal.p.murphy at alum.wpi.edu
Wed Aug 17 00:21:12 EDT 2011
On Tuesday 16 August 2011 17:16:27 Neal Murphy wrote:
> On Tuesday 16 August 2011 15:06:03 László Monda wrote:
> > Dear List,
> >
> > The company I work for uses the SonicWALL Crapwork... I mean Network
> > Security Appliance (NSA) 2400 model, Product Code: 5805, Firmware
> > Version: SonicOS Enhanced 5.8.0.1-31o, URL is
> > http://www.sonicwall.com/us/products/NSA_2400.html
>
> If you have access to the sonicwall, go through its configs again and pay
> close attention to LANs and local & remote addresses. I think you
> overlooked a couple parameters that aren't obvious (at least until you
> *see* them and cry, "Doh!")
This is for a net-to-net config. I haven't tried a road warrior setup.
On the sonicwall (PRO 1260 Enhanced, running version 3.2):
Under VPN, Settings, edit your config and in its General tab:
- primary gateway is your hostname or IP address
- local IKE ID is its IP address
- peer IKE ID is your IP address or domain name
Under your config's Network tab:
- you may have to define a destination network to match your environ
and select it
Under your config's Proposals tab:
- your proposals looked OK. But beware:
o The DH Group may be 5 for each phase
o The authentication might be MD5 for each phase
Under your config's Advanced tab:
- Check 'Enable keep-alive'
- If you are going through a NAT router, check 'Apply NAT policies' and
select your defined LAN for the 'Translated Remote Network'
Under VPN, Advanced, you may need:
- Dead Peer Detection
- Enable fragmented packet handling
- Enable NAT traversal
- Clean up active tunnels when host name resolves to a different address
Under Network, Address Objects, you may need to define objects for your
network to use in the settings, network and advanced tabs, above.
That's pretty much all I had to futz with. Referring to the 'Proposals tab'
above, your problem might be confined to the selection of SHA1 or MD5 and/or
the selection of DH Group 2 or 5. Start with the DH Group setting. Those are
the things that kept smoothwall from connecting when they were 'wrong'.
N
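For the Openswan side of the same net-to-net tunnel, an added ipsec.conf fragment (not from the original post or the Openswan project) that mirrors the SonicWALL settings above. The connection name, addresses and subnets are made-up placeholders, and the algorithm strings assume the appliance really is set to DH Group 5 and MD5 in both phases, as the post says it may be; read the actual values off its Proposals tab before copying them.

```ini
# Added example: Openswan ipsec.conf mirroring the SonicWALL settings above.
# All addresses, subnets and names are constructed placeholders.
config setup
    protostack=netkey
    nat_traversal=yes          # SonicWALL: VPN > Advanced > Enable NAT traversal

conn to-sonicwall
    type=tunnel
    keyexchange=ike
    authby=secret              # pre-shared key; the matching entry lives in ipsec.secrets
    # Openswan side ("your" side in the post)
    left=%defaultroute
    leftid=@openswan.example.net   # FQDN ID = SonicWALL "Peer IKE ID" (domain name form)
    leftsubnet=192.168.10.0/24     # placeholder local LAN
    # SonicWALL side
    right=203.0.113.1              # placeholder WAN IP = SonicWALL "Primary gateway"
    rightid=203.0.113.1            # SonicWALL "Local IKE ID" is its own IP address
    rightsubnet=192.168.20.0/24    # placeholder destination network (address object)
    # Proposals: Openswan offers ONE Phase 1 and Phase 2 proposal here, so it must
    # match the appliance exactly. modp1536 is DH Group 5; modp1024 would be Group 2.
    ike=3des-md5;modp1536          # Phase 1: 3DES, MD5 auth, DH Group 5
    esp=3des-md5;modp1536          # Phase 2: 3DES, MD5 auth, PFS with Group 5
    pfs=yes
    # Dead Peer Detection, matching VPN > Advanced > Dead Peer Detection
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start                     # bring the tunnel up at startup and keep it up
```

If the appliance shows SHA1 or Group 2 instead, change only the `ike=`/`esp=` suffixes (`md5` to `sha1`, `modp1536` to `modp1024`); a mismatch there is the first thing to suspect when Phase 1 never completes.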