[Openswan Users] Problems with "dynamic IP" client connection to Sonicwall

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Mar 13 17:22:13 EDT 2012


I have a SonicWall Pro 2040 router with SonicOS Enhanced 3.2.3.0-6e.
The SonicWall has a default "GroupVPN" policy for client VPN
connections.  Xauth authentication is used.  The "Virtual Adapter"
settings specify "DHCP lease or Manual Configuration."  Windows
clients with the SonicWall GlobalVPN client use a virtual NIC with DHCP
for the VPN connection.


I have a Linux client running Fedora Core 14 (x64) with the bundled
openswan ver 2.6.33-3.  This uses NETKEY for IPsec.  I have
configured an IPsec client VPN connection to the SonicWall.
This is an IPsec tunnel (not transport over PPTP or L2TP).  I am able to
connect if I specify the client's current IP in /etc/ipsec.conf.
But this means you have to update the ipsec.conf file every time your IP
address changes.  If I configure ipsec.conf to use
"left=%defaultroute" I get through the Xauth authentication but then the
connection fails.  Xauth authentication happens between phase 1 and
phase 2.


The client shows

         no acceptable response to our first quick mode message: perhaps 
peer likes no proposal


The server log shows

         IKE Responder: Received Quick Mode Request (Phase 2)
         IKE Responder: IPSec proposal does not match (Phase 2)


I changed the "Virtual Adapter Settings" on the SonicWall to "none" and
I was able to connect from the Linux Openswan VPN client.  I then
changed the "Virtual Adapter Settings" on the SonicWall back to "DHCP
lease or Manual Configuration" to keep the Windows users functional.
However, now the Linux client seems to be able to connect anyway (at
least for now).

I welcome advice on what is going on.


My ipsec.conf file generally looks like the following:

------------------------------------------------------------------------------------------------------------------------------------------------------------------------
config setup
        protostack=netkey
        interfaces=%defaultroute
        nat_traversal=yes


conn MYCOMPANY
        type=tunnel
# For dynamic IP support, uncomment the following line
        left=%defaultroute
# For a static IP, comment out left=%defaultroute and uncomment the following two lines
        #left=192.168.1.x
        #leftsubnet=192.168.1.0/24
        leftid=@GroupVPN
        leftxauthclient=yes
        right=PUBLIC_IP_OF_ROUTER
# the private LAN at work...
        rightsubnet=192.168.20.0/24
# rightid is the VPN server identifier
        rightid=@Sonic2040
        rightxauthserver=yes
        keyingtries=0
        pfs=no
        auth=esp
# IKE (Phase 1) proposal
        ike=3des-sha1-modp1024
# IPsec (Phase 2) proposal
        esp=3des-sha1
        authby=secret
        aggrmode=yes
        auto=add
# dpd settings don't seem to have an effect
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart


------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks
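The post's fallback of putting the client's current address in `left=` has to be redone on every address change. As an added example (not from the original post and not part of the Openswan project), the POSIX shell helper below reads the source address the kernel would use to reach the gateway, rewrites the `left=` line of the named conn without touching commented-out lines or `leftsubnet=`, and reloads that conn. The conn name MYCOMPANY, the gateway address, and the use of `ip route get` and `ipsec auto --replace` / `ipsec auto --up` on the client are assumptions about the host; it does nothing about the phase 2 "IPSec proposal does not match" error, which is decided by the SonicWall's own settings.

```shell
#!/bin/sh
# Added example, not from the original post. Regenerates the `left=` value of
# one openswan conn from the host's current address and reloads the conn.
# Assumptions: Linux with iproute2, openswan's `ipsec auto`, and an ipsec.conf
# laid out like the one in the post (conn header at column 0, keys indented).

# detect_local_ip GATEWAY: print the source address the kernel would use to
# reach GATEWAY (the "src" field of `ip route get`); empty if no route.
detect_local_ip() {
    gw="$1"
    ip -4 route get "$gw" 2>/dev/null | sed -n 's/.*src \([0-9.]*\).*/\1/p' | head -n 1
}

# rewrite_left CONN IP: copy an ipsec.conf from stdin to stdout, replacing the
# value of `left=` only inside section CONN. Commented lines (#left=...) and
# other keys such as leftsubnet= are left untouched; indentation is preserved.
rewrite_left() {
    name="$1"; newip="$2"
    awk -v conn="$name" -v ip="$newip" '
        /^conn /   { inconn = ($2 == conn) }   # enter/leave the target section
        /^config / { inconn = 0 }              # "config setup" is never the target
        inconn && /^[ \t]*left=/ { sub(/left=.*/, "left=" ip) }
        { print }
    '
}

# refresh_conn CONF CONN GATEWAY: rewrite CONF in place and reload CONN.
# Returns non-zero (and changes nothing) if no local address can be found.
refresh_conn() {
    conf="$1"; name="$2"; gw="$3"
    newip=$(detect_local_ip "$gw")
    if [ -z "$newip" ]; then
        echo "refresh_conn: no route to $gw, leaving $conf unchanged" >&2
        return 1
    fi
    rewrite_left "$name" "$newip" < "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # auto=add in the conn means it must be brought up explicitly after reload
    ipsec auto --replace "$name" && ipsec auto --up "$name"
}

# Typical use from a DHCP hook or cron job (gateway address is a placeholder):
#   refresh_conn /etc/ipsec.conf MYCOMPANY PUBLIC_IP_OF_ROUTER
```

Run `refresh_conn` from whatever fires on an address change (a dhclient exit hook, NetworkManager dispatcher script, or cron). Only the `left=` line is rewritten, so a `leftsubnet=` the user has uncommented for a fixed LAN will not silently be updated with it.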


