[Openswan Users] EC2 Instance trying to connect to Sonicwall via Openswan, not getting any IP and can't route
doug m
qrkyxboy at googlemail.com
Wed Jul 31 21:29:12 UTC 2013
Didn't help. The tail end of ipsec auto --status:
000 "sonicwall": 0.0.0.0/0===<my wan IP>[@GroupVPN,+XC+S=C]:17/1701---172.31.32.1...<his wan IP>[@XXXXXXXXXX,+XS+S=C]:17/0===192.168.10.0/24; erouted; eroute owner: #2
000 "sonicwall": myip=unset; hisip=unset;
000 "sonicwall": xauth info: myxauthuser=<username>;
000 "sonicwall": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sonicwall": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 0,24; interface: eth0;
000 "sonicwall": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "sonicwall": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "sonicwall": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "sonicwall": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "sonicwall": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=-strict
000 "sonicwall": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "sonicwall": ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=<N/A>
000
000 #2: "sonicwall":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27971s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "sonicwall" esp.5ebb5095@<his wan IP> esp.bc715754@<my wan IP> tun.0@<his wan IP> tun.0@<my wan IP> ref=0 refhim=4294901761
000 #1: "sonicwall":4500 STATE_XAUTH_I1 (XAUTH client - awaiting CFG_set); EVENT_SA_REPLACE in 28499s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
The only other thing I see is in auth.log:
Jul 31 21:21:33 ip-172-31-36-54 pluto[2308]: packet from <his wan IP>:4500: Mode Config message is for a non-existent (expired?) ISAKMP SA
It connects, it just doesn't get an IP.
-doug
On 31 July 2013 16:31, Leto <letoams at gmail.com> wrote:
> try adding forceencaps=yes
>
> sent from a tiny device
>
> On 2013-07-31, at 21:39, doug m <qrkyxboy at gmail.com> wrote:
>
> Working with a client and I'm thinking maybe the Sonicwall is at fault. I
> am trying to use the Linux instance to connect to the VPN via Sonicwall so
> it should be getting fed an IP from the 192.168.10.0/24 range but it gets
> nothing. It authenticates and is showing connected.
>
> 004 "sonicwall" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9eb4577b <0xfde7e679 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
> But I notice this in ipsec auto --status:
>
> 000 "sonicwall": myip=unset; hisip=unset;
>
> Here is the config:
>
> config setup
>     virtual_private=%v4:192.168.10.0/24
>     nat_traversal=yes
>     oe=off
>     protostack=netkey
>     plutodebug=none
>     interfaces=%defaultroute
>
> conn sonicwall
>     type=tunnel
>     left=xxxxxxxxxxx.compute.amazonaws.com
>     leftnexthop=%defaultroute
>     leftsubnet=0.0.0.0/0.0.0.0
>     leftprotoport=17/1701
>     leftid=@GroupVPN
>     leftxauthclient=yes
>     leftxauthusername=XXXXXX
>     right=remote.server.com
>     rightsubnet=192.168.10.0/24
>     rightprotoport=17/0
>     rightxauthserver=yes
>     rightid=@XXXXXXXX # The sonicwall's UID
>     pfs=no
>     aggrmode=yes
>     keyexchange=ike
>     auto=add
>     auth=esp
>     esp=3des-sha1
>     ike=3des-sha1-modp1024
>     ikelifetime=8h
>     authby=secret
>     rekey=no
>
> Not sure what next steps are -- there isn't much I haven't tried, any
> suggestions?
> thanks-
> -doug
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
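Added example, not part of the thread and not Openswan's own code: a small Python script that reads `ipsec auto --status` output of the shape Doug quoted and pulls out the three things worth checking when a client "connects" but never gets an address. The sample status and auth.log text are constructed from the post (RFC 5737 documentation addresses stand in for the redacted WAN IPs, the XAUTH username is invented). The flag letters inside the `[id,+flags]` part of the conn line are what Openswan prints: +XC/+XS for XAUTH client/server, +MC/+MS for ModeCfg client/server, S=C for sendcert=always. Note that the quoted status shows +XC but no +MC on the left end, i.e. the conn is an XAUTH client but is not set up as a ModeCfg client; whether that alone explains the missing address is not something the thread settles, so the script reports it as a finding rather than a verdict.

```python
"""Parse the conn and state lines of Openswan's `ipsec auto --status` output
and report the symptoms discussed in the thread. Sample input is constructed
from the post, not captured from a real host."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the post: RFC 5737 documentation addresses
# stand in for the redacted WAN IPs and the XAUTH username is invented.
SAMPLE_STATUS = """\
000 "sonicwall": 0.0.0.0/0===203.0.113.10[@GroupVPN,+XC+S=C]:17/1701---172.31.32.1...198.51.100.20[@XXXXXXXXXX,+XS+S=C]:17/0===192.168.10.0/24; erouted; eroute owner: #2
000 "sonicwall": myip=unset; hisip=unset;
000 "sonicwall": xauth info: myxauthuser=vpnuser;
000 "sonicwall": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 0,24; interface: eth0;
000 "sonicwall": newest ISAKMP SA: #1; newest IPsec SA: #2;
000
000 #2: "sonicwall":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27971s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "sonicwall":4500 STATE_XAUTH_I1 (XAUTH client - awaiting CFG_set); EVENT_SA_REPLACE in 28499s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
"""

# Constructed auth.log excerpt: one line of the kind quoted in the post plus
# one unrelated pluto line, so the scan has something to ignore.
SAMPLE_AUTH_LOG = """\
Jul 31 21:21:33 ip-172-31-36-54 pluto[2308]: packet from 198.51.100.20:4500: Mode Config message is for a non-existent (expired?) ISAKMP SA
Jul 31 21:21:35 ip-172-31-36-54 pluto[2308]: "sonicwall" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
"""

# Flags printed inside [id,+flags] on the conn line: XS/XC = XAUTH server/
# client, MS/MC = ModeCfg server/client, S=C/S=P/S=N = sendcert
# always/ifasked/never.
CONN_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<lsub>\S+?)===(?P<ends>.*?)===(?P<rsub>[^;]+);')
END_RE = re.compile(r'^(?P<host>[^\[\s]+)\[(?P<id>[^,\]]*)(?:,(?P<flags>[^\]]*))?\]')
IP_RE = re.compile(r'^000 "(?P<conn>[^"]+)": myip=(?P<myip>[^;]+); hisip=(?P<hisip>[^;]+);')
STATE_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<desc>[^)]*)\);(?P<rest>.*)$')
ORPHAN_MODECFG_RE = re.compile(r'Mode Config message is for a non-existent \(expired\?\) ISAKMP SA')


@dataclass
class Sa:
    num: int
    state: str
    desc: str
    parent: Optional[int]  # ISAKMP SA an IPsec SA hangs off ("isakmp#N"), else None


@dataclass
class Conn:
    name: str
    left_flags: List[str] = field(default_factory=list)
    right_flags: List[str] = field(default_factory=list)
    myip: str = "unset"
    hisip: str = "unset"
    sas: Dict[int, Sa] = field(default_factory=dict)


def _flags(end_text: str) -> List[str]:
    """Return the +flag list of one end, e.g. '+XC+S=C' -> ['XC', 'S=C']."""
    m = END_RE.match(end_text)
    if not m or not m["flags"]:
        return []
    return [f for f in m["flags"].split("+") if f]


def parse_status(text: str) -> Dict[str, Conn]:
    """Build a Conn per connection from the lines of `ipsec auto --status`."""
    conns: Dict[str, Conn] = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conn = conns.setdefault(m["conn"], Conn(m["conn"]))
            # left_host[...]:proto---nexthop...right_host[...]:proto
            left, right = m["ends"].split("...", 1)
            conn.left_flags, conn.right_flags = _flags(left), _flags(right)
            continue
        m = IP_RE.match(line)
        if m:
            conn = conns.setdefault(m["conn"], Conn(m["conn"]))
            conn.myip, conn.hisip = m["myip"], m["hisip"]
            continue
        m = STATE_RE.match(line)
        if m:
            conn = conns.setdefault(m["conn"], Conn(m["conn"]))
            p = re.search(r"isakmp#(\d+)", m["rest"])
            num = int(m["sa"])
            conn.sas[num] = Sa(num, m["state"], m["desc"], int(p.group(1)) if p else None)
    return conns


def diagnose(conn: Conn) -> List[Tuple[str, str]]:
    """Return (code, message) pairs for the symptoms of interest."""
    findings: List[Tuple[str, str]] = []
    if "XC" in conn.left_flags and "MC" not in conn.left_flags:
        findings.append(("no-modecfg-client",
                         "left end is an XAUTH client (+XC) but not a ModeCfg client (+MC)"))
    if conn.myip == "unset":
        findings.append(("myip-unset", "no virtual address assigned (myip=unset)"))
    for sa in conn.sas.values():
        parent = conn.sas.get(sa.parent) if sa.parent is not None else None
        if "IPsec SA established" in sa.desc and parent and parent.state.startswith("STATE_XAUTH_"):
            findings.append(("ipsec-sa-under-xauth",
                             f"IPsec SA #{sa.num} established while its ISAKMP SA #{parent.num} "
                             f"is still in {parent.state}"))
    return findings


def count_orphan_modecfg(log_text: str) -> int:
    """Count pluto lines complaining about a Mode Config message for a dead ISAKMP SA."""
    return sum(1 for line in log_text.splitlines() if ORPHAN_MODECFG_RE.search(line))


if __name__ == "__main__":
    for name, conn in parse_status(SAMPLE_STATUS).items():
        for code, msg in diagnose(conn):
            print(f'{name}: [{code}] {msg}')
    print(f"orphan Mode Config messages in auth.log: {count_orphan_modecfg(SAMPLE_AUTH_LOG)}")
```

Run it against the real output with `ipsec auto --status | python3 thisfile.py` after swapping `SAMPLE_STATUS` for `sys.stdin.read()`; the finding codes are stable strings so the check can be dropped into a monitoring job.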