[Openswan Users] SonicOs Enhanced - Default Group VPN and OpenSwan

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Jun 10 13:52:53 UTC 2013

Are you trying to give the VPN client an IP address from the Sonicwall 
DHCP server?

This works with the Windows client since the windows client creates a 
virtual Sonicwall  NIC, which gets an IP address from the Sonicwall DHCP 
server (or which ever DHCP server that the sonicwall may relay DHCP 
request to.)  The virtual NIC is somehow bridged to the sonicwall LAN.

OpenSwan does not create a virtual NIC.    Even if you did create a 
virtual NIC (e.g. eth0:1) I don't know how you could request an IP 
address from a DHCP server on a different LAN.

Sonicwall has an SSL VPN option as well-   they provide a linux client 
for it.  I have tested the windows client but not he linux client so I 
don't know if it creates a virtual NIC for linux clients  (it does for 
windows clients.)  SSL VPN does not have a PSK so I wouldn't use it w/o 
additional authentication e.g. RSA SecurID.

On 06/10/13 09:06, Davide Fanciola wrote:
> Hi,
> we are using a SonicWall box with the default GroupVPN setup and the
> internal DHCP is used to configure VPN clients addresses. We are not
> using L2TP, just the internal DHCP that comes with the SonicWall.
> I've managed to configure OpenSwan to connect and access the VPN
> networks, but i cannot get the dhcp part to work.
> The problem i have is that when I access VPN resources, my source ip is
> unchanged (same as in my LAN) and I would like to be seen as a "VPN DHCP
> Client" on the other side.
> Here is the config i'm using now :
> ********************
> config setup
>      nat_traversal=yes
>      oe=off
>      protostack=netkey
>      interfaces=%defaultroute
> conn sonicwall
>      type=tunnel
>      left=%defaultroute
>      leftid=@GroupVPN
>      leftxauthclient=yes
>      leftxauthusername=<USERNAME>
>      right=<SONIC_IP>
>      rightid=@<SONIC_ID>
>      rightsubnet=
>      rightxauthserver=yes
>      modecfgpull=yes
>      keyingtries=0
>      pfs=no
>      aggrmode=yes
>      keyexchange=ike
>      auto=add
>      auth=esp
>      ike=3des-sha1
>      phase2alg=3des-sha1
>      authby=secret
> ********************
> I've tried to add "rightmodecfgserver=yes" and "leftmodecfgclient=yes"
> but with no success. Changing modecfgpull from yes to no have no effect
> on the actual configuration.
> I've also tried to set "leftsubnet=" but despite being
> able to connect without apparent errors (SonicWall logs agrees) packets
> are not routed correctly.
> Also tried to add leftnexthop and leftsourceip with various combinations
> but still no luck.
> Maybe after all what I'm trying to do is not supported, the docs I've
> found on the SonicWall(ehm...Dell) web site are suggesting this kind of
> configuration anyway.
> Does anyone know if it's possible to make OpenSwan get the network
> configuration from a SonicWall VPN? What would be a correct
> configuration for that case?
> Thanks in advance,
> Cheers,
> Davide
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list