[Openswan Users] SonicOs Enhanced - Default Group VPN and OpenSwan
dfanciola at gmail.com
Mon Jun 10 15:04:07 UTC 2013
On lun, 2013-06-10 at 09:52 -0400, Gaiseric Vandal wrote:
> Are you trying to give the VPN client an IP address from the Sonicwall
> DHCP server?
A valid alternative would be having a fixed ip in a predefined range and
not real LAN ip's. That's what i was trying to achieve by setting
"leftsubnet=172.16.0.101/32". Sonicwall seemed to agree with the
proposed config and phase 2 completed successfully, but with no
> This works with the Windows client since the windows client creates a
> virtual Sonicwall NIC, which gets an IP address from the Sonicwall DHCP
> server (or which ever DHCP server that the sonicwall may relay DHCP
> request to.) The virtual NIC is somehow bridged to the sonicwall LAN.
> OpenSwan does not create a virtual NIC. Even if you did create a
> virtual NIC (e.g. eth0:1) I don't know how you could request an IP
> address from a DHCP server on a different LAN.
Funny, i havent tried the eth0:1 thing, but it cames to my mind ;)
As i mentioned above, even without DHCP i would like to be able to set
the IP seen on the other side.
> Sonicwall has an SSL VPN option as well- they provide a linux client
> for it. I have tested the windows client but not he linux client so I
> don't know if it creates a virtual NIC for linux clients (it does for
> windows clients.) SSL VPN does not have a PSK so I wouldn't use it w/o
> additional authentication e.g. RSA SecurID.
I don't find SSL VPN very nice to work with anyway, i always end up
closing the browser by mistake :)
> On 06/10/13 09:06, Davide Fanciola wrote:
> > Hi,
> > we are using a SonicWall box with the default GroupVPN setup and the
> > internal DHCP is used to configure VPN clients addresses. We are not
> > using L2TP, just the internal DHCP that comes with the SonicWall.
> > I've managed to configure OpenSwan to connect and access the VPN
> > networks, but i cannot get the dhcp part to work.
> > The problem i have is that when I access VPN resources, my source ip is
> > unchanged (same as in my LAN) and I would like to be seen as a "VPN DHCP
> > Client" on the other side.
> > Here is the config i'm using now :
> > ********************
> > config setup
> > nat_traversal=yes
> > oe=off
> > protostack=netkey
> > interfaces=%defaultroute
> > conn sonicwall
> > type=tunnel
> > left=%defaultroute
> > leftid=@GroupVPN
> > leftxauthclient=yes
> > leftxauthusername=<USERNAME>
> > right=<SONIC_IP>
> > rightid=@<SONIC_ID>
> > rightsubnet=172.16.0.0/23
> > rightxauthserver=yes
> > modecfgpull=yes
> > keyingtries=0
> > pfs=no
> > aggrmode=yes
> > keyexchange=ike
> > auto=add
> > auth=esp
> > ike=3des-sha1
> > phase2alg=3des-sha1
> > authby=secret
> > ********************
> > I've tried to add "rightmodecfgserver=yes" and "leftmodecfgclient=yes"
> > but with no success. Changing modecfgpull from yes to no have no effect
> > on the actual configuration.
> > I've also tried to set "leftsubnet=172.16.0.101/32" but despite being
> > able to connect without apparent errors (SonicWall logs agrees) packets
> > are not routed correctly.
> > Also tried to add leftnexthop and leftsourceip with various combinations
> > but still no luck.
> > Maybe after all what I'm trying to do is not supported, the docs I've
> > found on the SonicWall(ehm...Dell) web site are suggesting this kind of
> > configuration anyway.
> > Does anyone know if it's possible to make OpenSwan get the network
> > configuration from a SonicWall VPN? What would be a correct
> > configuration for that case?
> > Thanks in advance,
> > Cheers,
> > Davide
> > _______________________________________________
> > Users at lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> Users at lists.openswan.org
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
More information about the Users