[Openswan Users] SonicOs Enhanced - Default Group VPN and OpenSwan
Davide Fanciola
dfanciola at gmail.com
Mon Jun 10 15:04:07 UTC 2013
On Mon, 2013-06-10 at 09:52 -0400, Gaiseric Vandal wrote:
> Are you trying to give the VPN client an IP address from the Sonicwall
> DHCP server?
Indeed!
A valid alternative would be having a fixed IP in a predefined range and
not real LAN IPs. That's what I was trying to achieve by setting
"leftsubnet=172.16.0.101/32". Sonicwall seemed to agree with the
proposed config and phase 2 completed successfully, but with no
routing.
>
> This works with the Windows client since the windows client creates a
> virtual Sonicwall NIC, which gets an IP address from the Sonicwall DHCP
> server (or whichever DHCP server that the sonicwall may relay DHCP
> request to.) The virtual NIC is somehow bridged to the sonicwall LAN.
>
> OpenSwan does not create a virtual NIC. Even if you did create a
> virtual NIC (e.g. eth0:1) I don't know how you could request an IP
> address from a DHCP server on a different LAN.
Funny, I haven't tried the eth0:1 thing, but it came to my mind ;)
As I mentioned above, even without DHCP I would like to be able to set
the IP seen on the other side.
>
>
>
> Sonicwall has an SSL VPN option as well- they provide a linux client
> for it. I have tested the windows client but not the linux client so I
> don't know if it creates a virtual NIC for linux clients (it does for
> windows clients.) SSL VPN does not have a PSK so I wouldn't use it w/o
> additional authentication e.g. RSA SecurID.
>
I don't find SSL VPN very nice to work with anyway, I always end up
closing the browser by mistake :)
Cheers,
Davide
>
>
>
>
> On 06/10/13 09:06, Davide Fanciola wrote:
> > Hi,
> >
> > we are using a SonicWall box with the default GroupVPN setup and the
> > internal DHCP is used to configure VPN clients addresses. We are not
> > using L2TP, just the internal DHCP that comes with the SonicWall.
> >
> > I've managed to configure OpenSwan to connect and access the VPN
> > networks, but I cannot get the DHCP part to work.
> > The problem i have is that when I access VPN resources, my source ip is
> > unchanged (same as in my LAN) and I would like to be seen as a "VPN DHCP
> > Client" on the other side.
> >
> > Here is the config I'm using now:
> >
> > ********************
> > config setup
> >     nat_traversal=yes
> >     oe=off
> >     protostack=netkey
> >     interfaces=%defaultroute
> >
> > conn sonicwall
> >     type=tunnel
> >     left=%defaultroute
> >     leftid=@GroupVPN
> >     leftxauthclient=yes
> >     leftxauthusername=<USERNAME>
> >     right=<SONIC_IP>
> >     rightid=@<SONIC_ID>
> >     rightsubnet=172.16.0.0/23
> >     rightxauthserver=yes
> >     modecfgpull=yes
> >     keyingtries=0
> >     pfs=no
> >     aggrmode=yes
> >     keyexchange=ike
> >     auto=add
> >     auth=esp
> >     ike=3des-sha1
> >     phase2alg=3des-sha1
> >     authby=secret
> > ********************
> >
> >
> > I've tried to add "rightmodecfgserver=yes" and "leftmodecfgclient=yes"
> > but with no success. Changing modecfgpull from yes to no has no effect
> > on the actual configuration.
> >
> > I've also tried to set "leftsubnet=172.16.0.101/32" but despite being
> > able to connect without apparent errors (SonicWall logs agree) packets
> > are not routed correctly.
> > Also tried to add leftnexthop and leftsourceip with various combinations
> > but still no luck.
> >
> > Maybe after all what I'm trying to do is not supported, the docs I've
> > found on the SonicWall(ehm...Dell) web site are suggesting this kind of
> > configuration anyway.
> >
> > Does anyone know if it's possible to make OpenSwan get the network
> > configuration from a SonicWall VPN? What would be a correct
> > configuration for that case?
> >
> > Thanks in advance,
> >
> > Cheers,
> > Davide
> >
> > _______________________________________________
> > Users at lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155