Old 11-17-2012, 04:12 AM   #1
LQ Newbie
Registered: Jun 2011
Posts: 4

Need urgent help to connect from Openswan in CentOS to a Sonicwall router

Hi, I am unable to establish a tunnel to a Sonicwall box. I am NATed and behind a router and already have the correct pre-shared key and unique identifier. Below is the log that I am getting:

ipsec auto --up sonicwall
104 "sonicwall" #1: STATE_MAIN_I1: initiate
003 "sonicwall" #1: ignoring unknown Vendor ID payload [5b362bc820f60007]
003 "sonicwall" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #1: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
003 "sonicwall" #1: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
031 "sonicwall" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "sonicwall" #1: starting keying attempt 2 of an unlimited number, but releasing whack

Below is my ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file
# Manual: ipsec.conf.5
# Please place your own config files in /etc/ipsec.d/ ending in .conf
#
# Note: Openswan only treats indented lines as parameters of the section
# above them; an unindented line starts a new section. The indentation
# below was lost in the post and has been restored.

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    #plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    # Required for the "i am NATed" result seen in the log (stock CentOS default)
    nat_traversal=yes
    # Enable this if you see "failed to find any available worker"
    #nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

conn sonicwall
    left=XX.XX.XX.XX            # My local Linux machine IP
    leftsubnet=XX.XX.XX.XX/24   # The subnet behind the local Linux machine
    leftid=@GroupVPN            # Same as given in Sonicwall
    right=XX.XX.XX.XX           # Sonicwall VPN IP
    rightsubnet=XX.XX.XX.XX/24  # Sonicwall LAN subnet
    rightid=@XXXXXXXXXXX        # Sonicwall Unique Firewall Identifier
    # Authentication is by the pre-shared key in /etc/ipsec.secrets (the post
    # says a PSK is used; this line is assumed, Openswan defaults to rsasig)
    authby=secret
    # Phase 2 (ESP) transform; must match the Sonicwall Phase 2 proposal.
    # It is not the authentication method.
    esp=3DES-SHA1
    # Load the conn at startup so that `ipsec auto --up sonicwall` can find it (assumed)
    auto=add

My ipsec.secrets contains:


I also tried with a non-NATed connection, i.e. from a live IP directly, with the same result.

Below is the output of ipsec verify:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.18-308.el5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

Can anybody tell me where it is going wrong? Any help is much appreciated.

Thanks and Regards,

Old 11-19-2012, 07:26 AM   #2
Senior Member
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 (pre-systemd)
Posts: 2,226

The output of the ipsec commands looks like your Linux box is getting valid packets, but the other end is not seeing the responses. Check your route table, firewall rules and your hardware.
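Added example, not part of either post above: a small Python triage script that parses the `ipsec auto --up` output from the first post and maps the IKEv1 main-mode state at which pluto stalled to its usual causes. The state-to-cause table is my reading of pluto's initiator state machine (I1 = SA proposal, I2 = KE/nonce, I3 = first encrypted ID+HASH message) and of RFC 3947, which moves the initiator to UDP/4500 with main-mode packet 5 (MI3); for the posted log that means a stall at I3 behind NAT can be a UDP/4500 path problem (the reply's "firewall rules" point) as well as a PSK/ID mismatch. The first sample is the log from the post; the second is a constructed I1-stall log used as a contrast case. The function names and the hint wording are mine.

```python
"""Triage pluto (Openswan) IKEv1 main-mode output from `ipsec auto --up`."""
import re

# Initiator-side states pluto walks through, in exchange order.
STATE_ORDER = ["STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4",
               "STATE_QUICK_I1", "STATE_QUICK_I2"]

# What a stall at each state usually means, seen from the initiator (my reading of pluto).
STATE_HINTS = {
    "STATE_MAIN_I1": "no answer to MI1 (SA proposal): peer unreachable, UDP/500 blocked, or no Phase 1 (ike=) proposal accepted",
    "STATE_MAIN_I2": "no answer to MI2 (KE + nonce): DH group mismatch or NAT-T detection problem",
    "STATE_MAIN_I3": "no acceptable answer to MI3, the first encrypted message (ID + HASH): pre-shared key mismatch, leftid/rightid not what the peer expects, or the peer cannot decrypt MI3",
    "STATE_MAIN_I4": "Phase 1 finished but Quick Mode never started",
    "STATE_QUICK_I1": "no answer to QI1: Phase 2 (esp=, pfs=, subnets) mismatch",
    "STATE_QUICK_I2": "IPsec SA established",
}

# Message substrings that set a flag or bump a counter (matched case-insensitively).
_FLAGS = {"nat_detected": "i am nated",
          "max_retransmissions_reached": "max number of retransmissions",
          "auth_failure_suspected": "possible authentication failure"}
_COUNTS = {"retransmissions": "retransmission;", "duplicates_discarded": "discarding duplicate packet"}

_LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
_STATE_RE = re.compile(r"STATE_(?:MAIN|QUICK)_I\d")
_VID_RE = re.compile(r"Vendor ID payload \[([^\]]*)\]")


def parse_whack_output(text):
    """Parse whack status lines (NNN "conn" #sa: msg) into dicts; anything else is skipped."""
    return [m.groupdict() for m in (_LINE_RE.match(ln.strip()) for ln in text.splitlines()) if m]


def triage(text):
    """Return how far the negotiation got and the usual reason for stalling there."""
    recs = parse_whack_output(text)
    result = {"conn": recs[0]["conn"] if recs else None, "furthest_state": None,
              "vendor_ids": [], "hint": "no pluto state lines found"}
    result.update({**{k: False for k in _FLAGS}, **{k: 0 for k in _COUNTS}})
    furthest = -1
    for rec in recs:
        msg, low = rec["msg"], rec["msg"].lower()
        for st in _STATE_RE.findall(msg):
            if st in STATE_ORDER:
                furthest = max(furthest, STATE_ORDER.index(st))
        result["vendor_ids"].extend(_VID_RE.findall(msg))
        for key, needle in _FLAGS.items():
            result[key] = result[key] or needle in low
        for key, needle in _COUNTS.items():
            result[key] += needle in low
    if furthest < 0:
        return result
    state = STATE_ORDER[furthest]
    result["furthest_state"] = state
    hint = STATE_HINTS[state]
    if state == "STATE_MAIN_I3" and result["nat_detected"]:
        # RFC 3947 moves the initiator to UDP/4500 with main-mode packet 5 (MI3), so an
        # I3 stall behind NAT can be a 4500 path problem rather than a PSK problem.
        hint += ("; with RFC 3947 NAT-T, MI3 is the first packet sent on UDP/4500, so "
                 "confirm the NAT passes UDP/4500 both ways before blaming the PSK")
    if result["duplicates_discarded"] and state != "STATE_QUICK_I2":
        hint += "; the peer keeps retransmitting its last message, so it never accepted ours"
    result["hint"] = hint
    return result


# Log from the original post (Openswan 2.6 initiator behind NAT, Sonicwall responder).
POSTED_LOG = """\
104 "sonicwall" #1: STATE_MAIN_I1: initiate
003 "sonicwall" #1: ignoring unknown Vendor ID payload [5b362bc820f60007]
003 "sonicwall" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #1: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
003 "sonicwall" #1: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
031 "sonicwall" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "sonicwall" #1: starting keying attempt 2 of an unlimited number, but releasing whack
"""

# Constructed contrast case (not from the post): nothing at all comes back to MI1.
CONSTRUCTED_I1_LOG = """\
104 "peer" #1: STATE_MAIN_I1: initiate
010 "peer" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "peer" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
031 "peer" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
"""

if __name__ == "__main__":
    for r in map(triage, (POSTED_LOG, CONSTRUCTED_I1_LOG)):
        print(f"{r['conn']}: stalled at {r['furthest_state']}, NATed={r['nat_detected']}, "
              f"retransmissions={r['retransmissions']}, duplicates={r['duplicates_discarded']}\n  -> {r['hint']}")
```

Run it as a script, or pass your own captured `ipsec auto --up` output to `triage()`. For the posted log it reports the stall at STATE_MAIN_I3 with NAT detected, two retransmissions and three discarded duplicates: the Sonicwall kept resending MR2, so it never accepted (or never received) MI3. That narrows the check to three things: the PSK and the leftid/rightid pair on both ends, and whether UDP/4500 actually traverses the NAT in both directions.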

