LinuxQuestions.org
Old 11-17-2012, 04:12 AM   #1
sudipdutta1978
LQ Newbie
 
Registered: Jun 2011
Posts: 4

Need urgent help to connect from Openswan in CentOS to a Sonicwall router


Hi, I am unable to establish a tunnel to a Sonicwall box. I am NATed and behind a router and already have the correct pre-shared key and unique identifier. Below is the log that I am getting:

ipsec auto --up sonicwall
104 "sonicwall" #1: STATE_MAIN_I1: initiate
003 "sonicwall" #1: ignoring unknown Vendor ID payload [5b362bc820f60007]
003 "sonicwall" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #1: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
003 "sonicwall" #1: received Vendor ID payload [XAUTH]
003 "sonicwall" #1: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
031 "sonicwall" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "sonicwall" #1: starting keying attempt 2 of an unlimited number, but releasing whack

Below is my ipsec.conf -

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	#klipsdebug=none
	#plutodebug="control parsing"
	# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
	protostack=netkey
	nat_traversal=yes
	#virtual_private=
	oe=off
	# Enable this if you see "failed to find any available worker"
	nhelpers=1
	interfaces="%defaultroute"

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

conn sonicwall
	type=tunnel
	left=XX.XX.XX.XX # My local linux machine IP
	leftsubnet=XX.XX.XX.XX/24 # The subnet of your local Linux machine
	leftid=@GroupVPN # Same as given in Sonicwall
	leftxauthclient=yes
	right=XX.XX.XX.XX # Sonicwall VPN IP
	rightsubnet=XX.XX.XX.XX/24 # Sonicwall LAN subnet
	rightid=@XXXXXXXXXXX # Sonicwall Unique Identifier
	rightxauthserver=yes
	keyingtries=0
	pfs=no
	auto=add
	auth=esp
	esp=3DES-SHA1 # protocol used for authentication in sonicwall
	ike=3DES-SHA1-modp1024
	authby=secret
	aggrmode=no

My ipsec.secrets contains:

@GroupVPN @XXXXXXXXXX : PSK "XXXXXXX"


I also tried with a non-NATed connection, i.e. from a live IP directly, with the same result.

Below is the output of ipsec verify:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.18-308.el5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]


Can anybody tell me where it is going wrong? Any help is much appreciated.

Thanks and Regards,

Sudip
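As an added example (not part of Sudip's post and not Openswan code), a small Python analyser for the `ipsec auto --up` status lines above: it records the last IKEv1 main-mode state each connection reached, counts retransmissions, notes whether NAT was detected, and maps a stall at a given state to its usual cause. The hint table is general IKEv1 troubleshooting knowledge, not text Openswan prints; the sample log is constructed from the lines in the post.

```python
import re

# Constructed sample: the status lines from the post's "ipsec auto --up sonicwall" run.
SAMPLE_LOG = """\
104 "sonicwall" #1: STATE_MAIN_I1: initiate
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sonicwall" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "sonicwall" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# Usual cause when the peer goes silent at a given IKEv1 main-mode initiator state.
# General troubleshooting knowledge (assumed here), not text that Openswan prints.
STALL_HINTS = {
    "STATE_MAIN_I1": "no answer to MI1: peer down, wrong right=, or UDP/500 filtered",
    "STATE_MAIN_I2": "no answer to MI2: ike= proposal rejected, or UDP/4500 filtered after NAT-T switch",
    "STATE_MAIN_I3": "no answer to MI3 (first encrypted message): PSK or leftid/rightid mismatch; "
                     "when NATed, also confirm MI3 actually leaves the box on UDP/4500",
}

LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r"STATE_[A-Z0-9_]+")

def analyse(log):
    """Summarise each conn: last state, retransmission count, NAT detection, failure hint."""
    summary = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                      # the command line itself, shell noise, etc.
            continue
        info = summary.setdefault(m.group("conn"), {"last_state": None, "retransmissions": 0,
                                                    "nated": False, "failed": False})
        msg = m.group("msg")
        state = STATE_RE.search(msg)
        if state:
            info["last_state"] = state.group(0)
        if msg.startswith("STATE_") and "retransmission;" in msg:   # "010 ... retransmission; will wait"
            info["retransmissions"] += 1
        if "i am NATed" in msg:
            info["nated"] = True
        if "max number of retransmissions" in msg:                  # "031 ..." gives up on this SA
            info["failed"] = True
    for info in summary.values():
        info["hint"] = (STALL_HINTS.get(info["last_state"], "stalled in an unlisted state")
                        if info["failed"] else "negotiation still progressing")
    return summary
```

Running `analyse(SAMPLE_LOG)` on the post's output reports the "sonicwall" connection failed at STATE_MAIN_I3 after two retransmissions with NAT detected, which is the PSK/identity or UDP/4500 case rather than a basic reachability problem.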
 
Old 11-19-2012, 07:26 AM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 1,544
The output of the ipsec commands looks like your linux box is getting valid packets, but the other end is not seeing the responses. Check your route table, firewall rules and your hardware.