VPN with KVpnc to Sonicwall TZ170
Hi,
I almost don't dare asking this but.. I've been struggling to find a solution to connect with KVpnc to a Sonicwall TZ170.

The setup is:
Linux/KVpnc - LAN - router - cablemodem - internet - DSL modem - TZ170 - LAN

Using the Sonicwall Global VPN client, we can connect fine and ping the TZ170 from XP and access files/shares/RDP.

In KVpnc, Freeswan gives an error that only Freeswan 1.X is supported (tried on SuSE 10.2 and Ubuntu 7.04).

We would prefer to use the same tunnel and not create another one just for Linux. What is the correct KVpnc setup to build this tunnel? The Sonicwall is 3DES SHA1 and one right hop without PFS, with user authentication and with PSK.

The Sonicwall manual and online articles give a configuration example for FreeSwan but that apparently does not work with KVpnc.

Can we use OpenVPN? And how do we then configure the 'Connection Specifics'?

Any help is very appreciated.
Marinus.
kvpnc is only a front end to a number of clients, you'd need to make sure you're using the right backend client first, maybe get that running separately then wrap with kvpnc correctly.
OK I'm getting there.
I found an article on how to manually configure OpenVPN for a SonicWall.
See http://wiki.openswan.org/index.php/Openswan/SonicWall

However, I keep getting error 021, connection not found.
No matter what I do in the config file, there is no difference in output to /var/log/messages, so I'm thinking that there may be a prerequisite not correct:

ipsec --verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.6/K2.6.18.8-0.1-default (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
  Looking for TXT in forward dns zone: LAB1 [MISSING]
  Does the machine have at least one non-private address? [FAILED]

How do I disable accept_redirects, or is that not necessary? The file is empty. (I initially had debug levels in default but removed them to see if that made any difference.)

ipsec.conf
Code:
version 2

SW_IP PC_IP : PSK "MySecret"

ipsec whack --name sonicwall --initiate
ipsec auto --up sonicwall
both give 021 no connection named "sonicwall"

I look forward to any reply.
Thanks,
Marinus.
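Added example, not part of the thread and not Openswan's own code: a POSIX shell check for the two redirect settings that the `ipsec --verify` output above reports as [FAILED]. The function names and the `PROC_ROOT` variable are assumptions made for this example, so the check can also be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Audit the ICMP redirect settings that `ipsec --verify` flags under NETKEY.
# PROC_ROOT is an assumption of this example: it lets the audit run against
# a constructed directory tree and defaults to the live /proc.

# Print one "net.ipv4.conf.<iface>.<key> = 0" line (sysctl.conf syntax) for
# every interface whose send_redirects or accept_redirects is not already 0.
redirect_fixes() {
    root="${1:-/proc}"
    for key in send_redirects accept_redirects; do
        for f in "$root"/sys/net/ipv4/conf/*/"$key"; do
            # An unmatched glob stays literal and is skipped here.
            [ -r "$f" ] || continue
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                iface=$(basename "$(dirname "$f")")
                echo "net.ipv4.conf.$iface.$key = 0"
            fi
        done
    done
    return 0
}

# Succeed only when no interface still sends or accepts ICMP redirects.
redirects_ok() {
    [ -z "$(redirect_fixes "$1")" ]
}

# Stand-alone run: list the settings that still need to be set to 0.
redirect_fixes "${PROC_ROOT:-/proc}"
```

The printed lines can be appended to /etc/sysctl.conf and loaded with `sysctl -p` as root. Both the `all` entry and the per-interface entries are listed because `ipsec --verify` asks for `/proc/sys/net/ipv4/conf/*/` to be disabled.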
/usr/sbin/ipsec auto --add (connection name)
That was necessary to add the connection. I will post back on the progress.
Marinus.
OK. I'm actually handshaking with the VPN now, but it cannot complete Phase 2;
STATE_QUICK_I1: retransmission

On the SW side the error is
IKE Responder: IPSec proposal does not match (phase 2)

That's either due to mismatched
- destination networks
- protocol settings
- encryption settings
- authentication settings
- PFS settings

The SW side = ESP / 3DES / SHA1 / no PFS
Life Time 28800
[x] Enable Windows Networking NetBIOS
[ ] Apply NAT and Firewall Rules
[ ] Forward packets
Default LAN gateway 0.0.0.0
VPN Terminated at LAN
[x] Require Authentication of VPN Clients via XAUTH
Virtual Adapter settings DHCP Lease
Allow connections to Split tunnels
[ ] Set default Route as this Gateway
[ ] Require Global ....
[x] Use default Key for Simple Client Provisioning

Code:
version 2

Code:
GroupVPN (SW Unique ID) : PSK ".."
Any luck
Marinus, I'm running into this exact problem trying to connect to a sonicwall. Any luck figuring out how to make it work?
Hi.
No, unfortunately I have not found a solution yet. I also don't have any time to do serious testing and research now. However, I would pay someone to figure this one out... SW's customer service has no idea; they only tailor towards Windows....
Marinus.
Anyone manage to get OpenSWAN VPN working against SonicWall TZ 170 WITH XAUTH?
Did anyone manage to pull this off? We can get OpenSWAN to communicate with the SonicWall with XAUTH disabled, but really want to run with it on. Anyone have a successful configuration they can share? Send me email if so. Thanks in advance for any helpful guidance!
Bump
anyone?? anyone??
fixed
Search for: SonicOS Enhanced to Openswan Using Aggressive Mode IKE with PreShared Key
Especially the leftid and rightid did it for us.