Old 04-22-2007, 09:49 PM   #1
Marinus
LQ Newbie
 
Registered: Aug 2005
Distribution: Debian Etch
Posts: 20

Rep: Reputation: 0
VPN with KVpnc to Sonicwall TZ170


Hi,

I almost don't dare asking this but..
I've been struggling to find a solution to connect with KVpnc to a Sonicwall TZ170.
The setup is:

Linux/KVpnc - LAN - router - cablemodem - internet - DSL modem - TZ170 - LAN

Using the Sonicwall Global VPN client, we can connect fine and ping the TZ170 from XP and access files/shares/RDP.

In KVpnc, Freeswan gives an error that only Freeswan 1.X is supported (tried on SuSE 10.2 and Ubuntu 7.04)
We would prefer to use the same tunnel and not create another one just for Linux.

What is the correct KVpnc setup to build this tunnel?
The Sonicwall is 3DES SHA1 and one right hop without PFS, with user authentication and with PSK.

The Sonicwall manual and online articles give a configuration example for FreeSwan but that apparently does not work with KVpnc.
Can we use OpenVPN?
And how do we then configure the 'Connection Specifics'?

Any help is very appreciated.

Marinus.

Last edited by Marinus; 04-22-2007 at 09:52 PM.
 
Old 04-23-2007, 01:41 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
kvpnc is only a front end to a number of clients, you'd need to make sure you're using the right backend client first, maybe get that running separately then wrap with kvpnc correctly.
 
Old 04-23-2007, 04:55 PM   #3
Marinus
LQ Newbie
 
Registered: Aug 2005
Distribution: Debian Etch
Posts: 20

Original Poster
Rep: Reputation: 0
OK I'm getting there.
I found an article on how to manually configure OpenVPN for a SonicWall

See

http://wiki.openswan.org/index.php/Openswan/SonicWall

However, I keep getting error 021, connection not found
No matter what I do in the config file, there is no difference in output to
/var/log/messages so I'm thinking that there may be a prerequisite not
correct:

ipsec --verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.6/K2.6.18.8-0.1-default (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: LAB1 [MISSING]
Does the machine have at least one non-private address? [FAILED]

How do I disable accept_redirects, or is that not necessary?
The file is empty.

(I initially had debug levels in default but removed them to see if that made any difference)
ipsec.conf


Code:
version 2

conn sonicwall
  type=tunnel
  left=PC_IP
  leftsubnet=SUBNET/24
  leftnexthop=LAN_GATEWAY_IP
  right=(SW_WAN_IP)
  rightnexthop=SW_IP
  rightsubnet=SW_SUBNET/24
  rightid=(SW_WAN_IP)
  keyingtries=0
  pfs=no
  auto=add
  auth=esp
  esp=3des-sha1
  ike=3des-sha1
  keyexchange=ike
  authby=secret
  xauth=yes

ipsec.secrets

SW_IP PC_IP : PSK "MySecret"


ipsec whack --name sonicwall --initiate
ipsec auto --up sonicwall

both give 021 no connection named "sonicwall"

I look forward to any reply.

Thanks,

Marinus.

Last edited by Marinus; 04-23-2007 at 04:57 PM.
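
Added example, not part of the original post: the `ipsec verify` output above asks for `send_redirects` and `accept_redirects` to be disabled under `/proc/sys/net/ipv4/conf/*`. One way to do that from a root shell is shown here; the function names and the overridable `CONF_ROOT` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: clear the ICMP redirect flags that `ipsec verify` checks.
# CONF_ROOT is overridable (an assumption of this example) so the functions
# can be exercised on a scratch directory; on a real host it is the kernel's
# per-interface sysctl tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Write 0 to send_redirects and accept_redirects for every interface entry
# (including "all" and "default"). Returns non-zero if any write fails.
disable_redirects() {
    rc=0
    for dir in "$CONF_ROOT"/*/; do
        for knob in send_redirects accept_redirects; do
            f="${dir}${knob}"
            [ -e "$f" ] || continue
            echo 0 > "$f" 2>/dev/null || { echo "cannot write $f" >&2; rc=1; }
        done
    done
    return $rc
}

# Print every knob that is still non-zero, one path per line; silent when clean.
remaining_redirects() {
    for f in "$CONF_ROOT"/*/send_redirects "$CONF_ROOT"/*/accept_redirects; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "0" ] || echo "$f"
    done
}

# Emit sysctl.conf lines so the setting survives a reboot. "default" covers
# interfaces that are created later.
persistent_sysctl_lines() {
    for scope in all default; do
        for knob in send_redirects accept_redirects; do
            echo "net.ipv4.conf.$scope.$knob = 0"
        done
    done
}

# Usage (as root):
#   disable_redirects && remaining_redirects
#   persistent_sysctl_lines >> /etc/sysctl.conf
```

After running it, `ipsec verify` should be run again to confirm that both redirect checks no longer report `[FAILED]`.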
 
Old 04-23-2007, 08:17 PM   #4
Marinus
LQ Newbie
 
Registered: Aug 2005
Distribution: Debian Etch
Posts: 20

Original Poster
Rep: Reputation: 0
/usr/sbin/ipsec auto --add (connection name)

That was necessary to add the connection.

I will post back on the progress.

Marinus.
 
Old 04-23-2007, 10:42 PM   #5
Marinus
LQ Newbie
 
Registered: Aug 2005
Distribution: Debian Etch
Posts: 20

Original Poster
Rep: Reputation: 0
OK. I'm actually handshaking with the VPN now, but it cannot complete Phase 2;
STATE_QUICK_I1: retransmission

On the SW side the error is

IKE Responder: IPSec proposal does not match (phase 2)
That's either due to
mismatched
- destination networks
- protocol settings
- encryption settings
- authentication settings
- PFS settings

The SW side =
ESP / 3DES / SHA1 / no PFS Life Time 28800 /
[x] Enable Windows Networking NetBIOS
[ ] Apply NAT and Firewall Rules
[ ] Forward packets

Default LAN gateway 0.0.0.0

VPN Terminated at LAN

[x] Require Authentication of VPN Clients via XAUTH

Virtual Adapter settings DHCP Lease
Allow connections to Split tunnels
[ ] Set default Route as this Gateway
[ ] Require Global ....

[x] Use default Key for Simple Client Provisioning

Code:
version 2

conn GroupVPN
     left=%defaultroute
     leftsubnet=10.9.9.0/24
     leftid=MyIP
     right=SW IP
     rightsubnet=192.168.5.0/24
     rightid=SW Unique ID
     keyingtries=0
     pfs=no
     aggrmode=no
     auto=add
     auth=esp
     esp=3des-sha1
     ike=3des-sha1
     authby=secret
     xauth=yes

ipsec.secrets
Code:
GroupVPN (SW Unique ID) : PSK ".."

Last edited by Marinus; 04-23-2007 at 10:45 PM.
 
Old 06-28-2007, 12:19 PM   #6
rushrtb2112
LQ Newbie
 
Registered: Jun 2007
Posts: 1

Rep: Reputation: 0
Any luck

Marinus, I'm running into this exact problem trying to connect to a sonicwall. Any luck figuring out how to make it work?
 
Old 06-28-2007, 10:32 PM   #7
Marinus
LQ Newbie
 
Registered: Aug 2005
Distribution: Debian Etch
Posts: 20

Original Poster
Rep: Reputation: 0
Hi.

No, unfortunately I have not found a solution yet.
I also don't have any time to do serious testing and research now.
However, I would pay someone to figure this one out... SW's customer
service has no idea; they only tailor towards Windows....

Marinus.
 
Old 07-02-2008, 12:43 PM   #8
rodgers
LQ Newbie
 
Registered: Jul 2008
Posts: 1

Rep: Reputation: 0
Anyone manage to get OpenSWAN VPN working against SonicWall TZ 170 WITH XAUTH?

Did anyone manage to pull this off? We can get OpenSWAN to communicate
with the SonicWall with XAUTH disabled, but really want to run with it on.
Anyone have a successful configuration they can share? Send me email if so. Thanks in advance for any helpful guidance!
 
Old 03-20-2009, 01:58 PM   #9
edthefox
LQ Newbie
 
Registered: Aug 2006
Location: Oklahoma
Distribution: Debian
Posts: 5

Rep: Reputation: 0
Bump

anyone?? anyone??
 
Old 06-11-2010, 11:48 AM   #10
batje
LQ Newbie
 
Registered: Jun 2010
Posts: 2

Rep: Reputation: 0
fixed

search for: SonicOS Enhanced to Openswan Using Aggressive Mode IKE with PreShared Key

Especially the leftid and rightid did it for us.
 
Old 06-11-2010, 11:48 AM   #11
batje
LQ Newbie
 
Registered: Jun 2010
Posts: 2

Rep: Reputation: 0
http://www.sonicwall.com/downloads/E...Shared_key.pdf
 
  

