Need urgent help to connect from Openswan in CentOS to a Sonicwall router
Hi, I am unable to establish a tunnel to a Sonicwall box. I am NATed and behind a router and already have the correct pre-shared key and unique identifier. Below is the log that I am getting:

    ipsec auto --up sonicwall
    104 "sonicwall" #1: STATE_MAIN_I1: initiate
    003 "sonicwall" #1: ignoring unknown Vendor ID payload [5b362bc820f60007]
    003 "sonicwall" #1: received Vendor ID payload [RFC 3947] method set to=109
    106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    003 "sonicwall" #1: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
    003 "sonicwall" #1: received Vendor ID payload [XAUTH]
    003 "sonicwall" #1: received Vendor ID payload [Dead Peer Detection]
    003 "sonicwall" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
    108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
    010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
    003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
    010 "sonicwall" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
    003 "sonicwall" #1: discarding duplicate packet; already STATE_MAIN_I3
    031 "sonicwall" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    000 "sonicwall" #1: starting keying attempt 2 of an unlimited number, but releasing whack

Below is my ipsec.conf:

    # /etc/ipsec.conf - Openswan IPsec configuration file
    #
    # Manual: ipsec.conf.5
    #
    # Please place your own config files in /etc/ipsec.d/ ending in .conf
    version 2.0 # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
            # Debug-logging controls: "none" for (almost) none, "all" for lots.
            #klipsdebug=none
            #plutodebug="control parsing"
            # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
            protostack=netkey
            nat_traversal=yes
            #virtual_private=
            oe=off
            # Enable this if you see "failed to find any available worker"
            nhelpers=1
            interfaces="%defaultroute"

    #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
    #include /etc/ipsec.d/*.conf

    conn sonicwall
            type=tunnel
            left=XX.XX.XX.XX            # My local linux machine IP
            leftsubnet=XX.XX.XX.XX/24   # The subnet of your local Linux machine
            leftid=@GroupVPN            # Same as given in Sonicwall
            leftxauthclient=yes
            right=XX.XX.XX.XX           # Sonicwall VPN IP
            rightsubnet=XX.XX.XX.XX/24  # Sonicwall LAN subnet
            rightid=@XXXXXXXXXXX        # Sonicwall Unique Identifier
            rightxauthserver=yes
            keyingtries=0
            pfs=no
            auto=add
            auth=esp
            esp=3DES-SHA1
            # protocol used for authentication in sonicwall
            ike=3DES-SHA1-modp1024
            authby=secret
            aggrmode=no

My ipsec.secret contains:

    @GroupVPN @XXXXXXXXXX : PSK "XXXXXXX"

I also tried with a non-NATed connection, i.e. from a live IP directly, with the same result. Below is the output of ipsec verify:

    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path                             [OK]
    Linux Openswan U2.6.32/K2.6.18-308.el5 (netkey)
    Checking for IPsec support in kernel                        [OK]
     SAref kernel support                                       [N/A]
     NETKEY: Testing for disabled ICMP send_redirects           [OK]
    NETKEY detected, testing for disabled ICMP accept_redirects [OK]
    Checking that pluto is running                              [OK]
     Pluto listening for IKE on udp 500                         [OK]
     Pluto listening for NAT-T on udp 4500                      [OK]
    Two or more interfaces found, checking IP forwarding        [OK]
    Checking NAT and MASQUERADEing                              [OK]
    Checking for 'ip' command                                   [OK]
    Checking /bin/sh is not /bin/dash                           [OK]
    Checking for 'iptables' command                             [OK]
    Opportunistic Encryption Support                            [DISABLED]

Can anybody tell me where it is going wrong? Any help is much appreciated.

Thanks and Regards,
Sudip
The output of the ipsec commands looks like your Linux box is getting valid packets, but the other end is not seeing the responses. Check your route table, firewall rules and your hardware.