From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Wed Oct 30 2002 - 20:26:24 CET
Sonicwall, similar to the Symantec box, uses KEY_IDs for identification.
In April I posted a contribution explaining the setup based on
preshared secrets and KEY_IDs:
http://lists.freeswan.org/pipermail/users/2002-April/009037.html
Since standard FreeS/WAN does not support KEY_IDs you will need the
X.509 patch.
Regards
Andreas
Jarek Karpiel wrote:
> Hello all,
>
> I'm having trouble getting connected to a Sonicwall XPRS2 from my
> FreeSWAN 1.98b / RH 7.2. I get the following log:
> 002 "G-W" #2: initiating Main Mode
> 104 "G-W" #2: STATE_MAIN_I1: initiate
> 106 "G-W" #2: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "G-W" #2: ignoring Vendor ID payload
> 003 "G-W" #2: ignoring Vendor ID payload
> 108 "G-W" #2: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "G-W" #2: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
>
> Here is my ipsec.conf
>
> # basic configuration
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>         klipsdebug=all
>         plutodebug=all
>         # Use auto= parameters in conn descriptions to control startup actions.
>         plutoload=%search
>         plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>
>
> # defaults for subsequent connection descriptions
> # (these defaults will soon go away)
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         #authby=rsasig
>         #leftrsasigkey=%dnsondemand
>         #rightrsasigkey=%dnsondemand
>
>
> # connection description for opportunistic encryption
> # (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
> conn me-to-anyone
>         left=%defaultroute
>         right=%opportunistic
>         keylife=1h
>         rekey=no
>         # for initiator only OE, uncomment and uncomment this
>         # after putting your key in your forward map
>         #leftid=@myhostname.example.com
>         # uncomment this next line to enable it
>         #auto=route
>
>
> # sample VPN connection
> conn G-W
>         # Left security gateway, subnet behind it, next hop toward right.
>         left=x.x.x.99
>         leftsubnet=172.16.150.0/24
>         leftnexthop=x.x.x.102
>         #leftfirewall=yes
>         # Right security gateway, subnet behind it, next hop toward left.
>         rightid=0040200RT0D4
>         right=y.y.y.253
>         rightsubnet=10.19.1.0/24
>         rightnexthop=y.y.y.250
>         rightfirewall=yes
>         # To authorize this connection, but not actually start it, at startup,
>         # uncomment this.
>         #keyexchange=ike
>         #compress=yes
>         #keyingtries=3
>         authby=secret
>         auth=esp
>         esp=3des-hmac-md5
>         #type=tunnel
>         #ikelifetime=8h
>         #keylife=8h
>         pfs=no
>         auto=add
>
> As far as the Sonicwall is concerned, I don't have access to it, but the admin
> set up the connection for me. He receives the following log on the Sonicwall:
> 2002/10/29 04:10:28.768 - IKE Responder: No response - remote party timeout or SA mis-match - Source:x.x.x.99, 500 - Destination:y.y.y.253, 500 - -
>
> Help me,
>
> Greets,
> Ketch
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
-- 
======================================================================
Andreas Steffen                  e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                   phone:  +41 76 340 25 56
Alter Zürichweg 20               home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
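The point Andreas makes is about the identity type carried in the ISAKMP Identification payload: the Sonicwall presents a KEY_ID, and a peer that expects an FQDN or an IP address will not match it even if the bytes are the same. As an added example for this thread (not code from the posters, from FreeS/WAN or from the X.509 patch), the following Python encodes and decodes that payload according to RFC 2407 and shows that the identifier from the thread never matches when one side types it as ID_FQDN and the other as ID_KEY_ID. The mapping from ipsec.conf id strings to ID types follows the stock FreeS/WAN conventions for a plain address, @fqdn and user@fqdn; the @#hex spelling for a KEY_ID is an assumption taken from the X.509 patch's successors, not from this thread, and the sample identifier bytes are constructed.

```python
"""Encode and decode the ISAKMP Identification payload (RFC 2407, 4.6.2)
to show how a KEY_ID identity differs on the wire from an FQDN or IPv4 one.
Added example for this mailing-list thread; sample values are constructed."""
import ipaddress
import struct
from typing import Tuple

# Identification types from RFC 2407, section 4.6.2.1
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

ID_NAMES = {
    ID_IPV4_ADDR: "ID_IPV4_ADDR",
    ID_FQDN: "ID_FQDN",
    ID_USER_FQDN: "ID_USER_FQDN",
    ID_DER_ASN1_DN: "ID_DER_ASN1_DN",
    ID_KEY_ID: "ID_KEY_ID",
}

ISAKMP_NEXT_NONE = 0


def id_from_conf(value: str) -> Tuple[int, bytes]:
    """Map an ipsec.conf leftid/rightid string to an (id type, data) pair.
    Plain address, @fqdn and user@fqdn are the stock FreeS/WAN conventions.
    The @#hex form for a KEY_ID is an assumption (X.509 patch successors),
    not something stated in the thread."""
    if value.startswith("@#"):
        return ID_KEY_ID, bytes.fromhex(value[2:])
    if value.startswith("@"):
        return ID_FQDN, value[1:].encode("ascii")
    if "@" in value:
        return ID_USER_FQDN, value.encode("ascii")
    # Anything else has to be an IPv4 address; a bare token such as
    # 0040200RT0D4 is none of the above and raises ValueError here.
    return ID_IPV4_ADDR, ipaddress.IPv4Address(value).packed


def build_id_payload(id_type: int, data: bytes,
                     next_payload: int = ISAKMP_NEXT_NONE) -> bytes:
    """Generic payload header (next payload, reserved, length) followed by
    ID type, protocol ID, port and the identification data."""
    body = struct.pack("!BBH", id_type, 0, 0) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(buf: bytes) -> dict:
    """Decode one Identification payload; reject malformed headers."""
    if len(buf) < 8:
        raise ValueError("ID payload too short")
    next_payload, reserved, length = struct.unpack("!BBH", buf[:4])
    if reserved != 0 or length < 8 or length > len(buf):
        raise ValueError("bad ID payload header")
    id_type, proto, port = struct.unpack("!BBH", buf[4:8])
    return {
        "next_payload": next_payload,
        "type": id_type,
        "type_name": ID_NAMES.get(id_type, "unknown(%d)" % id_type),
        "protocol": proto,
        "port": port,
        "data": buf[8:length],
    }


def ids_match(a: dict, b: dict) -> bool:
    """A responder accepts an identity only when type and data both agree;
    the same bytes sent as ID_FQDN do not match an ID_KEY_ID."""
    return a["type"] == b["type"] and a["data"] == b["data"]


def demo() -> dict:
    """Constructed sample: the identifier seen in the thread carried as a
    KEY_ID versus the same bytes carried as an FQDN."""
    ident = b"0040200RT0D4"  # treated here as raw KEY_ID bytes (assumption)
    as_key_id = parse_id_payload(build_id_payload(ID_KEY_ID, ident))
    as_fqdn = parse_id_payload(build_id_payload(ID_FQDN, ident))
    try:
        id_from_conf(ident.decode("ascii"))
        bare_ok = True
    except ValueError:
        bare_ok = False
    return {
        "key_id_type": as_key_id["type_name"],
        "fqdn_type": as_fqdn["type_name"],
        "same_bytes_match": ids_match(as_key_id, as_fqdn),
        "bare_string_parses_as_id": bare_ok,
        "payload_len": len(build_id_payload(ID_KEY_ID, ident)),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=", val)
```

Running the block shows that the bare `rightid=0040200RT0D4` from the posted configuration is neither an address nor a recognised name form, and that a 12-byte KEY_ID and a 12-byte FQDN with identical content are distinct identities on the wire, which is why the peer has to be told to send and expect a KEY_ID rather than just the right characters.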
This archive was generated by hypermail 2.1.5 : Fri Nov 01 2002 - 05:20:36 CET