From: Jarek Karpiel (karpiel_at_init.com.pl)
Date: Thu Oct 31 2002 - 07:25:27 CET
----- Original Message -----
From: "Andreas Steffen" <andreas.steffen_at_strongsec.net>
To: "Jarek Karpiel" <karpiel_at_init.com.pl>
Cc: <users_at_lists.freeswan.org>
Sent: Wednesday, October 30, 2002 8:26 PM
Subject: Re: [Users] Sonicwall and FreeSWAN
> Sonicwall, similar to Symantec box uses KEY_IDs for identification.
> In April I posted a contribution explaining the setup based on
> preshared secrets and KEY_IDs.
>
> http://lists.freeswan.org/pipermail/users/2002-April/009037.html
>
> Since standard FreeS/WAN does not support KEY_IDs you will need the
> X.509 patch.
>
> Regards
>
> Andreas
>
> Jarek Karpiel wrote:
> > Hello all,
> >
> > I'm having trouble getting connected to Sonicwall XPRS2 from my
> > FreeSWAN 1.98b / RH 7.2. I get the following log:
> > 002 "G-W" #2: initiating Main Mode
> > 104 "G-W" #2: STATE_MAIN_I1: initiate
> > 106 "G-W" #2: STATE_MAIN_I2: sent MI2, expecting MR2
> > 003 "G-W" #2: ignoring Vendor ID payload
> > 003 "G-W" #2: ignoring Vendor ID payload
> > 108 "G-W" #2: STATE_MAIN_I3: sent MI3, expecting MR3
> > 003 "G-W" #2: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
> >
> > Here is my ipsec.conf
> >
> > # basic configuration
> > config setup
> > 	# THIS SETTING MUST BE CORRECT or almost nothing will work;
> > 	# %defaultroute is okay for most simple cases.
> > 	interfaces=%defaultroute
> > 	# Debug-logging controls: "none" for (almost) none, "all" for lots.
> > 	klipsdebug=all
> > 	plutodebug=all
> > 	# Use auto= parameters in conn descriptions to control startup actions.
> > 	plutoload=%search
> > 	plutostart=%search
> > 	# Close down old connection when new one using same ID shows up.
> > 	uniqueids=yes
> >
> >
> > # defaults for subsequent connection descriptions
> > # (these defaults will soon go away)
> > conn %default
> > 	keyingtries=0
> > 	disablearrivalcheck=no
> > 	#authby=rsasig
> > 	#leftrsasigkey=%dnsondemand
> > 	#rightrsasigkey=%dnsondemand
> >
> >
> > # connection description for opportunistic encryption
> > # (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
> > conn me-to-anyone
> > 	left=%defaultroute
> > 	right=%opportunistic
> > 	keylife=1h
> > 	rekey=no
> > 	# for initiator only OE, uncomment and uncomment this
> > 	# after putting your key in your forward map
> > 	#leftid=@myhostname.example.com
> > 	# uncomment this next line to enable it
> > 	#auto=route
> >
> >
> > # sample VPN connection
> > conn G-W
> > 	# Left security gateway, subnet behind it, next hop toward right.
> > 	left=x.x.x.99
> > 	leftsubnet=172.16.150.0/24
> > 	leftnexthop=x.x.x.102
> > 	#leftfirewall=yes
> > 	# Right security gateway, subnet behind it, next hop toward left.
> > 	rightid=0040200RT0D4
> > 	right=y.y.y.253
> > 	rightsubnet=10.19.1.0/24
> > 	rightnexthop=y.y.y.250
> > 	rightfirewall=yes
> > 	# To authorize this connection, but not actually start it, at startup,
> > 	# uncomment this.
> > 	#keyexchange=ike
> > 	#compress=yes
> > 	#keyingtries=3
> > 	authby=secret
> > 	auth=esp
> > 	esp=3des-hmac-md5
> > 	#type=tunnel
> > 	#ikelifetime=8h
> > 	#keylife=8h
> > 	pfs=no
> > 	auto=add
> >
> > As far as the Sonicwall is concerned I don't have access to it, but the Admin
> > set up the connection for me. He receives the following logs on the Sonicwall:
> > 2002/10/29 04:10:28.768 - IKE Responder: No response - remote party timeout or SA mis-match - Source:x.x.x.99, 500 - Destination:y.y.y.253, 500 - -
> >
> > Help me,
> >
> > Greets,
> > Ketch
> >
> > _______________________________________________
> > Users mailing list
> > Users_at_lists.freeswan.org
> > http://lists.freeswan.org/mailman/listinfo/users
>
>
> --
> ===========================================================================
> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
> strongSec GmbH phone: +41 76 340 25 56
> Alter Zürichweg 20 home: http://www.strongsec.com
> CH-8952 Schlieren (Switzerland)
> ==================================================[strong internet security]==
>
Well, actually it was not related to the X.509 patch, 'cause I don't have it.
Eventually I got this connection working yesterday evening and I would like
to share my knowledge with other users who might have this problem in
future.
I connected Sonicwall XPRS2 and FreeS/WAN 1.98b on RH 7.2. Sonicwall has to
encrypt with 3DES and MD5. Both machines share the secret.
Here are the files on Linux:
ipsec.conf:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	#interfaces=%defaultroute
	interfaces="ipsec0=eth0"
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	klipsdebug=all
	plutodebug=all
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=rsasig
	#leftrsasigkey=%dnsondemand
	#rightrsasigkey=%dnsondemand

# connection description for opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
	left=%defaultroute
	right=%opportunistic
	keylife=1h
	rekey=no
	# for initiator only OE, uncomment and uncomment this
	# after putting your key in your forward map
	#leftid=@myhostname.example.com
	# uncomment this next line to enable it
	#auto=route

# sample VPN connection
conn G-W
	# Left security gateway, subnet behind it, next hop toward right.
	auth=esp
	authby=secret
	pfs=no
	esp=3des-hmac-md5
	left=x.x.x.99
	leftsubnet=172.16.150.0/24
	leftnexthop=x.x.x.102
	# Right security gateway, subnet behind it, next hop toward left.
	# rightid is the so-called Sonicwall Identifier, a 12 byte number,
	# for example 0040200RT0D4
	rightid=0040200RT0D4
	right=y.y.y.253
	rightsubnet=10.19.1.0/24
	rightnexthop=y.y.y.250
	auto=route
Now ipsec.secrets:
x.x.x.99 y.y.y.253 : PSK "some shared secret"
It's important to have well organized firewall rules. I used for this
example ipchains, which is the default in a fresh installation of RH 7.2. In my
example I had masquerading activated. The line in my ipchains script
responsible for it is below and it's a sort of a tricky section:
-A forward -i eth0 -s 172.16.150.0/24 -d \! 10.19.1.0/24 -j MASQ
Greetings to all FreeS/WAN users,
Jarek Karpiel
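Since the diagnosis in this thread hinges on how far Main Mode got before the Sonicwall gave up (MI3 sent, then an encrypted error instead of MR3), here is an added Python helper of my own, not code from the FreeS/WAN project or from either mail, that reads pluto log lines in the shape quoted above, records the last STATE_MAIN_* each ISAKMP SA reached, and maps that to a hypothetical hint table of my own wording. The sample log is constructed from the quoted mail, unwrapped.

```python
import re
from collections import defaultdict

# Pluto log line shape seen in the thread: <code> "<conn>" #<sa>: <message>
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r"STATE_MAIN_[IR]\d")
COMPLETE = {"STATE_MAIN_I4", "STATE_MAIN_R3"}  # Phase 1 finished (initiator / responder)
# Hypothetical hint table (my wording, not pluto output): the last Main Mode message
# we sent without a proper reply tells you which part of Phase 1 the responder rejected.
HINTS = {
    "STATE_MAIN_I1": "no MR1: peer unreachable, UDP/500 filtered, or no acceptable ISAKMP proposal",
    "STATE_MAIN_I2": "no MR2: key exchange (DH group/nonce) failed, check the IKE transforms",
    "STATE_MAIN_I3": "no MR3 after MI3 (our ID + hash): identity or pre-shared secret mismatch "
                     "on the responder; check rightid and the address index in ipsec.secrets",
}

def analyze_pluto_log(lines):
    """Per (conn, SA number): last Main Mode state reached, pluto error lines for it,
    whether Phase 1 completed, and a hint from HINTS when it did not."""
    last_state, errors = {}, defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a pluto '<code> "conn" #n:' line (e.g. a wrapped fragment)
        key = (m["conn"], int(m["sa"]))
        state = STATE_RE.search(m["msg"])
        if state:
            last_state[key] = state.group(0)
        elif "invalid" in m["msg"] or "incomplete ISAKMP SA" in m["msg"]:
            errors[key].append(m["msg"])
    report = {}
    for key, state in last_state.items():
        done = state in COMPLETE
        report[key] = {"last_state": state, "established": done,
                       "errors": errors[key], "hint": None if done else HINTS.get(state)}
    return report

# Constructed sample: the initiator-side log from the original mail, unwrapped.
SAMPLE_LOG = """\
002 "G-W" #2: initiating Main Mode
104 "G-W" #2: STATE_MAIN_I1: initiate
106 "G-W" #2: STATE_MAIN_I2: sent MI2, expecting MR2
003 "G-W" #2: ignoring Vendor ID payload
108 "G-W" #2: STATE_MAIN_I3: sent MI3, expecting MR3
003 "G-W" #2: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
""".splitlines()

if __name__ == "__main__":
    for (conn, sa), r in analyze_pluto_log(SAMPLE_LOG).items():
        print(f"{conn} #{sa}: reached {r['last_state']}; hint: {r['hint']}")
```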
This archive was generated by hypermail 2.1.5 : Fri Nov 01 2002 - 05:20:36 CET