SonicWall
Last modified: February 14, 2007, at 01:01 PM

As of version 2.3.0, Openswan can connect to a SonicWALL VPN appliance as a roadwarrior (an XAUTH client against the SonicWALL GroupVPN).

This example uses IKE with a pre-shared key (PSK) as its keying mode. On the VPN Summary page of the SonicWALL administration site, note the value of "Unique Firewall Identifier"; it becomes the rightid in ipsec.conf and the peer ID in ipsec.secrets below. Make sure the SonicWALL GroupVPN has the following setup:

  Phase 1 DH Group: Group 5
  Phase 1 Encryption/Authentication: 3DES & MD5
  Phase 2 Encryption/Authentication: Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)

under Advanced Settings:

  Enable XAUTH
  Enable Perfect Forward Secrecy
  Phase 2 DH Group: Group 5

The algorithm choices above (3DES, MD5) are what this example was tested with; both are considered weak today. If your SonicOS version and Openswan build both offer AES and SHA, prefer those, and keep the Openswan ike= and esp= lines in step with whatever the GroupVPN is set to, otherwise IKE fails with a "no proposal chosen" error.

ipsec.conf

  conn sonicwall
     # local side: this host, whatever interface carries the default route
     left=%defaultroute
     leftsubnet=your.subnet/mask
     # ID we present in aggressive mode; must match the first ID in ipsec.secrets
     leftid=@home
     # we are the XAUTH client, the SonicWALL is the XAUTH server
     leftxauthclient=yes
     right=sonicwall.ip.address
     rightsubnet=vpn.subnet/mask
     rightxauthserver=yes
     # the SonicWALL "Unique Firewall Identifier", prefixed with @
     rightid=@sonicwall.unique.firewall.identifier
     # 0 = retry forever
     keyingtries=0
     # matches "Enable Perfect Forward Secrecy" on the GroupVPN
     pfs=yes
     # GroupVPN with PSK uses IKE aggressive mode
     aggrmode=yes
     # add only; bring it up by hand so the XAUTH prompts are visible
     auto=add
     auth=esp
     # must match the Phase 2 / Phase 1 settings on the SonicWALL
     esp=3des-md5-96
     ike=3des-md5-96
     authby=secret
     xauth=yes

ipsec.secrets

  @home @sonicwall.unique.firewall.identifier : PSK "your.shared.secret.goes.here"

The first ID must be exactly the leftid from ipsec.conf and the second the rightid. Keep ipsec.secrets readable by root only (mode 0600); it holds the shared secret in clear text.

That should do it. See http://www.openswan.org/docs/local/README.XAUTHclient for details on the XAUTH client.

SonicWall has some information at: http://www.sonicwall.com/support/SonicOS_FW_documentation.html

See also:

 http://www.sonicwall.com/downloads/SonicOS_Enhanced_to_Openswan_Using_GroupVPN_with_XAUTH.pdf
 http://www.sonicwall.com/downloads/SonicOS_Enhanced_to_Openswan_Using_Main_Mode_IKE_with_PreShared_key.pdf
 http://www.sonicwall.com/downloads/SonicOS_Enhanced_to_Openswan_Using_Aggressive_Mode_IKE_with_PreShared_key.pdf

The document at http://www.sonicwall.com/downloads/SonicOS_Enhanced_to_Openswan_Using_GroupVPN_with_XAUTH.pdf is unfortunately wrong on one point. It says to use "ipsec auto --up group". That will not work for an interactive XAUTH login unless the username and password are already provided in the conn (a feature added in Openswan 2.4).

Instead, use:

ipsec whack --name sonicwall --initiate

This is a lower-level command, but it does not pipe Pluto's output through awk, which means you will actually see the XAUTH username and password prompts and can answer them.


Some SonicWALL configurations do not expect a named ID from the left side of the connection, and the SonicWALL then answers the aggressive-mode exchange with an INVALID_ID notification. To solve this, remove the "leftid=@home" line from ipsec.conf, so Openswan identifies itself by its IP address, and change the ipsec.secrets entry to:

  xxx.xxx.xxx.xxx @sonicwall.unique.firewall.identifier : PSK "your.shared.secret.goes.here"

(Replace xxx.xxx.xxx.xxx with the IP address of your Openswan host, i.e. the address Openswan picks for left=%defaultroute.)
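The following shell helpers are an added example, not code from the Openswan wiki or from SonicWall's documents. They build the ipsec.secrets line in both forms used on this page (named leftid, or local IP after the INVALID_ID workaround), write the file with root-only permissions, and turn Pluto log lines into a hint for the two IKE failures a practitioner most often hits here: the INVALID_ID rejection described above and a NO_PROPOSAL_CHOSEN algorithm mismatch. The matching keys on the ISAKMP notification names; the firewall identifier, PSK and log lines in the demo are constructed values.

```shell
#!/bin/sh
# Added example (not from the Openswan wiki or SonicWall's documents).
# Helpers for the ipsec.secrets entry, a permission-safe writer, and a
# hint generator that matches ISAKMP notification names in Pluto's log.

# psk_entry LEFT_ID RIGHT_ID PSK
#   LEFT_ID  : "@home"-style ID matching leftid=, or the local IP address
#              when leftid= has been removed (the INVALID_ID workaround)
#   RIGHT_ID : "@" followed by the SonicWALL Unique Firewall Identifier
#   PSK      : the GroupVPN shared secret
# Prints one ipsec.secrets line. Fails on an unprefixed right ID, an empty
# PSK, or a PSK containing a double quote (it would break the quoting).
psk_entry() {
    left_id=$1 right_id=$2 psk=$3
    case $right_id in
        @?*) ;;
        *) echo 'psk_entry: right ID must be "@<Unique Firewall Identifier>"' >&2; return 1 ;;
    esac
    if [ -z "$psk" ]; then
        echo 'psk_entry: empty PSK' >&2; return 1
    fi
    case $psk in
        *\"*) echo 'psk_entry: PSK must not contain a double quote' >&2; return 1 ;;
    esac
    printf '%s %s : PSK "%s"\n' "$left_id" "$right_id" "$psk"
}

# write_secrets FILE LEFT_ID RIGHT_ID PSK
# Writes the entry with mode 0600: Pluto reads ipsec.secrets as root and the
# shared secret must not be world-readable. Assumes FILE does not exist yet
# (umask does not tighten the mode of an existing file).
write_secrets() {
    file=$1; shift
    ( umask 077; psk_entry "$@" > "$file" )
}

# diagnose_pluto_log < LOG
# Reads Pluto log lines from stdin, prints one hint per condition seen.
diagnose_pluto_log() {
    seen_id=0 seen_prop=0 seen_ok=0
    while IFS= read -r line; do
        case $line in
            *INVALID_ID*)             seen_id=1 ;;
            *NO_PROPOSAL_CHOSEN*)     seen_prop=1 ;;
            *"IPsec SA established"*) seen_ok=1 ;;
        esac
    done
    if [ "$seen_id" -eq 1 ]; then
        echo 'INVALID_ID: SonicWALL rejected our ID; remove leftid=@home and key ipsec.secrets by local IP instead'
    fi
    if [ "$seen_prop" -eq 1 ]; then
        echo 'NO_PROPOSAL_CHOSEN: phase 1/2 algorithms or DH group differ from the GroupVPN settings'
    fi
    if [ "$seen_ok" -eq 1 ]; then
        echo 'OK: IPsec SA established'
    fi
    return 0
}

# Demo with constructed values: a made-up firewall identifier and PSK, and a
# made-up log line in the shape of a Pluto informational-payload message.
psk_entry '@home' '@0006B1ABCDEF' 'example-psk'
psk_entry '192.0.2.10' '@0006B1ABCDEF' 'example-psk'
printf '%s\n' \
  'pluto[1234]: "sonicwall" #1: ignoring informational payload, type INVALID_ID_INFORMATION' \
  | diagnose_pluto_log
```

On a real host you would run `ipsec whack --name sonicwall --initiate` and feed its output (or the Pluto lines from syslog) into diagnose_pluto_log; the demo only uses the constructed line so it runs anywhere.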
