What sonicwall firmware version?
I have a spare sonicwall that I could use to try and mirror your configuration
and see if it works for me.
I'd have to wait until I get in to work on Monday.


-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Trepliev
Sent: Fri 9/30/2005 8:57 PM
To: misc@openbsd.org
Subject: OpenBSD VPN SonicWall Problems

I'm having some unusual difficulties getting a VPN running between
OpenBSD 3.7 and a SonicWall.

The remote gateway is not under my control and I have to make the
adjustments on my side to make this work.

For some reason it looks to be failing during Phase 1 when it is getting the
USER_FQDN from the remote gateway.

Does anyone here have working configuration snippets for this sort of
arrangement?

Thanks!

AAA.AAA.AAA.AAA is the address of the local OpenBSD 3.7 VPN Server
BBB.BBB.BBB.BBB is the address of the remote SonicWall

=========================================
isakmpd.conf
=========================================

[General]
Retransmits= 3
Exchange-max-time= 120
Check-interval= 300
Policy-file= /etc/isakmpd/isakmpd.policy

[Phase 1]
BBB.BBB.BBB.BBB= ISAKMP-peer-SonicWall

[Phase 2]
Connections= IPsec-Fission-SonicWall

[ISAKMP-peer-SonicWall]
Phase= 1
Transport= udp
Address= BBB.BBB.BBB.BBB
Configuration= SonicWall-main-mode
Authentication= mekmitasdigoat
Local-ID= ID-Fission
Remote-ID= ID-SonicWall

[IPsec-Fission-SonicWall]
Phase= 2
ISAKMP-peer= ISAKMP-peer-SonicWall
Configuration= SonicWall-quick-mode
Local-ID= Net-Corp
Remote-ID= Net-SonicWall

[ID-SonicWall]
ID-type= USER_FQDN
Name= SonicWall

[ID-Fission]
ID-type= FQDN
Name= fission.corp.local

[Net-SonicWall]
ID-type= IPV4_ADDR_SUBNET
Network= 172.16.0.0
Netmask= 255.255.0.0

[Net-Corp]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.105.0
Netmask= 255.255.255.0

[SonicWall-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= AES-SHA-GRP2

[SonicWall-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-GRP2-SUITE


=========================================
Debugging information from ISAKMPD -dvL -D0=70 -D4=99 -D5=50 -D6=60 -D7=50
-D8=40 -D9=40
=========================================

174101.074956 Default log_debug_cmd: log level changed from 0 to 70 for
class 0 [priv]
174101.075646 Default log_debug_cmd: log level changed from 0 to 99 for
class 4 [priv]
174101.075713 Default log_debug_cmd: log level changed from 0 to 50 for
class 5 [priv]
174101.075773 Default log_debug_cmd: log level changed from 0 to 60 for
class 6 [priv]
174101.075832 Default log_debug_cmd: log level changed from 0 to 50 for
class 7 [priv]
174101.075891 Default log_debug_cmd: log level changed from 0 to 40 for
class 8 [priv]
174101.075950 Default log_debug_cmd: log level changed from 0 to 40 for
class 9 [priv]
174101.077609 Sdep 30 monitor_init: pid 18819 my fd 6 [priv]
174101.079134 Sdep 30 monitor_init: pid 0 my fd 5 [priv]
174101.079510 Misc 10 monitor_init: privileges dropped for child process
174101.654766 Timr 10 timer_add_event: event connection_checker(0x3c1e8c80)
added last, expiration in 0s
174101.655255 Misc 60 connection_record_passive: passive connection
"IPsec-Fission-SonicWall" added
174101.645410 Plcy 30 policy_init: initializing
174101.658148 Misc 20 udp_make: transport 0x3c1ead00 socket 8 ip
127.0.0.1 port 500
174101.659980 Misc 20 udp_encap_make: transport 0x3c1ead40 socket 9 ip
127.0.0.1 port 4500
174101.675446 Misc 20 udp_make: transport 0x3c06a0c0 socket 16 ip
AAA.AAA.AAA.AAA port 500
174101.677576 Misc 20 udp_encap_make: transport 0x3c06a100 socket 17 ip
AAA.AAA.AAA.AAA port 4500
174101.696403 Misc 20 udp_make: transport 0x3c06a480 socket 26 ip
0.0.0.0 port 500
174101.698525 Misc 20 udp_encap_make: transport 0x3c06a4c0 socket 27 ip
0.0.0.0 port 4500
174101.743637 Default log_packet_init: starting IKE packet capture to file
"/var/run/isakmpd.pcap"
174101.744459 Timr 10 timer_handle_expirations: event
connection_checker(0x3c1e8c80)
174101.745041 Timr 10 timer_add_event: event connection_checker(0x3c1e8c80)
added last, expiration in 300s
174101.746671 Timr 10 timer_add_event: event exchange_free_aux(0x3c065d00)
added before connection_checker(0x3c1e8c80), expiration in 120s
174101.748101 Exch 10 exchange_establish_p1: 0x3c065d00
ISAKMP-peer-SonicWall SonicWall-main-mode policy initiator phase 1 doi 1
exchange 4 step 0
174101.748691 Exch 10 exchange_establish_p1: icookie 0f7fd1a961498319
rcookie 0000000000000000
174101.749186 Exch 10 exchange_establish_p1: msgid 00000000
174101.749826 SA 60 sa_create: sa 0x3c065f00 phase 1 added to exchange
0x3c065d00 (ISAKMP-peer-SonicWall)
174101.745797 Misc 70 attribute_set_constant: no PRF in the AES-SHA-GRP2
section
174101.745971 Misc 70 group_get: returning 0x3c06a6c0 of group 2
174101.746116 Exch 50 nat_t_setup_hashes: MD5("draft-ietf-ipsec-nat-t-ike-02
") (16 bytes)
174101.746174 Exch 50 nat_t_setup_hashes:
174101.746242 Exch 50 90cb8091 3ebb696e 086381b5 ec427b1f
174101.746299 Exch 50 nat_t_setup_hashes:
MD5("draft-ietf-ipsec-nat-t-ike-03") (16 bytes)
174101.746347 Exch 50 nat_t_setup_hashes:
174101.746412 Exch 50 7d9419a6 5310ca6f 2c179d92 15529d56
174101.746467 Exch 50 nat_t_setup_hashes: MD5("RFC 3947") (16 bytes)
174101.746513 Exch 50 nat_t_setup_hashes:
174101.746580 Exch 50 4a131c81 07035845 5c5728f2 0e95452f
174101.789728 Negt 40 ike_phase_1_send_ID: IPV4_ADDR:
174101.789821 Negt 40 00000000
174101.800761 Exch 40 exchange_run: exchange 0x3c065d00 finished step 0,
advancing...
174101.801342 Timr 10 timer_add_event: event message_send_expire(0x3c069580)
added before exchange_free_aux(0x3c065d00), expiration in 7s
174104.088867 Timr 10 timer_remove_event: removing event
message_send_expire(0x3c069580)
174104.089711 Exch 50 nat_t_check_vendor_payload: bad size 8 != 16
174104.090254 Exch 50 nat_t_check_vendor_payload: bad size 8 != 16
174104.090740 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer
detected
174104.091406 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
174104.091962 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1
ok
174104.094023 Negt 20 ike_phase_1_validate_prop: success
174104.094612 Negt 30 message_negotiate_sa: proposal 1 succeeded
174104.095100 Misc 20 ipsec_decode_transform: transform 1 chosen
174104.146533 Negt 40 ike_phase_1_recv_ID: FQDN:
174104.147189 Negt 40 4d696372 6f706c65 78
174110.127525 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1
ok
174110.128426 Negt 20 ike_phase_1_validate_prop: success
174110.128963 Negt 30 message_negotiate_sa: proposal 1 succeeded
174110.129448 Misc 20 ipsec_decode_transform: transform 1 chosen
174110.180487 Negt 40 ike_phase_1_recv_ID: FQDN:
174110.181143 Negt 40 4d696372 6f706c65 78
174119.127216 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1
ok
174119.128104 Negt 20 ike_phase_1_validate_prop: success
174119.128638 Negt 30 message_negotiate_sa: proposal 1 succeeded
174119.129119 Misc 20 ipsec_decode_transform: transform 1 chosen
174119.180523 Negt 40 ike_phase_1_recv_ID: FQDN:
174119.181182 Negt 40 4d696372 6f706c65 78
174139.126306 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1
ok
174139.127198 Negt 20 ike_phase_1_validate_prop: success
174139.127731 Negt 30 message_negotiate_sa: proposal 1 succeeded
174139.128214 Misc 20 ipsec_decode_transform: transform 1 chosen
174139.179205 Negt 40 ike_phase_1_recv_ID: FQDN:
174139.179854 Negt 40 4d696372 6f706c65 78
174301.765855 Timr 10 timer_handle_expirations: event
exchange_free_aux(0x3c065d00)
174301.766599 Exch 20 exchange_establish_finalize: finalizing exchange
0x3c065d00 with arg 0x3c12bc40 (IPsec-Fission-SonicWall) & fail = 1

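The debug output above is worth reading byte by byte: the hex that isakmpd dumps after "ike_phase_1_recv_ID: FQDN:" (4d696372 6f706c65 78) is the ASCII string "Microplex", sent with ID type FQDN, while the posted [ID-SonicWall] section tells isakmpd to expect a USER_FQDN named "SonicWall". isakmpd compares the identity the peer presents against the configured Remote-ID, so that mismatch is the first thing to rule out before touching transforms or NAT-T. The script below is an added example for this thread, not code from the original post or from OpenBSD; it parses an isakmpd.conf-style text and the -D4 "Negt" log lines, decodes the ID payload hex, and reports type or name mismatches. It also flags the combination the config uses, EXCHANGE_TYPE= AGGRESSIVE with a pre-shared key in Authentication=, because aggressive mode transmits the responder's authenticating hash before the exchange is encrypted, which exposes the PSK to offline guessing. The function and constant names are my own; the sample config and log fragments are constructed from the post.

```python
"""Cross-check isakmpd Phase 1 identities against isakmpd.conf.

Added example for the mailing-list thread; not part of the original post.
It reads the Remote-ID the peer section expects, decodes the hex dump that
isakmpd prints after "ike_phase_1_recv_ID: <TYPE>:" at -D4 debug level,
and reports a type or name mismatch. It also flags aggressive mode with a
pre-shared key. All names here are my own (hypothetical), not isakmpd's.
"""
import re

# Constructed sample: the relevant fragments of the posted config and log.
SAMPLE_CONF = """\
[Phase 1]
BBB.BBB.BBB.BBB= ISAKMP-peer-SonicWall

[ISAKMP-peer-SonicWall]
Phase= 1
Transport= udp
Address= BBB.BBB.BBB.BBB
Configuration= SonicWall-main-mode
Authentication= mekmitasdigoat
Local-ID= ID-Fission
Remote-ID= ID-SonicWall

[ID-SonicWall]
ID-type= USER_FQDN
Name= SonicWall

[SonicWall-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= AES-SHA-GRP2
"""

SAMPLE_LOG = """\
174101.789728 Negt 40 ike_phase_1_send_ID: IPV4_ADDR:
174101.789821 Negt 40 00000000
174104.146533 Negt 40 ike_phase_1_recv_ID: FQDN:
174104.147189 Negt 40 4d696372 6f706c65 78
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
ID_RE = re.compile(r"ike_phase_1_(send|recv)_ID: ([A-Z0-9_]+):")
# "<timestamp> <class> <level> <hex words...>" continuation line
HEX_RE = re.compile(r"^\S+ \w+ \d+ ((?:[0-9a-f]{2,8}\s*)+)$")


def parse_conf(text):
    """Parse '[Section]' / 'Key= value' text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def decode_id(id_type, hexwords):
    """Decode the ID payload body that isakmpd dumps as space-separated hex."""
    raw = bytes.fromhex("".join(hexwords))
    if id_type == "IPV4_ADDR":
        return ".".join(str(b) for b in raw[:4])
    return raw.decode("ascii", errors="replace")


def parse_log_ids(text):
    """Return [(direction, id_type, value)] for each Phase 1 ID in the log."""
    ids, pending = [], None
    for line in text.splitlines():
        m = ID_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))  # hex dump follows on next line
            continue
        m = HEX_RE.match(line)
        if m and pending:
            direction, id_type = pending
            ids.append((direction, id_type, decode_id(id_type, m.group(1).split())))
            pending = None
    return ids


def check_peer(conf_text, log_text, peer):
    """Compare the ID the peer presented with the Remote-ID the config expects."""
    conf = parse_conf(conf_text)
    id_sec = conf[conf[peer]["Remote-ID"]]
    want_type = id_sec["ID-type"]
    want_name = id_sec.get("Name") or id_sec.get("Address")
    findings = []
    for direction, got_type, got_value in parse_log_ids(log_text):
        if direction != "recv":
            continue
        if got_type != want_type:
            findings.append("ID-type mismatch: peer sent %s %r, config expects %s %r"
                            % (got_type, got_value, want_type, want_name))
        elif got_value != want_name:
            findings.append("ID name mismatch: peer sent %r, config expects %r"
                            % (got_value, want_name))
    # Aggressive mode with a PSK sends the responder's authenticating hash
    # before the exchange is encrypted, so the PSK is open to offline guessing.
    mode = conf.get(conf[peer].get("Configuration", ""), {})
    if mode.get("EXCHANGE_TYPE") == "AGGRESSIVE" and "Authentication" in conf[peer]:
        findings.append("aggressive mode with a pre-shared key: "
                        "PSK hash is exposed to offline guessing")
    return findings


if __name__ == "__main__":
    for finding in check_peer(SAMPLE_CONF, SAMPLE_LOG, "ISAKMP-peer-SonicWall"):
        print(finding)
```

Run against a real /etc/isakmpd/isakmpd.conf and the output of isakmpd -d -D4=40 to see what the far end actually claims to be; the fix is then either to change [ID-SonicWall] to match what the peer sends, or to have the remote administrator set the SonicWall's local identifier to what the config expects. Note that the sent ID in this log decodes to IPV4_ADDR 0.0.0.0 even though Local-ID points at an FQDN section, which is a second thing to compare with what the SonicWall side has been told to expect.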