I've been told that the remote side is a Sonicwall TZ170, firmware SonicOS
Enhanced 3.1.0.7-4e.
I'm going to keep monkeying with the configuration to see if I can get it
to work.
Thanks!

On 9/30/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
>
> What sonicwall firmware version?
> I have a spare sonicwall that I could use to try and mirror your
> configuration and see if it works for me.
> I'd have to wait until I get in to work on Monday.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] on behalf of Trepliev
> Sent: Fri 9/30/2005 8:57 PM
> To: misc@openbsd.org
> Subject: OpenBSD VPN SonicWall Problems
>
> I'm having some unusual difficulties getting a VPN running between
> OpenBSD 3.7 and a SonicWall.
>
> The remote gateway is not under my control and I have to make the
> adjustments on my side to make this work.
>
> For some reason it looks to be failing during Phase 1 when it is getting
> the USER_FQDN from the remote gateway.
>
> Does anyone here have working configuration snippets for this sort of
> arrangement?
>
> Thanks!
>
> AAA.AAA.AAA.AAA is the address of the local OpenBSD 3.7 VPN Server
> BBB.BBB.BBB.BBB is the address of the remote SonicWall
>
> =========================================
> isakmpd.conf
> =========================================
>
> [General]
> Retransmits= 3
> Exchange-max-time= 120
> Check-interval= 300
> Policy-file= /etc/isakmpd/isakmpd.policy
>
> [Phase 1]
> BBB.BBB.BBB.BBB= ISAKMP-peer-SonicWall
>
> [Phase 2]
> Connections= IPsec-Fission-SonicWall
>
> [ISAKMP-peer-SonicWall]
> Phase= 1
> Transport= udp
> Address= BBB.BBB.BBB.BBB
> Configuration= SonicWall-main-mode
> Authentication= mekmitasdigoat
> # isakmpd.conf(5): in a Phase 1 peer section the local identity tag is "ID";
> # "Local-ID" belongs to Phase 2 connection sections and is ignored here, which
> # is why the debug output below shows IPV4_ADDR 0.0.0.0 being sent instead of
> # the configured FQDN
> ID= ID-Fission
> Remote-ID= ID-SonicWall
>
> [IPsec-Fission-SonicWall]
> Phase= 2
> ISAKMP-peer= ISAKMP-peer-SonicWall
> Configuration= SonicWall-quick-mode
> Local-ID= Net-Corp
> Remote-ID= Net-SonicWall
>
> [ID-SonicWall]
> # the debug output below shows the peer presenting an ID of type FQDN whose
> # bytes (4d696372 6f706c65 78) decode to "Microplex", not a USER_FQDN named
> # "SonicWall"; ID-type and Name must match what the peer actually sends
> ID-type= FQDN
> Name= Microplex
>
> [ID-Fission]
> ID-type= FQDN
> Name= fission.corp.local
>
> [Net-SonicWall]
> ID-type= IPV4_ADDR_SUBNET
> Network= 172.16.0.0
> Netmask= 255.255.0.0
>
> [Net-Corp]
> ID-type= IPV4_ADDR_SUBNET
> Network= 10.1.105.0
> Netmask= 255.255.255.0
>
> [SonicWall-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= AGGRESSIVE
> Transforms= AES-SHA-GRP2
>
> [SonicWall-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-AES-SHA-GRP2-SUITE
>
>
> =========================================
> Debugging information from ISAKMPD -dvL -D0=70 -D4=99 -D5=50 -D6=60 -D7=50
> -D8=40 -D9=40
> =========================================
>
> 174101.074956 Default log_debug_cmd: log level changed from 0 to 70 for
> class 0 [priv]
> 174101.075646 Default log_debug_cmd: log level changed from 0 to 99 for
> class 4 [priv]
> 174101.075713 Default log_debug_cmd: log level changed from 0 to 50 for
> class 5 [priv]
> 174101.075773 Default log_debug_cmd: log level changed from 0 to 60 for
> class 6 [priv]
> 174101.075832 Default log_debug_cmd: log level changed from 0 to 50 for
> class 7 [priv]
> 174101.075891 Default log_debug_cmd: log level changed from 0 to 40 for
> class 8 [priv]
> 174101.075950 Default log_debug_cmd: log level changed from 0 to 40 for
> class 9 [priv]
> 174101.077609 Sdep 30 monitor_init: pid 18819 my fd 6 [priv]
> 174101.079134 Sdep 30 monitor_init: pid 0 my fd 5 [priv]
> 174101.079510 Misc 10 monitor_init: privileges dropped for child process
> 174101.654766 Timr 10 timer_add_event: event
> connection_checker(0x3c1e8c80)
> added last, expiration in 0s
> 174101.655255 Misc 60 connection_record_passive: passive connection
> "IPsec-Fission-SonicWall" added
> 174101.645410 Plcy 30 policy_init: initializing
> 174101.658148 Misc 20 udp_make: transport 0x3c1ead00 socket 8 ip
> 127.0.0.1 port 500
> 174101.659980 Misc 20 udp_encap_make: transport 0x3c1ead40 socket 9 ip
> 127.0.0.1 port 4500
> 174101.675446 Misc 20 udp_make: transport 0x3c06a0c0 socket 16 ip
> AAA.AAA.AAA.AAA port 500
> 174101.677576 Misc 20 udp_encap_make: transport 0x3c06a100 socket 17 ip
> AAA.AAA.AAA.AAA port 4500
> 174101.696403 Misc 20 udp_make: transport 0x3c06a480 socket 26 ip
> 0.0.0.0 port 500
> 174101.698525 Misc 20 udp_encap_make: transport 0x3c06a4c0 socket 27 ip
> 0.0.0.0 port 4500
> 174101.743637 Default log_packet_init: starting IKE packet capture to file
> "/var/run/isakmpd.pcap"
> 174101.744459 Timr 10 timer_handle_expirations: event
> connection_checker(0x3c1e8c80)
> 174101.745041 Timr 10 timer_add_event: event
> connection_checker(0x3c1e8c80)
> added last, expiration in 300s
> 174101.746671 Timr 10 timer_add_event: event exchange_free_aux(0x3c065d00)
> added before connection_checker(0x3c1e8c80), expiration in 120s
> 174101.748101 Exch 10 exchange_establish_p1: 0x3c065d00
> ISAKMP-peer-SonicWall SonicWall-main-mode policy initiator phase 1 doi 1
> exchange 4 step 0
> 174101.748691 Exch 10 exchange_establish_p1: icookie 0f7fd1a961498319
> rcookie 0000000000000000
> 174101.749186 Exch 10 exchange_establish_p1: msgid 00000000
> 174101.749826 SA 60 sa_create: sa 0x3c065f00 phase 1 added to exchange
> 0x3c065d00 (ISAKMP-peer-SonicWall)
> 174101.745797 Misc 70 attribute_set_constant: no PRF in the AES-SHA-GRP2
> section
> 174101.745971 Misc 70 group_get: returning 0x3c06a6c0 of group 2
> 174101.746116 Exch 50 nat_t_setup_hashes:
> MD5("draft-ietf-ipsec-nat-t-ike-02
> ") (16 bytes)
> 174101.746174 Exch 50 nat_t_setup_hashes:
> 174101.746242 Exch 50 90cb8091 3ebb696e 086381b5 ec427b1f
> 174101.746299 Exch 50 nat_t_setup_hashes:
> MD5("draft-ietf-ipsec-nat-t-ike-03") (16 bytes)
> 174101.746347 Exch 50 nat_t_setup_hashes:
> 174101.746412 Exch 50 7d9419a6 5310ca6f 2c179d92 15529d56
> 174101.746467 Exch 50 nat_t_setup_hashes: MD5("RFC 3947") (16 bytes)
> 174101.746513 Exch 50 nat_t_setup_hashes:
> 174101.746580 Exch 50 4a131c81 07035845 5c5728f2 0e95452f
> 174101.789728 Negt 40 ike_phase_1_send_ID: IPV4_ADDR:
> 174101.789821 Negt 40 00000000
> 174101.800761 Exch 40 exchange_run: exchange 0x3c065d00 finished step 0,
> advancing...
> 174101.801342 Timr 10 timer_add_event: event
> message_send_expire(0x3c069580)
> added before exchange_free_aux(0x3c065d00), expiration in 7s
> 174104.088867 Timr 10 timer_remove_event: removing event
> message_send_expire(0x3c069580)
> 174104.089711 Exch 50 nat_t_check_vendor_payload: bad size 8 != 16
> 174104.090254 Exch 50 nat_t_check_vendor_payload: bad size 8 != 16
> 174104.090740 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer
> detected
> 174104.091406 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
> 174104.091962 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1
> ok
> 174104.094023 Negt 20 ike_phase_1_validate_prop: success
> 174104.094612 Negt 30 message_negotiate_sa: proposal 1 succeeded
> 174104.095100 Misc 20 ipsec_decode_transform: transform 1 chosen
> 174104.146533 Negt 40 ike_phase_1_recv_ID: FQDN:
> 174104.147189 Negt 40 4d696372 6f706c65 78
> 174110.127525 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1
> ok
> 174110.128426 Negt 20 ike_phase_1_validate_prop: success
> 174110.128963 Negt 30 message_negotiate_sa: proposal 1 succeeded
> 174110.129448 Misc 20 ipsec_decode_transform: transform 1 chosen
> 174110.180487 Negt 40 ike_phase_1_recv_ID: FQDN:
> 174110.181143 Negt 40 4d696372 6f706c65 78
> 174119.127216 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1
> ok
> 174119.128104 Negt 20 ike_phase_1_validate_prop: success
> 174119.128638 Negt 30 message_negotiate_sa: proposal 1 succeeded
> 174119.129119 Misc 20 ipsec_decode_transform: transform 1 chosen
> 174119.180523 Negt 40 ike_phase_1_recv_ID: FQDN:
> 174119.181182 Negt 40 4d696372 6f706c65 78
> 174139.126306 Negt 30 message_negotiate_sa: transform 1 proto 1 proposal 1
> ok
> 174139.127198 Negt 20 ike_phase_1_validate_prop: success
> 174139.127731 Negt 30 message_negotiate_sa: proposal 1 succeeded
> 174139.128214 Misc 20 ipsec_decode_transform: transform 1 chosen
> 174139.179205 Negt 40 ike_phase_1_recv_ID: FQDN:
> 174139.179854 Negt 40 4d696372 6f706c65 78
> 174301.765855 Timr 10 timer_handle_expirations: event
> exchange_free_aux(0x3c065d00)
> 174301.766599 Exch 20 exchange_establish_finalize: finalizing exchange
> 0x3c065d00 with arg 0x3c12bc40 (IPsec-Fission-SonicWall) & fail = 1
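The two facts that matter in the debug output above are buried in hex: the ID isakmpd sent (ike_phase_1_send_ID) and the ID the SonicWall presented (ike_phase_1_recv_ID). The following checker is an added example, not code from this thread or from OpenBSD: it reads the Phase 1 sections of an isakmpd.conf, decodes those two ID dumps, and reports where the configuration disagrees with what actually went over the wire. It assumes the debug lines look exactly like the ones posted (a "TIME CLASS LEVEL" prefix, the hex dump on the following line), understands only the tags used in this config, and flags "Local-ID" in a Phase 1 peer section because isakmpd.conf(5) names that tag "ID". The embedded config and log text are copied from the post above as constructed samples.

```python
import re

# Constructed sample: the Phase 1 sections of the isakmpd.conf posted above.
SAMPLE_CONF = """\
[Phase 1]
BBB.BBB.BBB.BBB= ISAKMP-peer-SonicWall

[ISAKMP-peer-SonicWall]
Phase= 1
Transport= udp
Address= BBB.BBB.BBB.BBB
Configuration= SonicWall-main-mode
Authentication= mekmitasdigoat
Local-ID= ID-Fission
Remote-ID= ID-SonicWall

[ID-SonicWall]
ID-type= USER_FQDN
Name= SonicWall

[ID-Fission]
ID-type= FQDN
Name= fission.corp.local
"""

# Constructed sample: the four ID-related lines from the isakmpd -d output above.
SAMPLE_LOG = """\
174101.789728 Negt 40 ike_phase_1_send_ID: IPV4_ADDR:
174101.789821 Negt 40 00000000
174104.146533 Negt 40 ike_phase_1_recv_ID: FQDN:
174104.147189 Negt 40 4d696372 6f706c65 78
"""


def parse_conf(text):
    """Minimal isakmpd.conf reader: '[Section]' headers and 'Tag= value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            tag, value = line.split("=", 1)
            sections[current][tag.strip()] = value.strip()
    return sections


def decode_id(id_type, hex_words):
    """Turn the hex dump isakmpd prints under an ID line into a readable value."""
    data = bytes.fromhex("".join(hex_words))
    if id_type in ("FQDN", "USER_FQDN"):
        return data.decode("ascii", errors="replace")
    if id_type == "IPV4_ADDR" and len(data) == 4:
        return ".".join(str(b) for b in data)
    return data.hex()


ID_LINE = re.compile(r"ike_phase_1_(send|recv)_ID:\s+(\S+):\s*$")


def parse_log_ids(text):
    """Return {'send': (type, value), 'recv': (type, value)} found in the debug output."""
    ids, lines = {}, text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = ID_LINE.search(line)
        if not m:
            continue
        # the dump is on the next line, after the "TIME CLASS LEVEL" prefix
        words = lines[i + 1].split()[3:]
        if words and all(re.fullmatch(r"[0-9a-fA-F]+", w) for w in words):
            ids[m.group(1)] = (m.group(2), decode_id(m.group(2), words))
    return ids


def audit(conf_text, log_text):
    """Compare the Phase 1 identities in the config with those seen in the log."""
    conf = parse_conf(conf_text)
    ids = parse_log_ids(log_text)
    result = {"warnings": [], "sent": ids.get("send"), "received": ids.get("recv")}
    peer = next((s for s in conf.values() if s.get("Phase") == "1" and "Address" in s), None)
    if peer is None:
        result["warnings"].append("no Phase 1 peer section found")
        return result
    # isakmpd.conf(5): the local identity of a Phase 1 peer section is the "ID" tag;
    # "Local-ID" is only meaningful in Phase 2 connection sections and is ignored here.
    if "Local-ID" in peer and "ID" not in peer:
        result["warnings"].append(
            "peer section uses Local-ID; isakmpd expects ID for the Phase 1 local "
            "identity, so the configured ID section is never sent")
    remote = conf.get(peer.get("Remote-ID", ""), {})
    expected = (remote.get("ID-type"), remote.get("Name"))
    result["expected_remote"] = expected
    if ids.get("recv") and ids["recv"] != expected:
        result["warnings"].append(
            f"Remote-ID mismatch: configured {expected}, peer presented {ids['recv']}")
    return result


if __name__ == "__main__":
    for warning in audit(SAMPLE_CONF, SAMPLE_LOG)["warnings"]:
        print("WARNING:", warning)
```

Run against the posted material it reports two things: the local side sent IPV4_ADDR 0.0.0.0 because the peer section has no "ID" tag, and the SonicWall presented FQDN "Microplex" while the config expects USER_FQDN "SonicWall". Both the type and the name of the Remote-ID section have to match what the peer sends, or Phase 1 never completes.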
