
Openswan to SonicWALL TZ170

Let me start off by saying that, in general, I like SonicWALL products. They were the first firewalls I ever sold and, as such, they are still the ones I feel most familiar with and know best. It’s also no secret that their GlobalVPN Client makes it ludicrously easy to create and connect to a VPN. Unfortunately, though, SonicWALL’s focus is very Windows-centric. This means that, now that I need to connect my Ubuntu laptop to a SonicWALL VPN, I have to leave the warm and fuzzy comfort of the GlobalVPN client and get to know Openswan a bit better.

According to what I have read and researched, many people have difficulties connecting Openswan to a SonicWALL appliance. I was no different. At one stage I had decided that it would be easier for me to gnaw a tunnel to my client’s office through solid granite, rather than persevere trying to get the VPN tunnel running. In the end, though, I got it working – here’s how.

So, first things first. You’re going to need a GroupVPN policy defined on the SonicWALL box. The TZ170 I’m connecting to has SonicOS Enhanced. If some of the following screenshots look different to yours, then that’s probably why. Firstly, make sure that the VPN is enabled, and that your SonicWALL has a unique identifier. You can leave it at the default, if you wish, but here we’ve called it DUBLIN01.

Enable the VPN and Unique ID

Next, create a GroupVPN policy. We’re using XAUTH for authorisation, so you will need to add some local users afterwards. On the first screen, define the policy authentication method and the shared secret:

Defining the policy authentication method and shared secret

Now define your proposals. Use Diffie-Hellman Group 5, encryption 3DES, authentication SHA1 with 28800 lifetime. For the second phase, use ESP protocol with 3DES encryption and SHA1 authentication. Do not enable Perfect Forward Secrecy.

Defining the proposals

On the Advanced screen, click to enable XAUTH. We’re using a custom group called VPN. If you choose to do the same, then define this under the Users -> Local Groups section. We added access to LAN Subnets.

The advanced options

Finally, on the Client tab, uncheck all the boxes and make sure that the Virtual Adapter Settings are set to “DHCP Lease or Manual Configuration”. If you are not going to be using any Windows clients with this connection, then you can set this to “None”. Leaving it at “DHCP Lease or Manual Configuration” keeps the policy usable by any client, though.

Client options

Now click OK to apply all of these settings, and we can move to the Ubuntu box.

If you haven’t already installed Openswan on your Ubuntu box, then do it now:

sudo apt-get install openswan

You can safely accept all the defaults during the installation. When Openswan is installed, it will have created a couple of files, which we’ll need to edit. The first of these is /etc/ipsec.conf, so type:

sudo gedit /etc/ipsec.conf

Change this file, so it reads as follows:

version 2.0 # conforms to second version of ipsec.conf specification

# Parameter lines inside a section must be indented; an unindented line starts a new section
config setup
    nat_traversal=yes
    protostack=netkey
    interfaces=%defaultroute

# Add connections here

conn sonicwall
    type=tunnel
    left=%defaultroute
    leftsubnet=xxx.xxx.xxx.xxx/24 # Your local subnet, eg: 192.168.0.0/24
    leftid=@GroupVPN # Do not change this!
    leftxauthclient=yes
    right=xxx.xxx.xxx.xxx # Change this to the external IP of your router
    rightsubnet=xxx.xxx.xxx.xxx/24 # The subnet at the router end, eg: 192.168.2.0/24
    rightxauthserver=yes
    rightid=@DUBLIN01 # This must be the Unique ID of the SonicWALL router
    keyingtries=0
    pfs=no
    aggrmode=yes
    keyexchange=ike
    auto=add
    auth=esp
    esp=3DES-SHA1
    ike=3DES-SHA1
    authby=secret

Note that the unique ID of the router must be preceded by an @ sign. I’ve supplied @DUBLIN01, because that was the example I gave above. Save the file, and then edit the /etc/ipsec.secrets file:

sudo gedit /etc/ipsec.secrets

Add a line to the file, as follows:

@GroupVPN @DUBLIN01  : PSK "JRC1981IMMAKIKHF4E"

The first section has to be identical to the leftid supplied in the ipsec.conf file. The second is the unique router ID, and must be identical to rightid. In the quotes, supply the shared secret that you put into the VPN config on the SonicWALL. This example is pre-populated with the sample ID (DUBLIN01) and shared secret from the screenshots above.

Save this file.

Now, from the command prompt type:

sudo ipsec setup --start
sudo ipsec whack --listen
sudo ipsec whack --name sonicwall --initiate

You can put these into a shell script, if you wish. If you get any errors, then check the log on the SonicWALL side. Make sure that your leftid and rightid are correct, and that the subnets on your side and on the VPN side match. For example, I initially had the right subnet set to 192.168.2.0/24, but the actual subnet was 192.168.2.0/27, and the connection failed because of this.
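As an added pre-flight check that is not part of the original post, this Python script parses ipsec.conf and ipsec.secrets text and reports the mistakes discussed above: parameter lines that are not indented (which Openswan rejects with a syntax error), a leftid/rightid pair with no matching PSK line, and a subnet that is still a placeholder or has host bits set. The sample configuration and PSK at the bottom are constructed; the functions take the file contents as strings, so feed them your own files.

```python
import ipaddress

def parse_ipsec_conf(text):
    # Every non-indented line opens a section, so an unindented parameter is
    # what triggers "syntax error, unexpected KEYWORD" at that line number.
    sections, current, errors = {}, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if line[0].isspace():
            key, _, value = line.strip().partition("=")
            sections.setdefault(current, {})[key.strip()] = value.strip()
        elif line.split()[0] in ("version", "config", "conn"):
            current = " ".join(line.split()[:2])
        else:
            errors.append(f"line {lineno}: '{line.split()[0]}' is not indented")
    return sections, errors

def parse_secrets(text):
    # {(leftid, rightid): psk} from lines like '@GroupVPN @DUBLIN01 : PSK "..."'
    pairs = [line.partition(":") for line in text.splitlines()]
    return {tuple(ids.split()): rest.split('"')[1] for ids, _, rest in pairs
            if len(ids.split()) == 2 and "PSK" in rest and rest.count('"') >= 2}

def check_conn(conf_text, secrets_text, name="sonicwall"):
    sections, problems = parse_ipsec_conf(conf_text)
    conn = sections.get(f"conn {name}", {})
    ids = (conn.get("leftid"), conn.get("rightid"))
    if ids[0] != "@GroupVPN" or not (ids[1] or "").startswith("@"):
        problems.append("leftid must be @GroupVPN, rightid the @-prefixed Unique ID")
    if ids not in parse_secrets(secrets_text):
        problems.append("no PSK line in ipsec.secrets matches leftid/rightid")
    for side in ("leftsubnet", "rightsubnet"):
        try:
            ipaddress.ip_network(conn.get(side, ""), strict=True)
        except ValueError:
            problems.append(f"{side} is not a valid network (placeholder, or host bits set)")
    return problems

# Constructed sample with two faults: an unindented "interfaces" line, and a rightsubnet with host bits set.
SAMPLE_CONF = """config setup
interfaces=%defaultroute
conn sonicwall
    leftid=@GroupVPN
    rightid=@DUBLIN01
    leftsubnet=192.168.0.0/24
    rightsubnet=192.168.2.5/24
"""
SAMPLE_SECRETS = '@GroupVPN @DUBLIN01 : PSK "example-psk"\n'
```

Running check_conn(SAMPLE_CONF, SAMPLE_SECRETS) reports both faults; fix the indentation and the mask and it returns an empty list.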

Once the connection is established, try pinging servers on the remote side. I’ve found the tunnel to be very stable and easy to use….eventually!!

  1. caleb
    February 9th, 2011 at 18:49 | #1

    cool, will use this.. tried for ages to get openswan working with a TZ about a year go!

  2. February 9th, 2011 at 20:57 | #2

    I’ll convert you fully to Linux yet :P

  3. csacpt
    February 10th, 2011 at 05:16 | #3

    Thank you in advance, I have wanted to do this without Windows but never found a real definition of the left and right settings and id things. I am new to this but I think I can make it work now. Then I will have to figure out the script thing. Life is learning so I will give it a go.

    BTW found this link over on Ubuntu forums, thanks again.

  4. February 10th, 2011 at 13:24 | #4

    You’re welcome. Hope it works ok for you – let me know if you need help with the shell script :) Thanks for your comment, Matt.

  5. Barry
    April 6th, 2011 at 15:38 | #5

I managed to set up the VPN with your article – thanks! I can ping ok from remote centos server to LAN behind sonicwall. How do I access the centos server over the VPN – it has no local IP address & using the server's live ip address takes the traffic over the internet not the VPN.

I have tried forcing the sonicwall groupvpn policy to only use DHCP (not DHCP or manual config) but the sonicwall refuses the VPN connection with the error: IKE Responder: WAN GroupVPN policy does not allow static IP for Virtual Adapter.

    Your help would be appreciated! Thanks, Barry

  6. April 7th, 2011 at 11:30 | #6

    As far as I know, you need to enable SonicWALL’s L2TP server and specify a pool of addresses for Openswan to use. I don’t know how much modification you will need to make to my config file above – I did read that you need to change leftsubnet to be the same as the subnet on your remote side – in my example, this would be 192.168.2.0/24.

    Thanks for your comment – hope this points you in the right direction!

  7. Chris
    June 29th, 2011 at 09:55 | #7

    Nice article, thanks.

Some older VPN clients can’t use Diffie-Hellman Group 5, they *have* to use Diffie-Hellman Group 2, so I ended up using "ike=3des-sha1-modp1024" instead of your "ike=3des-sha1" above. Thought I’d feed that back to you in case anyone else finds that useful.

  8. Edson – from Brazil
    July 30th, 2011 at 15:46 | #8

Thank you so much, Matt. After following your guide and some others too, I was able to establish a connection with my sonicwall, really good, fast. Below I leave my ipsec.conf description to help some others:

Instead of using, like your example, "leftsubnet=192.168.0.0/24", I used "leftsubnet=0.0.0.0/0.0.0.0"(1) and for "ike" used "ike=3des-sha1-modp1024", like Chris (above) suggested.

    (1) http://readlist.com/lists/openswan.org/users/1/5682.html

    Cheers (with some “caipirinha”)

  9. tolis
    January 16th, 2012 at 18:13 | #9

    Hi
thanks for the post but after I did what you said I get this error when I try to start ipsec
    openswan failed to exec the requested action – the following error occured:
    can not load config ‘/etc/ipsec.conf’: /etc/ipsec.conf:31: syntax error, unexpected KEYWORD, expecting $end [interfaces]

    Any ideas?

    Thanks

  10. January 16th, 2012 at 18:16 | #10

Sounds like an error in your ipsec.conf file. What is at line 31? You can post the content of the file here if you want, and I’ll take a look. Blank out your IDs, IP addresses, and hostname details though :)

  11. Cian Maher
    September 10th, 2012 at 11:43 | #11

    Hi Matt,

    Did you ever get:

    Informational Exchange message must be encrypted

    When trying to connect?

    Regards,

    Cian

  12. September 10th, 2012 at 12:01 | #12

    @Cian Maher
    Hi Cian,

    Great to hear from you. Yes, that message happens when the DH group isn’t set to 5. I think SonicWALL’s default is group 2 :)
