I am trying to remotely connect to a network device behind a Sonicwall firewall.
Sonicwall external IP = 142.68.120.63 (fiction)
Sonicwall auth method = IKE shared secret
shared secret = sonicSecret (fiction)
LAN address of target machine behind the Sonicwall = 192.168.1.109
Target user at 192.168.1.109 = mark
Target machine's OS = Win7
mark's password = password (fiction)
LAN address of my client: 192.168.57.99
Client machine's interface: enp0s3
I have a Windows 7 x64 VM, which I have used to verify the route and its availability. The Windows VPN client is the Dell SonicWall Global VPN Client. I am able to connect by adding only four pieces of information: the external IP of the Sonicwall, the shared secret, the user's name, and the user's password.
Following the wiki: https://wiki.archlinux.org/index.php/L2 … ient_setup
Here is my /etc/ipsec.conf:
config setup
    virtual_private=%v4:192.168.1.0/16
    nat_traversal=yes
    protostack=netkey
    oe=no
    plutoopts="--interface=enp0s3"

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport # tried tunnel also
    left=192.168.57.99
    leftnexthop=%defaultroute
    leftprotoport=17/1701
    right=142.68.120.63
    rightprotoport=17/1701
Here is my /etc/ipsec.secrets
192.168.57.99 142.68.120.63 : PSK "sonicSecret"
The openswan service starts without error.
Here's my /etc/xl2tpd/xl2tpd.conf
[lac vpn-connection]
lns = 142.68.120.63
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
Here's my /etc/ppp/options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
# tried require-pap also
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name mark
password password
ipsec auto --add L2TP-PSK adds the connection without error.
/var/run/xl2tpd/l2tp-control is present
systemctl start/restart openswan # no error
systemctl start/restart xl2tpd # no error
ipsec auto --up L2TP-PSK fails:
002 "L2TP-PSK" #1: initiating Main Mode
105 "L2TP-PSK" #1: STATE_MAIN_I1: initiate
003 "L2TP-PSK" #1: ignoring unknown Vendor ID payload [….]
003 "L2TP-PSK" #1: received Vendor ID payload [RFC 3947] method set to=115
003 "L2TP-PSK" #1: Can't authenticate: no preshared key found for `192.168.57.99' and `142.68.120.63'. Attribute OAKLEY_AUTHENTICATION_METHOD
003 "L2TP-PSK" #1: no acceptable Oakley Transform
214 "L2TP-PSK" #1: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
002 "L2TP-PSK" #1: sending notification NO_PROPOSAL_CHOSEN to 142.68.120.63:500
My guess based on the output is that I am not properly pointing to the shared key in /etc/ipsec.secrets, but I am not able to figure it out.
I have tried many permutations based on posts found elsewhere, eg http://www.ghacks.net/2010/03/03/creati … sonicwall/. I have also tried the approach on a different Linux Distro.
I have also tried the netextender package without luck. There appears to be no analog for the pre-shared secret input that the Dell GVC client provides. There is also an ambiguous extra in the interface labeled “Domain.” The application fails to connect with the simple error “Authentication failed.” (Note: initially I must accept the Sonicwall's untrusted cert.)
After a few days, I am reaching out for help.
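An added diagnostic for the failure in this post (my own script, not from the thread or the wiki): pluto looks up the PSK in /etc/ipsec.secrets by the pair of IDs on the line, so the script checks that the conn's left/right addresses are covered by some entry and that the secrets file is root-only. It assumes GNU stat; the demo uses the fictional addresses and secret from the post.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: checks that an openswan client config and its
# ipsec.secrets agree, which is what the "no preshared key found for `left' and `right'"
# message is about. File paths are arguments; the demo values are the post's fictional ones.

# Value of KEY in CONF (first match), with any trailing "# comment" removed.
conn_value() {  # usage: conn_value CONF KEY
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print the first PSK line in SECRETS whose index list covers both LEFT and RIGHT.
# An index of %any matches either side. Returns 1 if nothing matches.
psk_entry() {  # usage: psk_entry SECRETS LEFT RIGHT
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        case $line in *PSK*) ;; *) continue ;; esac
        lok=0; rok=0
        for id in ${line%%:*}; do
            { [ "$id" = "$2" ] || [ "$id" = "%any" ]; } && lok=1
            { [ "$id" = "$3" ] || [ "$id" = "%any" ]; } && rok=1
        done
        if [ "$lok" = 1 ] && [ "$rok" = 1 ]; then printf '%s\n' "$line"; return 0; fi
    done < "$1"
    return 1
}

# 0 if a PSK entry matches the conn's left/right; otherwise explains the mismatch.
check_psk() {  # usage: check_psk CONF SECRETS
    left=$(conn_value "$1" left); right=$(conn_value "$1" right)
    if entry=$(psk_entry "$2" "$left" "$right"); then
        echo "ok: $entry"
    else
        echo "no PSK entry in $2 covers $left and $right (expect 'no preshared key found')"
        return 1
    fi
    # pluto reads the secrets at start: after editing, re-read them or restart the service.
    mode=$(stat -c '%a' "$2")
    [ "$mode" = 600 ] || echo "warning: $2 mode is $mode, should be 600 (root-only)"
}

# Constructed sample using the post's (fictional) addresses and secret.
demo() {
    d=$(mktemp -d)
    printf 'conn L2TP-PSK\n\tleft=192.168.57.99 # arch\n\tright=142.68.120.63\n' > "$d/ipsec.conf"
    printf '192.168.57.99 142.68.120.63 : PSK "sonicSecret"\n' > "$d/ipsec.secrets"
    chmod 600 "$d/ipsec.secrets"
    check_psk "$d/ipsec.conf" "$d/ipsec.secrets"
    rm -rf "$d"
}
```

Run `check_psk /etc/ipsec.conf /etc/ipsec.secrets` as root; a `%any %any : PSK "..."` line is the loosest entry that still satisfies the lookup if the local address changes.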
I posted this in the wrong sub-forum. I am hoping an administrator will move it to Networking, Server and Administration.
Done. In the future, it is better to use the report function. It makes it far more likely that a moderator will see it quickly and it does not clutter the thread.
Last edited by ewaller (2015-10-19 16:06:46)
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
I am getting closer but I am still very much stuck.
Using a new ipsec.conf, I can now connect
config setup
    virtual_private=%v4:192.168.57.0/16,
    nat_traversal=yes
    protostack=netkey
    oe=no
    plutoopts="--interface=enp0s3"

conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport # tried tunnel also
    left=192.168.57.99 # local arch machine IP
    leftsubnet=192.168.57.0/24 # The subnet of arch machine
    leftprotoport=17/1701
    right=142.68.120.63 # Sonicwall VPN IP
    rightsubnet=192.168.1.0/24 # Sonicwall LAN subnet
    rightprotoport=17/1701
It appears to work:
[max@ArchBBone ~]$ sudo ipsec auto --up L2TP-PSK
002 "L2TP-PSK" #1: initiating Main Mode
104 "L2TP-PSK" #1: STATE_MAIN_I1: initiate
003 "L2TP-PSK" #1: ignoring unknown Vendor ID payload [5b362bc820f60008]
003 "L2TP-PSK" #1: received Vendor ID payload [RFC 3947] method set to=115
002 "L2TP-PSK" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "L2TP-PSK" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "L2TP-PSK" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "L2TP-PSK" #1: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
003 "L2TP-PSK" #1: received Vendor ID payload [XAUTH]
003 "L2TP-PSK" #1: received Vendor ID payload [Dead Peer Detection]
003 "L2TP-PSK" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
002 "L2TP-PSK" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "L2TP-PSK" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "L2TP-PSK" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
002 "L2TP-PSK" #1: Main mode peer ID is ID_IPV4_ADDR: '100.40.32.115'
002 "L2TP-PSK" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "L2TP-PSK" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
002 "L2TP-PSK" #1: Dead Peer Detection (RFC 3706): enabled
002 "L2TP-PSK" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:88b406de proposal=defaults pfsgroup=no-pfs}
117 "L2TP-PSK" #2: STATE_QUICK_I1: initiate
003 "L2TP-PSK" #2: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
002 "L2TP-PSK" #2: Dead Peer Detection (RFC 3706): enabled
002 "L2TP-PSK" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "L2TP-PSK" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x43b2df17 <0x407385ed xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
But, continuing with the wiki instructions:
$ ipsec auto --up L2TP-PSK
$ echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
I find that ip l does not show any entry for the pppx link (just lo and enp8s0).