Racoon and SonicWall
Posted May 27, 2005

It is possible to establish an IPsec VPN tunnel between a SonicWall and racoon (FreeBSD, Monowall, etc.).

SonicWall test unit:

Model: SonicWall TZ170 Enhanced
Firmware version: SonicOS Enhanced 2.5.0.6-49e
ROM version: SonicROM 2.0.0.2

Racoon test unit:

Hardware: Soekris net4801
Operating system: Monowall 1.11
Racoon package version: freebsd-20040617a
Racoon internal version: 20001216 sakane@kame.net

Notes

On the SonicWall, you can use 0.0.0.0 as the remote IP address for the tunnel. The racoon end doesn't need a static IP address.

Phase 1

Racoon's local identifier must have the same type and the same value as the remote identifier specified in the SonicWall configuration.

If racoon's local identifier does not match the remote identifier specified in the SonicWall configuration, SonicWall will say this:

IKE Responder: Received Aggressive Mode request (Phase 1)
SENDING>>>> ISAKMP OAK AG (InitCookie:0xabcdefabcdefabcd RespCookie:0xabcdefabcdefabcd, MsgID: 0x0) (SA, KE, NON, ID, VID, HASH)

Racoon will say this:

racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
racoon: WARNING: ipsec_doi.c:3064:ipsecdoi_checkid1(): ID type mismatched.
racoon: WARNING: ipsec_doi.c:3079:ipsecdoi_checkid1(): ID value mismatched.
racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
racoon: ERROR: oakley.c:1233:oakley_validate_auth(): HASH mismatched

Phase 2

Racoon's phase 2 proposal should offer the encryption and hash algorithms configured for phase 2 on the SonicWall.

If you specify 3DES for phase 2 on the SonicWall and enable 3DES and Blowfish for phase 2 in racoon, the tunnel will come up.

If you also enable CAST128 or Rijndael/AES for phase 2 in racoon, the SonicWall will say this:

IKE Responder: Algorithms and/or keys do not match
IKE Responder: IPSec proposal does not match (Phase 2)

Racoon will say this:

racoon: ERROR: isakmp_inf.c:840:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.

Monowall config.xml excerpt

        <tunnel>
            <interface>wan</interface>
            <local-subnet>
                <network>lan</network>
            </local-subnet>
            <remote-subnet>10.20.1.0/24</remote-subnet>
            <remote-gateway>24.67.192.3</remote-gateway>
            <p1>
                <mode>aggressive</mode>
                <myident>
                    <fqdn>MONOWALL</fqdn>
                </myident>
                <encryption-algorithm>3des</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>2</dhgroup>
                <lifetime>28800</lifetime>
                <pre-shared-key>xxxxx</pre-shared-key>
            </p1>
            <p2>
                <protocol>esp</protocol>
                <encryption-algorithm-option>3des</encryption-algorithm-option>
                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <pfsgroup>0</pfsgroup>
                <lifetime>28800</lifetime>
            </p2>
            <descr>Sonicwall test</descr>
        </tunnel>
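As an added example (not code from the original page), the following script cross-checks a Monowall <tunnel> excerpt against the SonicWall-side settings described under Phase 1 and Phase 2 above, and classifies the quoted racoon/SonicWall log lines into the two failure modes. The SONICWALL dictionary is a hypothetical transcription of the SonicWall GUI settings; the trimmed <tunnel> sample is constructed from the excerpt above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's <tunnel> excerpt, trimmed to the fields checked.
TUNNEL_XML = """<tunnel><p1><mode>aggressive</mode>
<myident><fqdn>MONOWALL</fqdn></myident>
<encryption-algorithm>3des</encryption-algorithm><hash-algorithm>sha1</hash-algorithm>
<dhgroup>2</dhgroup></p1><p2><protocol>esp</protocol>
<encryption-algorithm-option>3des</encryption-algorithm-option>
<encryption-algorithm-option>blowfish</encryption-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option></p2></tunnel>"""

# Hypothetical SonicWall policy as an operator would transcribe it from the GUI.
SONICWALL = {"mode": "aggressive", "peer_id": ("fqdn", "MONOWALL"),
             "encryption-algorithm": "3des", "hash-algorithm": "sha1",
             "dhgroup": "2", "p2_enc": "3des", "p2_hash": "hmac_sha1"}

def check_tunnel(xml_text, sw):
    """Return the list of mismatches; an empty list means the proposals line up."""
    t = ET.fromstring(xml_text)
    p1, p2, problems = t.find("p1"), t.find("p2"), []
    ident = list(p1.find("myident"))[0]           # e.g. <fqdn>MONOWALL</fqdn>
    if (ident.tag, ident.text) != sw["peer_id"]:  # wrong type OR value fails phase 1
        problems.append(f"phase1 identifier {ident.tag}={ident.text} != {sw['peer_id']}")
    for tag in ("mode", "encryption-algorithm", "hash-algorithm", "dhgroup"):
        if p1.findtext(tag) != sw[tag]:
            problems.append(f"phase1 {tag} {p1.findtext(tag)} != {sw[tag]}")
    encs = [e.text for e in p2.findall("encryption-algorithm-option")]
    hashes = [e.text for e in p2.findall("hash-algorithm-option")]
    if sw["p2_enc"] not in encs or sw["p2_hash"] not in hashes:
        problems.append(f"phase2 proposal {encs}/{hashes} lacks {sw['p2_enc']}/{sw['p2_hash']}")
    # The page saw the tunnel survive an extra blowfish option but fail once
    # cast128 or rijndael was added, so extras beyond those get flagged.
    for extra in sorted(set(encs) - {sw["p2_enc"], "blowfish"}):
        problems.append(f"phase2 extra option {extra}: SonicWall rejected the proposal in the page's test")
    return problems

# Patterns lifted from the log lines quoted on the page.
PATTERNS = [(r"ipsecdoi_checkid1\(\): ID (type|value) mismatched", "phase1-id-mismatch"),
            (r"oakley_validate_auth\(\): HASH mismatched", "phase1-id-mismatch"),
            (r"IPSec proposal does not match \(Phase 2\)", "phase2-proposal-mismatch"),
            (r"no phase2 handle found", "phase2-proposal-mismatch")]

def classify_log(lines):
    """Map racoon/SonicWall log lines to the failure stage(s) they indicate."""
    return sorted({label for line in lines for pat, label in PATTERNS if re.search(pat, line)})
```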