I have a SonicWall router with an IP address @public_A. Behind this router is a LAN 192.168.2.0/24. On the other hand, I have a Linux Ubuntu machine with IP address @public_B.
My aim is to set up an IPsec VPN client for Linux so I am able to send messages from my Linux client machine to the 192.168.2.0/24 LAN.
This client already exists for Windows machines, developed by SonicWall, but not for Linux machines.
I decided to configure an Openswan tunnel in order to connect to this LAN, following the advice of many posts on the internet.
ipsec.conf:
conn sonicwall
    type=tunnel
    left=public_B
    leftid=@yyyyyyyyyyyyyyy
    leftxauthclient=yes
    right=public_A
    rightsubnet=192.168.2.0/24
    rightxauthserver=yes
    rightid=@xxxxxxxxxxxxxxxx
    keyingtries=0
    pfs=no
    aggrmode=yes
    auto=add
    auth=esp
    esp=aes256-sha1
    #phase2alg=aes256-sha1
    ike=aes256-sha1;modp1536
    authby=secret
    leftxauthusername=USER
    #xauth=yes
    keyexchange=ike
Logs at launch:
~# ipsec whack --name sonicwall --initiate
002 "sonicwall" #9: initiating Aggressive Mode #9, connection "sonicwall"
112 "sonicwall" #9: STATE_AGGR_I1: initiate
003 "sonicwall" #9: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
003 "sonicwall" #9: ignoring unknown Vendor ID payload [xxxxxxxxxxxxxxxxxx]
003 "sonicwall" #9: received Vendor ID payload [RFC 3947] method set to=109
003 "sonicwall" #9: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #9: received Vendor ID payload [XAUTH]
002 "sonicwall" #9: Aggressive mode peer ID is ID_FQDN: '@xxxxxxxxxxxxxxxxx'
003 "sonicwall" #9: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
002 "sonicwall" #9: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
004 "sonicwall" #9: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
002 "sonicwall" #9: XAUTH: Answering XAUTH challenge with user='USER'
002 "sonicwall" #9: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "sonicwall" #9: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
003 "sonicwall" #9: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
003 "sonicwall" #9: received and ignored informational message
002 "sonicwall" #9: XAUTH: Successfully Authenticated
002 "sonicwall" #9: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "sonicwall" #9: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "sonicwall" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#9 msgid:489fb919 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "sonicwall" #10: STATE_QUICK_I1: initiate
002 "sonicwall" #10: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "sonicwall" #10: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xff65c149 <0x6de1b3e3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
NB: no route was added to my routing table after that.
My tunnel seems to be fully functional, but I cannot send any message to the LAN behind the router. I have no idea how to use the tunnel I have just set up in order to send at least a ping to a machine in the LAN. How should I do this?
You can also give me advice on how to reach my goal, even if it is not by using Openswan.
Thanks for reading and helping.
Do you have any new network interfaces after you've successfully authenticated? Check ip addr to see if you have any ppp0 or similar interfaces.
I'm not sure about your case since your authentication method is different from what I've configured in the past (pre-shared key openswan + user/pass xl2tpd) but, if there are any similarities, running ipsec auto --up ${connection_name} normally establishes the tunnel using the preshared key for authentication but without bringing up the interface, at which point I have to tell xl2tpd to connect, which authenticates with the user and password, then creates the interface ppp0.
What's your output for ipsec verify (after starting the openswan service)?
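An added check, written for this thread and not part of the question or the answer above: with Openswan on the kernel's native NETKEY/xfrm stack, a policy-based tunnel creates neither an interface nor a route, so "no route was added" is expected and ip addr will show nothing new. What decides whether a packet gets encrypted is the outbound xfrm policy and the source address the kernel picks for the destination. The script below parses constructed sample output of ip xfrm policy and ip route get (the addresses 203.0.113.10 for public_B and 198.51.100.1 for public_A are assumptions, as are the policy priorities and reqid); on the real client replace the samples with "$(ip xfrm policy)" and "$(ip route get 192.168.2.1)".

```shell
#!/bin/sh
# Does the kernel hold an outbound tunnel-mode IPsec policy for the remote
# subnet, and will the source address it picks match that policy?
# Assumed addresses: 203.0.113.10 = public_B (Ubuntu client),
#                    198.51.100.1 = public_A (SonicWall).

# Constructed sample of `ip xfrm policy` on the client after Quick Mode.
SAMPLE_POLICY='src 203.0.113.10/32 dst 192.168.2.0/24
	dir out priority 2344
	tmpl src 203.0.113.10 dst 198.51.100.1
		proto esp reqid 16385 mode tunnel
src 192.168.2.0/24 dst 203.0.113.10/32
	dir in priority 2344
	tmpl src 198.51.100.1 dst 203.0.113.10
		proto esp reqid 16385 mode tunnel
src 192.168.2.0/24 dst 203.0.113.10/32
	dir fwd priority 2344
	tmpl src 198.51.100.1 dst 203.0.113.10
		proto esp reqid 16385 mode tunnel'

# Constructed sample of `ip route get 192.168.2.1` on the same host.
SAMPLE_ROUTE='192.168.2.1 via 203.0.113.1 dev eth0 src 203.0.113.10 uid 0
    cache'

# xfrm_out_selector POLICY_TEXT DST_CIDR
# Prints the source selector of the "dir out" tunnel-mode policy whose
# destination selector is exactly DST_CIDR; exits 1 if there is none.
xfrm_out_selector() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "src" && $3 == "dst" { src = $2; dst = $4; out = 0; next }
        $1 == "dir"                { out = ($2 == "out" && dst == want); next }
        out && /mode tunnel/       { print src; found = 1; exit }
        END                        { exit found ? 0 : 1 }'
}

# route_src ROUTE_GET_TEXT
# Prints the "src" address the kernel would use for the looked-up destination.
route_src() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit }
    }'
}

# tunnel_check POLICY_TEXT ROUTE_GET_TEXT DST_CIDR
# Exit 0 when an outbound policy covers DST_CIDR and the kernel's chosen
# source address is the one that policy selects on; otherwise explain why.
tunnel_check() {
    sel=$(xfrm_out_selector "$1" "$3") || {
        echo "no outbound IPsec policy for $3: check ipsec auto --status and ip xfrm state"
        return 1
    }
    src=$(route_src "$2")
    case "$sel" in
        "$src/32" | "$src")
            echo "ok: packets to $3 from $src match policy, will be ESP-encrypted"
            return 0 ;;
        *)
            echo "mismatch: policy selects on source $sel but kernel picks $src"
            echo "hint: set leftsourceip= in the conn, or ping -I <address> from the selected source"
            return 1 ;;
    esac
}

# Usage on the real host (uncomment there):
# tunnel_check "$(ip xfrm policy)" "$(ip route get 192.168.2.1)" 192.168.2.0/24
tunnel_check "$SAMPLE_POLICY" "$SAMPLE_ROUTE" 192.168.2.0/24
```

If the first message appears, Quick Mode did not install a policy and the problem is in the SA, not in routing; if the mismatch message appears, the SA is fine but packets leave from an address the selector does not cover, which is the usual reason a ping into rightsubnet goes out unencrypted and unanswered.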