# 2.6.0, IPSec, Bluesocket Sonicwall

## poot

I've been trying for a few days to get my 2.6.0 box to log on to my office's Sonicwall VPN Server.  I've got all the right modules compiled and loaded.  Here's the configuration information for the sonicwall:

Encryption:  3DES or 192 bit AES

Hashing Algorithm: SHA1 or MD5

Diffie-Hellman Group: Group 2 (1024 bit)

Compression: LZS or Deflate

Perfect Forward Secrecy (PFS): Disabled

Pre-Shared Key: allow

Server IP address: 192.168.64.1

IKE Mode: Main mode only

Since I'm running 2.6.0, I'd like to use the crypto api and all the IPSec goodies that come with the kernel.  I suppose this means I'm using the "KAME" tools.  Everything's peachy but the configuration.  Here's what I've got so far:

racoon.conf

```
pootlaptop racoon # cat racoon.conf
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/etc/cert" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        #exchange_mode main,aggressive;
        #exchange_mode aggressive,main;
        exchange_mode main;             # SonicWall: "IKE Mode: Main mode only"
        #doi ipsec_doi;
        #situation identity_only;
#       my_identifier user_fqdn "sakane@kame.net";
#       peers_identifier user_fqdn "sakane@kame.net";
        #certificate_type x509 "mycert" "mypriv";
#       nonce_size 16;
#       lifetime time 1 min;    # sec,min,hour

        # Phase 1 proposal.  With the proposal (and the closing brace of this
        # block) commented out, racoon has nothing to offer the peer; these
        # values match the SonicWall's 3DES / SHA1 / pre-shared key / DH group 2.
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        # The SonicWall has PFS disabled, so do not demand a DH group in
        # phase 2; leave pfs_group out (re-enable it if PFS is turned on).
        #pfs_group 2;
        lifetime time 30 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

#sainfo address 203.178.141.209 any address 203.178.141.218 any
#{
#       pfs_group 1;
#       lifetime time 30 sec;
#       encryption_algorithm des ;
#       authentication_algorithm hmac_md5;
#       compression_algorithm deflate ;
#}

#sainfo address ::1 icmp6 address ::1 icmp6
#{
#       pfs_group 1;
#       lifetime time 60 sec;
#       encryption_algorithm 3des, cast128, blowfish 448, des ;
#       authentication_algorithm hmac_sha1, hmac_md5 ;
#       compression_algorithm deflate ;
#}
```

psk.txt

```
pootlaptop racoon # cat psk.txt
# IPv4/v6 addresses
192.168.64.1    allow
#10.160.94.3    mekmitasdigoat
#172.16.1.133   mekmitasdigoat
#194.100.55.1   whatcertificatereally
#203.178.141.208        mekmitasdigoat
#206.175.160.18 mekmitasdigoat
#206.175.160.20 mekmitasdigoat
#206.175.160.21 mekmitasdigoat
#206.175.160.22 mekmitasdigoat
#206.175.160.23 mekmitasdigoat
#206.175.160.36 mekmitasdigoat
#206.175.161.125        mekmitasdigoat
#206.175.161.154        mekmitasdigoat
#206.175.161.156        mekmitasdigoat
#206.175.161.182        mekmitasdigoat
#3ffe:501:410:ffff:200:86ff:fe05:80fa   mekmitasdigoat
#3ffe:501:410:ffff:210:4bff:fea2:8baa   mekmitasdigoat
# USER_FQDN
#sakane@kame.net        mekmitasdigoat
# FQDN
#kame           hoge
```

ipsec.conf

```
pootlaptop etc # cat ipsec.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
#spdadd xxx.xxx.xxx.xxx/32 0.0.0.0/0 any
#    -P out ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
#
#spdadd 0.0.0.0/0 xxx.xxx.xxx.xxx/32 any
#    -P in ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
```

For posterity, an lsmod

```
pootlaptop etc # lsmod
Module                  Size  Used by
e100                   62596  0
ipv6                  248160  10
twofish                42368  0
tcrypt                 62092  0 [permanent]
sha512                  9984  0
sha256                 10368  0
sha1                    8576  0
serpent                12928  0
md5                     4096  0
md4                     3712  0
des                    11648  0
deflate                 4096  0
zlib_deflate           21912  1 deflate
zlib_inflate           22272  1 deflate
cast6                  21120  0
cast5                  16000  0
blowfish                9728  0
aes                    33088  0
xfrm_user              15364  0
driverloader          147752  0
ipip                   11236  0
ipcomp                  8064  0
esp4                   10752  0
ah4                     8192  0
af_key                 33284  2
snd_intel8x0           31812  0
snd_ac97_codec         54020  1 snd_intel8x0
snd_mpu401_uart         7808  1 snd_intel8x0
snd_rawmidi            25088  1 snd_mpu401_uart
snd_seq_device          8324  1 snd_rawmidi
snd_pcm_oss            52356  0
snd_pcm                97792  2 snd_intel8x0,snd_pcm_oss
snd_page_alloc         11908  2 snd_intel8x0,snd_pcm
snd_timer              25856  1 snd_pcm
snd_mixer_oss          19200  1 snd_pcm_oss
snd                    50692  9 snd_intel8x0,snd_ac97_codec,snd_mpu401_uart,snd_rawmidi,snd_seq_device,snd_pcm_oss,snd_pcm,snd_timer,snd_mixer_oss
rtc                    13096  0
speedstep_centrino      4996  0
freq_table              4484  1 speedstep_centrino
radeon                119448  24
cpufreq_userspace       6052  2
cpufreq_powersave       1920  0
sr_mod                 15776  0
cdrom                  34720  1 sr_mod
```

Here's the output from racoon:

```
pootlaptop etc # racoon -d -v -F -f /etc/racoon/racoon.conf
Foreground mode.
2003-12-18 14:54:48: INFO: main.c:174:main(): @(#)racoon 20001216 20001216 sakane@kame.net
2003-12-18 14:54:48: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.6j 10 Apr 2003 (http://www.openssl.org/)
2003-12-18 14:54:48: DEBUG: pfkey.c:370:pfkey_init(): call pfkey_send_register for AH
2003-12-18 14:54:48: DEBUG: pfkey.c:370:pfkey_init(): call pfkey_send_register for ESP
2003-12-18 14:54:48: DEBUG: pfkey.c:370:pfkey_init(): call pfkey_send_register for IPCOMP
2003-12-18 14:54:48: DEBUG: pfkey.c:2246:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2003-12-18 14:54:48: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 127.0.0.1 (lo)
2003-12-18 14:54:48: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 192.168.64.89 (eth0)
2003-12-18 14:54:48: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 192.168.227.171 (eth1)
2003-12-18 14:54:48: DEBUG: grabmyaddr.c:676:autoconf_myaddrsport(): configuring default isakmp port.
2003-12-18 14:54:48: DEBUG: grabmyaddr.c:698:autoconf_myaddrsport(): 3 addrs are configured successfully
2003-12-18 14:54:48: INFO: isakmp.c:1362:isakmp_open(): 192.168.227.171[500] used as isakmp port (fd=6)
2003-12-18 14:54:48: INFO: isakmp.c:1362:isakmp_open(): 192.168.64.89[500] used as isakmp port (fd=7)
2003-12-18 14:54:48: INFO: isakmp.c:1362:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=8)
2003-12-18 14:54:48: DEBUG: pfkey.c:194:pfkey_handler(): get pfkey X_SPDDUMP message
2003-12-18 14:54:48: DEBUG: pfkey.c:209:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory
```

I know I'm going to need to change ipsec.conf, but I'm not sure what the settings are that I'd have to change.  Is anyone experienced enough to handle this?  What other information should I provide?  I apologize for not giving more information, but apparently I've become totally clueless from freeswan with 2.4 to kame and 2.6.

----------

## Krigg

I'm also at odds with the 2.6 kernel and IPsec, I can't seem to get it working...and I almost had it working with the 2.4 kernel....now I can't seem to get it up and running.....freeswan keeps telling me that this isn't an IPsec enabled Kernel, yet in the Networking Options, I compiled the ONLY IPsec option I found directly into the kernel. Should I have left it a module?

JR

----------

## Krigg

No one knows which iteration of the 2.6 kernel has IPSec built in? Because I'm running the 2.6.0 right now, and can't get freeswan to download...it says:

```
Bleeding_Edge freeswan # emerge freeswan-2.04.ebuild
/usr/portage/packages
Calculating dependencies ...done!
>>> emerge (1 of 1) net-misc/freeswan-2.04 to /
>>> md5 src_uri ;-) freeswan-2.04.tar.gz
>>> md5 src_uri ;-) x509-1.4.8-freeswan-2.04.tar.gz
You need to have the crypto-enabled version of Gentoo Sources
with a symlink to it in /usr/src/linux in order to have IPSec
kernel compatibility.
```

and this is my uname -a specs:

```
Linux Bleeding_Edge 2.6.0 #3 SMP Wed Dec 24 20:03:21 CST 2003 i686 AMD Athlon(tm) MP 1800+ AuthenticAMD GNU/Linux
```

And everything I've read says that IPsec should be working if I use this kernel....but it's not....anyhoo, I'm gonna start experimentin....

JR

----------

## CHerzog

*Krigg wrote:*

> ```
> >>> emerge (1 of 1) net-misc/freeswan-2.04 to /
> ...
> ```

You have to use the ipsectools, not Freeswan! Freeswan is for Kernel 2.4 only. You can download a patch for using 2.6, but then no other patch will work.

Use the Tools from the KAME-Project!

http://www.ipsec-howto.org/x237.html

Bye

Christian

----------

## _dan_

any news on this topic?

I need a VPN client for the SonicWall too, but I've never done anything with VPN or IPsec before and need some help on this topic.

It would be cool if we could get it to work and write a small tutorial; I haven't found anything on the web for this and I think it's quite useful.

----------

## Aurora

I'm in the process of just trying to plain get my gentoo server box to act as an IPsec server.  This is definitely challenging...  Seems this is quite "un-user friendly."  Then again if I didn't want a challenge I wouldn't have installed gentoo.   :Wink: 

We'll see what happens...I am intent on writing a tutorial if I can finally get the thing to work...

*sigh*   :Smile:   Here I go.    :Very Happy: 

----------

## _dan_

hm, we're still not able to get IPsec with the SonicWall working  :Sad: 

but there is new hope, a guy from Switzerland has a new project which is based on the old FreeS/WAN. He wants to make it easier to configure; hopefully he will be successful. 

http://www.strongswan.org/

If anyone tries it and gets it to work  :Smile:  I would be pleased to get a bit of help,

thx  :Wink: 

have fun

----------

## Wilko

I've been toying around with IPSec and I've found your next step, so to speak (although mine isn't working yet, I think in time it might)

I was getting the

```
2003-12-18 14:54:48: DEBUG: pfkey.c:194:pfkey_handler(): get pfkey X_SPDDUMP message
2003-12-18 14:54:48: DEBUG: pfkey.c:209:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory
```

error, but I fixed it by doing the following:

Edit these lines:

```
#spdadd xxx.xxx.xxx.xxx/32 0.0.0.0/0 any
#    -P out ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
#
#spdadd 0.0.0.0/0 xxx.xxx.xxx.xxx/32 any
#    -P in ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
```

1. Remove the comments (for starters)

2. Configure! The xxx.xxx.xxx.xxx/32 are IPs that are on your end. In my case I just put my own computer's IP address, 192.168.99.111/32. I've seen configurations where they just put localhost, but I'll save that 'optimization' for when it works.

3. Configure the 0.0.0.0/0. Currently that mask will make everything that you send go through the tunnel, which might be what you wanted. I only wanted things going to the internal work network (192.168.160.0/24) to go through the tunnel, so that's what I put in place of both 0.0.0.0/0's. 

4. On the tunnel lines, the xxx.xxx.xxx.xxx's are the same as the ones in step 2.

5. On the tunnel lines, the yyy.yyy.yyy.yyy is the IP of the other end of the VPN gateway. This won't be a 192.XXX.XXX.XXX address, this will be something else (I was given a groupvpn configuration file, that I think sonic wall generated, it was XML and seemed to have the address in it, under the tag HostName).

6. Now if you look at the first line of the ipsec.conf file, you'll notice it's supposedly executable. So I chmod +x'ed it, ran it, and now things sort of work. racoon starts, and when I ping destinations inside the VPN, racoon acknowledges the effort, but I haven't properly configured things, because it still doesn't work.

It's a start however.
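The steps above, carried out as a small POSIX shell script. This is an added example and not Wilko's own ipsec.conf: it takes the three values steps 2, 3 and 5 ask for (your host's /32, the office network, the gateway's public address), checks that each looks like an IPv4 address, and prints the completed setkey policy with the tunnel endpoints derived from the same values, so the "xxx" in the tunnel lines cannot drift from the "xxx" in the selector (the point of step 4). The addresses at the bottom are Wilko's 192.168.99.111/32 and 192.168.160.0/24 plus 203.0.113.1, an assumed placeholder for the gateway; `build_spd`, `spd_count` and `valid_ipv4` are names chosen here, not setkey or racoon commands.

```shell
#!/bin/sh
# Added example (not from the thread): generate the setkey SPD policy that
# steps 1-5 describe, from three values, so it can be reviewed before being
# loaded on the IPsec host with:  setkey -f /etc/ipsec.conf

# Accept a dotted-quad IPv4 address, optionally with a /prefix length.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# build_spd LOCAL_HOST/32 REMOTE_NET/PREFIX GATEWAY_IP
# Prints a complete setkey script: flush, then one outbound and one inbound
# policy that require ESP in tunnel mode between this host and the gateway.
# Only traffic matching the selector (local host <-> remote network) is
# forced through the tunnel; everything else is left alone (step 3).
build_spd() {
    local_host="$1"; remote_net="$2"; gateway="$3"
    for a in "$local_host" "$remote_net" "$gateway"; do
        valid_ipv4 "$a" || { echo "build_spd: bad address: $a" >&2; return 1; }
    done
    # Tunnel endpoints are plain addresses, so strip the /32 (step 4).
    local_ip="${local_host%/*}"
    printf '%s\n' \
        '#!/usr/sbin/setkey -f' \
        'flush;' \
        'spdflush;' \
        "spdadd ${local_host} ${remote_net} any" \
        "    -P out ipsec esp/tunnel/${local_ip}-${gateway}/require;" \
        "spdadd ${remote_net} ${local_host} any" \
        "    -P in ipsec esp/tunnel/${gateway}-${local_ip}/require;"
}

# Number of spdadd entries in the generated script (expected: 2, out + in).
spd_count() {
    build_spd "$@" | grep -c '^spdadd'
}

# Constructed inputs: Wilko's host and office network; 203.0.113.1 is a
# placeholder (RFC 5737 documentation range) for the gateway's public address.
build_spd 192.168.99.111/32 192.168.160.0/24 203.0.113.1
```

Redirect the output to /etc/ipsec.conf and load it with `setkey -f`; `setkey -DP` afterwards should show both policies, and racoon then has an SPD to consult instead of reporting the empty-SPD dump above.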

----------

