Not Always What You Want

ugliest hat ever

Back in June 2008, I bought this yarn on a trip to Seattle. I had no plans for it, I just liked the way it looked.

I still do — except knit up. It looks awful! Colors vomiting and spiralling up the hat tube.

I’ll finish the hat and maybe someone will love it and take it off of my hands.

Today’s shot, taken during a dog walk at a local park before the weather turned nasty:

autumn

I love autumn. And now I’m off to upgrade my laptop to Ubuntu 11.10.

Ubuntu, Sonicwall, and OpenSwan – Final

I did get it to work and was able to use tsclient to connect to my Windows 7 development box in the office. Success! Now when my laptop finally dies I can replace it with something not running Windows and still work from it!

In the end, I fixed two of my own typos — one in the shared secret, one in the gateway for rightsubnet — and two configuration settings in my /etc/ipsec.conf.

Key Issues for me:
  • it seems SOME Sonicwalls require your leftid to be set to “@GroupVPN.” I know I have seen this in the Sonicwall Global VPN client (Windows) as well. I didn’t expect that to be an issue so this was a surprising fix to me.

  • the IKE DH Group is REALLY IMPORTANT. The examples all suggest just setting it to 3DES-SHA1. That did not work for my DH group 2. This post on ubuntuforums does note the Group 2 (and 5) settings for IKE.

Other potentially useful notes, some of which were problems for me and some that were not:
  • sudo ipsec auto --listall will show the Pre-Shared Keys defined (not the key itself, just the players+communications defined).

  • sudo ipsec auto --status may give you slightly more information about what’s going on.

  • after editing /etc/ipsec.conf, don’t forget to refresh the configuration: sudo ipsec auto --replace sonicwall

  • don’t forget to tab in the /etc/ipsec.conf settings for the connection.

  • Got your tunnel configured and connected but can’t do anything? Maybe you need to enable IP forwarding. Check to see if it’s already set up by either using sysctl (0 = disabled, 1 = enabled):
    sysctl net.ipv4.ip_forward
    or by checking /proc directly:
    cat /proc/sys/net/ipv4/ip_forward
    here’s how to fix it temporarily or permanently.

In the end, my final /etc/ipsec.conf looks something like this:

conn sonicwall
  type=tunnel
  left=192.168.XXX.XXX # my ubuntu machine IP
  leftid=@GroupVPN # this is REQUIRED to connect to our Sonicwall appliance
  leftxauthclient=yes
  right=XXX.XXX.XXX.XXX # IP of the Sonicwall
  rightsubnet=192.168.3.0/24 # the OFFICE subnet, not HOME like some documentation said
  rightxauthserver=yes
  rightid=@000123456789 # the Sonicwall appliance ID
  keyingtries=1
  pfs=no
  aggrmode=yes
  auto=add
  auth=esp
  esp=3DES-SHA1
  ike=3DES-SHA1-modp1024 # DH GROUP 2
  authby=secret # set up in /etc/ipsec.secrets
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/oe-exclude-dns.conf
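As an added check (my own script, not from the post or from Openswan), here is a small Python lint that applies the lessons above to a conn section and its ipsec.secrets entry: leftid must be @GroupVPN, the leftid/rightid pair must have a matching PSK line, ike= must name a DH group, and rightsubnet must not be the home subnet. The config and secrets strings are constructed samples with placeholder addresses.

```python
import re
from ipaddress import ip_network

# Constructed sample modelled on the post's final config (placeholder addresses).
IPSEC_CONF = """\
conn sonicwall
  type=tunnel
  left=192.168.1.10 # ubuntu machine
  leftid=@GroupVPN
  right=203.0.113.5 # sonicwall
  rightsubnet=192.168.3.0/24
  rightid=@000123456789
  aggrmode=yes
  ike=3DES-SHA1-modp1024 # DH group 2
  authby=secret
"""
IPSEC_SECRETS = '@GroupVPN @000123456789 : PSK "example-shared-secret"\n'

def parse_conn(text, name):
    """Return the key=value settings of one conn section, comments stripped."""
    settings, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # top-level directive (conn/include/config)
            in_conn = line.split() == ["conn", name]
            continue
        if in_conn and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def secret_ids(text):
    """Return the set of (id, id) pairs that have a PSK line in ipsec.secrets."""
    pairs = set()
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(\S+)\s*:\s*PSK\b", line)
        if m:
            pairs.add((m.group(1), m.group(2)))
    return pairs

def check_conn(conf, secrets, name, home_subnet):
    """Apply the post's lessons; return a list of problems (empty means it looks OK)."""
    c, problems = parse_conn(conf, name), []
    if c.get("leftid") != "@GroupVPN":
        problems.append("leftid should be @GroupVPN (case-sensitive) for this appliance")
    if c.get("authby") == "secret" and (c.get("leftid"), c.get("rightid")) not in secret_ids(secrets):
        problems.append("no PSK line in ipsec.secrets matching leftid/rightid (typo?)")
    if not re.search(r"-modp\d+", c.get("ike", "")):
        problems.append("ike= lacks an explicit DH group (e.g. modp1024 for group 2)")
    if c.get("rightsubnet") and ip_network(c["rightsubnet"]) == ip_network(home_subnet):
        problems.append("rightsubnet is the home subnet; it must be the office subnet")
    return problems
```

Run check_conn against your real files (read them with sudo, since ipsec.secrets is root-only) before each sudo ipsec auto --replace to catch the ID and DH-group mistakes offline.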

Hooray! Also I would like to say that I am rather impressed with Ubuntu 10.04 after using it for a few hours working on this.

Ubuntu, Sonicwall, and OpenSwan Part 2

In the process of getting an Ubuntu 10.04 machine to connect to a Sonicwall appliance at my office (part 0), I followed documentation and ran into an error of “Informational Exchange message must be encrypted (part 1).”

I did a lot of searching on the error, but mostly came up with other people having the error and not finding a solution. I started tinkering with settings to see if I could get other error messages that might be more helpful.

First, I edited /etc/ipsec.conf to turn off aggressive mode:
aggrmode=no

This gave me a different error:
Possible authentication failure: no acceptable response to our first encrypted message

Ah ha! That led me to re-check my shared secret in /etc/ipsec.secrets where I found a typo. Then I re-checked /etc/ipsec.conf and concluded that I misunderstood the documentation and clearly the rightsubnet should be my OFFICE subnet, not my home subnet.

I refreshed my ipsec connection settings sudo ipsec auto --replace sonicwall and tried again.

A new error; it just hung here:
002 "sonicwall" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}

I searched around for this and happened across this post on ubuntuforums that indicated that the user had to set the leftid (local Ubuntu machine id) to @GroupVPN [and it's case-sensitive]. Odd, I thought, but I tried it, changing it in /etc/ipsec.conf and /etc/ipsec.secrets.

Sure enough, another new error!

003 "sonicwall" #1: next payload type of ISAKMP Hash Payload has an unknown value: 112
[note: this unknown value changed regularly, it was NOT always 112.]

At this point I got excited because I knew I was at least talking to the Sonicwall appliance and we were just having trouble understanding one another. I started focusing on key exchange/IKE and I happened to come across a few notes about IKE DH Group 5 requiring an edit to /etc/ipsec.conf to change the setting for ike to ike=3DES-SHA1-modp1536.

Me to self, “Hm. We’re DH2. That’s 1024 bits. Since Group 5 is 1536 bits and this says it should be set to 3DES-SHA1-modp1536, let me try setting ike=3DES-SHA1-modp1024.”

I updated and it seemed to connect but never asked me for my authentication information; it just hung here:
003 "sonicwall" #1: malformed payload in packet
002 "sonicwall" #1: sending notification PAYLOAD_MALFORMED to XXX.XXX.XXX.XXX:XXXX

I hrmed a bit more — so close! — and remembered that I still had aggressive mode off. I popped into /etc/ipsec.conf and turned it back on. aggrmode=yes

I updated the connection and tried to open it again:
xantha@moloko:~$ sudo ipsec auto --replace sonicwall
xantha@moloko:~$ sudo ipsec whack --name sonicwall --initiate

Success! It prompted me for a username and password, I supplied them, and we were authenticated! (some parts redacted here)
041 "sonicwall" #1: sonicwall prompt for Username:
Name enter: USERID
040 "sonicwall" #1: sonicwall prompt for Password:
Enter secret:
002 "sonicwall" #1: XAUTH: Answering XAUTH challenge with user='USERID'
002 "sonicwall" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "sonicwall" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
003 "sonicwall" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
003 "sonicwall" #1: received and ignored informational message
002 "sonicwall" #1: XAUTH: Successfully Authenticated

Woo hoo!

[aside: some of the errors may have been due to things being repaired in the order I repaired them... hard to say. I just know what errors I got and what steps I took to resolve them. YMMV of course. ]

Ubuntu, Sonicwall, and OpenSwan Part 1

I am attempting to get OpenSwan on Ubuntu 10.04 to connect to a Sonicwall appliance at my Windows-centric office so I can work remotely from an Ubuntu-based laptop (read part 0).

I resurrected one of my old machines (20th anniversary shuttle), discovered the hard drive was shot, found an old 60GB IBM DeskStar EIDE hard drive lying around, popped it in, and installed Ubuntu 10.04, then installed OpenSwan a la
sudo apt-get install openswan

No issues with that install.

I edited /etc/ipsec.conf as specified by OpenSwan:

conn sonicwall
   type=tunnel
   left=XXX.XXX.XXX.XXX #my ubuntu machine IP
   leftid=@home
   leftxauthclient=yes
   right=xxx.xxx.xxx.xxx #IP address of my sonicwall router
   rightsubnet=192.168.X.0/24 #office subnet
   rightxauthserver=yes
   rightid=@sonicwall.unique.identifier #this ID is listed in the sonicwall admin interface
   keyingtries=0
   pfs=yes
   aggrmode=yes
   auto=add
   auth=esp
   esp=3DES-SHA1
   ike=3DES-SHA1
   authby=secret

Then I went into /etc/ipsec.secrets and added the secret code to it:
@home @sonicwall.unique.identifer : PSK "sooper.secret.shared.secret.key"

I started the connection up and opened it. Well, crappers:
xantha@moloko:~$ sudo ipsec setup --start
ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-22-generic-pae...
xantha@moloko:~$ sudo ipsec auto --replace sonicwall
xantha@moloko:~$ sudo ipsec whack --name sonicwall --initiate
003 "sonicwall" #1: multiple transforms were set in aggressive mode. Only first one used.
003 "sonicwall" #1: transform (5,2,2,0) ignored.
002 "sonicwall" #1: initiating Aggressive Mode #1, connection "sonicwall"
003 "sonicwall" #1: multiple transforms were set in aggressive mode. Only first one used.
003 "sonicwall" #1: transform (5,2,2,0) ignored.
112 "sonicwall" #1: STATE_AGGR_I1: initiate
003 "sonicwall" #1: Informational Exchange message must be encrypted
010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 20s for response
003 "sonicwall" #1: Informational Exchange message must be encrypted
010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 40s for response
003 "sonicwall" #1: Informational Exchange message must be encrypted
010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 40s for response
003 "sonicwall" #1: Informational Exchange message must be encrypted
010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 40s for response
003 "sonicwall" #1: Informational Exchange message must be encrypted
010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 40s for response

Informational Exchange message must be encrypted, huh. Whatever can that mean?

Ubuntu, Sonicwall, and OpenSwan, Part 0

I’ve worked for the same company since 2004. They are based in the DC area. When I moved back to Seattle in 2008, I became a remote employee and it works out fairly well (though I admit I miss being in the office sometimes!).

My laptop is 4+ years old now and starting to show signs of impending death. I’d like to replace it with a non-Windows, non-OS X laptop (be it some flavor of Linux or FreeBSD or whatever). I think this will help me work on some of my side code projects.

However, due to my remote employee status, I definitely need it to be able to connect to the office vpn and our Windows-based servers and my Windows-based development machine. Caveat: I do not want to use a VM for this.

So after some searching, I see a lot of people are using OpenSwan to connect to a Sonicwall appliance from Ubuntu (pelago, openswan, ghacks).

I am going to try it out.