Ubuntu, Sonicwall, and OpenSwan – Final

I did get it to work and was able to use tsclient to connect to my Windows 7 development box in the office. Success! Now when my laptop finally dies I can replace it with something not running Windows and still work from it!

In the end, I fixed two of my own typos — one in the shared secret, one in the gateway for rightsubnet — and two configuration settings in my \etc\ipsec.conf.

Key Issues for me:

  • it seems SOME Sonicwalls require your leftid to be set to “@GroupVPN.” I know I have seen this in the Sonicwall Global VPN client (Windows) as well. I didn’t expect that to be an issue so this was a surprising fix to me.

  • the IKE DH Group is REALLY IMPORTANT. The examples all suggest just setting it to 3DES-SHA1. That did not work for my DH group 2. This post on ubuntuforums does note the Group 2 (and 5) settings for IKE.

Other potentially useful notes, some of which were problems for me and some that were not:

  • sudo ipsec auto --listall will show the Pre-Shared Keys defined (not the key itself, just the players+communications defined).

  • sudo ipsec auto --status may give you slightly more information about what’s going on.

  • after editing /etc/ipsec.conf, don’t forget to refresh the configuration: sudo ipsec auto --replace sonicwall

  • don’t forget to tab in the /etc/ipsec.conf settings for the connection.

  • Got your tunnel configured and connected but can’t do anything? Maybe you need to enable IP forwarding. Check to see if it’s already set up by either using sysctl (0 = disabled, 1=enabled):
    sysctl net.ipv4.ip_forward
    or by checking /proc directly:
    cat /proc/sys/net/ipv4/ip_forward
    here’s how to fix it temporarily or permanently.

In the end, my final /etc/ipsec.conf looks something like this:

conn sonicwall
  left=192.168.XXX.XXX # my ubuntu machine IP
  leftid=@GroupVPN # this is REQUIRED to connect to our Sonicwall appliance
  right=XXX.XXX.XXX.XXX # IP of the Sonicwall
  rightsubnet= # the OFFICE subnet, not HOME like some documentation said
  rightid=@000123456789 # the Sonicwall appliance ID
  ike=3DES-SHA1-modp1024 # DH GROUP 2
  authby=secret # set up in /etc/ipsec.secrets
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/oe-exclude-dns.conf

Hooray! Also I would like to say that I am rather impressed with Ubuntu 10.04 after using it for a few hours working on this.

What do you think?