Note: Explanatory comments are enclosed in angle brackets <like this>; they are not part of the values you enter.

Disclaimer: 216.239.57.99 is Google's IP Address, and 66.35.250.150 is SlashDot's IP Address -- these are for example only.

Create A New VPN connection On Your Smoothie
Name: testconnection <a unique name shared by both VPN endpoints>
Left: 216.239.57.99 <SmoothWall's Red IP Address>
Left Subnet: 192.168.2.0/24 <Smoothwall's Green Subnet>
Right: 66.35.250.150 <SonicWALL's Public IP Address>
Right Subnet: 192.168.10.0/24 <SonicWALL's Private Subnet>
Secret: ******** <a.k.a. "Shared Secret">
Compression: No
Enabled: Yes


Edit /var/smoothwall/vpn/ipsec.conf (the notes after # are FreeS/WAN comments and may be left in the file):
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes
        nat_traversal=yes

conn %default
        keyingtries=0

conn testconnection                   # unique name shared by both endpoints
        left=216.239.57.99            # SmoothWall's Red IP Address
        leftsubnet=192.168.2.0/24     # SmoothWall's Green Subnet
        leftnexthop=%defaultroute
        right=66.35.250.150           # SonicWALL's Public IP Address
        rightsubnet=192.168.10.0/24   # SonicWALL's Private Subnet
        rightnexthop=%defaultroute
        compress=no
        auto=start
        auth=esp
        esp=3des-hmac-md5
        authby=secret


Note: Stop/restart the Smoothie's VPN from the web interface after saving the above file. If you wish, you can verify the Shared Secret by viewing /var/smoothwall/vpn/ipsec.secrets. Once everything is properly configured, ***NEVER*** go back into the VPN > Connections page of your Smoothie -- doing so will potentially overwrite your ipsec.conf file.


SonicWALL Setup

Main Settings
SA: testconnection <unique name shared by both endpoints>
IPsec Keying Mode: IKE using Preshared Secret <default>
Name: testconnection <unique name shared by both endpoints>
IPSec Gateway Name or Address: 216.239.57.99 <SmoothWall's Red IP Address>
Exchange: Main Mode <default>
Phase 1 DH Group: Group 2 <default>
SA Life time (secs): 28800 <default>
Phase 1 Encryption/Authentication: 3DES&MD5
Phase 2 Encryption/Authentication: Strong Encrypt (ESP 3DES HMAC MD5)
Shared Secret: ******** <same as on the Smoothie>
Network: 192.168.2.0 <Smoothwall's Green Subnet>
Subnet Mask: 255.255.255.0

Advanced Settings
Enable Perfect Forward Secrecy: Yes
Phase 2 DH Group: Group 2

Note:  Leave all other Advanced Settings options at their defaults
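Both endpoints above have to agree on gateway address, the far-side subnet, the Phase 2 (ESP) proposal and PFS before IKE Phase 2 can succeed. The following script is an added example, not SmoothWall's or SonicWALL's own code: it parses a FreeS/WAN-style ipsec.conf and cross-checks the conn against the SonicWALL settings transcribed from the list above. The ipsec.conf text and the SONICWALL dictionary are constructed copies of this page's example values, the function names are mine, and trailing # comments are assumed to be accepted by FreeS/WAN's ipsec.conf parser.

```python
"""Cross-check a FreeS/WAN conn against the peer's (SonicWALL) settings.

Added example (not SmoothWall's or SonicWALL's own code): catches mismatched
subnets, Phase 2 proposals or PFS settings before IKE Phase 2 fails."""
import ipaddress
import re

# Constructed copy of the SmoothWall ipsec.conf from this page (example
# addresses only, as stated in the disclaimer above).
IPSEC_CONF = """\
config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn %default
        keyingtries=0

conn testconnection
        left=216.239.57.99            # SmoothWall's Red IP address
        leftsubnet=192.168.2.0/24     # SmoothWall's Green subnet
        leftnexthop=%defaultroute
        right=66.35.250.150           # SonicWALL's public IP address
        rightsubnet=192.168.10.0/24   # SonicWALL's private subnet
        rightnexthop=%defaultroute
        compress=no
        auto=start
        auth=esp
        esp=3des-hmac-md5
        authby=secret
"""

# The SonicWALL side, transcribed by hand from the settings listed above.
SONICWALL = {
    "gateway": "216.239.57.99",      # IPSec Gateway Name or Address
    "network": "192.168.2.0",        # Network (far side, i.e. SmoothWall Green)
    "netmask": "255.255.255.0",      # Subnet Mask
    "phase2": "ESP 3DES HMAC MD5",   # Phase 2 Encryption/Authentication
    "pfs": True,                     # Enable Perfect Forward Secrecy
}


def parse_ipsec_conf(text):
    """Return {section header: {key: value}}.

    FreeS/WAN section headers start in column 0 ('config setup', 'conn <name>'),
    parameters are indented key=value lines, and '#' starts a comment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = " ".join(line.split())
            sections[current] = {}
        else:
            if current is None:
                raise ValueError("parameter before any section: %r" % raw)
            key, sep, value = line.strip().partition("=")
            if not sep:
                raise ValueError("malformed parameter line: %r" % raw)
            sections[current][key.strip()] = value.strip()
    return sections


def normalize_esp(proposal):
    """'3des-hmac-md5' and 'ESP 3DES HMAC MD5' both become '3deshmacmd5'."""
    s = re.sub(r"[^a-z0-9]", "", proposal.lower())
    return s[3:] if s.startswith("esp") else s


def check_peer_consistency(conf, conn_name, peer):
    """Return a list of mismatches between the conn and the peer's settings."""
    conn = dict(conf.get("conn %default", {}))   # %default values apply first
    conn.update(conf["conn " + conn_name])
    problems = []
    if conn.get("left") != peer["gateway"]:
        problems.append("gateway: SonicWALL targets %s but left=%s"
                        % (peer["gateway"], conn.get("left")))
    peer_net = ipaddress.ip_network("%s/%s" % (peer["network"], peer["netmask"]))
    if ipaddress.ip_network(conn["leftsubnet"]) != peer_net:
        problems.append("subnet: SonicWALL expects %s but leftsubnet=%s"
                        % (peer_net, conn["leftsubnet"]))
    if normalize_esp(conn.get("esp", "")) != normalize_esp(peer["phase2"]):
        problems.append("phase 2 proposal: %s vs esp=%s"
                        % (peer["phase2"], conn.get("esp", "<default>")))
    # FreeS/WAN defaults to pfs=yes; an explicit pfs=no here with PFS enabled
    # on the SonicWALL is what its "ESP Perfect Forward Secrecy mismatch"
    # log entry reports.
    if (conn.get("pfs", "yes") == "yes") != peer["pfs"]:
        problems.append("pfs: SonicWALL PFS=%s but pfs=%s"
                        % (peer["pfs"], conn.get("pfs", "yes")))
    return problems


if __name__ == "__main__":
    conf = parse_ipsec_conf(IPSEC_CONF)
    for line in check_peer_consistency(conf, "testconnection", SONICWALL) or ["consistent"]:
        print(line)
```

Run it after editing either side; an empty result means the two configurations describe the same tunnel. The check deliberately treats a missing pfs= as "yes", since that is the FreeS/WAN default. 3DES with HMAC-MD5 was the usual interoperable choice when this page was written; current IPsec algorithm guidance (RFC 8221) deprecates both, so prefer AES and SHA-2 where both endpoints support them.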



Current Issues:

1) SonicWALL logs become filled with the following entries:

    -"IKE Responder: IPSec proposal does not match (Phase 2)"
    -"IKE Responder: ESP Perfect Forward Secrecy mismatch"
    -"IKE Responder: Received Quick Mode Request (Phase 2)"

    The above three entries repeat every ~20 seconds, but will eventually go away.

    -"NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal" will be occasionally logged.

SonicWALL log examples (the Rule column is empty for these entries):

Time                     Message                                                  Source          Destination     Notes                              Rule
01/30/2004 14:34:59.480  IKE Responder: IPSec proposal does not match (Phase 2)   216.239.57.99   66.35.250.150   192.168.2.0/24 -> 192.168.10.0/24
01/30/2004 14:34:59.480  IKE Responder: ESP Perfect Forward Secrecy mismatch      216.239.57.99   66.35.250.150
01/30/2004 14:34:59.000  IKE Responder: Received Quick Mode Request (Phase 2)     216.239.57.99   66.35.250.150
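The useful signal in these entries is not any single line but how often the Phase 2 mismatch pair recurs and whether it stops, since the text above notes that the ~20 second burst eventually goes away after a restart. The script below is an added example, not SonicWALL tooling: it parses log lines in the column layout shown above (time, message, source, destination, optional notes), groups them by message, measures the gap between repeats, and raises an alert only when a Phase 2 mismatch from a peer persists past a threshold. The SAMPLE_LOG is constructed from the three lines above plus repeats and one NAT Discovery entry, using the same example addresses; the function names and the alert threshold are mine.

```python
"""Group and threshold SonicWALL IKE log entries.

Added example (not SonicWALL's own tooling): tells a transient Phase 2
mismatch burst after a VPN restart apart from a lasting misconfiguration."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (oldest first): the three entries shown above,
# two more rounds about 20 seconds apart, and one NAT Discovery entry.
SAMPLE_LOG = """\
01/30/2004 14:34:59.000 IKE Responder: Received Quick Mode Request (Phase 2) 216.239.57.99 66.35.250.150
01/30/2004 14:34:59.480 IKE Responder: ESP Perfect Forward Secrecy mismatch 216.239.57.99 66.35.250.150
01/30/2004 14:34:59.480 IKE Responder: IPSec proposal does not match (Phase 2) 216.239.57.99 66.35.250.150 192.168.2.0/24 -> 192.168.10.0/24
01/30/2004 14:35:19.010 IKE Responder: Received Quick Mode Request (Phase 2) 216.239.57.99 66.35.250.150
01/30/2004 14:35:19.490 IKE Responder: ESP Perfect Forward Secrecy mismatch 216.239.57.99 66.35.250.150
01/30/2004 14:35:19.490 IKE Responder: IPSec proposal does not match (Phase 2) 216.239.57.99 66.35.250.150 192.168.2.0/24 -> 192.168.10.0/24
01/30/2004 14:35:39.020 IKE Responder: Received Quick Mode Request (Phase 2) 216.239.57.99 66.35.250.150
01/30/2004 14:35:39.500 IKE Responder: ESP Perfect Forward Secrecy mismatch 216.239.57.99 66.35.250.150
01/30/2004 14:35:39.500 IKE Responder: IPSec proposal does not match (Phase 2) 216.239.57.99 66.35.250.150 192.168.2.0/24 -> 192.168.10.0/24
01/30/2004 14:36:02.113 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 216.239.57.99 66.35.250.150
"""

# Time, free-text message, source IP, destination IP, optional notes
# (the SonicWALL log columns listed above, minus the empty Rule column).
LOG_LINE = re.compile(
    r"^(?P<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<msg>.+?) "
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3}) "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})"
    r"\s*(?P<notes>.*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["time"] = datetime.strptime(event["time"], "%m/%d/%Y %H:%M:%S.%f")
    return event


def is_phase2_mismatch(msg):
    """True for the proposal / PFS mismatch messages, not the plain Quick Mode request."""
    m = msg.lower()
    return "mismatch" in m or ("phase 2" in m and "does not match" in m)


def summarize(lines):
    """Group events by message: count, peers seen, median gap between repeats."""
    by_msg = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_msg[event["msg"]].append(event)
    summary = {}
    for msg, events in by_msg.items():
        times = sorted(e["time"] for e in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[msg] = {
            "count": len(events),
            "peers": sorted({e["src"] for e in events}),
            "median_gap": statistics.median(gaps) if gaps else None,
            "phase2_mismatch": is_phase2_mismatch(msg),
        }
    return summary


def phase2_mismatch_alerts(summary, min_count=3):
    """Messages worth alerting on: Phase 2 mismatches seen at least min_count times.

    A burst right after a restart goes away by itself; raising the threshold
    keeps only a peer that never converges on a proposal."""
    return sorted(msg for msg, s in summary.items()
                  if s["phase2_mismatch"] and s["count"] >= min_count)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for msg, s in summary.items():
        print("%3d x %-62s peers=%s gap=%s"
              % (s["count"], msg, s["peers"], s["median_gap"]))
    print("alerts:", phase2_mismatch_alerts(summary))
```

Feed it an exported SonicWALL log instead of SAMPLE_LOG to see the real recurrence interval; if the mismatch count keeps climbing at a steady ~20 second gap long after the restart, the two proposals really do differ and the alert is worth acting on.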



2) SmoothWall's IPsec log complains <ipsec_setup (/etc/ipsec.conf, line 9) unknown parameter name "nat_traversal"> when starting/restarting.  I know it sounds illogical, since the version of FreeS/WAN included with SmoothWall wasn't compiled with the NAT Traversal patch, but the connection DOES work with this line added to ipsec.conf, even though it shows a <`--restart/--start' aborted> message.




updated 20040130