ghacks Technology News

Creating a VPN tunnel between Ubuntu and Sonicwall

Yesterday I walked you through the process of connecting to a Microsoft PPTP VPN (see my article “Connecting to a Microsoft VPN with Linux”). That article used a simple GUI tool to allow you to create your VPN tunnel. Unfortunately there is no magic support you can add to the Network Manager Applet to add support for the Sonicwall VPN. Instead, you have to do things manually. That’s right – it’s all command line from here. But don’t worry, it’s not terribly difficult…just a lot of typing. And, of course, you will have to bring up and bring down your connection manually. But if you’re stuck having to make a connection with a Sonicwall VPN, and you’re using Linux, as of right now it’s your only hope.

What you need

To make this connection happen you are going to need a few bits of information:

Unique Firewall Identifier: This is on the VPN Settings page of your Sonicwall router. If you do not have access to the router itself, you might have to nicely ask your IT department.

Shared secret key: This also is taken from your Sonicwall router.

NOTE: In order for this to work the Sonicwall must be set to IKE using Preshared Secret. Either set it as such or ask your IT department if it is (and, if not, if it can be). The Sonicwall also has to have the Proposals set as follows:

  • Phase 1: Group5, 3DES, SHA1, 28800
  • Phase 2: ESP, 3DES, SHA1
  • Enable Perfect Forward Secrecy, Set DH Group to Group 5, and Lifetime to 28800

It might be a lot to ask your IT department, but if you want to make that connection using Linux, it’s a must.

On your Linux client you will need to install OpenSwan. You can do this from the Synaptic Package Manager by following these steps:

  1. Open up Synaptic.
  2. Search for “openswan” (no quotes).
  3. Mark OpenSwan for installation.
  4. Click Apply to install.

Configuring OpenSwan

There are two files you have to configure. The first file is /etc/ipsec.conf. The configuration needs to look like:

conn sonicwall
        # Every setting below must be indented under the "conn" line.
        # An unindented setting is parsed as a new top-level keyword and
        # Openswan refuses the file with "syntax error, unexpected KEYWORD".
        type=tunnel
        # This client's own IP address
        left=YOUR_IP_ADDRESS
        # Must match the first identity on the PSK line in /etc/ipsec.secrets
        leftid=@home
        leftxauthclient=yes
        # Public IP address of the Sonicwall
        right=IP_ADDRESS_OF_SONICWALL
        # The network behind the Sonicwall in CIDR form (e.g. 192.168.1.0/24),
        # not a single gateway address
        rightsubnet=LAN_GATEWAY_ADDRESS
        rightxauthserver=yes
        # Must match the Unique Firewall Identifier and the second identity
        # on the PSK line in /etc/ipsec.secrets
        rightid=@SONICWALL_UNIQUE_IDENTIFIER
        keyingtries=0
        pfs=yes
        aggrmode=yes
        auto=add
        auth=esp
        # Phase 2 proposal: ESP, 3DES, SHA1
        esp=3des-sha1
        # Phase 1 proposal: 3DES, SHA1, DH Group 5 (modp1536). Aggressive mode
        # sends only one IKE transform, so name the DH group explicitly.
        ike=3des-sha1-modp1536
        authby=secret

Where all fields in ALL CAPS are unique to your setup.

Now you need to add one line to /etc/ipsec.secrets. This line looks like:

@home @SONICWALL_UNIQUE_IDENTIFIER : PSK "SHARED_SECRET_KEY"

Now you are ready to test out your connection.

Bringing it up and taking it down

There are three commands you need to run to bring up your tunnel:

sudo ipsec setup --start
sudo ipsec auto --add sonicwall
sudo ipsec whack --name sonicwall --initiate

Once you’ve initiated that final command you should be able to open up Places > Network (That’s in GNOME of course) and find your VPN machines. If not, wait a moment and re-open Places > Network.

Once you are done, you can bring down your connection with two commands:

sudo ipsec whack --name sonicwall --terminate
sudo ipsec setup --stop

Of course, instead of having to run those same commands all the time I would create two scripts, one for starting and one for stopping. Move those scripts to /usr/bin, give them executable permission, and create a menu entry and then starting and stopping your VPN connection is simple.
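Here is one way to write the start/stop script suggested above, as an added example (it is not from the article or from Openswan). It assumes the connection is named sonicwall as in the article, that the ipsec command is on the PATH, and that it is run as root (for instance via sudo from the menu entry). The shared secret stays in /etc/ipsec.secrets; the script never contains it, and it warns when that file is readable by anyone other than root. DRY_RUN=1 prints the commands instead of running them, which is also how the script can be checked on a machine without Openswan.

```shell
#!/bin/sh
# sonicwall-vpn: start or stop the Openswan tunnel from the article.
# Added example for this page; not from the article or from Openswan.
# Assumptions: connection name "sonicwall", "ipsec" on PATH, run as root.

CONN="${CONN:-sonicwall}"                 # connection name from /etc/ipsec.conf
IPSEC="${IPSEC:-ipsec}"                   # Openswan front-end command
SECRETS="${SECRETS:-/etc/ipsec.secrets}"  # file holding the PSK
DRY_RUN="${DRY_RUN:-0}"                   # DRY_RUN=1: print commands, do not run them

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The secrets file holds the PSK in clear text, so it should be readable
# only by root. Returns 0 for mode 0600/0400, 1 otherwise (with a warning).
check_secrets_perms() {
  f="${1:-$SECRETS}"
  [ -e "$f" ] || return 0               # nothing to check yet
  mode=$(stat -c %a "$f") || return 1   # GNU stat (Ubuntu); prints e.g. 600
  case "$mode" in
    600|400) return 0 ;;
    *) printf 'warning: %s has mode %s; it contains the PSK and should be 0600\n' "$f" "$mode" >&2
       return 1 ;;
  esac
}

# The three commands from the article, in order; stop at the first failure.
vpn_up() {
  run "$IPSEC" setup --start || return 1
  run "$IPSEC" auto --add "$CONN" || return 1
  run "$IPSEC" whack --name "$CONN" --initiate
}

# The two commands from the article, in order.
vpn_down() {
  run "$IPSEC" whack --name "$CONN" --terminate || return 1
  run "$IPSEC" setup --stop
}

# Only dispatch when an action was given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  if [ "$DRY_RUN" != 1 ] && [ "$(id -u)" -ne 0 ]; then
    echo "this script must run as root (try: sudo $0 $1)" >&2
    exit 1
  fi
  case "$1" in
    up)   check_secrets_perms; vpn_up ;;   # warn about permissions, then connect
    down) vpn_down ;;
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
  esac
fi
```

Save it as /usr/bin/sonicwall-vpn, make it executable, and point the two menu entries at "sonicwall-vpn up" and "sonicwall-vpn down" (run through sudo or gksudo). Keeping the PSK out of the script means a copy of the script, or a shell history entry, never leaks the secret; only the root-owned secrets file does.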

Final thoughts

It’s not as simple as connecting to a Microsoft VPN but at least there is a way to connect to your Sonicwall VPN. Good luck!





Published: Wednesday March 3, 2010


Responses so far:

  1. Ken says:

    Thanks for the directions…. exactly what I’ve been looking for.

    Getting an error when I run the sudo ipsec setup --start: /etc/ipsec.conf:36: syntax error, unexpected KEYWORD, expecting $end [type]

    Line 36 in the config file is the “type=tunnel” line

    Any thoughts?

  2. Ken says:

    A couple of follow-up points:
    1) The config file entries must be indented after the “conn sonicwall” line
    2) The “LAN_GATEWAY_ADDRESS” entry appears to require the address & subnet of the remote network (i.e. 192.168.1.0/24)

    After making those changes, I at least see connection attempts, but am still failing to connect, with the following messages:

    klowe@klowe-ubuntu:~$ sudo ipsec whack --name sonicwall --initiate
    003 “sonicwall” #1: multiple transforms were set in aggressive mode. Only first one used.
    003 “sonicwall” #1: transform (5,2,2,0) ignored.
    002 “sonicwall” #1: initiating Aggressive Mode #1, connection “sonicwall”
    003 “sonicwall” #1: multiple transforms were set in aggressive mode. Only first one used.
    003 “sonicwall” #1: transform (5,2,2,0) ignored.
    112 “sonicwall” #1: STATE_AGGR_I1: initiate
    003 “sonicwall” #1: Informational Exchange message must be encrypted
    010 “sonicwall” #1: STATE_AGGR_I1: retransmission; will wait 20s for response
    003 “sonicwall” #1: Informational Exchange message must be encrypted
    010 “sonicwall” #1: STATE_AGGR_I1: retransmission; will wait 40s for response
    003 “sonicwall” #1: Informational Exchange message must be encrypted

    Any help would be appreciated!

  3. Ken says:

    *sigh* Guess these comment areas aren’t being read by the author.

  4. Ed says:

    I am having the same issues/messages – any way to troubleshoot or indicate which setting isn’t right?

    Ken – did you ever figure anything out?
    Jack (author) any suggestions for us?

  5. Ken says:

    No joy for me. Have hit a brick wall.

  6. Anonymous says:

    I think this:

    Getting an error when I run the sudo ipsec setup --start: /etc/ipsec.conf:36: syntax error, unexpected KEYWORD, expecting $end [type]

    has to do with improper spacing in ipsec.conf.
    I think indentation matters in this case,
    and at line 36 it should be indented a bit instead of at the beginning of the line.
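The two ipsec.conf mistakes discussed in the comments above (settings not indented under the conn line, and rightsubnet given as a single address instead of a network) can both be caught before running ipsec setup. The following linter is an added example, not from the article or from Openswan; the sample files in demo() are constructed, and the tab indentation it writes is one valid choice (any leading whitespace satisfies Openswan).

```shell
#!/bin/sh
# ipsec-conf-lint: check an ipsec.conf for the two mistakes reported above.
# Added example; not from the article or from Openswan.
#   1. every key=value setting must be indented under its conn/config section
#      (an unindented one is parsed as a new top-level keyword, which is the
#      "syntax error, unexpected KEYWORD" seen in the comments)
#   2. rightsubnet= must be a network in CIDR form, not a bare host address
# Exit status 0 when the file passes, 1 when a problem was printed.
lint_ipsec_conf() {
  awk '
    /^[ \t]*#/ { next }                             # comment line
    /^[ \t]*$/ { next }                             # blank line
    /^(conn|config|include|version)[ \t]/ { next }  # section headers and directives
    /^[^ \t].*=/ {                                  # unindented key=value
      printf "%s:%d: setting \"%s\" is not indented under its section\n", FILENAME, NR, $0
      bad = 1
      next
    }
    /^[ \t]+rightsubnet=/ {
      v = $0
      sub(/^[ \t]*rightsubnet=/, "", v)
      if (v ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
        printf "%s:%d: rightsubnet=%s looks like a single host; use the remote network in CIDR form (e.g. 192.168.1.0/24)\n", FILENAME, NR, v
        bad = 1
      }
    }
    END { if (bad) exit 1; exit 0 }
  ' "$1"
}

# Constructed sample inputs (not real configuration) showing both outcomes.
demo() {
  good=$(mktemp)
  bad=$(mktemp)
  printf 'conn sonicwall\n\ttype=tunnel\n\trightsubnet=192.168.1.0/24\n' > "$good"
  printf 'conn sonicwall\ntype=tunnel\n\trightsubnet=192.168.1.1\n' > "$bad"
  lint_ipsec_conf "$good" && echo "good sample: ok"
  lint_ipsec_conf "$bad" || echo "bad sample: problems found"
  rm -f "$good" "$bad"
}

# Usage: ipsec-conf-lint /etc/ipsec.conf   (no argument: define functions only)
[ $# -gt 0 ] && lint_ipsec_conf "$1"
```

Running it as "sh ipsec-conf-lint /etc/ipsec.conf" before "sudo ipsec setup --start" reports the offending line number, which is more direct than the parser's "expecting $end" message.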


© 2005-2012 Ghacks.net. All Rights Reserved. Privacy Policy - About Us