Creating a VPN tunnel between Ubuntu and Sonicwall

Jack Wallen
Mar 3, 2010
Updated • Jan 19, 2013
Network

Yesterday I walked you through the process of connecting to a Microsoft PPTP VPN (see my article "Connecting to a Microsoft VPN with Linux"). That article used a simple GUI tool to create your VPN tunnel. Unfortunately there is no plugin you can add to the Network Manager Applet to support a Sonicwall VPN. Instead, you have to do things manually. That's right - it's all command line from here. But don't worry, it's not terribly difficult...just a lot of typing. And, of course, you will have to bring up and bring down your connection manually. But if you're stuck having to connect to a Sonicwall VPN from Linux, as of right now it's your only hope.

What you need

To make this connection happen you are going to need a few bits of information:

Unique Firewall Identifier: This is on the VPN Settings of your Sonicwall router. If you do not have access to the router itself, you might have to nicely ask your IT department.

Shared secret key: This also is taken from your Sonicwall router.

NOTE: In order for this to work the Sonicwall must be set to IKE Using Preshared Secret. Either set it as such or ask your IT department if it is (and, if not, if it can be). The Sonicwall also has to have the Proposals set as follows:

  • Phase 1: Group5, 3DES, SHA1, 28800
  • Phase 2: ESP, 3DES, SHA1
  • Enable Perfect Forward Secrecy, Set DH Group to Group 5, and Lifetime to 28800

It might be a lot to ask your IT department, but if you want to make that connection using Linux, it's a must.

On your Linux client you will need to install OpenSwan. You can do this from the Synaptic Package Manager by following these steps:

  1. Open up Synaptic.
  2. Search for "openswan" (no quotes).
  3. Mark OpenSwan for installation.
  4. Click Apply to install.

Configuring OpenSwan

There are two files you have to configure. The first file is /etc/ipsec.conf. Every parameter line belonging to the connection must be indented (a tab or spaces) under the "conn sonicwall" line; an unindented parameter ends the section and ipsec reports "syntax error, unexpected KEYWORD". The configuration needs to look like:

conn sonicwall
    type=tunnel
    # your own public IP address (or %defaultroute to use the default interface)
    # and the identity you send, which must match the first ID in ipsec.secrets
    left=YOUR_IP_ADDRESS
    leftid=@home
    leftxauthclient=yes
    # the Sonicwall's public IP, the remote LAN in CIDR form (e.g. 192.168.1.0/24)
    # and the Unique Firewall Identifier from its VPN Settings
    right=IP_ADDRESS_OF_SONICWALL
    rightsubnet=LAN_GATEWAY_ADDRESS
    rightxauthserver=yes
    rightid=@SONICWALL_UNIQUE_IDENTIFIER
    keyingtries=0
    pfs=yes
    aggrmode=yes
    auto=add
    auth=esp
    # Phase 2 proposal: ESP, 3DES, SHA1
    esp=3DES-SHA1
    # Phase 1 proposal: 3DES, SHA1, DH Group 5. Editor's addition: the group is
    # pinned to modp1536 (Group 5) because aggressive mode sends only one proposal
    ike=3DES-SHA1;modp1536
    authby=secret

Where all fields in ALL CAPS are unique to your setup.

Now you need to add one line to /etc/ipsec.secrets. This line looks like:

@home @SONICWALL_UNIQUE_IDENTIFIER : PSK "SHARED_SECRET_KEY"

The two IDs must match leftid and rightid in ipsec.conf exactly. This file holds the shared secret in clear text, so keep it owned by root and readable only by root (mode 600); nobody else on the machine should be able to read it.

Now you are ready to test out your connection.

Bringing it up and taking it down

There are three commands you need to bring up your tunnel:

sudo ipsec setup --start
sudo ipsec auto --add sonicwall
sudo ipsec whack --name sonicwall --initiate

Once you've initiated that final command you should be able to open up Places > Network (That's in GNOME of course) and find your VPN machines. If not, wait a moment and re-open Places > Network.

Once you are done, you can bring down your connection with two commands:

sudo ipsec whack --name sonicwall --terminate
sudo ipsec setup --stop

Of course, instead of running those same commands every time, I would create two scripts, one for starting and one for stopping. Move those scripts to /usr/bin, give them executable permission, and create a menu entry for each; then starting and stopping your VPN connection is simple.
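One way to fold both scripts into a single command, as an added example that is not from the original article: it assumes the "sonicwall" connection name used above, runs the same ipsec commands, and adds a status check that filters "ipsec auto --status" to this connection. The IPSEC variable is only there so the commands can be pointed at a stand-in when testing.

```shell
#!/bin/sh
# sonicwall-vpn: bring the Openswan "sonicwall" tunnel up or down.
# Added example, not from the original article. Assumes the conn name and
# commands from the text; IPSEC can be overridden to substitute a stand-in.
set -eu

CONN=${CONN:-sonicwall}
IPSEC=${IPSEC:-ipsec}

vpn_up() {
    # set -e stops here if any step fails, so a failed "setup --start"
    # is never followed by an --add against a pluto that is not running
    "$IPSEC" setup --start
    "$IPSEC" auto --add "$CONN"
    "$IPSEC" whack --name "$CONN" --initiate
}

vpn_down() {
    "$IPSEC" whack --name "$CONN" --terminate
    "$IPSEC" setup --stop
}

vpn_status() {
    # keep only the status lines for our conn; an established tunnel shows
    # STATE_QUICK_I2 (IPsec SA established) rather than STATE_AGGR_I1 retransmits
    "$IPSEC" auto --status | grep -- "\"$CONN\"" || true
}

need_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run this with sudo" >&2; exit 1; }
}

case "${1:-}" in
    up)     need_root; vpn_up; vpn_status ;;
    down)   need_root; vpn_down ;;
    status) vpn_status ;;
    "")     ;;   # no argument: only define the functions (file can be sourced)
    *)      echo "usage: $0 up|down|status" >&2 ;;
esac
```

Install it as /usr/bin/sonicwall-vpn and point the menu entries at "sonicwall-vpn up" and "sonicwall-vpn down".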

Final thoughts

It's not as simple as connecting to a Microsoft VPN but at least there is a way to connect to your Sonicwall VPN. Good luck!

Comments

  1. Jim said on July 29, 2013 at 4:51 pm

    Just to say the indenting of the files in this case is important: the ipsec.conf needs the declaration at the start of the line, e.g. "conn sonicwall". All further config declarations should be started after a tabspace.

    Example
    conn sonicwall
    "TABSPACE"->authby=secret
    "TABSPACE"->auto=add

    etc etc etc,

    hope this helps further people.

  2. Jucelio said on November 23, 2012 at 7:12 pm

    For me this appears:

    root@jucelio-PW-945GCX:/etc# ipsec setup --start
    ipsec_setup: Starting Openswan IPsec 2.6.37...
    root@jucelio-PW-945GCX:/etc# ipsec auto --add sonicwall
    connect(pluto_ctl) failed: No such file or directory

    Anybody know what this is?

  3. Foo said on April 28, 2012 at 2:42 pm

    Hi, has anyone found a fix for the problem:

    003 "sonicwall" #1: multiple transforms were set in aggressive mode. Only first one used.
    003 "sonicwall" #1: transform (5,2,2,0) ignored.
    002 "sonicwall" #1: initiating Aggressive Mode #1, connection "sonicwall"
    003 "sonicwall" #1: multiple transforms were set in aggressive mode. Only first one used.
    003 "sonicwall" #1: transform (5,2,2,0) ignored.
    112 "sonicwall" #1: STATE_AGGR_I1: initiate
    003 "sonicwall" #1: Informational Exchange message must be encrypted
    010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 20s for response
    003 "sonicwall" #1: Informational Exchange message must be encrypted
    010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 40s for response
    003 "sonicwall" #1: Informational Exchange message must be encrypted

  4. Anonymous said on June 25, 2011 at 7:59 pm

    I think this:

    Getting an error when I run the sudo ipsec setup --start: /etc/ipsec.conf:36: syntax error, unexpected KEYWORD, expecting $end [type]

    has to do with improper spacing in ipsec.conf. I think indentation matters in this case, and at line 36 it should be indented a bit instead of at the beginning of the line.

  5. Ken said on April 2, 2010 at 11:40 pm

    No joy for me. Have hit a brick wall.

  6. Ed said on March 30, 2010 at 12:37 am

    I am having the same issues/messages – any way to troubleshoot or indicate which setting isn’t right?

    Ken – did you ever figure anything out?
    Jack (author) any suggestions for us?

  7. Ken said on March 27, 2010 at 8:56 pm

    *sigh* Guess these comment areas aren’t being read by the author.

  8. Ken said on March 14, 2010 at 6:05 pm

    A couple of follow-up points:
    1) The config file entries must be indented after the "conn sonicwall" line
    2) The "LAN_GATEWAY_ADDRESS" entry appears to require the address & subnet of the remote network (i.e. 192.168.1.0/24)

    After making those changes, I at least see connection attempts, but am still failing to connect, with the following messages:

    klowe@klowe-ubuntu:~$ sudo ipsec whack --name sonicwall --initiate
    003 "sonicwall" #1: multiple transforms were set in aggressive mode. Only first one used.
    003 "sonicwall" #1: transform (5,2,2,0) ignored.
    002 "sonicwall" #1: initiating Aggressive Mode #1, connection "sonicwall"
    003 "sonicwall" #1: multiple transforms were set in aggressive mode. Only first one used.
    003 "sonicwall" #1: transform (5,2,2,0) ignored.
    112 "sonicwall" #1: STATE_AGGR_I1: initiate
    003 "sonicwall" #1: Informational Exchange message must be encrypted
    010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 20s for response
    003 "sonicwall" #1: Informational Exchange message must be encrypted
    010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 40s for response
    003 "sonicwall" #1: Informational Exchange message must be encrypted

    Any help would be appreciated!

  9. Ken said on March 14, 2010 at 5:43 pm

    Thanks for the directions…. exactly what I’ve been looking for.

    Getting an error when I run the sudo ipsec setup --start: /etc/ipsec.conf:36: syntax error, unexpected KEYWORD, expecting $end [type]

    Line 36 in the config file is the "type=tunnel" line

    Any thoughts?

    1. Deepak said on December 26, 2013 at 10:07 am

      I know it's a bit of a late reply, but even I was suffering from the same error, so I thought of posting a fix for this for other viewers.
      "type=tunnel" has to start after a TAB as shown in the link below

      http://www.golinuxhub.com/2012/10/unexpected-keyword-expecting-end-type.html

      Regards
      Deepak
