IPSecuritas for Sonicwall (IPsec from a Mac to a Sonicwall)
This was a tricky one. I always had some difficulty getting the free IPsecuritas connected; so I am sure others had problems too.
Using IPsecuritas 3.2 build 2501
MacBook Leopard
connecting to a:
TZ 190 Wireless Enhanced
SonicOS Enhanced 4.0.1.3-46e
Sonicwall side config (straight out of the tech support report)
--- SA 1 ---
Authentication Method : IKE with Preshared secret
VPN Policy Name : "WAN GroupVPN"; enabled
Policy Type : Client Policy
Pre-shared Key len : 14, value=
IKE Local Id : UNKNOWN
IKE Remote Id : ID_FQDN: (GroupVPN)
Local network :
Peer network :
IKE Exchange : Aggressive Mode
IKE Proposal : DH Group 2; Encrypt/Auth - 3DES/SHA1
IKE SA Life time : 28800 (seconds)
IPsec Proposal : DH Group 2; Encrypt/Auth - ESP: 3DES/HMAC SHA1
Ipsec SA Life time : 28800 (seconds)
Policy Options : PFS: on; Xauth: on; Netbios: on; Multicast: off
Management : HTTP: n; HTTPS: n; SSH: n
XAUTH user group : Trusted Users
Default LAN gateway : (0.0.0.0)
VPN policy : Bound to zone WAN
WAN GroupVPN Client Settings:
User Name and Password Caching:
XAUTH User Authentication is Required
Cache XAUTH User Name and Password on Client: Never
Client Connections:
Virtual Adapter Settings: DHCP Lease or Manual Configuration
allow Connections to Split Tunnels
Set Default Route as this Gateway is not Selected
Apply VPN Access Control List is not Selected
Personal Firewall on Client Machine is not Required
Client Initial Provisioning:
Use Default Key for Simple Client Provisioning is Selected
-----------------------------
Now the IPSecuritas config
General Tab:
--------------------
Remote IPSec Device: IP or host name of Sonicwall (must be reachable from Internet)
Endpoint Mode: Host (IP Address left blank)
Remote Mode: Network (Internal LAN network of the Sonicwall, such as 10.0.1.0 CIDR/Mask 24)
Phase 1:
--------------------
Lifetime: 8 hours
DH Group: 1024 (2)
Encryption: 3DES
Authentication: SHA-1
Exchange Mode: Aggressive
Proposal Check: Claim
Nonce Size: 16
Phase 2:
--------------------
Lifetime: 8 hours
PFS Group: 1024 (2)
Encryption: 3DES
Authentication: HMAC SHA-1
ID:
--------------------
Local Identifier: Address
Remote Identifier: FQDN.
... just fill in the "Unique Firewall Identifier" from the Sonicwall VPN section
Authentication Method: XAuth PSK
Preshared Key:
Username: XAuth username
Store Password: checked if you would like the password to be stored
DNS: check "enable domain specific DNS servers"
Domains: fill in your domain name
Name Server Addresses: probably your domain controller ip address
Options:
--------------------
Check off the following:
IPSec DOI
SIT_IDENTITY_ONLY
Initial Contact
Support Proxy
Request Certificate
Send Certificate
Unique SAs
IKE Fragmentation
NAT-T disable
do not check "enable connection check"
Action after connection timeout: give up
--------------------
The key for me was that Perfect Forward Secrecy was NOT enabled, but it should have been! So ENABLE Perfect Forward Secrecy. The reason for this is that IPSecuritas just does PFS, without an option to turn it on or off, so you must turn it on on the Sonicwall; otherwise you will get "NO PROPOSAL WAS CHOSEN" when trying to negotiate phase 1. Always have your log file open when trying to debug these connections. Also, be wary of mapping multiple networks behind the Sonicwall: each has to build its own contract. Please contact me if you need help with your connection.
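As an added example (not from the original post), here is a small Python check that compares the Sonicwall policy quoted above with the IPSecuritas settings and flags the PFS mismatch that produces NO PROPOSAL CHOSEN. The dict layout and check_proposals() are my own; the values are the ones from this post.

```python
# Added example, not from the original post: checks the Sonicwall "WAN GroupVPN"
# policy against the IPSecuritas settings and reports proposal mismatches. Dict
# layout and check_proposals() are mine; values are the post's, lower-cased.

PHASE1_KEYS = ("exchange", "ike_dh_group", "ike_encrypt", "ike_auth", "ike_lifetime_s")
PHASE2_KEYS = ("ipsec_encrypt", "ipsec_auth", "ipsec_lifetime_s")

# Sonicwall side, as listed in the tech support report (PFS off at first).
SONICWALL_POLICY = {
    "exchange": "aggressive", "ike_dh_group": 2, "ike_encrypt": "3des",
    "ike_auth": "sha1", "ike_lifetime_s": 28800, "ipsec_encrypt": "3des",
    "ipsec_auth": "sha1", "ipsec_lifetime_s": 28800,
    "pfs": False, "pfs_dh_group": 2, "xauth": True,
}

# IPSecuritas side from the Phase 1 / Phase 2 / ID tabs (8 hours = 28800 s).
IPSECURITAS_CLIENT = {
    "exchange": "aggressive", "ike_dh_group": 2, "ike_encrypt": "3des",
    "ike_auth": "sha1", "ike_lifetime_s": 8 * 3600, "ipsec_encrypt": "3des",
    "ipsec_auth": "sha1", "ipsec_lifetime_s": 8 * 3600,
    "pfs": True, "pfs_dh_group": 2, "xauth": True,  # client always does PFS
}


def check_proposals(gateway, client):
    """Return the reasons negotiation would fail; an empty list means OK.
    Lifetime differences are tagged as warnings: they are usually negotiated
    down rather than rejected outright, unlike cipher/DH/PFS mismatches."""
    errors = []
    for phase, keys in (("phase 1", PHASE1_KEYS), ("phase 2", PHASE2_KEYS)):
        for key in keys:
            if gateway[key] != client[key]:
                tag = "warning" if key.endswith("_lifetime_s") else "error"
                errors.append(f"{tag}: {phase} {key}: gateway={gateway[key]} "
                              f"client={client[key]}")
    # PFS is a phase 2 attribute: both sides must agree to do it, on the same
    # DH group, or the responder answers NO PROPOSAL CHOSEN.
    if gateway["pfs"] != client["pfs"]:
        errors.append(f"error: PFS: gateway={gateway['pfs']} client={client['pfs']} "
                      "(IPSecuritas cannot turn PFS off; enable it on the Sonicwall)")
    elif gateway["pfs"] and gateway["pfs_dh_group"] != client["pfs_dh_group"]:
        errors.append("error: PFS DH group: gateway and client differ")
    if gateway["xauth"] != client["xauth"]:
        errors.append("error: XAUTH: required on one side only")
    return errors


if __name__ == "__main__":
    print("as reported:", check_proposals(SONICWALL_POLICY, IPSECURITAS_CLIENT))
    fixed = dict(SONICWALL_POLICY, pfs=True)  # the author's fix
    print("with PFS on:", check_proposals(fixed, IPSECURITAS_CLIENT) or "compatible")
```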
Posted by kleetus. Tags: Ipsecuritas, Mac OS X, Sonicwall Enhanced Firmware