[Swan] Usage of leftaddresspool with SonicOs Enhanced

Davide Fanciola dfanciola at gmail.com
Tue Jun 11 17:43:34 EEST 2013


Hello,

I'm trying to use the new "leftaddresspool" options with a SonicWall
default GroupVPN with DHCP. The idea is to mimic the Windows client so
that VPN users are all confined in a specific range.


Here is my config:

**************
config setup
        protostack=netkey
        interfaces="%defaultroute"
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,
        %v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,
        %v6:fe80::/10,%v4:!172.16.0.0/23

conn sonic
    type=tunnel
    left=%defaultroute
    leftid=@GroupVPN
    leftxauthclient=yes
    leftxauthusername=<my_user>
    leftaddresspool=172.16.0.90-172.16.0.100
    right=<sonic_ip>
    rightid=@<sonic_id>
    rightsubnet=0.0.0.0/0
    rightxauthserver=yes
    keyingtries=0
    pfs=no
    aggrmode=yes
    keyexchange=ike
    auto=add
    auth=esp
    ike=3des-sha1
    ikev2=never
    phase2alg=3des-sha1
    authby=secret

**************

With this configuration phase 2 will not complete, blocking at
STATE_QUICK_I1.

Switching rightsubnet from "0.0.0.0/0" to "172.16.0.0/23" allows the
connection to complete, but the client source IP is unchanged (i.e. the
real home LAN address).

I've also tried different ranges, one matching the DHCP range, one
outside the DHCP range but still in the rightsubnet and finally a
totally new range/subnet, but still no luck.

On the SonicWall I have activated "Accept Multiple Proposals from client"
and also changed the "VPN Access" from "LAN Subnets" to "0.0.0.0/0",
with no effect on my problem.

Does anyone have some hints on what I am doing wrong?

Thanks in advance,
Cheers,
Davide
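One consistency check a practitioner would run on a config like the one above, added here as an example that is neither part of the original post nor Libreswan code: it parses the address-related settings, confirms the pool lies inside rightsubnet, and flags any overlap between the pool and a virtual_private "!" exclusion (the excluded range is normally the local LAN, so handing those addresses to VPN clients is a misconfiguration worth catching). The config text is a constructed excerpt of the post's ipsec.conf with the continuation lines joined.

```python
import ipaddress
import re

# Constructed excerpt of the ipsec.conf from the post (placeholders like
# <sonic_ip> are omitted; only the address-related keys matter here).
CONF = """
config setup
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.16.0.0/23

conn sonic
    leftaddresspool=172.16.0.90-172.16.0.100
    rightsubnet=0.0.0.0/0
"""

def parse_conf(text):
    """Parse 'config setup' / 'conn NAME' sections of key=value lines into a dict."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("config ", "conn ")):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def pool_range(spec):
    """'A-B' -> (ip_address(A), ip_address(B))."""
    lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
    return lo, hi

def check_pool(conf, conn):
    """Return a list of human-readable findings about the address pool of `conn`."""
    findings = []
    lo, hi = pool_range(conf[conn]["leftaddresspool"])
    if lo > hi:
        findings.append("pool range is reversed")
    subnet = ipaddress.ip_network(conf[conn].get("rightsubnet", "0.0.0.0/0"))
    if lo not in subnet or hi not in subnet:
        findings.append(f"pool {lo}-{hi} is outside rightsubnet {subnet}")
    # In virtual_private, '%v4:!NET' marks NET as excluded (typically the local LAN).
    for entry in conf.get("setup", {}).get("virtual_private", "").split(","):
        m = re.fullmatch(r"%v4:(!?)(\S+)", entry.strip())
        if m and m.group(1) == "!":
            net = ipaddress.ip_network(m.group(2))
            if lo in net or hi in net:
                findings.append(f"pool {lo}-{hi} overlaps virtual_private exclusion !{net}")
    return findings
```

Running `check_pool(parse_conf(CONF), "sonic")` reports that the pool 172.16.0.90-172.16.0.100 falls inside the excluded 172.16.0.0/23, which is the first thing to reconcile before trying further pool ranges.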
