Racoon as IPsec client for Zywall
Latest revision as of 18:47, 12 January 2013
Zywall comes with a Windows IPsec client sporting a nice interface and many great features. I wanted to see if I could use any of the IPsec implementations on Linux to connect to a Zywall for which I had all the credentials and configuration parameters. This particular configuration is for a roadwarrior type setup. It was tested with Ubuntu 12.04 as the client and a ZyWALL 10W as the concentrator.
Prerequisites
- A Zywall router
- A configured Windows Zywall IPsec client or the *.tgb configuration file
- An operating system with the Racoon IPsec implementation.
Windows client configuration
This just shows the configuration on the Windows host that was used to derive the configuration on Linux. The excerpt below is a configuration file (<ConnectionName>.tgb) produced by vpnconf.exe, which is part of the Zywall IPsec Client.
# Do not edit this file. It is overwritten by VpnConf.
# SIGNATURE MD5 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Creation Date : 2008-05-13 at 09:50:11
# Written by VpnConf 4.10
#
[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15
[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800
# ==================== PHASES 1 ====================
[Phase 1]
<IPsecGatewayAddress> = <ConnectionName>-P1
[<ConnectionName>-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = DES-MD5-GRP1
[<ConnectionName>-P1]
Phase = 1
Address = <IPsecGatewayAddress>
Transport = udp
Configuration = <IPsecGatewayAddress>-main-mode
Authentication = "<PreSharedKey>"
# ==================== PHASES 2 ====================
[Phase 2]
Manual-connections = <ConnectionName>-<TunnelName>-P2
[<ConnectionName>-<TunnelName>-P2]
Phase = 2
ISAKMP-peer = <ConnectionName>-P1
Remote-ID = <TunnelName>-remote-addr
Configuration = <TunnelName>-quick-mode
AutoStart = 0
USBStart = 0
# ==================== Ipsec ID ====================
[<TunnelName>-remote-addr]
ID-type = IPV4_ADDR
Address = <RemoteTargetIP>
# ==================== TRANSFORMS ====================
[<TunnelName>-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = <TunnelName>-quick-mode-suite
[<TunnelName>-quick-mode-suite]
Protocols = TGBQM-ESP-DES-SHA-TUN
[TGBQM-ESP-DES-SHA-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-DES-SHA-TUN-XF
[TGBQM-ESP-DES-SHA-TUN-XF]
TRANSFORM_ID = DES
AUTHENTICATION_ALGORITHM = HMAC_SHA
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime
# ==================== CERTIFICATES ====================
Linux client configuration
This example is based on the Debian / Ubuntu layout.
Software install
The first step is to install racoon and ipsec-tools:
sudo apt-get install racoon ipsec-tools
Racoon config
For this example a pre-shared key (PSK) is used, hence both /etc/racoon/racoon.conf and /etc/racoon/psk.txt have to be edited.
racoon.conf
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote <IPsecGatewayAddress> {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
        generate_policy on;
        nat_traversal on;
}

sainfo anonymous address <RemoteTargetIP> any {
        #pfs_group none;
        lifetime time 3600 seconds;
        encryption_algorithm des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
psk.txt
# IPv4/v6 addresses
10.160.94.3 mekmitasdigoat
172.16.1.133 0x12345678
194.100.55.1 whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
foo@kame.net mekmitasdigoat
# FQDN
foo.kame.net hoge
#
<IPsecGatewayAddress> <PreSharedKey>
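The translation this page does by hand, from the VpnConf profile in the Windows client section to the racoon.conf and psk.txt entries above, as an added example that is not part of the original page and not Zywall or racoon tooling. The profile text inside the block is constructed (documentation addresses, a dummy PSK), and the tables that map DES-MD5-GRP1 and TGBQM-ESP-DES-SHA-TUN-XF onto racoon keywords are an assumption extrapolated from the names the page shows. The page's own excerpt names the main-mode section <ConnectionName>-main-mode but refers to it as <IPsecGatewayAddress>-main-mode; the constructed profile uses one name consistently so the references can be followed. The last function lists the primitives the profile forces racoon to offer (single DES, MD5, DH group 1), which are obsolete and are the first thing to change on the concentrator if it supports anything stronger.

```python
"""Turn a Zywall/VpnConf .tgb profile into racoon.conf and psk.txt fragments.
Added example, not from the page: the sample profile is constructed and the
keyword tables are an assumption extrapolated from the names the page shows."""
import configparser

# Constructed profile (RFC 5737 addresses, dummy PSK), cut down to the
# sections the translation has to follow.
SAMPLE_TGB = """\
[Default-phase-2-lifetime]
LIFE_DURATION = 3600,300:28800
[Phase 1]
203.0.113.1 = office-P1
[office-main-mode]
Transforms = DES-MD5-GRP1
[office-P1]
Address = 203.0.113.1
Configuration = office-main-mode
Authentication = "dummy-psk-not-a-real-secret"
[Phase 2]
Manual-connections = office-lan-P2
[office-lan-P2]
Remote-ID = lan-remote-addr
Configuration = lan-quick-mode
[lan-remote-addr]
Address = 192.0.2.10
[lan-quick-mode]
Suites = lan-quick-mode-suite
[lan-quick-mode-suite]
Protocols = TGBQM-ESP-DES-SHA-TUN
[TGBQM-ESP-DES-SHA-TUN]
Transforms = TGBQM-ESP-DES-SHA-TUN-XF
[TGBQM-ESP-DES-SHA-TUN-XF]
TRANSFORM_ID = DES
AUTHENTICATION_ALGORITHM = HMAC_SHA
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime
"""

# Assumed .tgb -> racoon keyword tables; only the page's own values are certain.
ENC = {"DES": "des", "3DES": "3des"}
HASH = {"MD5": "md5", "SHA": "sha1"}
AUTH = {"HMAC_SHA": "hmac_sha1", "HMAC_MD5": "hmac_md5"}
# Primitives a reviewer should flag: single DES, MD5 and the 768/1024-bit MODP groups.
WEAK = {"des", "md5", "hmac_md5", "dh_group 1", "dh_group 2"}

RACOON_TEMPLATE = """\
remote {gateway} {{
    exchange_mode main,aggressive;
    proposal {{
        encryption_algorithm {p1_enc};
        hash_algorithm {p1_hash};
        authentication_method pre_shared_key;
        dh_group {dh_group};
    }}
    generate_policy on;
    nat_traversal on;
}}
sainfo anonymous address {remote} any {{
    lifetime time {p2_lifetime} seconds;
    encryption_algorithm {p2_enc};
    authentication_algorithm {p2_auth};
    compression_algorithm deflate;
}}
"""


def parse_tgb(text):
    """Follow the profile's section references down to the algorithms."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # profile keys are case sensitive
    cp.read_string(text)
    # Phase 1: [Phase 1] maps the gateway address to its P1 section.
    gateway, p1_name = next(iter(cp["Phase 1"].items()))
    p1 = cp[p1_name]
    enc, hsh, grp = cp[p1["Configuration"]]["Transforms"].split("-")
    # Phase 2: connection -> quick mode -> suite -> protocol -> transform.
    p2 = cp[cp["Phase 2"]["Manual-connections"]]
    suite = cp[cp[p2["Configuration"]]["Suites"]]
    xf = cp[cp[suite["Protocols"]]["Transforms"]]
    # The lifetime is stored as "default,min:max" (assumed); use the default.
    life = cp[xf["Life"]]["LIFE_DURATION"].split(",")[0]
    return {
        "gateway": gateway, "psk": p1["Authentication"].strip('"'),
        "p1_enc": ENC[enc], "p1_hash": HASH[hsh], "dh_group": grp[len("GRP"):],
        "remote": cp[p2["Remote-ID"]]["Address"],
        "p2_enc": ENC[xf["TRANSFORM_ID"]], "p2_auth": AUTH[xf["AUTHENTICATION_ALGORITHM"]],
        "tunnel": xf["ENCAPSULATION_MODE"] == "TUNNEL", "p2_lifetime": int(life),
    }


def racoon_conf(s):
    """Render the remote/sainfo stanzas in the layout used on this page."""
    return RACOON_TEMPLATE.format(**s)


def psk_line(s):
    """psk.txt entry; the file must stay readable by root only (mode 0600)."""
    return f"{s['gateway']} {s['psk']}"


def weak_algorithms(s):
    """Obsolete primitives the profile forces racoon to offer, in order."""
    used = [s["p1_enc"], s["p1_hash"], "dh_group " + s["dh_group"], s["p2_enc"], s["p2_auth"]]
    return [a for i, a in enumerate(used) if a in WEAK and a not in used[:i]]
```

Feed the real .tgb file to parse_tgb instead of SAMPLE_TGB, append the output of racoon_conf to /etc/racoon/racoon.conf and the output of psk_line to /etc/racoon/psk.txt; keep psk.txt owned by root with mode 0600, since it holds the tunnel's only credential.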
SA configuration
Once the racoon files are in place, the security policies for the tunnel (the SPD entries that tell the kernel which traffic must go through ESP) are set in the /etc/ipsec-tools.conf file, which is read by setkey.
#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd <LocalIPorSubnet> <RemoteTargetIP> any -P out ipsec
    esp/tunnel/<LocalGateway>-<IPsecGatewayAddress>/require;

spdadd <RemoteTargetIP> <LocalIPorSubnet> any -P in ipsec
    esp/tunnel/<IPsecGatewayAddress>-<LocalGateway>/require;
Enable configuration
Either use the following commands (the policy file is the one written above):
setkey -f /etc/ipsec-tools.conf
racoonctl reload-config
or restart the services
/etc/init.d/setkey restart
/etc/init.d/racoon restart
Bring up the tunnel
racoonctl vpn-connect <IPsecGatewayAddress>
Confirm connection
# ping -c 3 <IPsecGatewayAddress>
PING <IPsecGatewayAddress> (<IPsecGatewayAddress>) 56(84) bytes of data.
64 bytes from <IPsecGatewayAddress>: icmp_req=1 ttl=127 time=49.7 ms
64 bytes from <IPsecGatewayAddress>: icmp_req=2 ttl=127 time=50.5 ms
64 bytes from <IPsecGatewayAddress>: icmp_req=3 ttl=127 time=50.5 ms
--- <IPsecGatewayAddress> ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 49.734/50.297/50.583/0.398 ms
Troubleshooting
This is a very brief overview of commands to help with troubleshooting.
Phase 1
Check if Phase 1 is up and running with racoonctl show-sa isakmp
# racoonctl show-sa isakmp
Destination Cookies Created
<IPsecGatewayAddress>.500 177d11554e3e18aa:276cab39052f7850 2012-06-05 16:47:11
Phase 2
Check if Phase 2 is up and running with racoonctl show-sa esp or setkey -DH
# setkey -DH
00000000: 02 0a 00 00 02 00 00 00 00 00 00 00 58 15 00 00
<LocalGateway> <IPsecGatewayAddress>
esp mode=tunnel spi=1540133473(0x5bcc9261) reqid=0(0x00000000)
E: des-cbc 4180bb88 26dcf85d
A: hmac-sha1 247c6472 bd5431f1 2d2e9c46 b567e6e4 a38cd518
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jun 5 19:19:03 2012 current: Jun 5 19:22:54 2012
diff: 231(s) hard: 3600(s) soft: 2880(s)
last: Jun 5 19:19:04 2012 hard: 0(s) soft: 0(s)
current: 420(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 5 hard: 0 soft: 0
sadb_seq=1 pid=5464 refcnt=0
<IPsecGatewayAddress> <LocalGateway>
esp mode=tunnel spi=98033518(0x05d7df6e) reqid=0(0x00000000)
E: des-cbc 664ce469 ae2ff311
A: hmac-sha1 66b6c9f2 73c61747 23ca88d4 f2bd61a5 d2c89381
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jun 5 19:19:03 2012 current: Jun 5 19:22:54 2012
diff: 231(s) hard: 3600(s) soft: 2880(s)
last: Jun 5 19:19:04 2012 hard: 0(s) soft: 0(s)
current: 420(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 5 hard: 0 soft: 0
sadb_seq=0 pid=5464 refcnt=0
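A small checker for that listing, as an added example that is not part of the original page: it parses the `setkey -D` dump (skipping the raw bytes that `-H` adds in front of each entry), picks the live ESP SA for each direction, and reports whether the tunnel is up, how long until racoon rekeys (the soft limit minus the elapsed time, 2880 - 231 seconds for the SAs above) and until the kernel drops the SA at the hard limit, and whether the cipher in use is obsolete. The sample dump inside the block is constructed from the listing above with documentation-range addresses, dummy key bytes, some lines trimmed, and an extra SA left in the `dying` state by a rekey, which the checker has to pass over in favour of the mature one.

```python
"""Parse the SAD listing `setkey -D` prints and judge the state of the tunnel.
Added example, not from the page. SAMPLE_DUMP is constructed from the page's
own `setkey -DH` listing: RFC 5737 addresses, dummy key bytes, trimmed lines
and one extra SA left in the 'dying' state by a rekey."""
import re

LOCAL, GATEWAY = "203.0.113.5", "203.0.113.1"  # <LocalGateway>, <IPsecGatewayAddress>

SAMPLE_DUMP = """\
00000000: 02 0a 00 00 02 00 00 00 00 00 00 00 58 15 00 00
203.0.113.5 203.0.113.1
    esp mode=tunnel spi=1540133473(0x5bcc9261) reqid=0(0x00000000)
    E: des-cbc  deadbeef cafef00d
    A: hmac-sha1  00112233 44556677 8899aabb ccddeeff 01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun  5 19:19:03 2012 current: Jun  5 19:22:54 2012
    diff: 231(s)    hard: 3600(s)   soft: 2880(s)
    current: 420(bytes) hard: 0(bytes)  soft: 0(bytes)
203.0.113.1 203.0.113.5
    esp mode=tunnel spi=7001(0x00001b59) reqid=0(0x00000000)
    E: des-cbc  01010101 02020202
    A: hmac-sha1  03030303 04040404 05050505 06060606 07070707
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
    created: Jun  5 18:19:03 2012 current: Jun  5 19:22:54 2012
    diff: 3110(s)   hard: 3600(s)   soft: 2880(s)
    current: 9000(bytes) hard: 0(bytes) soft: 0(bytes)
203.0.113.1 203.0.113.5
    esp mode=tunnel spi=98033518(0x05d7df6e) reqid=0(0x00000000)
    E: des-cbc  0badf00d 0badcafe
    A: hmac-sha1  76543210 ffeeddcc bbaa9988 77665544 33221100
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jun  5 19:19:03 2012 current: Jun  5 19:22:54 2012
    diff: 231(s)    hard: 3600(s)   soft: 2880(s)
    current: 420(bytes) hard: 0(bytes)  soft: 0(bytes)
"""

HEXDUMP = re.compile(r"^[0-9a-f]{8}: ")  # raw SADB bytes added by -H
FIELDS = [  # (key, pattern) for the indented detail lines of one SA
    ("proto", re.compile(r"^(\w+) mode=(\w+) spi=(\d+)\(")),
    ("enc", re.compile(r"^E: (\S+)")),
    ("auth", re.compile(r"^A: (\S+)")),
    ("state", re.compile(r"\bstate=(\w+)")),
    ("life", re.compile(r"^diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)")),
    ("bytes", re.compile(r"^current: (\d+)\(bytes\)")),
]
WEAK_CIPHERS = {"des-cbc", "null"}


def parse_setkey_dump(text):
    """One dict per SA; an unindented 'src dst' line starts a new entry."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or HEXDUMP.match(line):
            continue
        if not raw[0].isspace():
            src, dst = line.split()[:2]
            cur = {"src": src, "dst": dst}
            sas.append(cur)
            continue
        if cur is None:
            continue
        for key, pattern in FIELDS:
            m = pattern.search(line)
            if not m:
                continue
            if key == "proto":
                cur.update(proto=m.group(1), mode=m.group(2), spi=int(m.group(3)))
            elif key == "life":
                cur.update(age=int(m.group(1)), hard=int(m.group(2)), soft=int(m.group(3)))
            elif key == "bytes":
                cur["bytes"] = int(m.group(1))
            else:
                cur[key] = m.group(1)
    return sas


def tunnel_status(sas, local, gateway):
    """Pick the live ESP SA per direction and list what a defender should know."""
    def live(src, dst):
        cands = [s for s in sas if (s["src"], s["dst"], s.get("proto")) == (src, dst, "esp")]
        mature = [s for s in cands if s.get("state") == "mature"]
        return (mature or cands or [None])[0]  # prefer mature over dying/larval

    status = {"out": live(local, gateway), "in": live(gateway, local), "up": True, "warnings": []}
    for direction in ("out", "in"):
        sa = status[direction]
        if sa is None:
            status["warnings"].append(f"{direction}: no ESP SA installed")
            status["up"] = False
            continue
        if sa["state"] != "mature":
            status["warnings"].append(f"{direction}: spi={sa['spi']} is {sa['state']}")
            status["up"] = False
        if sa.get("enc") in WEAK_CIPHERS:
            status["warnings"].append(f"{direction}: spi={sa['spi']} uses {sa['enc']}, an obsolete cipher")
        sa["rekey_in"] = sa["soft"] - sa["age"]    # racoon renegotiates at the soft limit
        sa["expires_in"] = sa["hard"] - sa["age"]  # the kernel drops the SA at the hard limit
    return status
```

On a live host, pipe the output of `setkey -D` (run as root) into parse_setkey_dump and call tunnel_status with the real <LocalGateway> and <IPsecGatewayAddress>; a missing direction means the policy in /etc/ipsec-tools.conf never triggered a negotiation, while a `larval` SA means Phase 2 started but did not complete.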
Racoon debugging
Enable debugging in the racoon.conf configuration file and watch the syslog output under /var/log/{syslog,messages} for errors.
log debug2;