Difference between revisions of "VPN/Racoon as IPsec client for Zywall"

From braindump
Jump to navigation Jump to search
 
(17 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{DISPLAYTITLE:Racoon as IPsec client for Zywall}}
{{DISPLAYTITLE:Racoon as IPsec client for Zywall}}
Zywall comes with a Windows IPSEC client sporting a nice interface and many great features. I wanted to see if I can use any of the IP implementations on Linux to connect to a Zywall I had all the credentials and configuration parameters.
Zywall comes with a Windows IPSEC client sporting a nice interface and many great features. I wanted to see if I can use any of the IP implementations on Linux to connect to a Zywall I had all the credentials and configuration parameters. This particular configuration is for a ''roadwarrior'' type setup. It was tested with Ubuntu 12.04 as the client and a ZyWALL 10W as the concentrator.


== Prerequisites ==
== Prerequisites ==
Line 8: Line 8:


== Windows client configuration ==
== Windows client configuration ==
This is just to show the configuraion on the Windows host that was used to create the configuration on Linux.
This is just to show the configuraion on the Windows host that was used to create the configuration on Linux. The below exerpt is a configuration file (<tt><span class="input"><ConnectionName></span>.tgb</tt>) produced by <tt>vpnconf.exe</tt> which is part of the Zywall IPsec Client.

# Do not edit this file. It is overwritten by VpnConf.
# SIGNATURE MD5 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Creation Date : 2008-05-13 at 09:50:11
# Written by VpnConf 4.10
#
[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15
[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800
# ==================== PHASES 1 ====================
[Phase 1]
<span class="input"><IPsecGatewayAddress></span> = <span class="input"><ConnectionName></span>-P1
[<span class="input"><ConnectionName></span>-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = DES-MD5-GRP1
[<span class="input"><ConnectionName></span>-P1]
Phase = 1
Address = <span class="input"><IPsecGatewayAddress></span>
Transport = udp
Configuration = <span class="input"><IPsecGatewayAddress></span>-main-mode
Authentication = "<span class="input"><PreSharedKey></span>"
# ==================== PHASES 2 ====================
[Phase 2]
Manual-connections = <span class="input"><ConnectionName></span>-<span class="input"><TunnelName></span>-P2
[<span class="input"><ConnectionName></span>-<span class="input"><TunnelName></span>-P2]
Phase = 2
ISAKMP-peer = <span class="input"><ConnectionName></span>-P1
Remote-ID = <span class="input"><TunnelName></span>-remote-addr
Configuration = <span class="input"><TunnelName></span>-quick-mode
AutoStart = 0
USBStart = 0
# ==================== Ipsec ID ====================
[<span class="input"><TunnelName></span>-remote-addr]
ID-type = IPV4_ADDR
Address = <span class="input"><RemoteTargetIP></span>
# ==================== TRANSFORMS ====================
[<span class="input"><TunnelName></span>-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = <span class="input"><TunnelName></span>-quick-mode-suite
[<span class="input"><TunnelName></span>-quick-mode-suite]
Protocols = TGBQM-ESP-DES-SHA-TUN
[TGBQM-ESP-DES-SHA-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-DES-SHA-TUN-XF
[TGBQM-ESP-DES-SHA-TUN-XF]
TRANSFORM_ID = DES
AUTHENTICATION_ALGORITHM = HMAC_SHA
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime
# ==================== CERTIFICATES ====================


== Linux client configuration ==
== Linux client configuration ==
Line 63: Line 142:
#
#
<span class="input"><IPsecGatewayAddress> <PreSharedKey></span>
<span class="input"><IPsecGatewayAddress> <PreSharedKey></span>



=== SA configuration ===
=== SA configuration ===
Line 72: Line 150:
spdflush;
spdflush;
spdadd <span class="input"><LocalIPorSubnet></span> <span class="input"><RemoteTargetIP></span> any -P out ipsec
spdadd <span class="input"><LocalIPorSubnet></span> <span class="input"><RemoteTargetIP></span> any -P out ipsec
esp/tunnel/<span class="input"><LocalGateway></span>-<span class="input"><IPsecGatewayIP></span>/require;
esp/tunnel/<span class="input"><LocalGateway></span>-<span class="input"><IPsecGatewayAddress></span>/require;
spdadd <span class="input"><RemoteTargetIP></span> <span class="input"><LocalIPorSubnet></span> any -P in ipsec
spdadd <span class="input"><RemoteTargetIP></span> <span class="input"><LocalIPorSubnet></span> any -P in ipsec
esp/tunnel/<span class="input"><IPsecGatewayIP>-<span class="input"><LocalGateway></span>/require;
esp/tunnel/<span class="input"><IPsecGatewayAddress></span>-<span class="input"><LocalGateway></span>/require;

=== Enable configuration ===
Either use the following commands
setkey -f /etc/ipsec-conf.txt
racoonctl reload-config
or restart the services
/etc/init.d/setkey restart
/etc/init.d/racoon restart

=== Bring up the tunnel ===
racoonctl vpn-connect <span class="input"><IPsecGatewayAddress></span>

=== Confirm connection ===
# ping -c 3 <span class="input"><IPsecGatewayAddress></span>
PING <span class="highlight"><IPsecGatewayAddress></span> (<span class="highlight"><IPsecGatewayAddress></span>) 56(84) bytes of data.
64 bytes from <span class="highlight"><IPsecGatewayAddress></span>: icmp_req=1 ttl=127 time=49.7 ms
64 bytes from <span class="highlight"><IPsecGatewayAddress></span>: icmp_req=2 ttl=127 time=50.5 ms
64 bytes from <span class="highlight"><IPsecGatewayAddress></span>: icmp_req=3 ttl=127 time=50.5 ms
--- <span class="highlight"><IPsecGatewayAddress></span> ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 49.734/50.297/50.583/0.398 ms

== Troubleshooting ==
This is a very brief overview of commands to help with troubleshooting.
=== Phase 1 ===
Check if Phase 1 is up and running with <tt>racoonctl show-sa isakmp</tt>
# racoonctl show-sa isakmp
Destination Cookies Created
<span class="highlight"><IPsecGatewayAddress></span>.500 177d11554e3e18aa:276cab39052f7850 2012-06-05 16:47:11

=== Phase 2 ===
Check if Phase 2 is up and running with <tt>racoonctl show-sa esp</tt> or <tt>setkey -DH</tt>
# setkey -DH
00000000: 02 0a 00 00 02 00 00 00 00 00 00 00 58 15 00 00
<span class="highlight"><LocalGateway></span> <span class="highlight"><IPsecGatewayAddress></span>
esp mode=tunnel spi=1540133473(0x5bcc9261) reqid=0(0x00000000)
E: des-cbc 4180bb88 26dcf85d
A: hmac-sha1 247c6472 bd5431f1 2d2e9c46 b567e6e4 a38cd518
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jun 5 19:19:03 2012 current: Jun 5 19:22:54 2012
diff: 231(s) hard: 3600(s) soft: 2880(s)
last: Jun 5 19:19:04 2012 hard: 0(s) soft: 0(s)
current: 420(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 5 hard: 0 soft: 0
sadb_seq=1 pid=5464 refcnt=0
<span class="highlight"><IPsecGatewayAddress></span> <span class="highlight"><LocalGateway></span>
esp mode=tunnel spi=98033518(0x05d7df6e) reqid=0(0x00000000)
E: des-cbc 664ce469 ae2ff311
A: hmac-sha1 66b6c9f2 73c61747 23ca88d4 f2bd61a5 d2c89381
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jun 5 19:19:03 2012 current: Jun 5 19:22:54 2012
diff: 231(s) hard: 3600(s) soft: 2880(s)
last: Jun 5 19:19:04 2012 hard: 0(s) soft: 0(s)
current: 420(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 5 hard: 0 soft: 0
sadb_seq=0 pid=5464 refcnt=0

=== Racoon debugging ===
Enable debugging in the <tt>racoon.conf</tt> configuration file and watch the syslog output under <tt>/var/log/{syslog,messages}</tt> for errors.
log <span class="input">debug2</span>;


[[Category:IPsec]]
[[Category:IPsec]]

Latest revision as of 18:47, 12 January 2013

Zywall comes with a Windows IPSEC client sporting a nice interface and many great features. I wanted to see if I can use any of the IP implementations on Linux to connect to a Zywall I had all the credentials and configuration parameters. This particular configuration is for a roadwarrior type setup. It was tested with Ubuntu 12.04 as the client and a ZyWALL 10W as the concentrator.

Prerequisites

  • A Zywall router
  • A configured Windows Zywall IPsec client or the *.tbp configuration file
  • An operating system with the Racoon IPsec implementation.

Windows client configuration

This is just to show the configuraion on the Windows host that was used to create the configuration on Linux. The below exerpt is a configuration file (<ConnectionName>.tgb) produced by vpnconf.exe which is part of the Zywall IPsec Client.

# Do not edit this file. It is overwritten by VpnConf.
# SIGNATURE MD5 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Creation Date : 2008-05-13 at 09:50:11
# Written by VpnConf 4.10
#

[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15

[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800

# ==================== PHASES 1 ====================

[Phase 1]
<IPsecGatewayAddress> = <ConnectionName>-P1

[<ConnectionName>-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = DES-MD5-GRP1

[<ConnectionName>-P1]
Phase = 1
Address = <IPsecGatewayAddress>
Transport = udp
Configuration = <IPsecGatewayAddress>-main-mode
Authentication = "<PreSharedKey>"

# ==================== PHASES 2 ====================

[Phase 2]
Manual-connections = <ConnectionName>-<TunnelName>-P2

[<ConnectionName>-<TunnelName>-P2]
Phase = 2
ISAKMP-peer = <ConnectionName>-P1
Remote-ID = <TunnelName>-remote-addr
Configuration = <TunnelName>-quick-mode
AutoStart = 0
USBStart = 0

# ==================== Ipsec ID ====================

[<TunnelName>-remote-addr]
ID-type = IPV4_ADDR
Address = <RemoteTargetIP>

# ==================== TRANSFORMS ====================

[<TunnelName>-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = <TunnelName>-quick-mode-suite

[<TunnelName>-quick-mode-suite]
Protocols = TGBQM-ESP-DES-SHA-TUN

[TGBQM-ESP-DES-SHA-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-DES-SHA-TUN-XF

[TGBQM-ESP-DES-SHA-TUN-XF]
TRANSFORM_ID = DES
AUTHENTICATION_ALGORITHM = HMAC_SHA
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime

# ==================== CERTIFICATES ====================

Linux client configuration

This is example is based on the Debian / Ubuntu layout.

Software install

First step is to install racoon and ipsec-tools

sudo apt-get install racoon ipsec-tools

Racoon config

For this example a pre-shared-key (PSK) is used. Hence we have to edit both the /etc/racoon/racoon.conf and the /etc/racoon/psk.txt files.

racoon.conf

#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote <IPsecGatewayAddress> {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
        generate_policy on;
        nat_traversal on;
}

sainfo anonymous address <RemoteTargetIP> any {
        #pfs_group none;
        lifetime time 3600 seconds;
        encryption_algorithm des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

psk.txt

# IPv4/v6 addresses
10.160.94.3     mekmitasdigoat
172.16.1.133    0x12345678
194.100.55.1    whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa    mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa    mekmitasdigoat
# USER_FQDN
foo@kame.net    mekmitasdigoat
# FQDN
foo.kame.net    hoge
#
<IPsecGatewayAddress>     <PreSharedKey>

SA configuration

Once the racoon files are in place the SA needs to be set via the /etc/ipsec-tools.conf file.

#!/usr/sbin/setkey -f

flush;
spdflush;
spdadd <LocalIPorSubnet> <RemoteTargetIP> any -P out ipsec
    esp/tunnel/<LocalGateway>-<IPsecGatewayAddress>/require;
spdadd <RemoteTargetIP> <LocalIPorSubnet> any -P in ipsec
    esp/tunnel/<IPsecGatewayAddress>-<LocalGateway>/require;

Enable configuration

Either use the following commands

setkey -f /etc/ipsec-conf.txt
racoonctl reload-config 

or restart the services

/etc/init.d/setkey restart
/etc/init.d/racoon restart

Bring up the tunnel

racoonctl vpn-connect <IPsecGatewayAddress>

Confirm connection

# ping -c 3 <IPsecGatewayAddress>
PING <IPsecGatewayAddress> (<IPsecGatewayAddress>) 56(84) bytes of data.
64 bytes from <IPsecGatewayAddress>: icmp_req=1 ttl=127 time=49.7 ms
64 bytes from <IPsecGatewayAddress>: icmp_req=2 ttl=127 time=50.5 ms
64 bytes from <IPsecGatewayAddress>: icmp_req=3 ttl=127 time=50.5 ms

--- <IPsecGatewayAddress> ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 49.734/50.297/50.583/0.398 ms

Troubleshooting

This is a very brief overview of commands to help with troubleshooting.

Phase 1

Check if Phase 1 is up and running with racoonctl show-sa isakmp

# racoonctl show-sa isakmp
Destination                      Cookies                           Created
<IPsecGatewayAddress>.500        177d11554e3e18aa:276cab39052f7850 2012-06-05 16:47:11

Phase 2

Check if Phase 2 is up and running with racoonctl show-sa esp or setkey -DH

# setkey -DH
00000000: 02 0a 00 00 02 00 00 00 00 00 00 00 58 15 00 00
<LocalGateway> <IPsecGatewayAddress>
        esp mode=tunnel spi=1540133473(0x5bcc9261) reqid=0(0x00000000)
        E: des-cbc  4180bb88 26dcf85d
        A: hmac-sha1  247c6472 bd5431f1 2d2e9c46 b567e6e4 a38cd518
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun  5 19:19:03 2012   current: Jun  5 19:22:54 2012
        diff: 231(s)    hard: 3600(s)   soft: 2880(s)
        last: Jun  5 19:19:04 2012      hard: 0(s)      soft: 0(s)
        current: 420(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 0 soft: 0
        sadb_seq=1 pid=5464 refcnt=0
<IPsecGatewayAddress> <LocalGateway>
        esp mode=tunnel spi=98033518(0x05d7df6e) reqid=0(0x00000000)
        E: des-cbc  664ce469 ae2ff311
        A: hmac-sha1  66b6c9f2 73c61747 23ca88d4 f2bd61a5 d2c89381
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun  5 19:19:03 2012   current: Jun  5 19:22:54 2012
        diff: 231(s)    hard: 3600(s)   soft: 2880(s)
        last: Jun  5 19:19:04 2012      hard: 0(s)      soft: 0(s)
        current: 420(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 0 soft: 0
        sadb_seq=0 pid=5464 refcnt=0

Racoon debugging

Enable debugging in the racoon.conf configuration file and watch the syslog output under /var/log/{syslog,messages} for errors.

log debug2;