VPN/Racoon as IPsec client for Zywall

Revision as of 17:17, 5 June 2012

Zywall comes with a Windows IPsec client sporting a nice interface and many great features. I wanted to see whether any of the IPsec implementations on Linux could connect to a Zywall for which I had all the credentials and configuration parameters.

Prerequisites

  • A Zywall router
  • A configured Windows Zywall IPsec client or the *.tbp configuration file
  • An operating system with the Racoon IPsec implementation.

Windows client configuration

This is just to show the configuration on the Windows host that was used as the basis for the configuration on Linux.

Linux client configuration

This example is based on the Debian / Ubuntu layout.

Software install

The first step is to install racoon and ipsec-tools:

sudo apt-get install racoon ipsec-tools

Racoon config

For this example a pre-shared key (PSK) is used, so both /etc/racoon/racoon.conf and /etc/racoon/psk.txt have to be edited. The proposal below (DES, MD5, DH group 1) is what this particular gateway was set up to accept; all three are weak by today's standards, so use AES, SHA-1 or SHA-256 and at least dh_group 2 (preferably 14) wherever the Zywall allows it.

racoon.conf

#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote <IPsecGatewayAddress> {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
        generate_policy on;
        nat_traversal on;
}

sainfo anonymous address <RemoteTargetIP> any {
        #pfs_group none;
        lifetime time 3600 seconds;
        encryption_algorithm des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

psk.txt

The first entries are the sample lines that ship with the package; only the last line, the gateway address and its key, is needed for this setup. Keep the file readable by root only (mode 600), since it holds the tunnel's secret.

# IPv4/v6 addresses
10.160.94.3     mekmitasdigoat
172.16.1.133    0x12345678
194.100.55.1    whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa    mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa    mekmitasdigoat
# USER_FQDN
foo@kame.net    mekmitasdigoat
# FQDN
foo.kame.net    hoge
#
<IPsecGatewayAddress>     <PreSharedKey>


SA configuration

Once the racoon files are in place, the security policies (SPD entries) that select traffic for the tunnel need to be set via the /etc/ipsec-tools.conf file; the SAs themselves are then negotiated by racoon.

#!/usr/sbin/setkey -f

flush;
spdflush;
spdadd <LocalIPorSubnet> <RemoteTargetIP> any -P out ipsec
    esp/tunnel/<LocalGateway>-<IPsecGatewayAddress>/require;
spdadd <RemoteTargetIP> <LocalIPorSubnet> any -P in ipsec
    esp/tunnel/<IPsecGatewayAddress>-<LocalGateway>/require;

Enable configuration

Either use the following commands:

setkey -f /etc/ipsec-tools.conf
racoonctl reload-config

or restart the services

/etc/init.d/setkey restart
/etc/init.d/racoon restart

Bring up the tunnel

racoonctl vpn-connect <IPsecGatewayAddress>

Confirm connection

# racoonctl show-sa isakmp
Destination                      Cookies                           Created
<IPsecGatewayAddress>.500        177d11554e3e18aa:276cab39052f7850 2012-06-05 16:47:11
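As an added example that is not part of the original wiki page, the following shell script ties the SA configuration and the confirmation step together: it renders the setkey SPD file from the four placeholders used above, checks that psk.txt is readable only by its owner, and parses the output of racoonctl show-sa isakmp to confirm that the gateway's ISAKMP SA is present. The addresses and cookie values in the sample are constructed, not taken from a real tunnel.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Renders the setkey SPD file
# from the page's four placeholders and checks "racoonctl show-sa isakmp"
# output for the gateway's ISAKMP SA. All addresses are constructed samples.

# render_spd LOCAL_NET REMOTE_NET LOCAL_GW IPSEC_GW
# Prints an /etc/ipsec-tools.conf with the two spdadd entries from the page.
render_spd() {
    local_net=$1 remote_net=$2 local_gw=$3 ipsec_gw=$4
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd $local_net $remote_net any -P out ipsec
    esp/tunnel/$local_gw-$ipsec_gw/require;
spdadd $remote_net $local_net any -P in ipsec
    esp/tunnel/$ipsec_gw-$local_gw/require;
EOF
}

# psk_perm_ok FILE: racoon's PSK file should be readable only by its owner.
psk_perm_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# isakmp_sa_up IPSEC_GW  (stdin = output of "racoonctl show-sa isakmp")
# Succeeds when a row for <gateway>.500 carries an initiator:responder cookie pair.
isakmp_sa_up() {
    awk -v gw="$1" '
        $1 == gw ".500" && $2 ~ /^[0-9a-f]+:[0-9a-f]+$/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample of "racoonctl show-sa isakmp" output (not a real capture).
SAMPLE_SHOW_SA='Destination                      Cookies                           Created
203.0.113.10.500                 0123456789abcdef:fedcba9876543210 2012-06-05 16:47:11'
```

On a live host, pipe the real output instead: `racoonctl show-sa isakmp | isakmp_sa_up <IPsecGatewayAddress>`.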