Difference between revisions of "VPN/Racoon as IPsec client for Zywall"
Jump to navigation
Jump to search
Line 86: | Line 86: | ||
=== Bring up the tunnel === |
=== Bring up the tunnel === |
||
racoonctl vpn-connect <span class="input"><IPsecGatewayAddress></span> |
racoonctl vpn-connect <span class="input"><IPsecGatewayAddress></span> |
||
=== Confirm connection === |
|||
# racoonctl show-sa isakmp |
|||
Destination Cookies Created |
|||
<span class="highlight"><IPsecGatewayAddress></span>.500 177d11554e3e18aa:276cab39052f7850 2012-06-05 16:47:11 |
|||
[[Category:IPsec]] |
[[Category:IPsec]] |
Revision as of 17:17, 5 June 2012
Zywall comes with a Windows IPSEC client sporting a nice interface and many great features. I wanted to see if I can use any of the IP implementations on Linux to connect to a Zywall I had all the credentials and configuration parameters.
Prerequisites
- A Zywall router
- A configured Windows Zywall IPsec client or the *.tbp configuration file
- An operating system with the Racoon IPsec implementation.
Windows client configuration
This is just to show the configuraion on the Windows host that was used to create the configuration on Linux.
Linux client configuration
This is example is based on the Debian / Ubuntu layout.
Software install
First step is to install racoon and ipsec-tools
sudo apt-get install racoon ipsec-tools
Racoon config
For this example a pre-shared-key (PSK) is used. Hence we have to edit both the /etc/racoon/racoon.conf and the /etc/racoon/psk.txt files.
racoon.conf
# # # Also read the Linux IPSEC Howto up at # http://www.ipsec-howto.org/t1.html # log notify; path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; remote <IPsecGatewayAddress> { exchange_mode main,aggressive; proposal { encryption_algorithm des; hash_algorithm md5; authentication_method pre_shared_key; dh_group 1; } generate_policy on; nat_traversal on; } sainfo anonymous address <RemoteTargetIP> any { #pfs_group none; lifetime time 3600 seconds; encryption_algorithm des; authentication_algorithm hmac_sha1; compression_algorithm deflate; }
psk.txt
# IPv4/v6 addresses
10.160.94.3 mekmitasdigoat
172.16.1.133 0x12345678
194.100.55.1 whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
foo@kame.net mekmitasdigoat
# FQDN
foo.kame.net hoge
#
<IPsecGatewayAddress> <PreSharedKey>
SA configuration
Once the racoon files are in place the SA needs to be set via the /etc/ipsec-tools.conf file.
#!/usr/sbin/setkey -f flush; spdflush; spdadd <LocalIPorSubnet> <RemoteTargetIP> any -P out ipsec esp/tunnel/<LocalGateway>-<IPsecGatewayAddress>/require; spdadd <RemoteTargetIP> <LocalIPorSubnet> any -P in ipsec esp/tunnel/<IPsecGatewayAddress>-<LocalGateway>/require;
Enable configuration
Either use the following commands
setkey -f /etc/ipsec-conf.txt racoonctl reload-config
or restart the services
/etc/init.d/setkey restart /etc/init.d/racoon restart
Bring up the tunnel
racoonctl vpn-connect <IPsecGatewayAddress>
Confirm connection
# racoonctl show-sa isakmp
Destination Cookies Created
<IPsecGatewayAddress>.500 177d11554e3e18aa:276cab39052f7850 2012-06-05 16:47:11