Racoon as IPsec client for Zywall
Zywall comes with a Windows IPSEC client sporting a nice interface and many great features. I wanted to see if I can use any of the IP implementations on Linux to connect to a Zywall I had all the credentials and configuration parameters.
Prerequisites
- A Zywall router
- A configured Windows Zywall IPsec client or the *.tbp configuration file
- An operating system with the Racoon IPsec implementation.
Windows client configuration
This is just to show the configuraion on the Windows host that was used to create the configuration on Linux.
Linux client configuration
This is example is based on the Debian / Ubuntu layout.
Software install
First step is to install racoon and ipsec-tools
sudo apt-get install racoon ipsec-tools
Racoon config
For this example a pre-shared-key (PSK) is used. Hence we have to edit both the /etc/racoon/racoon.conf and the /etc/racoon/psk.txt files.
racoon.conf
# # # Also read the Linux IPSEC Howto up at # http://www.ipsec-howto.org/t1.html # log notify; path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; remote <IPsecGatewayAddress> { exchange_mode main,aggressive; proposal { encryption_algorithm des; hash_algorithm md5; authentication_method pre_shared_key; dh_group 1; } generate_policy on; nat_traversal on; } sainfo anonymous address <RemoteTargetIP> any { #pfs_group none; lifetime time 3600 seconds; encryption_algorithm des; authentication_algorithm hmac_sha1; compression_algorithm deflate; }
psk.txt
# IPv4/v6 addresses
10.160.94.3 mekmitasdigoat
172.16.1.133 0x12345678
194.100.55.1 whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
foo@kame.net mekmitasdigoat
# FQDN
foo.kame.net hoge
#
<IPsecGatewayAddress> <PreSharedKey>
SA configuration
Once the racoon files are in place the SA needs to be set via the /etc/ipsec-tools.conf file.
#!/usr/sbin/setkey -f flush; spdflush; spdadd <LocalIPorSubnet> <RemoteTargetIP> any -P out ipsec esp/tunnel/<LocalGateway>-<IPsecGatewayAddress>/require; spdadd <RemoteTargetIP> <LocalIPorSubnet> any -P in ipsec esp/tunnel/<IPsecGatewayAddress>-<LocalGateway>/require;