Racoon as IPsec client for Zywall
Zywall comes with a Windows IPsec client sporting a nice interface and many great features. I wanted to see whether one of the IPsec implementations on Linux could connect to a Zywall for which I already had all the credentials and configuration parameters.
Prerequisites
- A Zywall router
- A configured Windows Zywall IPsec client or the *.tbp configuration file
- An operating system with the Racoon IPsec implementation.
Windows client configuration
This is just to show the configuration on the Windows host (the VpnConf *.tbp profile) that was used to derive the Linux configuration below. The values that matter are the gateway address, the pre-shared key, the phase 1 transform (DES-MD5-GRP1, i.e. DES, MD5 and DH group 1), the remote address of the tunnel and the phase 2 ESP transform (DES with HMAC-SHA1 in tunnel mode). The same placeholders are used in the Linux files further down.
# Do not edit this file. It is overwritten by VpnConf.
# SIGNATURE MD5 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Creation Date : 2008-05-13 at 09:50:11
# Written by VpnConf 4.10
#

[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15

[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800

# ==================== PHASES 1 ====================

[Phase 1]
<IPsecGatewayAddress> = <ConnectionName>-P1

[<ConnectionName>-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = DES-MD5-GRP1

[<ConnectionName>-P1]
Phase = 1
Address = <IPsecGatewayAddress>
Transport = udp
Configuration = <ConnectionName>-main-mode
Authentication = "<PreSharedKey>"

# ==================== PHASES 2 ====================

[Phase 2]
Manual-connections = <ConnectionName>-<TunnelName>-P2

[<ConnectionName>-<TunnelName>-P2]
Phase = 2
ISAKMP-peer = <ConnectionName>-P1
Remote-ID = <TunnelName>-remote-addr
Configuration = <TunnelName>-quick-mode
AutoStart = 0
USBStart = 0

# ==================== Ipsec ID ====================

[<TunnelName>-remote-addr]
ID-type = IPV4_ADDR
Address = <RemoteTargetIP>

# ==================== TRANSFORMS ====================

[<TunnelName>-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = <TunnelName>-quick-mode-suite

[<TunnelName>-quick-mode-suite]
Protocols = TGBQM-ESP-DES-SHA-TUN

[TGBQM-ESP-DES-SHA-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-DES-SHA-TUN-XF

[TGBQM-ESP-DES-SHA-TUN-XF]
TRANSFORM_ID = DES
AUTHENTICATION_ALGORITHM = HMAC_SHA
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime

# ==================== CERTIFICATES ====================
Linux client configuration
This example is based on the Debian / Ubuntu layout.
Software install
The first step is to install racoon (the IKE daemon) and ipsec-tools (which provides setkey):
sudo apt-get install racoon ipsec-tools
Racoon config
For this example a pre-shared key (PSK) is used, so both /etc/racoon/racoon.conf and /etc/racoon/psk.txt have to be edited. The proposal in racoon.conf has to offer exactly what the Zywall rule is configured for, which for this gateway means DES, MD5 and DH group 1 in phase 1 and DES with HMAC-SHA1 in phase 2, as read from the *.tbp file above. These algorithms are obsolete and appear here only because the gateway demanded them; if you control the Zywall, move the rule to AES and a larger DH group and mirror that in racoon.conf.
racoon.conf
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote <IPsecGatewayAddress> {
	exchange_mode main,aggressive;
	proposal {
		encryption_algorithm des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 1;
	}
	generate_policy on;
	nat_traversal on;
}

sainfo anonymous address <RemoteTargetIP> any {
	#pfs_group none;
	lifetime time 3600 seconds;
	encryption_algorithm des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
psk.txt
The file maps an identifier (IPv4/IPv6 address, user FQDN or FQDN) to its key, one pair per line separated by whitespace. The kame.net lines below are the sample entries shipped with the Debian package and can be deleted; the only line needed here is the last one, the gateway address followed by the pre-shared key from the *.tbp file. racoon refuses to read the file if it is group- or world-readable, so keep it mode 600 and owned by root.
# IPv4/v6 addresses
10.160.94.3 mekmitasdigoat
172.16.1.133 0x12345678
194.100.55.1 whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
foo@kame.net mekmitasdigoat
# FQDN
foo.kame.net hoge
#
<IPsecGatewayAddress> <PreSharedKey>
SA configuration
Once the racoon files are in place the security policies need to be set via the /etc/ipsec-tools.conf file. The two spdadd entries tell the kernel which traffic must go through the ESP tunnel; racoon then negotiates the SAs for them, either on demand when a matching packet is sent or when racoonctl vpn-connect is issued below. <LocalIPorSubnet> and <RemoteTargetIP> are also the phase 2 identities offered to the Zywall, so they have to match the local and remote network of the VPN rule on the Zywall, otherwise quick mode fails. <LocalGateway> is the address of the Linux host itself.
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd <LocalIPorSubnet> <RemoteTargetIP> any -P out ipsec
	esp/tunnel/<LocalGateway>-<IPsecGatewayAddress>/require;
spdadd <RemoteTargetIP> <LocalIPorSubnet> any -P in ipsec
	esp/tunnel/<IPsecGatewayAddress>-<LocalGateway>/require;
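The mapping from the *.tbp profile to racoon.conf, psk.txt and ipsec-tools.conf is mechanical, so it can be scripted. The following Python is an added example for this page, not code from racoon, ipsec-tools or ZyXEL. The profile it parses is a constructed copy of the layout above using RFC 5737 documentation addresses (203.0.113.1 for the gateway, 192.0.2.10 for the remote host), and the transform names it accepts beyond DES-MD5-GRP1, DES and HMAC_SHA are an assumption about VpnConf's naming scheme. It also lists the obsolete algorithms the profile forces on the tunnel, which is the first thing to check before trusting it.

```python
# Added example, not code from the page, racoon, ipsec-tools or the Zywall client:
# derive racoon.conf, psk.txt and the setkey SPD entries from a VpnConf *.tbp
# profile.  SAMPLE_TBP is constructed from the layout shown above with RFC 5737
# addresses; transform names besides DES-MD5-GRP1 / DES / HMAC_SHA are an
# assumption about VpnConf's naming scheme, not checked against the product.
import configparser
import re

SAMPLE_TBP = """\
[Default-phase-2-lifetime]
LIFE_DURATION = 3600,300:28800
[Phase 1]
203.0.113.1 = office-P1
[office-main-mode]
EXCHANGE_TYPE = ID_PROT
Transforms = DES-MD5-GRP1
[office-P1]
Address = 203.0.113.1
Configuration = office-main-mode
Authentication = "s3cret-psk"
[Phase 2]
Manual-connections = office-lan-P2
[office-lan-P2]
Remote-ID = lan-remote-addr
Configuration = lan-quick-mode
[lan-remote-addr]
Address = 192.0.2.10
[lan-quick-mode]
Suites = lan-quick-mode-suite
[lan-quick-mode-suite]
Protocols = TGBQM-ESP-DES-SHA-TUN
[TGBQM-ESP-DES-SHA-TUN]
Transforms = TGBQM-ESP-DES-SHA-TUN-XF
[TGBQM-ESP-DES-SHA-TUN-XF]
TRANSFORM_ID = DES
AUTHENTICATION_ALGORITHM = HMAC_SHA
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime
"""

ENC = {"DES": "des", "3DES": "3des", "AES": "aes"}        # VpnConf name -> racoon name
HASH = {"MD5": "md5", "SHA": "sha1"}
AUTH = {"HMAC_MD5": "hmac_md5", "HMAC_SHA": "hmac_sha1"}
EXCHANGE = {"ID_PROT": "main", "AGGRESSIVE": "aggressive"}
WEAK = {"des", "md5", "hmac_md5"}                         # DH groups 1 and 2 are flagged too

def parse_tbp(text):
    """Follow the section references of the profile down to the two transforms."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    gateway, p1_name = next(iter(cp["Phase 1"].items()))  # "<gateway> = <connection>-P1"
    p1 = cp[p1_name]
    mm = cp[p1["configuration"]]                           # the main-mode section
    m = re.fullmatch(r"(DES|3DES|AES)-(MD5|SHA)-GRP(\d+)", mm["transforms"])
    if m is None:
        raise ValueError(f"unsupported phase 1 transform {mm['transforms']!r}")
    p2 = cp[cp["Phase 2"]["manual-connections"]]
    suite = cp[cp[p2["configuration"]]["suites"]]
    xf = cp[cp[suite["protocols"]]["transforms"]]          # the ESP transform section
    return {
        "gateway": gateway, "psk": p1["authentication"].strip('"'),
        "exchange": EXCHANGE[mm["exchange_type"]],
        "p1_enc": ENC[m[1]], "p1_hash": HASH[m[2]], "dh_group": int(m[3]),
        "remote": cp[p2["remote-id"]]["address"],
        "p2_enc": ENC[xf["transform_id"]], "p2_auth": AUTH[xf["authentication_algorithm"]],
        "mode": xf["encapsulation_mode"].lower(),
        "lifetime": int(cp[xf["life"]]["life_duration"].split(",")[0]),
    }

def racoon_conf(p):
    """remote {} and sainfo {} blocks for /etc/racoon/racoon.conf."""
    return (f"remote {p['gateway']} {{\n\texchange_mode {p['exchange']};\n\tproposal {{\n"
            f"\t\tencryption_algorithm {p['p1_enc']};\n\t\thash_algorithm {p['p1_hash']};\n"
            f"\t\tauthentication_method pre_shared_key;\n\t\tdh_group {p['dh_group']};\n"
            f"\t}}\n\tnat_traversal on;\n}}\n"
            f"sainfo anonymous address {p['remote']} any {{\n"
            f"\tlifetime time {p['lifetime']} seconds;\n"
            f"\tencryption_algorithm {p['p2_enc']};\n"
            f"\tauthentication_algorithm {p['p2_auth']};\n}}\n")

def psk_line(p):
    """The one line /etc/racoon/psk.txt needs (keep the file mode 600, owned by root)."""
    return f"{p['gateway']} {p['psk']}\n"

def spd_lines(p, local_net, local_gw):
    """/etc/ipsec-tools.conf policies; local_net and local_gw are the Linux side."""
    tmpl = "spdadd {a} {b} any -P {d} ipsec esp/{m}/{x}-{y}/require;\n"
    return (tmpl.format(a=local_net, b=p["remote"], d="out", m=p["mode"], x=local_gw, y=p["gateway"])
            + tmpl.format(a=p["remote"], b=local_net, d="in", m=p["mode"], x=p["gateway"], y=local_gw))

def weak_algorithms(p):
    """Obsolete algorithms the profile forces on us; fix them on the Zywall if you can."""
    found = [a for a in (p["p1_enc"], p["p1_hash"], p["p2_enc"], p["p2_auth"]) if a in WEAK]
    if p["dh_group"] <= 2:
        found.append(f"dh_group {p['dh_group']}")
    return found
```

Call parse_tbp on the profile text, then racoon_conf, psk_line and spd_lines on the result; the local subnet and gateway address passed to spd_lines are the Linux host's own, which the profile does not contain. weak_algorithms returns des, md5, des and dh_group 1 for this profile, which is the honest summary of what the example tunnel protects with.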
Enable configuration
Either use the following commands (note the path: the policy file is /etc/ipsec-tools.conf)
setkey -f /etc/ipsec-tools.conf
racoonctl reload-config
or restart the services
/etc/init.d/setkey restart
/etc/init.d/racoon restart
Bring up the tunnel
racoonctl vpn-connect <IPsecGatewayAddress>
Confirm connection
# ping -c 3 <IPsecGatewayAddress>
PING <IPsecGatewayAddress> (<IPsecGatewayAddress>) 56(84) bytes of data.
64 bytes from <IPsecGatewayAddress>: icmp_req=1 ttl=127 time=49.7 ms
64 bytes from <IPsecGatewayAddress>: icmp_req=2 ttl=127 time=50.5 ms
64 bytes from <IPsecGatewayAddress>: icmp_req=3 ttl=127 time=50.5 ms

--- <IPsecGatewayAddress> ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 49.734/50.297/50.583/0.398 ms
Unless <RemoteTargetIP> is the gateway itself, a reply from the gateway's public address is not proof of a working tunnel: it answers with or without IPsec. Only traffic matching the spdadd entries is sent through ESP, so ping <RemoteTargetIP> and check that the byte counter of the outbound SA in setkey -D grows with every packet.
Troubleshooting
Check if Phase 1 is up and running with racoonctl show-sa isakmp
# racoonctl show-sa isakmp
Destination Cookies Created
<IPsecGatewayAddress>.500 177d11554e3e18aa:276cab39052f7850 2012-06-05 16:47:11
Check if Phase 2 is up and running with racoonctl show-sa esp or setkey -DH. There should be one ESP SA per direction, both in state=mature. Note that the E: and A: lines are the live encryption and authentication keys of each SA, so redact them before pasting a dump into a ticket or a mailing list.
# setkey -DH
00000000: 02 0a 00 00 02 00 00 00 00 00 00 00 58 15 00 00
<LocalGateway> <IPsecGatewayAddress>
	esp mode=tunnel spi=1540133473(0x5bcc9261) reqid=0(0x00000000)
	E: des-cbc  4180bb88 26dcf85d
	A: hmac-sha1  247c6472 bd5431f1 2d2e9c46 b567e6e4 a38cd518
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Jun  5 19:19:03 2012	current: Jun  5 19:22:54 2012
	diff: 231(s)	hard: 3600(s)	soft: 2880(s)
	last: Jun  5 19:19:04 2012	hard: 0(s)	soft: 0(s)
	current: 420(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 5	hard: 0	soft: 0
	sadb_seq=1 pid=5464 refcnt=0
<IPsecGatewayAddress> <LocalGateway>
	esp mode=tunnel spi=98033518(0x05d7df6e) reqid=0(0x00000000)
	E: des-cbc  664ce469 ae2ff311
	A: hmac-sha1  66b6c9f2 73c61747 23ca88d4 f2bd61a5 d2c89381
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Jun  5 19:19:03 2012	current: Jun  5 19:22:54 2012
	diff: 231(s)	hard: 3600(s)	soft: 2880(s)
	last: Jun  5 19:19:04 2012	hard: 0(s)	soft: 0(s)
	current: 420(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 5	hard: 0	soft: 0
	sadb_seq=0 pid=5464 refcnt=0
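Reading that dump by eye is error-prone, particularly when both directions have to be checked. The following Python is an added example, not part of ipsec-tools or of the original page: it parses setkey -D output (the dump above, with the placeholders replaced by the documentation addresses 10.0.0.5 for the Linux host and 203.0.113.1 for the Zywall, and tabs turned into spaces) and reports what the troubleshooting steps look for, namely an ESP tunnel SA in each direction, state mature, lifetime not exhausted, bytes flowing on the outbound SA and no weak algorithm. It also strips the keys, since the E: and A: lines are the live ESP session keys.

```python
# Added example, not from the page or ipsec-tools: parse "setkey -D" output and
# check the tunnel the way the troubleshooting steps above do by eye.  SAMPLE_DUMP
# is the dump shown above with the placeholders replaced by RFC 5737 addresses
# (10.0.0.5 as the Linux host, 203.0.113.1 as the Zywall); tabs became spaces.
import re

SAMPLE_DUMP = """\
00000000: 02 0a 00 00 02 00 00 00 00 00 00 00 58 15 00 00
10.0.0.5 203.0.113.1
        esp mode=tunnel spi=1540133473(0x5bcc9261) reqid=0(0x00000000)
        E: des-cbc  4180bb88 26dcf85d
        A: hmac-sha1  247c6472 bd5431f1 2d2e9c46 b567e6e4 a38cd518
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun  5 19:19:03 2012   current: Jun  5 19:22:54 2012
        diff: 231(s)    hard: 3600(s)   soft: 2880(s)
        last: Jun  5 19:19:04 2012      hard: 0(s)      soft: 0(s)
        current: 420(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 0 soft: 0
        sadb_seq=1 pid=5464 refcnt=0
203.0.113.1 10.0.0.5
        esp mode=tunnel spi=98033518(0x05d7df6e) reqid=0(0x00000000)
        E: des-cbc  664ce469 ae2ff311
        A: hmac-sha1  66b6c9f2 73c61747 23ca88d4 f2bd61a5 d2c89381
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun  5 19:19:03 2012   current: Jun  5 19:22:54 2012
        diff: 231(s)    hard: 3600(s)   soft: 2880(s)
        last: Jun  5 19:19:04 2012      hard: 0(s)      soft: 0(s)
        current: 420(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 0 soft: 0
        sadb_seq=0 pid=5464 refcnt=0
"""

WEAK = {"des-cbc", "hmac-md5", "null"}   # algorithm names as setkey prints them

def parse_setkey_dump(text):
    """Return one dict per SA: src, dst, mode, spi, state, enc, auth, age, hard, bytes."""
    sas, sa = [], None
    for line in text.splitlines():
        if not line.strip() or re.match(r"[0-9a-f]{8}:", line):   # skip -H hexdump lines
            continue
        if not line[0].isspace():                                 # "<src> <dst>" starts an SA
            sa = dict(zip(("src", "dst"), line.split()))
            sas.append(sa)
            continue
        if sa is None:
            continue
        s = line.strip()
        if s[:2] in ("E:", "A:"):                                 # "E: des-cbc <key hex>"
            sa["enc" if s[0] == "E" else "auth"] = s.split()[1]
            continue
        sa.update(re.findall(r"(\w+)=([^\s(]+)", s))              # mode=, spi=, state=, ...
        if m := re.search(r"diff: (\d+)\(s\)\s+hard: (\d+)\(s\)", s):
            sa["age"], sa["hard"] = int(m[1]), int(m[2])
        if m := re.search(r"current: (\d+)\(bytes\)", s):
            sa["bytes"] = int(m[1])
    return sas

def check_tunnel(sas, local_gw, gateway):
    """Problems a practitioner looks for: both directions present, mature, not past
    the hard lifetime, actually carrying traffic, and not on a weak algorithm."""
    problems = []
    for src, dst, name in ((local_gw, gateway, "outbound"), (gateway, local_gw, "inbound")):
        found = [s for s in sas if (s["src"], s["dst"], s.get("mode")) == (src, dst, "tunnel")]
        if not found:
            problems.append(f"no {name} ESP tunnel SA {src} -> {dst}")
        for sa in found:
            if sa.get("state") != "mature":
                problems.append(f"{name} SA spi={sa.get('spi')} is {sa.get('state')}, not mature")
            if sa.get("hard") and sa.get("age", 0) >= sa["hard"]:
                problems.append(f"{name} SA spi={sa.get('spi')} is past its hard lifetime")
            if sa.get("enc") in WEAK or sa.get("auth") in WEAK:
                problems.append(f"{name} SA uses weak algorithm {sa.get('enc')}/{sa.get('auth')}")
            if name == "outbound" and sa.get("bytes", 0) == 0:
                problems.append("outbound SA has carried no bytes: traffic is not matching the SPD")
    return problems

def redact_keys(text):
    """setkey -D prints the live ESP keys on the E:/A: lines; strip them before sharing a dump."""
    return re.sub(r"^([ \t]+[EA]: \S+)[ \t]+[0-9a-f ]+$", r"\1 <key redacted>", text, flags=re.M)
```

Feed it the output of setkey -D (the hexdump line of -DH is skipped) together with the two gateway addresses from ipsec-tools.conf; for the dump above the only findings are the two DES SAs, which is exactly what the Zywall rule demanded. A missing direction or an SA stuck in a state other than mature points at the SPD or at a phase 2 mismatch with the Zywall rule.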
Enable debugging in the racoon.conf configuration file and watch the syslog output under /var/log/{syslog,messages} for errors. Set it back to log notify once the problem is found, as debug2 dumps every IKE exchange in detail.
log debug2;