Difference between revisions of "VPN/Racoon as IPsec client for Zywall"
Revision as of 14:44, 5 June 2012
Zywall comes with a Windows IPsec client sporting a nice interface and many great features. I wanted to see whether I could use any of the IPsec implementations on Linux to connect to a Zywall for which I had all the credentials and configuration parameters.
Prerequisites
- A Zywall router
- A configured Windows Zywall IPsec client or the *.tbp configuration file
- An operating system with the Racoon IPsec implementation.
Windows client configuration
This is just to show the configuration on the Windows host that was used to create the configuration on Linux.
Linux client configuration
This example is based on the Debian / Ubuntu layout.
Software install
The first step is to install racoon and ipsec-tools:
sudo apt-get install racoon ipsec-tools
Racoon config
For this example a pre-shared key (PSK) is used. Hence we have to edit both the /etc/racoon/racoon.conf and the /etc/racoon/psk.txt files.
racoon.conf
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote <IPsecGatewayAddress> {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
    }
    generate_policy on;
    nat_traversal on;
}
sainfo anonymous address <TargetIP> any {
    #pfs_group none;
    lifetime time 3600 seconds;
    encryption_algorithm des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
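As an added example, not part of the original page, the following Python checker reads the phase-1 proposal and phase-2 sainfo settings from a constructed copy of the racoon.conf above and flags the legacy choices in it (DES, MD5, DH group 1 and aggressive mode), next to an assumed hardened proposal that passes the same check. The hardened values (AES, SHA-256, DH/PFS group 14, main mode) are assumptions, and the Zywall's own proposal must be changed to match them before the tunnel will negotiate.

```python
import re
# Constructed sample of the page's racoon.conf phase 1 and phase 2 (placeholder addresses).
PAGE_CONF = """
remote 192.0.2.1 {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        dh_group 1;
    }
}
sainfo anonymous address 10.0.0.0/24 any {
    encryption_algorithm des;
}
"""
# Assumed hardened counterpart; the Zywall's own proposal has to be changed to match it.
HARDENED_CONF = """
remote 192.0.2.1 {
    exchange_mode main;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        dh_group 14;
    }
}
sainfo anonymous address 10.0.0.0/24 any {
    pfs_group 14;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha256;
}
"""
# Reject DES/3DES and MD5 (broken or deprecated), DH groups 1 and 2 (768/1024-bit MODP),
# and aggressive mode, which sends the PSK-derived hash before encryption starts.
WEAK = {
    "encryption_algorithm": {"des", "3des"},
    "hash_algorithm": {"md5"},
    "dh_group": {"1", "2"},
    "pfs_group": {"1", "2"},
    "exchange_mode": {"aggressive"},
}
DIRECTIVE = re.compile(r"^\s*(\w+)\s+([^;#\n]+);", re.MULTILINE)  # one 'key value;' per line

def find_weak_settings(conf: str) -> list[tuple[str, str]]:
    """Return (directive, value) pairs, in file order, whose value is listed in WEAK."""
    findings = []
    for directive, value in DIRECTIVE.findall(conf):
        for item in value.replace(",", " ").split():  # "main,aggressive" lists both modes
            if item in WEAK.get(directive, ()):
                findings.append((directive, item))
    return findings
```

Lines commented out with '#' (such as the page's #pfs_group none;) are never matched, so the check reports only settings racoon would actually use.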
psk.txt
# IPv4/v6 addresses
10.160.94.3 mekmitasdigoat
172.16.1.133 0x12345678
194.100.55.1 whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
foo@kame.net mekmitasdigoat
# FQDN
foo.kame.net hoge
#
<IPsecGatewayAddress> <PreSharedKey>
SA configuration
Once this has been completed, there are a few files that need to be configured, namely /etc/ipsec-tools.conf,