Difference between revisions of "VPN/Racoon as IPsec client for Zywall"
Jump to navigation
Jump to search
| Line 107: | Line 107: | ||
# setkey -DH |
# setkey -DH |
||
00000000: 02 0a 00 00 02 00 00 00 00 00 00 00 58 15 00 00 |
00000000: 02 0a 00 00 02 00 00 00 00 00 00 00 58 15 00 00 |
||
<span class="highlight">< |
<span class="highlight"><LocalGateway></span> <span class="highlight"><IPsecGatewayAddress></span> |
||
esp mode=tunnel spi=1540133473(0x5bcc9261) reqid=0(0x00000000) |
esp mode=tunnel spi=1540133473(0x5bcc9261) reqid=0(0x00000000) |
||
E: des-cbc 4180bb88 26dcf85d |
E: des-cbc 4180bb88 26dcf85d |
||
| Line 118: | Line 118: | ||
allocated: 5 hard: 0 soft: 0 |
allocated: 5 hard: 0 soft: 0 |
||
sadb_seq=1 pid=5464 refcnt=0 |
sadb_seq=1 pid=5464 refcnt=0 |
||
<span class="highlight"><IPsecGatewayAddress> <span class="highlight">< |
<span class="highlight"><IPsecGatewayAddress></span> <span class="highlight"><LocalGateway></span> |
||
esp mode=tunnel spi=98033518(0x05d7df6e) reqid=0(0x00000000) |
esp mode=tunnel spi=98033518(0x05d7df6e) reqid=0(0x00000000) |
||
E: des-cbc 664ce469 ae2ff311 |
E: des-cbc 664ce469 ae2ff311 |
||
| Line 130: | Line 130: | ||
sadb_seq=0 pid=5464 refcnt=0 |
sadb_seq=0 pid=5464 refcnt=0 |
||
Enable debugging in the <tt>racoon.conf</tt> configuration file and watch the syslog output under <tt>/var/log/{syslog,messages}</tt> for errors. |
|||
log <span class="input">debug2</span>; |
|||
[[Category:IPsec]] |
[[Category:IPsec]] |
||
Revision as of 17:50, 5 June 2012
Zywall comes with a Windows IPSEC client sporting a nice interface and many great features. I wanted to see if I can use any of the IP implementations on Linux to connect to a Zywall I had all the credentials and configuration parameters.
Prerequisites
- A Zywall router
- A configured Windows Zywall IPsec client or the *.tbp configuration file
- An operating system with the Racoon IPsec implementation.
Windows client configuration
This is just to show the configuraion on the Windows host that was used to create the configuration on Linux.
Linux client configuration
This is example is based on the Debian / Ubuntu layout.
Software install
First step is to install racoon and ipsec-tools
sudo apt-get install racoon ipsec-tools
Racoon config
For this example a pre-shared-key (PSK) is used. Hence we have to edit both the /etc/racoon/racoon.conf and the /etc/racoon/psk.txt files.
racoon.conf
# # # Also read the Linux IPSEC Howto up at # http://www.ipsec-howto.org/t1.html # log notify; path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; remote <IPsecGatewayAddress> { exchange_mode main,aggressive; proposal { encryption_algorithm des; hash_algorithm md5; authentication_method pre_shared_key; dh_group 1; } generate_policy on; nat_traversal on; } sainfo anonymous address <RemoteTargetIP> any { #pfs_group none; lifetime time 3600 seconds; encryption_algorithm des; authentication_algorithm hmac_sha1; compression_algorithm deflate; }
psk.txt
# IPv4/v6 addresses
10.160.94.3 mekmitasdigoat
172.16.1.133 0x12345678
194.100.55.1 whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
foo@kame.net mekmitasdigoat
# FQDN
foo.kame.net hoge
#
<IPsecGatewayAddress> <PreSharedKey>
SA configuration
Once the racoon files are in place the SA needs to be set via the /etc/ipsec-tools.conf file.
#!/usr/sbin/setkey -f flush; spdflush; spdadd <LocalIPorSubnet> <RemoteTargetIP> any -P out ipsec esp/tunnel/<LocalGateway>-<IPsecGatewayAddress>/require; spdadd <RemoteTargetIP> <LocalIPorSubnet> any -P in ipsec esp/tunnel/<IPsecGatewayAddress>-<LocalGateway>/require;
Enable configuration
Either use the following commands
setkey -f /etc/ipsec-conf.txt racoonctl reload-config
or restart the services
/etc/init.d/setkey restart /etc/init.d/racoon restart
Bring up the tunnel
racoonctl vpn-connect <IPsecGatewayAddress>
Confirm connection
# ping -c 3 <IPsecGatewayAddress> PING <IPsecGatewayAddress> (<IPsecGatewayAddress>) 56(84) bytes of data. 64 bytes from <IPsecGatewayAddress>: icmp_req=1 ttl=127 time=49.7 ms 64 bytes from <IPsecGatewayAddress>: icmp_req=2 ttl=127 time=50.5 ms 64 bytes from <IPsecGatewayAddress>: icmp_req=3 ttl=127 time=50.5 ms --- <IPsecGatewayAddress> ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 49.734/50.297/50.583/0.398 ms
Troubleshooting
Check if Phase 1 is up and running with racoonctl show-sa isakmp
# racoonctl show-sa isakmp
Destination Cookies Created
<IPsecGatewayAddress>.500 177d11554e3e18aa:276cab39052f7850 2012-06-05 16:47:11
Check if Phase 2 is up and running with racoonctl show-sa esp or setkey -DH
# setkey -DH 00000000: 02 0a 00 00 02 00 00 00 00 00 00 00 58 15 00 00 <LocalGateway> <IPsecGatewayAddress> esp mode=tunnel spi=1540133473(0x5bcc9261) reqid=0(0x00000000) E: des-cbc 4180bb88 26dcf85d A: hmac-sha1 247c6472 bd5431f1 2d2e9c46 b567e6e4 a38cd518 seq=0x00000000 replay=4 flags=0x00000000 state=mature created: Jun 5 19:19:03 2012 current: Jun 5 19:22:54 2012 diff: 231(s) hard: 3600(s) soft: 2880(s) last: Jun 5 19:19:04 2012 hard: 0(s) soft: 0(s) current: 420(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 5 hard: 0 soft: 0 sadb_seq=1 pid=5464 refcnt=0 <IPsecGatewayAddress> <LocalGateway> esp mode=tunnel spi=98033518(0x05d7df6e) reqid=0(0x00000000) E: des-cbc 664ce469 ae2ff311 A: hmac-sha1 66b6c9f2 73c61747 23ca88d4 f2bd61a5 d2c89381 seq=0x00000000 replay=4 flags=0x00000000 state=mature created: Jun 5 19:19:03 2012 current: Jun 5 19:22:54 2012 diff: 231(s) hard: 3600(s) soft: 2880(s) last: Jun 5 19:19:04 2012 hard: 0(s) soft: 0(s) current: 420(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 5 hard: 0 soft: 0 sadb_seq=0 pid=5464 refcnt=0
Enable debugging in the racoon.conf configuration file and watch the syslog output under /var/log/{syslog,messages} for errors.
log debug2;