Difference between revisions of "VPN/Racoon as IPsec client for Zywall"

From braindump
Jump to navigation Jump to search
Line 8: Line 8:


== Windows client configuration ==
== Windows client configuration ==
This is just to show the configuraion on the Windows host that was used to create the configuration on Linux.
This is just to show the configuraion on the Windows host that was used to create the configuration on Linux. The below exerpt is a configuration file (<tt><span class="input"><ConnectionName></span>.tgb</tt>) produced by <tt>vpnconf.exe</tt> which is part of the Zywall IPsec Client.


# Do not edit this file. It is overwritten by VpnConf.
# Do not edit this file. It is overwritten by VpnConf.

Revision as of 20:16, 5 June 2012

Zywall comes with a Windows IPSEC client sporting a nice interface and many great features. I wanted to see if I can use any of the IP implementations on Linux to connect to a Zywall I had all the credentials and configuration parameters.

Prerequisites

  • A Zywall router
  • A configured Windows Zywall IPsec client or the *.tbp configuration file
  • An operating system with the Racoon IPsec implementation.

Windows client configuration

This is just to show the configuraion on the Windows host that was used to create the configuration on Linux. The below exerpt is a configuration file (<ConnectionName>.tgb) produced by vpnconf.exe which is part of the Zywall IPsec Client.

# Do not edit this file. It is overwritten by VpnConf.
# SIGNATURE MD5 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Creation Date : 2008-05-13 at 09:50:11
# Written by VpnConf 4.10
#

[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15

[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800

# ==================== PHASES 1 ====================

[Phase 1]
<IPsecGatewayAddress> = <ConnectionName>-P1

[<ConnectionName>-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = DES-MD5-GRP1

[<ConnectionName>-P1]
Phase = 1
Address = <IPsecGatewayAddress>
Transport = udp
Configuration = <IPsecGatewayAddress>-main-mode
Authentication = "<PreSharedKey>"

# ==================== PHASES 2 ====================

[Phase 2]
Manual-connections = <ConnectionName>-<TunnelName>-P2

[<ConnectionName>-<TunnelName>-P2]
Phase = 2
ISAKMP-peer = <ConnectionName>-P1
Remote-ID = <TunnelName>-remote-addr
Configuration = <TunnelName>-quick-mode
AutoStart = 0
USBStart = 0

# ==================== Ipsec ID ====================

[<TunnelName>-remote-addr]
ID-type = IPV4_ADDR
Address = <RemoteTargetIP>

# ==================== TRANSFORMS ====================

[<TunnelName>-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = <TunnelName>-quick-mode-suite

[<TunnelName>-quick-mode-suite]
Protocols = TGBQM-ESP-DES-SHA-TUN

[TGBQM-ESP-DES-SHA-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-DES-SHA-TUN-XF

[TGBQM-ESP-DES-SHA-TUN-XF]
TRANSFORM_ID = DES
AUTHENTICATION_ALGORITHM = HMAC_SHA
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime

# ==================== CERTIFICATES ====================

Linux client configuration

This is example is based on the Debian / Ubuntu layout.

Software install

First step is to install racoon and ipsec-tools

sudo apt-get install racoon ipsec-tools

Racoon config

For this example a pre-shared-key (PSK) is used. Hence we have to edit both the /etc/racoon/racoon.conf and the /etc/racoon/psk.txt files.

racoon.conf

#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote <IPsecGatewayAddress> {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
        generate_policy on;
        nat_traversal on;
}

sainfo anonymous address <RemoteTargetIP> any {
        #pfs_group none;
        lifetime time 3600 seconds;
        encryption_algorithm des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

psk.txt

# IPv4/v6 addresses
10.160.94.3     mekmitasdigoat
172.16.1.133    0x12345678
194.100.55.1    whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa    mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa    mekmitasdigoat
# USER_FQDN
foo@kame.net    mekmitasdigoat
# FQDN
foo.kame.net    hoge
#
<IPsecGatewayAddress>     <PreSharedKey>

SA configuration

Once the racoon files are in place the SA needs to be set via the /etc/ipsec-tools.conf file.

#!/usr/sbin/setkey -f

flush;
spdflush;
spdadd <LocalIPorSubnet> <RemoteTargetIP> any -P out ipsec
    esp/tunnel/<LocalGateway>-<IPsecGatewayAddress>/require;
spdadd <RemoteTargetIP> <LocalIPorSubnet> any -P in ipsec
    esp/tunnel/<IPsecGatewayAddress>-<LocalGateway>/require;

Enable configuration

Either use the following commands

setkey -f /etc/ipsec-conf.txt
racoonctl reload-config 

or restart the services

/etc/init.d/setkey restart
/etc/init.d/racoon restart

Bring up the tunnel

racoonctl vpn-connect <IPsecGatewayAddress>

Confirm connection

# ping -c 3 <IPsecGatewayAddress>
PING <IPsecGatewayAddress> (<IPsecGatewayAddress>) 56(84) bytes of data.
64 bytes from <IPsecGatewayAddress>: icmp_req=1 ttl=127 time=49.7 ms
64 bytes from <IPsecGatewayAddress>: icmp_req=2 ttl=127 time=50.5 ms
64 bytes from <IPsecGatewayAddress>: icmp_req=3 ttl=127 time=50.5 ms

--- <IPsecGatewayAddress> ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 49.734/50.297/50.583/0.398 ms

Troubleshooting

Check if Phase 1 is up and running with racoonctl show-sa isakmp

# racoonctl show-sa isakmp
Destination                      Cookies                           Created
<IPsecGatewayAddress>.500        177d11554e3e18aa:276cab39052f7850 2012-06-05 16:47:11

Check if Phase 2 is up and running with racoonctl show-sa esp or setkey -DH

# setkey -DH
00000000: 02 0a 00 00 02 00 00 00 00 00 00 00 58 15 00 00
<LocalGateway> <IPsecGatewayAddress>
        esp mode=tunnel spi=1540133473(0x5bcc9261) reqid=0(0x00000000)
        E: des-cbc  4180bb88 26dcf85d
        A: hmac-sha1  247c6472 bd5431f1 2d2e9c46 b567e6e4 a38cd518
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun  5 19:19:03 2012   current: Jun  5 19:22:54 2012
        diff: 231(s)    hard: 3600(s)   soft: 2880(s)
        last: Jun  5 19:19:04 2012      hard: 0(s)      soft: 0(s)
        current: 420(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 0 soft: 0
        sadb_seq=1 pid=5464 refcnt=0
<IPsecGatewayAddress> <LocalGateway>
        esp mode=tunnel spi=98033518(0x05d7df6e) reqid=0(0x00000000)
        E: des-cbc  664ce469 ae2ff311
        A: hmac-sha1  66b6c9f2 73c61747 23ca88d4 f2bd61a5 d2c89381
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun  5 19:19:03 2012   current: Jun  5 19:22:54 2012
        diff: 231(s)    hard: 3600(s)   soft: 2880(s)
        last: Jun  5 19:19:04 2012      hard: 0(s)      soft: 0(s)
        current: 420(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 0 soft: 0
        sadb_seq=0 pid=5464 refcnt=0

Enable debugging in the racoon.conf configuration file and watch the syslog output under /var/log/{syslog,messages} for errors.

log debug2;