Racoon as IPsec client for Zywall

From braindump
Jump to navigation Jump to search

Zywall comes with a Windows IPSEC client sporting a nice interface and many great features. I wanted to see if I can use any of the IP implementations on Linux to connect to a Zywall I had all the credentials and configuration parameters.

Prerequisites

  • A Zywall router
  • A configured Windows Zywall IPsec client or the *.tbp configuration file
  • An operating system with the Racoon IPsec implementation.

Windows client configuration

This is just to show the configuraion on the Windows host that was used to create the configuration on Linux.

Linux client configuration

This is example is based on the Debian / Ubuntu layout.

Software install

First step is to install racoon and ipsec-tools

sudo apt-get install racoon ipsec-tools

Racoon config

For this example a pre-shared-key (PSK) is used. Hence we have to edit both the /etc/racoon/racoon.conf and the /etc/racoon/psk.txt files.

racoon.conf

#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote <IPsecGatewayAddress> {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
        generate_policy on;
        nat_traversal on;
}

sainfo anonymous address <RemoteTargetIP> any {
        #pfs_group none;
        lifetime time 3600 seconds;
        encryption_algorithm des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

psk.txt

# IPv4/v6 addresses
10.160.94.3     mekmitasdigoat
172.16.1.133    0x12345678
194.100.55.1    whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa    mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa    mekmitasdigoat
# USER_FQDN
foo@kame.net    mekmitasdigoat
# FQDN
foo.kame.net    hoge
#
<IPsecGatewayAddress>     <PreSharedKey>


SA configuration

Once the racoon files are in place the SA needs to be set via the /etc/ipsec-tools.conf file.

#!/usr/sbin/setkey -f

flush;
spdflush;
spdadd <LocalIPorSubnet> <RemoteTargetIP> any -P out ipsec
    esp/tunnel/<LocalGateway>-<IPsecGatewayIP>/require;
spdadd <RemoteTargetIP> <LocalIPorSubnet> any -P in ipsec
    esp/tunnel/<IPsecGatewayIP>-<LocalGateway>/require;