Racoon as IPsec client for Zywall

From braindump
Jump to navigation Jump to search

Zywall comes with a Windows IPSEC client sporting a nice interface and many great features. I wanted to see if I can use any of the IP implementations on Linux to connect to a Zywall I had all the credentials and configuration parameters.

Prerequisites

  • A Zywall router
  • A configured Windows Zywall IPsec client or the *.tbp configuration file
  • An operating system with the Racoon IPsec implementation.

Windows client configuration

This is just to show the configuraion on the Windows host that was used to create the configuration on Linux.

# Do not edit this file. It is overwritten by VpnConf.
# SIGNATURE MD5 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Creation Date : 2008-05-13 at 09:50:11
# Written by VpnConf 4.10
#

[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15

[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800

# ==================== PHASES 1 ====================

[Phase 1]
<IPsecGatewayAddress> = <ConnectionName>-P1

[<ConnectionName>-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = DES-MD5-GRP1

[<ConnectionName>-P1]
Phase = 1
Address = <IPsecGatewayAddress>
Transport = udp
Configuration = <IPsecGatewayAddress>-main-mode
Authentication = "<PreSharedKey>"

# ==================== PHASES 2 ====================

[Phase 2]
Manual-connections = <ConnectionName>-<TunnelName>-P2

[<ConnectionName>-<TunnelName>-P2]
Phase = 2
ISAKMP-peer = <ConnectionName>-P1
Remote-ID = <TunnelName>-remote-addr
Configuration = <TunnelName>-quick-mode
AutoStart = 0
USBStart = 0

# ==================== Ipsec ID ====================

[<TunnelName>-remote-addr]
ID-type = IPV4_ADDR
Address = <RemoteTargetIP>

# ==================== TRANSFORMS ====================

[<TunnelName>-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = <TunnelName>-quick-mode-suite

[<TunnelName>-quick-mode-suite]
Protocols = TGBQM-ESP-DES-SHA-TUN

[TGBQM-ESP-DES-SHA-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-DES-SHA-TUN-XF

[TGBQM-ESP-DES-SHA-TUN-XF]
TRANSFORM_ID = DES
AUTHENTICATION_ALGORITHM = HMAC_SHA
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime

# ==================== CERTIFICATES ====================

Linux client configuration

This is example is based on the Debian / Ubuntu layout.

Software install

First step is to install racoon and ipsec-tools

sudo apt-get install racoon ipsec-tools

Racoon config

For this example a pre-shared-key (PSK) is used. Hence we have to edit both the /etc/racoon/racoon.conf and the /etc/racoon/psk.txt files.

racoon.conf

#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote <IPsecGatewayAddress> {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
        generate_policy on;
        nat_traversal on;
}

sainfo anonymous address <RemoteTargetIP> any {
        #pfs_group none;
        lifetime time 3600 seconds;
        encryption_algorithm des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

psk.txt

# IPv4/v6 addresses
10.160.94.3     mekmitasdigoat
172.16.1.133    0x12345678
194.100.55.1    whatcertificatereally
3ffe:501:410:ffff:200:86ff:fe05:80fa    mekmitasdigoat
3ffe:501:410:ffff:210:4bff:fea2:8baa    mekmitasdigoat
# USER_FQDN
foo@kame.net    mekmitasdigoat
# FQDN
foo.kame.net    hoge
#
<IPsecGatewayAddress>     <PreSharedKey>

SA configuration

Once the racoon files are in place the SA needs to be set via the /etc/ipsec-tools.conf file.

#!/usr/sbin/setkey -f

flush;
spdflush;
spdadd <LocalIPorSubnet> <RemoteTargetIP> any -P out ipsec
    esp/tunnel/<LocalGateway>-<IPsecGatewayAddress>/require;
spdadd <RemoteTargetIP> <LocalIPorSubnet> any -P in ipsec
    esp/tunnel/<IPsecGatewayAddress>-<LocalGateway>/require;

Enable configuration

Either use the following commands

setkey -f /etc/ipsec-conf.txt
racoonctl reload-config 

or restart the services

/etc/init.d/setkey restart
/etc/init.d/racoon restart

Bring up the tunnel

racoonctl vpn-connect <IPsecGatewayAddress>

Confirm connection

# ping -c 3 <IPsecGatewayAddress>
PING <IPsecGatewayAddress> (<IPsecGatewayAddress>) 56(84) bytes of data.
64 bytes from <IPsecGatewayAddress>: icmp_req=1 ttl=127 time=49.7 ms
64 bytes from <IPsecGatewayAddress>: icmp_req=2 ttl=127 time=50.5 ms
64 bytes from <IPsecGatewayAddress>: icmp_req=3 ttl=127 time=50.5 ms

--- <IPsecGatewayAddress> ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 49.734/50.297/50.583/0.398 ms

Troubleshooting

Check if Phase 1 is up and running with racoonctl show-sa isakmp

# racoonctl show-sa isakmp
Destination                      Cookies                           Created
<IPsecGatewayAddress>.500        177d11554e3e18aa:276cab39052f7850 2012-06-05 16:47:11

Check if Phase 2 is up and running with racoonctl show-sa esp or setkey -DH

# setkey -DH
00000000: 02 0a 00 00 02 00 00 00 00 00 00 00 58 15 00 00
<LocalGateway> <IPsecGatewayAddress>
        esp mode=tunnel spi=1540133473(0x5bcc9261) reqid=0(0x00000000)
        E: des-cbc  4180bb88 26dcf85d
        A: hmac-sha1  247c6472 bd5431f1 2d2e9c46 b567e6e4 a38cd518
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun  5 19:19:03 2012   current: Jun  5 19:22:54 2012
        diff: 231(s)    hard: 3600(s)   soft: 2880(s)
        last: Jun  5 19:19:04 2012      hard: 0(s)      soft: 0(s)
        current: 420(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 0 soft: 0
        sadb_seq=1 pid=5464 refcnt=0
<IPsecGatewayAddress> <LocalGateway>
        esp mode=tunnel spi=98033518(0x05d7df6e) reqid=0(0x00000000)
        E: des-cbc  664ce469 ae2ff311
        A: hmac-sha1  66b6c9f2 73c61747 23ca88d4 f2bd61a5 d2c89381
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jun  5 19:19:03 2012   current: Jun  5 19:22:54 2012
        diff: 231(s)    hard: 3600(s)   soft: 2880(s)
        last: Jun  5 19:19:04 2012      hard: 0(s)      soft: 0(s)
        current: 420(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 0 soft: 0
        sadb_seq=0 pid=5464 refcnt=0

Enable debugging in the racoon.conf configuration file and watch the syslog output under /var/log/{syslog,messages} for errors.

log debug2;