[Openswan Users] Fedora Core2, Openswan 2.2.x, VPN & NAT-T

Roberto Fichera kernel at tekno-soft.it
Fri Nov 5 20:44:34 CET 2004


At 20.11 05/11/2004, you wrote:

>Please search through the archives; last year I've investigated problems I had
>with Zyxel equipment. Their implementation has some quirks.
>
>1st, The longest time you can setup is 3600 seconds.

On my first (see below) Z652R11 test I use:

Phase1 SA Life Time: 3600 (3DES/MD5/KG DH2)
Phase2 SA Life Time: 9600 (3DES/MD5/PFS DH2)

without any problem for ~1.5 years without hand-resetting the tunnels :-)!

>2nd, They assume the Phase1 & Phase2 SAs only occur together, e.g.
>  when the Zyxel drops a connection, Zyxel will correctly tell the remote
>  to drop the Phase1 SA, but then WON'T drop the Phase2 SA.
>  The Zyxel will drop the Phase2 SA exactly 60 seconds after the Phase1.
>
>Still having a Phase2 SA, Openswan/FreeS/WAN will continue to transmit data,
>but alas no more tunnel. (DPD might resolve this; I have not tested that,
>then there was no DPD available, and now that Zyxel is in production I
>can't experiment anymore.) The previous post describes exactly what I did.

Yes! I know! If you remember ;-) we exchanged some emails some months ago about it.
Currently I'm experiencing the problem that you describe, but always with the
recent Z652R11 that has ZyNOS F/W Version: V3.40(FN.7) | 6/18/2003 and
DSL FW Version: Alcatel, Version 3.9.122, working with Linux RH9 + patches +
FreeS/WAN 2.06. On this machine I've 15 tunnels with the Z652R11, and every day I
have to hand-reset some tunnels. I also have another Z652R11 with ZyNOS F/W Version:
V3.40(FN.6) | 3/31/2003, DSL FW Version: Alcatel, Version 3.9.122, working with
Linux RH7.1 + patches + Kernel 2.4.19 + Linux FreeS/WAN U1.96/K2.00 that doesn't
show the problem. I never had to hand-reset this tunnel in ~1.5 years :-)!
I hope to resolve the dead tunnels with Openswan + DPD in order to avoid losing
time on hand resets :-)!

Do you have any suggestions about the configuration that I would like to
implement ;-)?


>Kind Regards,
>
>Nico Baggus..
>
>Oh, BTW, please ensure you have firmware from after May this year; older
>firmware has some additional problems when running more than 1 live tunnel
>from a Zyxel.
>
>
>
>On Friday 05 November 2004 18:54, Roberto Fichera wrote:
> > Hi All,
> >
> > I would like to configure a box with Fedora Core2 (kernel 2.6.8-1.521) +
> > Openswan 2.2.x
> > as a VPN gateway behind a Zyxel 652R-11 ADSL router, but I don't know
> > how to set up Openswan to make it work. What ipsec.conf do I have to write?
> > I guess that I have to use some NAT-T config. My configuration is the
> > following:
> >
> > Head Quarter:
> > FC2+OW22 (192.168.0.253) <--> Z652R11( LAN:192.168.0.254,
> > WAN:1StaticIP)  <--> Internet
> >
> > Office A:
> > Internet <--> Z652R11( WAN:1StaticIP, LAN:192.168.1.254) <--->
> > 192.168.1.0/24
> >
> > Office B:
> > Internet <--> Z652R11( WAN:1StaticIP, LAN:192.168.2.254) <--->
> > 192.168.2.0/24
> >
> > and so on ;-)!
> >
> > The Zyxel has the default NAT server set to 192.168.0.253 on the HQ side, so
> > every packet should be
> > redirected to the FC2 box, I hope ;-)!
> >
> > Thanks in advance.
> >
> > Roberto Fichera.
> >
> > _______________________________________________
> > Users mailing list
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users

Roberto Fichera. 
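The configuration Roberto asks for (an Openswan 2.2.x gateway on 192.168.0.253 behind the HQ Zyxel, NAT-T enabled, with DPD to recover from the Zyxel dropping the Phase 1 SA but keeping the Phase 2 SA), as an added example that is not part of the original thread or of the Openswan project's documentation. It takes the proposals and the 3600 s limit from the thread; the public addresses 203.0.113.1/2/3 are RFC 5737 documentation placeholders standing in for the three "1StaticIP" WAN addresses, and the connection names, the pre-shared-key choice and the DPD timers are my assumptions:

```ini
# /etc/ipsec.conf on the HQ gateway (FC2 box, 192.168.0.253)
# Added example, not from the original thread; assumptions are marked.
version 2.0

config setup
    interfaces=%defaultroute
    # Our own address is private; the office Zyxels see the HQ Zyxel WAN IP,
    # so NAT traversal is required. UDP/500 and UDP/4500 (and ESP, if a peer
    # does not encapsulate) must reach 192.168.0.253 via the Zyxel
    # default-server NAT rule mentioned in the thread.
    nat_traversal=yes
    klipsdebug=none
    plutodebug=none

conn %default
    authby=secret            # one PSK per peer in /etc/ipsec.secrets (assumption)
    keyingtries=%forever     # keep retrying so a torn-down tunnel comes back
    # Match the Zyxel proposals from the thread: 3DES/MD5, DH group 2, PFS on.
    ike=3des-md5-modp1024
    esp=3des-md5
    pfs=yes
    # Nico: the Zyxel accepts at most 3600 s. Keep Phase 1 and Phase 2 lifetimes
    # equal so both SAs expire together, which is what the Zyxel assumes.
    ikelifetime=3600s
    keylife=3600s
    # DPD (assumed timers): notice the Phase 1 SA the Zyxel silently dropped and
    # restart the whole connection instead of sending traffic into a Phase 2 SA
    # that no longer has a live peer behind it.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    # HQ side, identical for every office tunnel
    left=192.168.0.253
    leftnexthop=192.168.0.254
    leftsubnet=192.168.0.0/24
    leftid=203.0.113.1       # HQ Zyxel WAN IP (placeholder): the ID the peers expect,
                             # not the private address pluto would otherwise send

conn hq-officeA
    right=203.0.113.2        # Office A Zyxel WAN IP (placeholder)
    rightsubnet=192.168.1.0/24
    auto=start

conn hq-officeB
    right=203.0.113.3        # Office B Zyxel WAN IP (placeholder)
    rightsubnet=192.168.2.0/24
    auto=start
```

Two checks before trusting this: DPD is only negotiated when both ends advertise it, so if the Zyxel firmware does not send the DPD vendor ID, pluto never sends R-U-THERE and `dpdaction` never fires; the pluto log for the connection shows whether DPD was enabled. And because the HQ box sits behind NAT, the peers authenticate the ID it sends, not the source address they see, which is why `leftid` is pinned to the public address rather than left at the default of 192.168.0.253.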


