[Openswan Users] Openswan and Zyxel?

Roberto Fichera kernel at tekno-soft.it
Fri Feb 4 11:41:23 CET 2005


At 11.27 04/02/2005, Roberto Fichera wrote:
>At 10.09 04/02/2005, you wrote:
>
>>Hi,
>>
>>has anybody configured a Zyxel Prestige or Zywall with openswan?
>>And is it working?
>
>Yes, it works well :-)!
>
>
>>If so, please post the configs.
>
>This is my /etc/ipsec.conf:
>
># This file:  /usr/share/doc/openswan/ipsec.conf-sample
>#
># Manual:     ipsec.conf.5
>
>
>version 2.0     # conforms to second version of ipsec.conf specification
>
># basic configuration
>config setup
>         interfaces="ipsec0=eth0"
>         klipsdebug=none
>         plutodebug=none
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         # plutodebug="control parsing"
>
>conn %default
>         keyingtries=3
>         disablearrivalcheck=no
>         authby=secret
>
># Add connections here
>
>conn VPN1
>         left=XX.YY.11.141
>         leftsubnet=192.168.0.0/24
>         leftnexthop=XX.YY.11.137
>         right=ZZ.KK.11.131
>         rightsubnet=192.168.2.0/24
>         rightnexthop=ZZ.KK.11.129
>         pfs=yes
>         auto=start
>         keylife=9600s
>         keyingtries=0
>
>#Disable Opportunistic Encryption
>include /etc/ipsec.d/examples/no_oe.conf
>
>This is the /etc/ipsec.secrets:
>
>XX.YY.11.141 ZZ.KK.11.131 : PSK  "yourpresharedkey"
>
>: RSA   {
>         .........
>         ........
>         }
># do not change the indenting of that "}"
>
>
>The Zywall-10 configuration is the following:
>
>                             Menu 27.1.1 - IPSec Setup
>
>           Index #= 1        Name= VPN1
>           Active= Yes       Keep Alive= No
>           Local ID type= IP         Content= ZZ.KK.11.131
>           My IP Addr= 217.59.11.131
>           Peer ID type= IP          Content= XX.YY.11.141
>           Secure Gateway Addr= XX.YY.11.141
>           Protocol= 0
>           Local:  Addr Type= SUBNET
>               IP Addr Start= 192.168.2.0      End/Subnet Mask= 255.255.255.0
>                  Port Start= 0                End= N/A
>           Remote: Addr Type= SUBNET
>               IP Addr Start= 192.168.0.0      End/Subnet Mask= 255.255.255.0
>                  Port Start= 0                End= N/A
>           Enable Replay Detection= Yes
>           Key Management= IKE
>           Edit Key Management Setup= No
>
>                     Press ENTER to Confirm or ESC to Cancel:
>
>                             Menu 27.1.1.1 - IKE Setup
>
>                     Phase 1
>                       Negotiation Mode= Main
>                       Pre-Shared Key= yourpresharedkey
>                       Encryption Algorithm= 3DES
>                       Authentication Algorithm= MD5
>                       SA Life Time (Seconds)= 3600
>                       Key Group= DH2
>
>                     Phase 2
>                       Active Protocol= ESP
>                       Encryption Algorithm= 3DES
>                       Authentication Algorithm= MD5
>                       SA Life Time (Seconds)= 9600
>                       Encapsulation= Tunnel
>                       Perfect Forward Secrecy (PFS)= DH2
>
>                     Press ENTER to Confirm or ESC to Cancel:
>
>That's all!

I forgot the changes to autoexec.net on the Zywall-10 side: you have to add
"ipsec timer chk_conn 0" in order to avoid disconnecting the VPN when
there isn't traffic on the tunnel.

Copyright (c) 1994 - 2002 ZyXEL Communications Corp.
Zywall> sys view autoexec.net
sys errctl 0
sys trcl level 5
sys trcl type 1180
sys trcp cr 96 128
sys trcl sw off
ip tcp mss 1400
ip tcp limit 2
ip tcp irtt 65000
ip tcp window 16
ip tcp ceiling 6000
ip rip activate
ip rip merge on
ip icmp disc enif0 off
ppp ipcp com off
sys wd sw on
sys wd cnt 600
sys mbuf debug off
ip urlfilter listServerName urllist.zyxel.com
ip nat loopback on
---> ipsec timer chk_conn 0
Zywall>
>>I tried to configure a Zywall, but if I start vpn activity, I can not 
>>access the router again
>>and the tunnel is also not working.
>>
>>Thanks!
>>
>>Nicole
>>_______________________________________________
>>Users mailing list
>>Users at openswan.org
>>http://lists.openswan.org/mailman/listinfo/users
>
>Roberto Fichera.

Roberto Fichera. 
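The two configs above have to agree field by field: Openswan's left/right and the subnets map to the Zywall's Secure Gateway / Local / Remote entries in mirror image, keylife has to match the Phase 2 SA lifetime, and pfs=yes has to match a non-empty PFS group. The script below is an added example (not Roberto's or Openswan's code) that parses the posted conn block and cross-checks it against the Zywall menu values, which are transcribed here into a constructed dict, and also lists the legacy algorithms (3DES, MD5) the menu selects. The placeholder addresses XX.YY/ZZ.KK are kept exactly as posted.

```python
"""Cross-check an Openswan 'conn' block against a Zywall IPSec menu.

Added example for this thread; not code from the original post.
Inputs are transcribed from the posted configs (constructed data).
"""
import re
from ipaddress import ip_network

# Constructed: the VPN1 conn from the posted ipsec.conf, verbatim.
IPSEC_CONF = """\
conn VPN1
         left=XX.YY.11.141
         leftsubnet=192.168.0.0/24
         leftnexthop=XX.YY.11.137
         right=ZZ.KK.11.131
         rightsubnet=192.168.2.0/24
         rightnexthop=ZZ.KK.11.129
         pfs=yes
         auto=start
         keylife=9600s
         keyingtries=0
"""

# Constructed: the relevant fields of Zywall Menu 27.1.1 / 27.1.1.1.
ZYWALL = {
    "Secure Gateway Addr": "XX.YY.11.141",
    "Local Content": "ZZ.KK.11.131",
    "Local IP Addr Start": "192.168.2.0",
    "Local Subnet Mask": "255.255.255.0",
    "Remote IP Addr Start": "192.168.0.0",
    "Remote Subnet Mask": "255.255.255.0",
    "Phase2 SA Life Time": 9600,
    "PFS": "DH2",
    "Phase1 Encryption": "3DES",
    "Phase1 Authentication": "MD5",
    "Phase2 Encryption": "3DES",
    "Phase2 Authentication": "MD5",
}

# Algorithms that are still accepted by old firmware but are considered legacy.
LEGACY_ALGORITHMS = {"DES", "3DES", "MD5"}

UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_conns(text):
    """Parse ipsec.conf sections; returns {conn_name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header sits in column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return conns


def lifetime_seconds(value):
    """Convert an Openswan lifetime such as '9600s' or '8h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad lifetime: {value!r}")
    return int(m.group(1)) * UNIT[m.group(2)]


def cross_check(conn, zw):
    """Return a list of mismatches between the Openswan conn and the Zywall menu."""
    problems = []

    def expect(label, ours, theirs):
        if ours != theirs:
            problems.append(f"{label}: openswan={ours} zywall={theirs}")

    # Openswan 'left' is the Zywall's peer (Secure Gateway); 'right' is the Zywall itself.
    expect("gateway", conn["left"], zw["Secure Gateway Addr"])
    expect("peer", conn["right"], zw["Local Content"])
    # Subnets are mirrored: our leftsubnet is the Zywall's Remote, rightsubnet its Local.
    zw_remote = ip_network(f"{zw['Remote IP Addr Start']}/{zw['Remote Subnet Mask']}", strict=False)
    zw_local = ip_network(f"{zw['Local IP Addr Start']}/{zw['Local Subnet Mask']}", strict=False)
    expect("left subnet", ip_network(conn["leftsubnet"]), zw_remote)
    expect("right subnet", ip_network(conn["rightsubnet"]), zw_local)
    # keylife is the Phase 2 (IPsec SA) lifetime; pfs=yes needs a PFS group on the Zywall.
    expect("phase2 lifetime", lifetime_seconds(conn["keylife"]), zw["Phase2 SA Life Time"])
    expect("pfs", conn.get("pfs", "yes") == "yes", zw["PFS"] != "None")
    return problems


def legacy_algorithms(zw):
    """List the legacy cipher/hash names selected in the Zywall IKE setup."""
    return sorted({v for k, v in zw.items()
                   if ("Encryption" in k or "Authentication" in k)
                   and v.upper() in LEGACY_ALGORITHMS})


if __name__ == "__main__":
    vpn1 = parse_conns(IPSEC_CONF)["VPN1"]
    print("mismatches:", cross_check(vpn1, ZYWALL) or "none")
    print("legacy algorithms in use:", legacy_algorithms(ZYWALL))
```

With the posted values the cross-check comes back clean; changing the Zywall Phase 2 lifetime to 3600 while Openswan keeps keylife=9600s is the kind of asymmetry that makes a tunnel come up and then drop at rekey, and the script reports it as a single "phase2 lifetime" line.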