[Openswan Users] Openswan and Zyxel?
Nicole.Haehnel
nicole.haehnel at gmx.net
Fri Feb 4 11:57:36 CET 2005
THANKS!
I'll try it.
Nicole
Roberto Fichera wrote:
> At 11.27 04/02/2005, Roberto Fichera wrote:
>
>> At 10.09 04/02/2005, you wrote:
>>
>>> Hi,
>>>
>>> has anybody configured a Zyxel Prestige or Zywall with openswan?
>>> And is it working?
>>
>>
>> Yes works well :-)!
>>
>>
>>> If so, please post the configs.
>>
>>
>> This is my /etc/ipsec.conf
>>
>> # This file: /usr/share/doc/openswan/ipsec.conf-sample
>> #
>> # Manual: ipsec.conf.5
>>
>>
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>>     interfaces="ipsec0=eth0"
>>     klipsdebug=none
>>     plutodebug=none
>>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>     # klipsdebug=none
>>     # plutodebug="control parsing"
>>
>> conn %default
>>     keyingtries=3
>>     disablearrivalcheck=no
>>     authby=secret
>>
>> # Add connections here
>>
>> conn VPN1
>>     left=XX.YY.11.141
>>     leftsubnet=192.168.0.0/24
>>     leftnexthop=XX.YY.11.137
>>     right=ZZ.KK.11.131
>>     rightsubnet=192.168.2.0/24
>>     rightnexthop=ZZ.KK.11.129
>>     pfs=yes
>>     auto=start
>>     keylife=9600s
>>     keyingtries=0
>>
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>> This is the /etc/ipsec.secrets
>>
>> XX.YY.11.141 ZZ.KK.11.131 : PSK "yourpresharedkey"
>>
>> : RSA {
>> .........
>> ........
>> }
>> # do not change the indenting of that "}"
>>
>>
>> The Zywall-10 configuration is the following:
>>
>> Menu 27.1.1 - IPSec Setup
>>
>> Index #= 1 Name= VPN1
>> Active= Yes Keep Alive= No
>> Local ID type= IP Content= ZZ.KK.11.131
>> My IP Addr= 217.59.11.131
>> Peer ID type= IP Content= XX.YY.11.141
>> Secure Gateway Addr= XX.YY.11.141
>> Protocol= 0
>> Local: Addr Type= SUBNET
>> IP Addr Start= 192.168.2.0 End/Subnet Mask= 255.255.255.0
>> Port Start= 0 End= N/A
>> Remote: Addr Type= SUBNET
>> IP Addr Start= 192.168.0.0 End/Subnet Mask= 255.255.255.0
>> Port Start= 0 End= N/A
>> Enable Replay Detection= Yes
>> Key Management= IKE
>> Edit Key Management Setup= No
>>
>> Press ENTER to Confirm or ESC to Cancel:
>>
>> Menu 27.1.1.1 - IKE Setup
>>
>> Phase 1
>> Negotiation Mode= Main
>> Pre-Shared Key= yourpresharedkey
>> Encryption Algorithm= 3DES
>> Authentication Algorithm= MD5
>> SA Life Time (Seconds)= 3600
>> Key Group= DH2
>>
>> Phase 2
>> Active Protocol= ESP
>> Encryption Algorithm= 3DES
>> Authentication Algorithm= MD5
>> SA Life Time (Seconds)= 9600
>> Encapsulation= Tunnel
>> Perfect Forward Secrecy (PFS)= DH2
>>
>> Press ENTER to Confirm or ESC to Cancel:
>>
>> That's all!
>
>
> I forgot the changes to the autoexec.net on the Zywall1-10 side: you
> have to add the "ipsec timer chk_conn 0" in order to avoid
> disconnecting the VPN when there isn't traffic on the tunnel.
>
> Copyright (c) 1994 - 2002 ZyXEL Communications Corp.
> Zywall> sys view autoexec.net
> sys errctl 0
> sys trcl level 5
> sys trcl type 1180
> sys trcp cr 96 128
> sys trcl sw off
> ip tcp mss 1400
> ip tcp limit 2
> ip tcp irtt 65000
> ip tcp window 16
> ip tcp ceiling 6000
> ip rip activate
> ip rip merge on
> ip icmp disc enif0 off
> ppp ipcp com off
> sys wd sw on
> sys wd cnt 600
> sys mbuf debug off
> ip urlfilter listServerName urllist.zyxel.com
> ip nat loopback on
> ---> ipsec timer chk_conn 0
> Zywall>
>
>
>
>
>>> I tried to configure a Zywall, but if I start vpn activity, I can
>>> not access the router again
>>> and the tunnel is also not working.
>>>
>>> Thanks!
>>>
>>> Nicole
>>> _______________________________________________
>>> Users mailing list
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>
>>
>> Roberto Fichera.
>
>
> Roberto Fichera.
>
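An added example, not part of the original thread: a small check that the Openswan conn and the ZyWALL menu values describe the same tunnel from opposite ends (peer addresses, mirrored subnets, phase 2 lifetime, PFS). The addresses are constructed documentation addresses standing in for the redacted ones, the ZYWALL dict is a hand transcription of the menu fields, and "None" as the ZyWALL value for PFS off is an assumption.

```python
import ipaddress

# Constructed sample; documentation addresses replace the redacted ones.
IPSEC_CONF = """\
conn %default
    authby=secret

conn VPN1
    left=192.0.2.141
    leftsubnet=192.168.0.0/24
    right=198.51.100.131
    rightsubnet=192.168.2.0/24
    pfs=yes
    keylife=9600s
"""

# ZyWALL menu 27.1.1 / 27.1.1.1 fields, transcribed by hand (constructed).
ZYWALL = {
    "Secure Gateway Addr": "192.0.2.141",
    "My IP Addr": "198.51.100.131",
    "Local": "192.168.2.0/255.255.255.0",
    "Remote": "192.168.0.0/255.255.255.0",
    "Phase 2 SA Life Time": 9600,
    "PFS": "DH2",  # assumption: the menu shows "None" when PFS is off
}

def parse_conn(text, name):
    """Return the settings of one conn section, with %default merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith("conn "):
            current = sections.setdefault(line.split()[1], {})
        elif line[:1].isspace() and "=" in line and current is not None:
            key, value = line.strip().split("=", 1)
            current[key] = value.strip('"')
    return {**sections.get("%default", {}), **sections[name]}

def mismatches(conn, zy):
    """List the settings where the two ends of the tunnel disagree."""
    net = ipaddress.ip_network  # accepts both /24 and /255.255.255.0
    checks = {
        "left vs Secure Gateway Addr": conn["left"] == zy["Secure Gateway Addr"],
        "right vs My IP Addr": conn["right"] == zy["My IP Addr"],
        "rightsubnet vs Local": net(conn["rightsubnet"]) == net(zy["Local"]),
        "leftsubnet vs Remote": net(conn["leftsubnet"]) == net(zy["Remote"]),
        # keylife is assumed to be given in seconds, as in the post
        "keylife vs Phase 2 SA Life Time": int(conn["keylife"].rstrip("s")) == zy["Phase 2 SA Life Time"],
        "pfs vs PFS": (conn.get("pfs", "yes") == "yes") == (zy["PFS"] != "None"),
    }
    return [name for name, ok in checks.items() if not ok]
```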