[Openswan Users] Openswan and Zyxel?
Roberto Fichera
kernel at tekno-soft.it
Wed Feb 16 14:33:06 CET 2005
At 14.12 16/02/2005, Nicole.Haehnel wrote:
>Hi,
>
>I tried the configs below and now my connection is established.
>But I still have the problem that I can't access the Zywall after
>activating the VPN connection.
>And although I have a connection established, I cannot ping or send any
>other packets.
>
>Does anybody know the problem?
I have the same problem on the box acting as VPN gateway
(Openswan side), but no problems from the other machines which use
the VPN gateway as their router.
Just to know, do you have a Linux 2.6.x kernel?
>Thanks!
>
>Nicole
>
>
>Roberto Fichera wrote:
>
>>At 11.27 04/02/2005, Roberto Fichera wrote:
>>
>>>At 10.09 04/02/2005, you wrote:
>>>
>>>>Hi,
>>>>
>>>>has anybody configured a Zyxel Prestige or Zywall with openswan?
>>>>And is it working?
>>>
>>>
>>>Yes works well :-)!
>>>
>>>
>>>>If so, please post the configs.
>>>
>>>
>>>This is my /etc/ipsec.conf
>>>
>>># This file: /usr/share/doc/openswan/ipsec.conf-sample
>>>#
>>># Manual: ipsec.conf.5
>>>
>>>
>>>version 2.0 # conforms to second version of ipsec.conf specification
>>>
>>># basic configuration
>>>config setup
>>> interfaces="ipsec0=eth0"
>>> klipsdebug=none
>>> plutodebug=none
>>> # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>> # klipsdebug=none
>>> # plutodebug="control parsing"
>>>
>>>conn %default
>>> keyingtries=3
>>> disablearrivalcheck=no
>>> authby=secret
>>>
>>># Add connections here
>>>
>>>conn VPN1
>>> left=XX.YY.11.141
>>> leftsubnet=192.168.0.0/24
>>> leftnexthop=XX.YY.11.137
>>> right=ZZ.KK.11.131
>>> rightsubnet=192.168.2.0/24
>>> rightnexthop=ZZ.KK.11.129
>>> pfs=yes
>>> auto=start
>>> keylife=9600s
>>> keyingtries=0
>>>
>>>#Disable Opportunistic Encryption
>>>include /etc/ipsec.d/examples/no_oe.conf
>>>
>>>this is the /etc/ipsec.secrets
>>>
>>>XX.YY.11.141 ZZ.KK.11.131 : PSK "yourpresharedkey"
>>>
>>>: RSA {
>>> .........
>>> ........
>>> }
>>># do not change the indenting of that "}"
>>>
>>>
>>>the Zywall-10 configuration is the following:
>>>
>>> Menu 27.1.1 - IPSec Setup
>>>
>>> Index #= 1 Name= VPN1
>>> Active= Yes Keep Alive= No
>>> Local ID type= IP Content= ZZ.KK.11.131
>>> My IP Addr= 217.59.11.131
>>> Peer ID type= IP Content= XX.YY.11.141
>>> Secure Gateway Addr= XX.YY.11.141
>>> Protocol= 0
>>> Local: Addr Type= SUBNET
>>> IP Addr Start= 192.168.2.0 End/Subnet Mask= 255.255.255.0
>>> Port Start= 0 End= N/A
>>> Remote: Addr Type= SUBNET
>>> IP Addr Start= 192.168.0.0 End/Subnet Mask= 255.255.255.0
>>> Port Start= 0 End= N/A
>>> Enable Replay Detection= Yes
>>> Key Management= IKE
>>> Edit Key Management Setup= No
>>>
>>> Press ENTER to Confirm or ESC to Cancel:
>>>
>>> Menu 27.1.1.1 - IKE Setup
>>>
>>> Phase 1
>>> Negotiation Mode= Main
>>> Pre-Shared Key= yourpresharedkey
>>> Encryption Algorithm= 3DES
>>> Authentication Algorithm= MD5
>>> SA Life Time (Seconds)= 3600
>>> Key Group= DH2
>>>
>>> Phase 2
>>> Active Protocol= ESP
>>> Encryption Algorithm= 3DES
>>> Authentication Algorithm= MD5
>>> SA Life Time (Seconds)= 9600
>>> Encapsulation= Tunnel
>>> Perfect Forward Secrecy (PFS)= DH2
>>>
>>> Press ENTER to Confirm or ESC to Cancel:
>>>
>>>That's all!
>>
>>
>>I forgot the changes to autoexec.net on the Zywall-10 side: you have
>>to add "ipsec timer chk_conn 0" in order to avoid disconnecting the VPN
>>when there isn't traffic on the tunnel.
>>
>>Copyright (c) 1994 - 2002 ZyXEL Communications Corp.
>>Zywall> sys view autoexec.net
>>sys errctl 0
>>sys trcl level 5
>>sys trcl type 1180
>>sys trcp cr 96 128
>>sys trcl sw off
>>ip tcp mss 1400
>>ip tcp limit 2
>>ip tcp irtt 65000
>>ip tcp window 16
>>ip tcp ceiling 6000
>>ip rip activate
>>ip rip merge on
>>ip icmp disc enif0 off
>>ppp ipcp com off
>>sys wd sw on
>>sys wd cnt 600
>>sys mbuf debug off
>>ip urlfilter listServerName urllist.zyxel.com
>>ip nat loopback on
>>---> ipsec timer chk_conn 0
>>Zywall>
>>
>>
>>
>>
>>>>I tried to configure a Zywall, but if I start VPN activity, I cannot
>>>>access the router again
>>>>and the tunnel is also not working.
>>>>
>>>>Thanks!
>>>>
>>>>Nicole
>>>>_______________________________________________
>>>>Users mailing list
>>>>Users at openswan.org
>>>>http://lists.openswan.org/mailman/listinfo/users
>>>
>>>
>>>Roberto Fichera.
>>>_______________________________________________
>>>Users mailing list
>>>Users at openswan.org
>>>http://lists.openswan.org/mailman/listinfo/users
>>
>>
>>Roberto Fichera.
Roberto Fichera.
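The two configurations posted in this thread have to agree on the mirrored subnets, the Phase 1 and Phase 2 lifetimes and the PFS setting, and a mismatch in any of them is the usual reason a tunnel negotiates but carries no traffic. The script below is an added example (not code from the thread, from Openswan or from ZyXEL) that parses a conn block in ipsec.conf syntax and a ZyWALL menu dump, reports the settings on which the two ends disagree, builds the ike=/esp= lines that pin Openswan to exactly the ZyWALL proposal, and checks which source/destination pairs fall inside the tunnel's selectors. The sample texts are constructed from Roberto's configuration with RFC 5737 addresses in place of the XX.YY / ZZ.KK placeholders; the Openswan defaults assumed when a setting is absent (ikelifetime=1h, keylife=8h, pfs=yes, PFS group reused from Phase 1) and the ZyWALL showing "None" for PFS off are this example's own assumptions.

```python
"""Cross-check an Openswan conn block against a ZyWALL IKE/IPSec setup.
Added example for this thread, not Openswan or ZyXEL code. The samples are
constructed from the configuration posted above (RFC 5737 addresses replace
the XX.YY / ZZ.KK placeholders); defaults assumed for absent settings
(ikelifetime=1h, keylife=8h, pfs=yes) are this example's own assumptions."""
import ipaddress
import re

OPENSWAN_CONF = """\
conn VPN1
 left=203.0.113.141
 leftsubnet=192.168.0.0/24
 right=198.51.100.131
 rightsubnet=192.168.2.0/24
 pfs=yes
 keylife=9600s
"""
ZYWALL_MENU = """\
Local: Addr Type= SUBNET
 IP Addr Start= 192.168.2.0 End/Subnet Mask= 255.255.255.0
Remote: Addr Type= SUBNET
 IP Addr Start= 192.168.0.0 End/Subnet Mask= 255.255.255.0
Phase 1
 Encryption Algorithm= 3DES
 Authentication Algorithm= MD5
 SA Life Time (Seconds)= 3600
 Key Group= DH2
Phase 2
 Encryption Algorithm= 3DES
 Authentication Algorithm= MD5
 SA Life Time (Seconds)= 9600
 Perfect Forward Secrecy (PFS)= DH2
"""
# ZyWALL menu names -> Openswan ike=/esp= tokens
NAMES = {"DES": "des", "3DES": "3des", "AES": "aes", "MD5": "md5", "SHA1": "sha1",
         "DH1": "modp768", "DH2": "modp1024", "DH5": "modp1536"}

def parse_conn(text, name):
    """Return the key=value settings of one 'conn <name>' block."""
    conn, inside = {}, False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
        elif inside and "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            conn[key.strip()] = val.strip()
    return conn

def parse_zywall(text):
    """Return {section: {field: value}} for Local/Remote/Phase 1/Phase 2."""
    out, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        head = re.match(r"(Local|Remote):\s*", line)
        if head:
            section, line = head.group(1), line[head.end():]
        elif line in ("Phase 1", "Phase 2"):
            section = line
            continue
        # one menu line may carry several "Field= value" pairs
        for field, val in re.findall(r"([^=]+?)=\s*(\S+)", line):
            out.setdefault(section, {})[field.strip()] = val
    return out

def seconds(value):
    """Openswan lifetimes may carry s/m/h suffixes; the ZyWALL shows seconds."""
    m = re.fullmatch(r"(\d+)([smh]?)", value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]

def zy_subnet(part):
    return ipaddress.ip_network(f"{part['IP Addr Start']}/{part['End/Subnet Mask']}", strict=False)

def check_pair(conn, zy):
    """List every setting on which the two ends disagree (empty = consistent)."""
    p1, p2, problems = zy["Phase 1"], zy["Phase 2"], []
    # Subnets must be mirrored: our rightsubnet is the ZyWALL's Local side
    if ipaddress.ip_network(conn["rightsubnet"]) != zy_subnet(zy["Local"]):
        problems.append("rightsubnet != ZyWALL Local subnet")
    if ipaddress.ip_network(conn["leftsubnet"]) != zy_subnet(zy["Remote"]):
        problems.append("leftsubnet != ZyWALL Remote subnet")
    if seconds(conn.get("ikelifetime", "1h")) != int(p1["SA Life Time (Seconds)"]):
        problems.append("Phase 1 lifetime: ikelifetime != SA Life Time")
    if seconds(conn.get("keylife", "8h")) != int(p2["SA Life Time (Seconds)"]):
        problems.append("Phase 2 lifetime: keylife != SA Life Time")
    pfs_group = p2["Perfect Forward Secrecy (PFS)"]   # "None" assumed when off
    if (conn.get("pfs", "yes") == "yes") != (pfs_group.lower() != "none"):
        problems.append("PFS enabled on one side only")
    elif pfs_group.lower() != "none" and pfs_group != p1["Key Group"]:
        problems.append("PFS group differs from the Phase 1 group Openswan reuses")
    return problems

def pinned_proposals(zy):
    """ike=/esp= lines that pin Openswan to exactly the ZyWALL's proposal."""
    p1, p2 = zy["Phase 1"], zy["Phase 2"]
    ike = "-".join(NAMES[p1[k]] for k in
                   ("Encryption Algorithm", "Authentication Algorithm", "Key Group"))
    esp = "-".join(NAMES[p2[k]] for k in ("Encryption Algorithm", "Authentication Algorithm"))
    return f"ike={ike}", f"esp={esp}"

def tunnel_covers(conn, src, dst):
    """Does a packet src->dst match the leftsubnet->rightsubnet selectors?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(conn["leftsubnet"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(conn["rightsubnet"]))
```

On the posted configuration `check_pair` returns no mismatches and `pinned_proposals` yields `ike=3des-md5-modp1024` and `esp=3des-md5`, which is what the ZyWALL's Phase 1/Phase 2 menus describe (DH2 is modp1024). Note that the posted `conn %default` sets keyingtries=3 while VPN1 sets keyingtries=0; the conn's own value wins, so Openswan retries forever, which is what you want for a permanent site-to-site link. `tunnel_covers` is a check rather than a diagnosis: a packet from a LAN host (192.168.0.10 to 192.168.2.1) matches the selectors, while a packet the gateway sends from its own public address does not fall inside leftsubnet and so would not be sent through this tunnel; whether that is what the thread's symptom comes down to is not something the posts show.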