[Openswan Users] Zywall 5

Carlo Magistrelli carlo at magistrelli.it
Thu Mar 20 19:02:47 EDT 2008


Hi all!

I tried to work around the following situation by myself, but I didn't
succeed, so I surrender and am asking for some kind help.

I would like to connect from home to my office, using a Linux box with
Xubuntu 7.10 and OpenSwan.
Usually I connect to my office with Windows XP and SSH Sentinel, or by
activating a VPN rule on a home-based Zywall 2.
Now I'm interested in connections without an appliance like the Zywall 2
and without a static IP address (this scenario is called "road warrior",
isn't it?)

OFFICE.
Local network 192.168.254.0/255.255.255.0
Zywall 5 (Lan side: 192.168.254.254 - Wan side: 10.0.0.1)
Zyxel Prestige (Lan side: 10.0.0.254 - Wan side: AA.BB.CC.DD static IP
address)

On Zywall 5:
Static route: name=default, destination=0.0.0.0 gateway=10.0.0.254
Firewall rule: Wan to WAN/Zywall: Any source address Any Destination address
Forward IKE (UDP:500)

VPN
	Name: 			Sede
	Key Management: 		IKE
	Negotiation: 		Aggressive
	Encapsulation: 		Tunnel
	DNS server: 		0.0.0.0
	Local policy: 		Subnet addresses 192.168.254.0/255.255.255.0
	Remote policy: 		Single address 0.0.0.0

	Pre shared Key: 		xxxxxxxx
	Local ID type: 		IP
	Content: 			AA.BB.CC.DD
	Peer ID type: 		IP
	Content: 			0.0.0.0
	Gateway information:	10.0.0.1
	Secure gateway address:	0.0.0.0
	IPSec algorithm: 		ESP, Encryption: 3DES, Authentication: MD5

Advanced:
	Phase1
	Negotiation mode: 	Aggressive
	Encryption algorithm: 	3DES
	Auth. algorithm: 		MD5
	SA life time: 		28800 sec
	Key group: 			DH2

	Phase2
	Active protocol: 		ESP
	Encryption algorithm: 	3DES
	Auth. algorithm: 		MD5
	SA life time: 		28800 sec
	Encapsulation: 		Tunnel
	PFS: 				none
	Enable replay detection	yes

On Zyxel Prestige (router): 	NAT SUA only: all ports 10.0.0.1

HOME:
Local network 10.1.0.0/255.255.255.0
Zyxel Prestige (lan side: 10.1.0.254 - Wan side: dynamic)
NAT SUA Only:	all ports 10.1.0.1 (10.1.0.1 is a Zywall 2 serving some other PCs)
		Start/end port 500: 10.1.0.5 (my Linux machine, Xubuntu 7.10)

On 10.1.0.5: Openswan

This is my /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	interfaces="ipsec0=eth0"
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	klipsdebug=none
	plutodebug=none
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg:
	# plutodebug="control parsing"
	#
	# Only enable klipsdebug=all if you are a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	# nat_traversal=no
	#
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	#
	# enable this if you see "failed to find any available worker"
	# nhelpers=0

conn %default
	keyingtries=3
	disablearrivalcheck=no
	authby=secret

# Add connections here

conn Sede
	type=tunnel
	left=0.0.0.0
	leftid=@pctarocco
	leftsubnet=10.1.0.0/24
	#leftnexthop=????
	right=AA.BB.CC.DD
	rightid=@sekmet
	rightsubnet=192.168.254.0/24
	#rightnexthop=??????
	#rightxauthserver=yes
	auto=add
	aggrmode=yes
	auth=esp
	esp=3des-md5
	ike=3des-md5-modp1024
	#xauth=no
	pfs=no
	keylife=9600s
	keyingtries=0


# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

and this is my /etc/ipsec.secrets

@pctarocco	@sekmet : PSK	"xxxxxxxxxx"



On the Linux machine I hit:

sudo /etc/init.d/ipsec stop
sudo /etc/init.d/ipsec start
sudo ipsec auto --up Sede

And I get:

022 "Sede": We cannot identify ourselves with either end of this connection.

(and this is my best result!!! Not to mention the thousands of errors in other
experiments).

Thanks in advance for help. Please, let me leave Windows!

NB: sorry for my poor English and my poor understanding of computer mysteries.
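Added example, not part of the post above and not Openswan's own code: a small Python lint that reads an ipsec.conf and an ipsec.secrets and flags the usual road-warrior mistakes behind Pluto's "We cannot identify ourselves with either end of this connection". Pluto prints that when neither left nor right resolves to an address on a local interface; 0.0.0.0 never does, whereas %defaultroute tells Openswan to take the address of the default-route interface. The embedded config is a constructed copy of the conn Sede section (AA.BB.CC.DD kept as the placeholder it is); the lint also checks that every leftid/rightid has a selector in ipsec.secrets and notes that aggressive mode with a PSK exposes the PSK-derived hash on the wire, so main mode is preferable where the gateway allows it.

```python
"""Lint an Openswan ipsec.conf conn for common road-warrior misconfigurations.

Illustrative example only: not the poster's code and not part of Openswan.
"""
import ipaddress

# Constructed sample: the conn from the post, placeholder address kept as-is.
SAMPLE_CONF = """\
conn %default
\tkeyingtries=3
\tauthby=secret

conn Sede
\ttype=tunnel
\tleft=0.0.0.0
\tleftid=@pctarocco
\tleftsubnet=10.1.0.0/24
\tright=AA.BB.CC.DD
\trightid=@sekmet
\trightsubnet=192.168.254.0/24
\tauto=add
\taggrmode=yes
\tpfs=no
\tkeylife=9600s
\tkeyingtries=0
"""

# Constructed sample ipsec.secrets line matching the post.
SAMPLE_SECRETS = '@pctarocco\t@sekmet : PSK\t"xxxxxxxxxx"\n'


def parse_conf(text):
    """Return {'conn NAME': {key: value}}; 'conn %default' is merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: section header
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None:                 # indented: key=value
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    defaults = sections.get("conn %default", {})
    return {name: ({**defaults, **body} if name.startswith("conn ") else body)
            for name, body in sections.items()}


def parse_secret_ids(text):
    """Collect the ID selectors that precede ':' on each PSK line of ipsec.secrets."""
    ids = set()
    for line in text.splitlines():
        if ":" in line and "PSK" in line:
            ids.update(line.split(":", 1)[0].split())
    return ids


def lint_conn(conn, secret_ids):
    """Return a list of human-readable findings for one conn."""
    findings = []
    for side in ("left", "right"):
        addr = conn.get(side)
        if addr is None:
            findings.append(f"{side}: missing")
            continue
        if addr.startswith("%"):                  # %defaultroute / %any are fine
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"{side}={addr}: not an IP address or %keyword (placeholder?)")
            continue
        if ip.is_unspecified:
            findings.append(f"{side}={addr}: 0.0.0.0 is not a local interface address; "
                            "Pluto cannot identify itself with this end (use %defaultroute)")
    if conn.get("authby") == "secret":
        for side in ("left", "right"):
            sid = conn.get(f"{side}id")
            if sid and sid not in secret_ids:
                findings.append(f"{side}id={sid}: no matching selector in ipsec.secrets")
        if conn.get("aggrmode") == "yes":
            findings.append("aggrmode=yes with a PSK exposes the PSK-derived hash on the wire; "
                            "prefer main mode where the gateway allows it")
    return findings


def lint_file(conf_text, secrets_text):
    """Lint every conn except %default; returns {conn_name: [findings]}."""
    secret_ids = parse_secret_ids(secrets_text)
    return {name: lint_conn(body, secret_ids)
            for name, body in parse_conf(conf_text).items()
            if name.startswith("conn ") and name != "conn %default"}


if __name__ == "__main__":
    for name, findings in lint_file(SAMPLE_CONF, SAMPLE_SECRETS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Running it on the sample reports the left=0.0.0.0 problem, the unparseable right placeholder and the aggressive-mode caveat; the IDs pass because both @pctarocco and @sekmet appear on the PSK line.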
