[Openswan Users] Zywall 5

Peter McGill petermcgill at goco.net
Mon Mar 24 10:20:51 EDT 2008


I think you need left=%defaultroute.

You'll also need to have your internet connection and
default route working before you start openswan.

Note that the configuration you're using should work given
the above, assuming that your Xubuntu is connected to the
internet router directly with a public ip.

Note that if you can, changing to main mode instead of
aggressive mode, and turning on pfs will increase your
security level, and is advised.

Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Carlo Magistrelli
> Sent: March 20, 2008 7:03 PM
> To: users at openswan.org
> Subject: [Openswan Users] Zywall 5
> 
> Hi all!
> 
> I tried to work around the following situation by myself, but I didn't
> succeed: so, I surrender and am asking for some kind help.
> 
> I would like to connect from home to my office, using a Linux box with
> Xubuntu 7.10 and OpenSwan.
> Usually I connect to my office with Windows XP and SSHSentinel, or by
> activating a VPN rule on a home-based Zywall 2.
> Actually, I'm interested in connections without an appliance like the
> Zywall 2 and without a static IP address (they call this scenario
> "road warrior", don't they?)
> 
> OFFICE.
> Local network 192.168.254.0/255.255.255.0
> Zywall 5 (Lan side: 192.168.254.254 - Wan side: 10.0.0.1)
> Zyxel Prestige (Lan side: 10.0.0.254 - Wan side: AA.BB.CC.DD static IP
> address)
> 
> On Zywall 5:
> Static route: name=default, destination=0.0.0.0 gateway=10.0.0.254
> Firewall rule: Wan to WAN/Zywall: Any source address, Any destination address,
> Forward IKE (UDP:500)
> 
> VPN
> 	Name: 			Sede
> 	Key Management: 		IKE
> 	Negotiation: 		Aggressive
> 	Encapsulation: 		Tunnel
> 	DNS server: 		0.0.0.0
> 	Local policy: 		Subnet addresses 192.168.254.0/255.255.255.0
> 	Remote policy: 		Single address 0.0.0.0
> 
> 	Pre shared Key: 		xxxxxxxx
> 	Local ID type: 		IP
> 	Content: 			AA.BB.CC.DD
> 	Peer ID type: 		IP
> 	Content: 			0.0.0.0
> 	Gateway information:	10.0.0.1
> 	Secure gateway address:	0.0.0.0
> 	IPSec algorithm: 		ESP, Encryption: 3DES, Authentication: MD5
> 
> Advanced:
> 	Phase1
> 	Negotiation mode: 	Aggressive
> 	Encryption algorithm: 	3DES
> 	Auth. algorithm: 		MD5
> 	SA life time: 		28800 sec
> 	Key group: 			DH2
> 
> 	Phase2
> 	Active protocol: 		ESP
> 	Encryption algorithm: 	3DES
> 	Auth. algorithm: 		MD5
> 	SA life time: 		28800 sec
> 	Encapsulation: 		Tunnel
> 	PFS: 				none
> 	Enable replay detection	yes
> 
> On Zyxel Prestige (router): 	NAT SUA only: all ports 10.0.0.1
> 
> HOME:
> Local network 10.1.0.0/255.255.255.0
> Zyxel Prestige (lan side: 10.1.0.254 - Wan side: dynamic)
> NAT SUA Only:	all ports 10.1.0.1 (10.1.0.1 is a Zywall 2 to some other pc)
> 		Start/end Port 500 10.1.0.5 (is my Linux machine - Xubuntu 7.10)
>       
> On 10.1.0.5 OpenSwan
> 
> This is my /etc/ipsec.conf
> 
> # /etc/ipsec.conf - Openswan IPsec configuration file RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $
> 
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> 
> 
> version	2.0	# conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
> 	interfaces="ipsec0=eth0"
> 	# plutodebug / klipsdebug = "all", "none" or a combination from below:
> 	klipsdebug=none
> 	plutodebug=none
> 	# "raw crypt parsing emitting control klips pfkey natt x509 private"
> 	# eg:
> 	# plutodebug="control parsing"
> 	#
> 	# Only enable klipsdebug=all if you are a developer
> 	#
> 	# NAT-TRAVERSAL support, see README.NAT-Traversal
> 	# nat_traversal=no
> 	#
> 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> 	#
> 	# enable this if you see "failed to find any available worker"
> 	# nhelpers=0
> 
> conn %default
> 	keyingtries=3
> 	disablearrivalcheck=no
> 	authby=secret
> 
> # Add connections here
> 
> conn Sede
> 	type=tunnel
> 	left=0.0.0.0
> 	leftid=@pctarocco
> 	leftsubnet=10.1.0.0/24
> 	#leftnexthop=????
> 	right= AA.BB.CC.DD
> 	rightid=@sekmet
> 	rightsubnet=192.168.254.0/24
> 	#rightnexthop=??????
> 	#rightxauthserver=yes
> 	auto=add
> 	aggrmode=yes
> 	auth=esp
> 	esp=3des-md5
> 	ike=3des-md5-modp1024
> 	#xauth=no
> 	pfs=no
> 	keylife=9600s
> 	keyingtries=0
> 
> 
> # sample VPN connections, see /etc/ipsec.d/examples/
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> and this is my /etc/ipsec.secrets
> 
> @pctarocco	@sekmet : PSK	"xxxxxxxxxx"
> 
> 
> 
> On the Linux machine I hit:
> 
> sudo /etc/init.d/ipsec stop
> sudo /etc/init.d/ipsec start
> sudo ipsec auto --up Sede
> 
> And I get: 022 "Sede": We cannot identify ourselves with either end of this connection.
> (and this is my best result!!! Not to say of thousands of errors in other experiments).
> 
> Thanks in advance for help. Please, let me leave Windows!
> 
> NB: sorry for my poor English and my poor understanding of computer mystery.
> 
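As an added example that is not part of the thread, this shell script checks an ipsec.conf conn block for the three settings Peter's reply calls out (left=0.0.0.0, aggressive mode, PFS off) and carries a corrected copy of Carlo's Sede block. The IDs and the AA.BB.CC.DD peer address are copied from the post as placeholders; main mode and PFS only help if the Zywall end (Negotiation mode, Phase 2 PFS group) is changed to match.

```shell
#!/bin/sh
# Added example (not from the thread): flag the three ipsec.conf settings the
# reply calls out, then check a corrected conn block against the same test.
# Constructed input: the poster's conn, with placeholders kept as posted.
ORIG_CONN='conn Sede
    left=0.0.0.0
    leftid=@pctarocco
    leftsubnet=10.1.0.0/24
    right=AA.BB.CC.DD
    rightid=@sekmet
    rightsubnet=192.168.254.0/24
    aggrmode=yes
    pfs=no
'
# Corrected block: left=%defaultroute, main mode (no aggrmode), PFS on.
# The Zywall end must match: Negotiation=Main, Phase 2 PFS set to the
# group used by ike= (modp1024 is DH2).
FIXED_CONN='conn Sede
    left=%defaultroute
    leftid=@pctarocco
    leftsubnet=10.1.0.0/24
    right=AA.BB.CC.DD
    rightid=@sekmet
    rightsubnet=192.168.254.0/24
    pfs=yes
'
# Read a conn block on stdin; print one finding per weak line.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_conn() {
    found=0
    while IFS= read -r line; do
        # drop indentation and trailing comments before matching key=value
        kv=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*#.*$//')
        case "$kv" in
            left=0.0.0.0)
                echo "left=0.0.0.0: use left=%defaultroute so pluto can identify this end"
                found=1 ;;
            aggrmode=yes)
                echo "aggrmode=yes: prefer main mode (drop aggrmode, change the Zywall to match)"
                found=1 ;;
            pfs=no)
                echo "pfs=no: set pfs=yes and enable PFS in the Zywall Phase 2 settings"
                found=1 ;;
        esac
    done
    return $found
}
printf '%s' "$ORIG_CONN"  | audit_conn || echo "weak settings found in original conn"
printf '%s' "$FIXED_CONN" | audit_conn && echo "corrected conn: nothing flagged"
```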
