[Vpn-help] Commercial IPSec Gateway (ZyWall xxxx)

Matthew Grooms mgrooms at shrew.net
Fri Nov 30 17:48:06 CST 2007


Stephen Cohoon wrote:
> Matthew,
> 

Hey Stephen,

I hope you don't mind but I CCd this reply to the list so other Zywall 
users can benefit from the information.

> Good belated Thanksgiving to you. I've been inching along with the 
> client and zywall. This is what I have so far.
> 

Thanks and thanks.

> If I configure the client with "Pull," the client banner will show that 
> its connected but the log reports that phase 2 was not found.
> 

In this instance, the client is sending a configuration pull request 
message and never receives a response. The phase2 not found message is 
not necessarily an error. Please see the following reply for details.

http://lists.shrew.net/pipermail/vpn-help/2007-November/000820.html

> If I configure the client with "Push," the client will stop at phase 2 
> reporting the same. In both instances, though, phase 1 completes 
> successfully.
> 

In this instance, the client is waiting on a configuration push message 
that never arrives.

> I've tried removing extra variables by not using NATT but leaving the 
> configuration as "enabled" -- I read in the help documentation that it 
> would determine on its own whether to use it or not.
> 

The recent patch added to get us past the 8 byte SA length problem seems 
to have done its job as the client now successfully completes phase1 
negotiations as shown in your log output. The Pull and Push methods are 
not supported by Zywall gateways which is why you are having so many 
problems. To get any farther, you will need to begin testing using the 
2.1.0 alpha client release and setup DHCP over IPsec on your Zywall. The 
only other option is to try the direct adapter mode which uses the 
public address to communicate with the protected networks. This is 
supported by all 2.x versions of the client.

You will have to forgive my limited knowledge of the Zywall product line 
as a used Zygate 50a was the only model I could afford to purchase for 
testing. I also know very little about L2TP over IPsec as this transport 
is not supported by the Shrew Soft VPN client. What is supported is 
standards based IPsec connectivity which works quite well with the model 
in my test lab. I will do my best to pass on what information I know 
regarding the configuration :)

The Zygate 50a ( and I assume all bigger/later models ) support auto 
configuration of the client via DHCP over IPsec. This mechanism is new 
to the 2.1.0 client code base and was implemented specifically to 
support Zywall products. This is easy enough to do with the 50a by 
following the procedures outlined in this document ...

http://docs.forticare.com/fgt/techdocs/FortiGate_IPSec_VPN_User_Guide_01-30005-0065-20070716.pdf

Pay close attention to the following sections ...

FortiClient dialup-client configurations
  \Configuration Overview
   \Using virtual IP addresses
  \FortiClient dialup-client configuration example
   \Configuring FortiGate_1
    \Configure FortiGate_1 to assign VIPs

Phase 2 parameters
  \Advanced phase 2 settings
   \DHCP-IPSec

The basic idea is that you setup your phase2 advanced settings to allow 
the client to request a DHCP address over the IPsec Connection. An 
external DHCP server needs to be created that assigns the client a 
dynamic address to be used by the virtual adapter. Be sure to setup the 
DHCP pool for a network that does not exist behind the fortigate or you 
will have policy conflicts. Here is what my DHCP pool looks like for 
reference ...

Name - vpnclient_dhcp
Enable - checked
Type - IPSEC
IP Range - x.x.x.2 - x.x.x.254 ( dhcp pool network used by clients )
Network Mask - 255.255.255.0
Default Gateway - [ IP Address of zywall internal interface ]
Domain - shrew.net
Lease Time - 5 minutes ( or whatever you deem appropriate )

You then create a policy to allow the client to establish a temporary 
IPsec SA. This is used to support a DHCP conversation that takes place 
between the client public adapter and the Zygate public interface. 
Please note that all Zygate IPsec policies are defined as LOCAL -> 
REMOTE. Here is what mine looks like for reference ...

Source Interface/Zone - external
Source Address - [ IP Address of zywall external interface ]
Destination Interface/Zone - external
Destination Address - [ Any 0.0.0.0/0.0.0.0 ]
Schedule - always
Service - DHCP ( limit to only DHCP )
Action - IPSEC

VPN Tunnel - [ phase1 name used by dialup group ]
Allow inbound - checked
Allow outbound - checked
Inbound NAT - unchecked
Outbound NAT - unchecked

Eventually, you will need one or more policies that allow clients to 
establish IPsec SAs for communicating with private networks. Here is 
what mine looks like for reference ...

Source Interface/Zone - internal
Source Address - [ private network behind the gateway ]
Destination Interface/Zone - external
Destination Address - x.x.x.0/24 ( dhcp pool network used by clients )
Schedule - always
Service - ANY ( or whatever you deem appropriate )
Action - IPSEC

VPN Tunnel - [ phase1 name used by dialup group ]
Allow inbound - checked
Allow outbound - checked
Inbound NAT - unchecked
Outbound NAT - unchecked

The only other configuration required is to setup phase1 and phase2 
under Auto IKE but you already have this squared away. The only thing to 
remember is that the phase2 DHCP-IPsec option needs to be checked which 
allows IPsec protected DHCP requests to be inspected by the dhcp server 
on the external interface.

To test client connectivity, you will need to use the VPN Client 2.1.0 
alpha build or later. Please remember to change your Site Configuration 
Auto Configuration option to "dhcp over ipsec" under the General tab. 
That should be it.

The Zywall documentation link shown above is compliments of Harondel J. 
Sibble. His knowledge of the Zywall platform dwarfs my own. We can only 
hope that if any information included in this email is botched, he will 
jump in and set us straight :)

Hope this helps,

-Matthew
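As an added illustration (not part of Matthew's message, and not code from Shrew Soft, ZyXEL or Fortinet), the DHCP pool and the two IPsec policies described above can be written down as plain Python records and checked against the caveats the message states: the pool must not overlap any network behind the gateway, the external-to-external bootstrap policy should be limited to the DHCP service, the data policy's destination should be the client pool, and NAT should stay unchecked. The dataclass field names, the 10.99.0.0/24 pool, the 192.168.10.0/24 LAN and the 203.0.113.1 gateway address are all constructed stand-ins for the x.x.x.x placeholders, not the gateway's own configuration syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DhcpPool:
    name: str
    pool_type: str      # "IPSEC" in the post
    network: str        # CIDR handed out to clients (the post's x.x.x.0/24)


@dataclass
class Policy:
    name: str
    src_zone: str
    src_addr: str       # CIDR or "any"
    dst_zone: str
    dst_addr: str       # CIDR or "any"
    service: str        # "DHCP", "ANY", ...
    action: str         # "IPSEC" in the post
    inbound_nat: bool = False
    outbound_nat: bool = False


def _net(addr: str) -> Optional[ipaddress.IPv4Network]:
    """Parse a CIDR; 'any' becomes None."""
    return None if addr.lower() == "any" else ipaddress.ip_network(addr, strict=False)


def audit(pool: DhcpPool, internal_networks: List[str], policies: List[Policy]) -> List[str]:
    """Return a list of findings; an empty list means the set matches the post's layout."""
    findings = []
    pool_net = ipaddress.ip_network(pool.network)

    if pool.pool_type.upper() != "IPSEC":
        findings.append(f"pool {pool.name}: type is {pool.pool_type}, expected IPSEC")
    # The post's warning: a pool carved out of a real internal network causes policy conflicts.
    for n in internal_networks:
        if pool_net.overlaps(ipaddress.ip_network(n)):
            findings.append(f"pool {pool.name}: {pool.network} overlaps internal network {n}")

    # Bootstrap policy: external -> external, used only for the DHCP exchange.
    bootstrap = [p for p in policies if p.src_zone == "external" and p.dst_zone == "external"]
    if not bootstrap:
        findings.append("no external->external bootstrap policy for the DHCP conversation")
    for p in bootstrap:
        if p.service.upper() != "DHCP":
            findings.append(f"policy {p.name}: bootstrap service is {p.service}, should be limited to DHCP")

    # Data policy: internal -> external, destination must be the client pool.
    data = [p for p in policies if p.src_zone == "internal" and p.dst_zone == "external"]
    if not data:
        findings.append("no internal->external policy grants clients access to a private network")
    for p in data:
        dst = _net(p.dst_addr)
        if dst is None or not dst.subnet_of(pool_net):
            findings.append(f"policy {p.name}: destination {p.dst_addr} is not the client pool {pool.network}")

    for p in policies:
        if p.action.upper() != "IPSEC":
            findings.append(f"policy {p.name}: action is {p.action}, expected IPSEC")
        if p.inbound_nat or p.outbound_nat:
            findings.append(f"policy {p.name}: NAT is enabled, the post leaves both NAT boxes unchecked")
    return findings


# Constructed sample mirroring the post: 10.99.0.0/24 stands in for the x.x.x.0/24 pool,
# 192.168.10.0/24 for the private LAN, 203.0.113.1 for the gateway's external address.
INTERNAL_NETWORKS = ["192.168.10.0/24"]
POOL = DhcpPool("vpnclient_dhcp", "IPSEC", "10.99.0.0/24")
POLICIES = [
    Policy("dhcp_bootstrap", "external", "203.0.113.1/32", "external", "any", "DHCP", "IPSEC"),
    Policy("client_to_lan", "internal", "192.168.10.0/24", "external", "10.99.0.0/24", "ANY", "IPSEC"),
]


def good_config_findings() -> List[str]:
    return audit(POOL, INTERNAL_NETWORKS, POLICIES)


def bad_config_findings() -> List[str]:
    """A pool carved out of the LAN, a bootstrap policy opened to ANY with outbound NAT on."""
    bad_pool = DhcpPool("vpnclient_dhcp", "IPSEC", "192.168.10.128/25")
    bad_bootstrap = Policy("dhcp_bootstrap", "external", "203.0.113.1/32", "external", "any",
                           "ANY", "IPSEC", outbound_nat=True)
    return audit(bad_pool, INTERNAL_NETWORKS, [bad_bootstrap, POLICIES[1]])


if __name__ == "__main__":
    print("good config:", good_config_findings() or "no findings")
    for f in bad_config_findings():
        print("FINDING:", f)
```

Running it reports nothing for the layout the post describes and four findings for the broken variant: the pool overlap, the over-broad bootstrap service, a data policy whose destination no longer matches the pool, and the NAT box that should be unchecked.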


