[Vpn-help] Zyall Commercial IPSec Gateway

Matthew Grooms mgrooms at shrew.net
Fri Nov 30 19:34:57 CST 2007


Stephen Cohoon wrote:
> Matthew,
> 
> Good belated Thanksgiving to you. I've been inching along with the 
> client and zywall. This is what I have so far.
> 

Let's try again. But this time, I will do my best to actually stick to 
the subject of Zywall gateways :) As you have observed, the client is 
passing phase1 authentication successfully. Where it's getting stuck is 
when it attempts to obtain a virtual adapter address automatically from 
the gateway.

> If I configure the client with "Pull," the client banner will show that 
> it's connected but the log reports that phase 2 was not found.
> 

In this instance, the client is sending a configuration pull request 
message and never receives a response. The phase2 not found message is 
not necessarily an error. Please see the following reply for details.

http://lists.shrew.net/pipermail/vpn-help/2007-November/000820.html

> If I configure the client with "Push," the client will stop at phase 2 
> reporting the same. In both instances, though, phase 1 completes 
> successfully.
> 

In this instance, the client is waiting on a configuration push message 
that never arrives.

> I've tried removing extra variables by not using NATT but leaving the 
> configuration as "enabled" -- I read in the help documentation that it 
> would determine on its own whether to use it or not.
> 

If NATT is set to enabled, the client will use this feature only if the 
peer gateway supports it. This is determined by inspecting the vendor 
IDs produced by the gateway during phase1 negotiation.

The only model I have in my test lab is a Zywall 5 security appliance. 
If you use an authentication method that does not require XAuth, the 
2.0.3 client may be able to work. The 2.1.0 alpha 1 and later client 
builds include a work-around for an invalid hash value that gets sent by 
the Zywall during Xauth. So if you plan to use extended authentication, 
2.0.3 is not an option.

To my knowledge, the Zywall product line does not support any auto 
configuration method that can be used to obtain a unique virtual adapter 
address for VPN clients. If anyone has information that is contrary to 
this, please speak up. I have been known to get my wires crossed from 
time to time :)

For now, you only have a few options ...

If you use a 2.0.x version of the Shrew Soft client, you will need to 
make sure to disable all options that require a configuration exchange. 
If you use the 2.1.0 alpha 1 or later, simply disable Auto Configuration 
in the general tab.

1) Select the "Use a virtual adapter and assigned address" method. Each 
client that connects to the gateway will need to have a unique virtual 
address manually configured. If more than one client connects to the 
gateway simultaneously using the same address, it will have conflicts 
and I assume one of them will stop working unexpectedly.

2) Select the "Use an existing adapter and current address" option under 
the General tab. This also works with my Zywall but has some severe 
limitations in a production environment ...

   a) Two clients cannot use the same public adapter address
   simultaneously when connecting to the Zywall gateway. This can
   happen easily if two clients exist behind different SOHO firewalls
   and receive the same address via DHCP. Essentially, this creates
   a similar problem to using option (1) and configuring identical
   virtual adapter addresses for more than one client.

   b) The Zywall needs to be the default gateway for the network it
   protects or NAT all inbound IPsec traffic that passes to the private
   network. Otherwise, the return traffic destined to the client will
   go out your default gateway instead of being seen by the Zywall.

   c) The client cannot use a public adapter address that exists in any
   private network protected by the Zywall. If this happens, you will
   end up with a very confused gateway that doesn't know which direction
   to pass the traffic. This can easily happen, again, if the client
   exists behind a SOHO firewall that uses an IP pool that maps to one
   of your internal networks.

Getting phase1 to work shouldn't be much of a problem. The phase2 policy 
just needs to be created using a wildcard remote network ID. Here is how 
mine is configured for reference ...

Active - checked
Name - clientpolicy
Protocol - 0 ( or whatever you deem appropriate )
Nailed-Up - unchecked
Allow NetBIOS broadcast Traffic Through IPSec Tunnel - unchecked
Check IPSec Tunnel Connectivity - unchecked

Gateway Policy - [ phase1 client gateway policy name ]

Local Network - Subnet Addr : x.x.x.0/24 [ protected private network ]
Local port start - 0
Local port end - 0

Remote Network - Single Addr : 0.0.0.0

Encapsulation Mode - Tunnel
Active Protocol - ESP
Encryption Algorithm - 3DES
Authentication Algorithm - MD4
SA Life Time (Seconds) - 3600
Perfect Forward Secrecy (PFS) - NONE

Enable Replay Detection - enabled
Enable Multiple Proposals - disabled

So there you have it. Zywall is far from my favorite appliance because 
it lacks the ability to manage client virtual adapter addresses. Cisco, 
Juniper, Fortigate and SonicWalls ( just picked up a TZ 150 ) all seem 
to do better in this respect. Open source software such as ipsec-tools, 
Shrew Soft iked and even some of the Free/Open/Strong/Swan products are 
capable of this as well. Hopefully this limitation will be removed in a 
future release of the Zywall firmware.

Thanks,

-Matthew
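The address constraints described in the message above (option 1's requirement for unique virtual adapter addresses, limitation (a)'s same-public-address clash, and limitation (c)'s overlap with a protected network) can be checked before rolling out client profiles. The following is an added example, not code from the post or from the Shrew Soft project; the protected network, client names and addresses are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Protected private network behind the Zywall. Constructed sample value;
# the post only gives it as "x.x.x.0/24".
PROTECTED_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample of client endpoints: the address each client presents
# to the gateway, either a manually assigned virtual adapter address
# (option 1) or its existing public adapter address (option 2).
CLIENT_ADDRESSES = {
    "alice": "10.9.0.2",
    "bob": "10.9.0.3",
    "carol": "10.9.0.2",       # same address as alice: conflicts at the gateway
    "dave": "192.168.10.50",   # inside the protected network: ambiguous routing
}


def find_conflicts(clients: Dict[str, str],
                   protected: List[ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Return (client, reason) pairs for addresses the gateway cannot disambiguate.

    Two checks are applied to every client address:
      1. it must not be reused by another client (option 1 / limitation a);
      2. it must not fall inside any network the gateway protects (limitation c).
    """
    problems: List[Tuple[str, str]] = []
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for name, addr_str in clients.items():
        addr = ipaddress.ip_address(addr_str)
        if addr in seen:
            problems.append((name, f"address {addr} already used by {seen[addr]}"))
        else:
            seen[addr] = name
        for net in protected:
            if addr in net:
                problems.append((name, f"address {addr} overlaps protected network {net}"))
    return problems


if __name__ == "__main__":
    for client, reason in find_conflicts(CLIENT_ADDRESSES, PROTECTED_NETWORKS):
        print(f"{client}: {reason}")
```

Run it against the real list of assigned virtual addresses whenever a profile is added; an empty result means the gateway will see one unambiguous address per client.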


