[Vpn-help] Zyall Commercial IPSec Gateway
Matthew Grooms
mgrooms at shrew.net
Fri Nov 30 19:34:57 CST 2007
Stephen Cohoon wrote:
> Matthew,
>
> Good belated Thanksgiving to you. I've been inching along with the
> client and zywall. This is what I have so far.
>
Let's try again. But this time, I will do my best to actually stick to
the subject of Zywall gateways :) As you have observed, the client is
passing phase1 authentication successfully. Where it's getting stuck is
when it attempts to obtain a virtual adapter address automatically from
the gateway.
> If I configure the client with "Pull," the client banner will show that
> it's connected but the log reports that phase 2 was not found.
>
In this instance, the client is sending a configuration pull request
message and never receives a response. The phase2 not found message is
not necessarily an error. Please see the following reply for details.
http://lists.shrew.net/pipermail/vpn-help/2007-November/000820.html
> If I configure the client with "Push," the client will stop at phase 2
> reporting the same. In both instances, though, phase 1 completes
> successfully.
>
In this instance, the client is waiting on a configuration push message
that never arrives.
> I've tried removing extra variables by not using NATT but leaving the
> configuration as "enabled" -- I read in the help documentation that it
> would determine on its own whether to use it or not.
>
If NATT is set to enabled, the client will use this feature only if the
peer gateway supports it. This is determined by inspecting the vendor
IDs produced by the gateway during phase1 negotiation.
The only model I have in my test lab is a Zywall 5 security appliance.
If you use an authentication method that does not require XAuth, the
2.0.3 client may be able to work. The 2.1.0 alpha 1 and later client
builds include a work-around for an invalid hash value that gets sent by
the Zywall during Xauth. So if you plan to use extended authentication,
2.0.3 is not an option.
To my knowledge, the Zywall product line does not support any auto
configuration method that can be used to obtain a unique virtual adapter
address for VPN clients. If anyone has information that is contrary to
this, please speak up. I have been known to get my wires crossed from
time to time :)
For now, you only have a few options ...
If you use a 2.0.x version of the Shrew Soft client, you will need to
make sure to disable all options that require a configuration exchange.
If you use the 2.1.0 alpha 1 or later, simply disable Auto Configuration
in the general tab.
1) Select the "Use a virtual adapter and assigned address" method. Each
client that connects to the gateway will need to have a unique virtual
address manually configured. If more than one client connects to the
gateway simultaneously using the same address, it will have conflicts
and I assume one of them will stop working unexpectedly.
2) Select the "Use an existing adapter and current address" option under
the General tab. This also works with my Zywall but has some severe
limitations in a production environment ...
a) Two clients cannot use the same public adapter address
simultaneously when connecting to the Zywall gateway. This can
happen easily if two clients exist behind different SOHO firewalls
and receive the same address via DHCP. Essentially, this creates
a similar problem to using option (1) and configuring identical
virtual adapter address for more than one client.
b) The Zywall needs to be the default gateway for the network it
protects or NAT all inbound IPsec traffic that passes to the private
network. Otherwise, the return traffic destined to the client will
go out your default gateway instead of being seen by the Zywall.
c) The client cannot use a public adapter address that exists in any
private network protected by the Zywall. If this happens, you will
end up with a very confused gateway that doesn't know which direction
to pass the traffic. This can easily happen, again, if the client
exists behind a SOHO firewall that uses an IP pool that maps to one
of your internal networks.
Getting phase1 to work shouldn't be much of a problem. The phase2 policy
just needs to be created using a wildcard remote network ID. Here is how
mine is configured for reference ...
Active - checked
Name - clientpolicy
Protocol - 0 ( or whatever you deem appropriate )
Nailed-Up - unchecked
Allow NetBIOS broadcast Traffic Through IPSec Tunnel - unchecked
Check IPSec Tunnel Connectivity - unchecked
Gateway Policy - [ phase1 client gateway policy name ]
Local Network - Subnet Addr : x.x.x.0/24 [ protected private network ]
Local port start - 0
Local port end - 0
Remote Network - Single Addr : 0.0.0.0
Encapsulation Mode - Tunnel
Active Protocol - ESP
Encryption Algorithm - 3DES
Authentication Algorithm - MD4
SA Life Time (Seconds) - 3600
Perfect Forward Secrecy (PFS) NONE
Enable Replay Detection - enabled
Enable Multiple Proposals - disabled
So there you have it. Zywall is far from my favorite appliance because
it lacks the ability to manage client virtual adapter addresses. Cisco,
Juniper, Fortigate and SonicWalls ( just picked up a TZ 150 ) all seem
to do better in this respect. Open source software such as ipsec-tools,
Shrew Soft iked and even some of the Free/Open/Strong/Swan products are
capable of this as well. Hopefully this limitation will be removed in a
future release of the Zywall firmware.
Thanks,
-Matthew
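The NAT-T decision Matthew describes (the client enables NAT-T only if the gateway advertises it through Vendor ID payloads during phase 1) can be reproduced offline. The following is an added example, not Shrew Soft or ZyXEL code: it frames a constructed IKEv1 phase 1 responder message in RFC 2408 ISAKMP format, walks the payload chain, collects the Vendor ID payloads and matches them against the NAT-T vendor IDs, which are the MD5 of the draft or RFC name as RFC 3947 specifies. The cookies, the SA placeholder body and the "unknown" vendor ID are constructed values, and the parser refuses any message whose declared lengths do not match the bytes it was given.

```python
"""Decide whether an IKEv1 peer supports NAT-T from its phase 1 Vendor IDs.

Added example, not Shrew Soft or ZyXEL code. The sample messages are
constructed here; the NAT-T vendor IDs are computed with MD5 exactly as the
drafts and RFC 3947 define them, so nothing is hard-coded from memory."""
import hashlib
import struct

ISAKMP_HDR_LEN = 28            # RFC 2408 section 3.1: 28-byte fixed header
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_VID = 0, 1, 13

# NAT-T vendor IDs, newest first. Each is MD5 over the draft or RFC name.
NATT_NAMES = (
    "RFC 3947",
    "draft-ietf-ipsec-nat-t-ike-03",
    "draft-ietf-ipsec-nat-t-ike-02\n",
    "draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-00",
)
NATT_VIDS = {hashlib.md5(n.encode()).digest(): n for n in NATT_NAMES}


def build_message(payloads, icookie=b"\x11" * 8, rcookie=b"\x22" * 8):
    """Frame (type, body) pairs as an ISAKMP main-mode message (exchange 2).

    Constructed for this example; the cookies are arbitrary."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    header = struct.pack("!8s8sBBBBII", icookie, rcookie, first,
                         0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(chain))
    return header + chain


def parse_vendor_ids(msg):
    """Walk the payload chain and return every Vendor ID payload body.

    Raises ValueError when the declared lengths disagree with the bytes
    given, so a truncated or forged chain is rejected rather than misread."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    _, _, next_type, _, _, _, _, total = struct.unpack(
        "!8s8sBBBBII", msg[:ISAKMP_HDR_LEN])
    if total != len(msg):
        raise ValueError("ISAKMP length field does not match message size")
    vids, off = [], ISAKMP_HDR_LEN
    while next_type != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("payload length out of range")
        if next_type == PAYLOAD_VID:
            vids.append(msg[off + 4:off + plen])
        next_type, off = following, off + plen
    if off != len(msg):
        raise ValueError("trailing bytes after last payload")
    return vids


def natt_variant(vids):
    """Return the newest NAT-T variant the peer advertised, or None."""
    advertised = {NATT_VIDS[v] for v in vids if v in NATT_VIDS}
    for name in NATT_NAMES:
        if name in advertised:
            return name
    return None


# Constructed phase 1 responder messages. The SA body is a placeholder and
# the 0xdeadbeef VID stands in for a vendor-private ID a gateway may send.
GATEWAY_WITH_NATT = build_message([
    (PAYLOAD_SA, b"\x00" * 8),
    (PAYLOAD_VID, hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02").digest()),
    (PAYLOAD_VID, hashlib.md5(b"RFC 3947").digest()),
    (PAYLOAD_VID, b"\xde\xad\xbe\xef" * 4),
])
GATEWAY_WITHOUT_NATT = build_message([
    (PAYLOAD_SA, b"\x00" * 8),
    (PAYLOAD_VID, b"\xde\xad\xbe\xef" * 4),
])

if __name__ == "__main__":
    for label, msg in (("with", GATEWAY_WITH_NATT),
                       ("without", GATEWAY_WITHOUT_NATT)):
        print(label, "->", natt_variant(parse_vendor_ids(msg)))
```

A gateway that sends no NAT-T vendor ID at all yields None, which is the case where a client set to "enabled" silently falls back to plain IKE/ESP even when a NAT sits in the path; comparing the parsed list against what the gateway's documentation claims is the quickest way to tell whether "enabled" is actually doing anything.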
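The two workarounds in the message above both fail on address collisions: with option (1) two clients configured with the same virtual address, with option (2) two clients whose public adapter addresses coincide (2a) or a client whose public address falls inside a network the Zywall protects (2c). The following preflight check is an added example, not Shrew Soft or ZyXEL code; the protected networks and the client inventory are constructed, and the mode names "virtual" and "existing" are this example's own labels for options (1) and (2). Limitation (2b), the default-gateway requirement, is a routing property and is not something an address list can check.

```python
"""Preflight the client address plan for a gateway that cannot assign
virtual adapter addresses. Added example, not Shrew Soft or ZyXEL code."""
import ipaddress


def check_deployment(protected_networks, clients, mode):
    """Return a list of problems (empty if the plan is clean).

    protected_networks: networks behind the gateway, e.g. ["192.168.1.0/24"].
    clients: name -> address the client will present. In "virtual" mode it
             is the hand-assigned virtual adapter address (option 1 in the
             post); in "existing" mode it is the client's current public
             adapter address (option 2).
    """
    if mode not in ("virtual", "existing"):
        raise ValueError("mode must be 'virtual' or 'existing'")
    nets = [ipaddress.ip_network(n, strict=False) for n in protected_networks]
    problems, owner = [], {}
    for name, addr in clients.items():
        ip = ipaddress.ip_address(addr)
        # Option 1 and 2(a): two peers presenting one address collide and
        # the gateway ends up tracking only one of them.
        if ip in owner:
            problems.append(f"{name} shares address {ip} with {owner[ip]}")
        else:
            owner[ip] = name
        if mode != "existing":
            continue
        # 2(c): an address drawn from a protected range leaves the gateway
        # unable to tell which side of the tunnel the traffic belongs to.
        for net in nets:
            if ip in net:
                problems.append(
                    f"{name}: address {ip} lies inside protected network {net}")
    return problems


# Constructed inventory: alice sits behind a SOHO router whose pool maps to
# the office LAN; bob and carol received the same DHCP address at home.
PROTECTED = ["192.168.1.0/24", "10.10.0.0/16"]
EXISTING_ADDRESSES = {
    "alice": "192.168.1.20",
    "bob": "203.0.113.9",
    "carol": "203.0.113.9",
}
VIRTUAL_ADDRESSES = {"alice": "10.200.0.1", "bob": "10.200.0.2"}

if __name__ == "__main__":
    for mode, clients in (("existing", EXISTING_ADDRESSES),
                          ("virtual", VIRTUAL_ADDRESSES)):
        for problem in check_deployment(PROTECTED, clients, mode) or ["ok"]:
            print(mode, "->", problem)
```

Run it against the real protected networks and the real client list before rollout; a clean result for "virtual" mode still depends on every client keeping its own unique address in its saved configuration.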