This document describes the setup of an IPSEC tunnel between a FreeBSD machine running FreeBSD 4.7 and a SonicWall Pro-300.
This document can be seen as an extension of a previously written document where I describe a normal tunnel setup between those two pieces of hardware. This document can be found here.
In another document I described the setup of Linux FreeS/WAN with NAT-T. This document covers the same situation, but with FreeBSD instead of Linux.
Because I use NAT-T and thereby become a kind of road-warrior, I was able to use the GroupVPN SA on the SonicWall (this SA should be preconfigured).
I'm using a SonicWall Pro-300, firmware version 6.3.1.0, and FreeBSD 4.7-RELEASE with racoon (found in /usr/ports/security/racoon) for IKE negotiation.
This is my setup:
Corporate Networks (192.168.0.0/24; 192.168.1.0/24; 172.16.0.0/16)
        |
SonicWall Firewall (100.0.0.243)
        |
Corporate Router (100.0.0.241)
        |
    [INTERNET]
        |
Home (adsl) Router
        |
My FreeBSD laptop

For security reasons, the public IPs are forged. Because there are multiple networks on the corporate side, you need to configure multiple SAs on the FreeS/WAN side. This doesn't have to be done at the SonicWall.
SonicWall setup:
- Unique Firewall Identifier: firewall@corporate.com
Security Association: GroupVPN
IPSec Keying Mode: IKE using Preshared Secret
Phase 1 DH Group: Group 1
SA Lifetime (secs): 28800
Phase 1 Encryption/Authentication: 3DES & SHA1
Phase 2 Encryption/Authentication: Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)
Shared Secret: thisisatest
Advanced Options:
Phase 2 DH Group: Group 2
FreeBSD Setup:
- Kernel configuration
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/IPSEC)
/usr/local/etc/racoon/psk.txt
100.0.0.241 thisisatest
/usr/local/etc/racoon/racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log notify;
padding
{
maximum_length 20; # maximum padding length.
randomize on; # enable randomize length.
randomize_length on;
strict_check off; # enable strict check.
exclusive_tail on; # extract last one octet.
}
listen {
#isakmp ::1 [7000];
#isakmp 202.249.11.124 [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}
timer
{
# These values can be changed per remote node.
counter 5; # maximum number of attempts to send.
interval 40 sec; # maximum interval before resending.
persend 1; # the number of packets per send.
# timer for waiting to complete each phase.
phase1 300 sec;
phase2 300 sec;
}
remote anonymous
{
#exchange_mode main,aggressive;
exchange_mode main,aggressive,base;
doi ipsec_doi;
#situation identity_only;
verify_identifier off;
send_cert off;
send_cr off;
nonce_size 16;
lifetime time 15 min; # sec,min,hour
#lifetime byte 5 MB; # B,KB,GB
initial_contact on;
support_mip6 off;
proposal_check claim; # obey, strict or claim
# If clients are connecting from dynamic addresses
# set generate_policy to "on"
generate_policy on;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
#pfs_group 1;
# commented out pfs_group so that any pfs_group would be accepted
lifetime time 3600 sec;
#lifetime byte 50 MB;
encryption_algorithm 3des,des,cast128 ;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}
### end ###
setkey
# setkey -c
spdadd 192.168.10.217/32 192.168.0.0/24 any -P out ipsec esp/tunnel/192.168.10.217-100.0.0.241/unique ;
spdadd 192.168.0.0/24 192.168.10.217/32 any -P in ipsec esp/tunnel/100.0.0.241-192.168.10.217/unique ;
spdadd 192.168.10.217/32 192.168.1.0/24 any -P out ipsec esp/tunnel/192.168.10.217-100.0.0.241/unique ;
spdadd 192.168.1.0/24 192.168.10.217/32 any -P in ipsec esp/tunnel/100.0.0.241-192.168.10.217/unique ;
spdadd 192.168.10.217/32 172.16.0.0/16 any -P out ipsec esp/tunnel/192.168.10.217-100.0.0.241/unique ;
spdadd 172.16.0.0/16 192.168.10.217/32 any -P in ipsec esp/tunnel/100.0.0.241-192.168.10.217/unique ;
^D
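Each corporate network needs an out/in pair of SPD entries, and typing them by hand is where mismatched tunnel endpoints creep in. The script below is an added example, not part of the original document: it derives the same six spdadd lines from a list of networks, so adding a corporate network means adding one CIDR to the list. The laptop address, gateway address and networks are the ones used above; the output path /tmp/ipsec.spd and the function names are my own choice.

```shell
#!/bin/sh
# Generate setkey(8) SPD entries for a road-warrior FreeBSD host whose traffic to
# several corporate networks must all go through one ESP tunnel to the SonicWall.
# Constructed example; addresses mirror the document above.
LOCAL_IP=192.168.10.217      # private address of the FreeBSD laptop behind the home NAT
GATEWAY=100.0.0.241          # public address of the corporate router (forged, as above)
CORP_NETS="192.168.0.0/24 192.168.1.0/24 172.16.0.0/16"

# gen_spd LOCAL GATEWAY "NET NET ..."
# Prints one outbound and one inbound spdadd statement per corporate network.
# Outbound: laptop -> net, tunnel endpoints laptop-gateway.
# Inbound:  net -> laptop, tunnel endpoints gateway-laptop (the mirror image;
# getting these swapped is the classic reason inbound packets are dropped).
gen_spd() {
    gs_local=$1; gs_gw=$2; gs_nets=$3
    for gs_net in $gs_nets; do
        printf 'spdadd %s/32 %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
            "$gs_local" "$gs_net" "$gs_local" "$gs_gw"
        printf 'spdadd %s %s/32 any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
            "$gs_net" "$gs_local" "$gs_gw" "$gs_local"
    done
}

# count_policies "NET NET ..." -> number of spdadd lines produced (two per network)
count_policies() {
    gen_spd "$LOCAL_IP" "$GATEWAY" "$1" | wc -l | tr -d ' '
}

# install_spd [FILE]
# Writes a setkey script that first flushes the SPD, so entries left over from an
# earlier run cannot shadow the new policy, then adds the generated entries.
# Prints the file name; loading it is left as a comment so the script is safe to
# run on any host. On the FreeBSD laptop run (as root): setkey -f /tmp/ipsec.spd
install_spd() {
    is_out=${1:-/tmp/ipsec.spd}
    {
        echo 'spdflush;'
        gen_spd "$LOCAL_IP" "$GATEWAY" "$CORP_NETS"
    } > "$is_out"
    # setkey -f "$is_out"
    echo "$is_out"
}

# Show the policy that would be loaded for the networks listed above.
gen_spd "$LOCAL_IP" "$GATEWAY" "$CORP_NETS"
```

Run it once to eyeball the output, then `setkey -f` the generated file; `setkey -DP` afterwards shows the installed policies and lets you check that every network has both directions.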
I tested this with our home gateway doing only NAT (masquerading). No other firewall rules were active. If you are running a firewall, you must make sure that all 500/udp packets can travel freely. If you have any questions, mail them to freeswan at evenflow.nl