This document describes the setup of an IPsec tunnel between a Linux machine running FreeS/WAN and a SonicWall Pro-300, using NAT-T (NAT-Traversal).
It can be seen as an extension of a previously written document in which I describe a normal tunnel setup between these two pieces of hardware. That document can be found here.
Because I moved to a new home, which already has a network and a gateway, I had to figure out a new setup for my Linux machine. At first I tried to set up FreeS/WAN on our home Linux gateway (P100, 32 MB), but that machine refused to compile a new kernel.
I also didn't want to give corporate access to all my house-mates. I could have firewalled some things on the gateway, but since I'm not the only root on that machine, it didn't seem like a good idea.
I found out that both the SonicWall and a (patched) FreeS/WAN can do NAT-Traversal, which lets the two devices set up a tunnel through a NAT device.
Because I use NAT-T and therefore behave like a road warrior, I was able to use the GroupVPN SA on the SonicWall (this SA should already be preconfigured).
I'm using a SonicWall Pro-300, firmware version 6.3.1.0, and FreeS/WAN 1.98b with Mathieu Lafon's NAT Traversal v0.4 patch [v1.98b] on Debian GNU/Linux 3.0, kernel 2.4.19.
This is my setup (for security reasons, the public IPs shown are made up):

    Corporate networks (192.168.0.0/24, 192.168.1.0/24, 172.16.0.0/16)
      -- SonicWall firewall (100.0.0.243)
      -- Corporate router (100.0.0.241)
      -- Internet
      -- home NAT gateway (192.168.10.110 on the home LAN)
      -- Linux machine running FreeS/WAN (192.168.10.66)

Because there are multiple networks on the corporate side, you need to configure multiple SAs on the FreeS/WAN side, one per corporate subnet. Nothing extra has to be done on the SonicWall for this.
SonicWall setup:
- Unique Firewall Identifier: firewall@corporate.com
- Security Association: GroupVPN
- IPSec Keying Mode: IKE using Preshared Secret
- Phase 1 DH Group: Group 1
- SA Lifetime (secs): 28800
- Phase 1 Encryption/Authentication: 3DES & SHA1
- Phase 2 Encryption/Authentication: Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)
- Shared Secret: thisisatest
- Advanced Options:
  - Phase 2 DH Group: Group 2
FreeS/WAN setup:
- /etc/ipsec.conf (section headers start at column 0, parameters are indented; the notes are written as '#' comments so the file parses as-is):

    config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes                # NOTE THIS!

    conn GroupVPN0
        type=tunnel
        auto=start
        auth=esp
        authby=secret
        pfs=no
        keyingtries=1
        left=192.168.10.66
        leftnexthop=192.168.10.110
        leftsubnet=192.168.10.66/32      # NOTE: subnet becomes one host
        right=100.0.0.243
        rightnexthop=100.0.0.241
        rightsubnet=192.168.0.0/24
        esp=3des-hmac-md5
        keyexchange=ike

    conn GroupVPN1
        type=tunnel
        auto=start
        auth=esp
        authby=secret
        pfs=no
        keyingtries=1
        left=192.168.10.66
        leftnexthop=192.168.10.110
        leftsubnet=192.168.10.66/32      # NOTE: subnet becomes one host
        right=100.0.0.243
        rightnexthop=100.0.0.241
        rightsubnet=192.168.1.0/24
        esp=3des-hmac-md5
        keyexchange=ike

    conn GroupVPN2
        type=tunnel
        auto=start
        auth=esp
        authby=secret
        pfs=no
        keyingtries=1
        left=192.168.10.66
        leftnexthop=192.168.10.110
        leftsubnet=192.168.10.66/32      # NOTE: subnet becomes one host
        right=100.0.0.243
        rightnexthop=100.0.0.241
        rightsubnet=172.16.0.0/16
        esp=3des-hmac-md5
        keyexchange=ike
- /etc/ipsec.secrets:

    100.0.0.243 192.168.10.66 : PSK "thisisatest"
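The three conns above differ only in rightsubnet, and the secrets line must name the same endpoint pair that every conn uses. The following Python script is an added example, not part of the original page or of FreeS/WAN: it parses the ipsec.conf layout shown above (headers at column 0, indented key=value parameters, '#' comments) and the PSK lines of ipsec.secrets, then checks the points that matter for this road-warrior setup: nat_traversal=yes is present, all conns agree on left/right endpoints, each leftsubnet is the single host, no rightsubnet is listed twice, a PSK line covers the endpoint pair, and the PSK is not short. The sample config is constructed inline from the page's own values; the check messages and the 20-character PSK threshold are this example's own choices.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the ipsec.conf from this page, with the three
# GroupVPN conns generated from the corporate subnet list (one per subnet).
CORP_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "172.16.0.0/16"]

def _conn(name, subnet):
    return (f"conn {name}\n    type=tunnel\n    auto=start\n    auth=esp\n"
            "    authby=secret\n    pfs=no\n    keyingtries=1\n"
            "    left=192.168.10.66\n    leftnexthop=192.168.10.110\n"
            "    leftsubnet=192.168.10.66/32\n    right=100.0.0.243\n"
            "    rightnexthop=100.0.0.241\n"
            f"    rightsubnet={subnet}\n    esp=3des-hmac-md5\n    keyexchange=ike\n")

SAMPLE_CONF = ("config setup\n    interfaces=%defaultroute\n    klipsdebug=none\n"
               "    plutodebug=all\n    plutoload=%search\n    plutostart=%search\n"
               "    uniqueids=yes\n    nat_traversal=yes\n"
               + "".join("\n" + _conn(f"GroupVPN{i}", s) for i, s in enumerate(CORP_SUBNETS)))
SAMPLE_SECRETS = '100.0.0.243 192.168.10.66 : PSK "thisisatest"\n'

def parse_ipsec_conf(text):
    """Parse FreeS/WAN ipsec.conf: section headers at column 0, parameters
    indented, '#' comments. Returns {"setup": {...}, "<conn name>": {...}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            if kind == "config" and name.strip() == "setup":
                current = "setup"
            elif kind == "conn" and name.strip():
                current = name.strip()
            else:
                raise ValueError(f"unknown section header: {line!r}")
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"parameter before any section: {line!r}")
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def parse_secrets(text):
    """Return [(ids, psk)] for every 'id id ... : PSK "secret"' line."""
    out = []
    for line in text.splitlines():
        m = re.match(r'^\s*([^:#]*?)\s*:\s*PSK\s+"([^"]*)"', line)
        if m:
            out.append((tuple(m.group(1).split()), m.group(2)))
    return out

def check(conf_text, secrets_text, min_psk_len=20):
    """Return (level, message) findings for the road-warrior layout on this page."""
    findings = []
    sections = parse_ipsec_conf(conf_text)
    setup = sections.get("setup", {})
    conns = {n: p for n, p in sections.items() if n != "setup"}
    secrets = parse_secrets(secrets_text)

    if setup.get("nat_traversal") != "yes":
        findings.append(("error", "config setup lacks nat_traversal=yes; "
                                  "IKE behind a NAT gateway will not complete"))
    if setup.get("plutodebug", "none") == "all":
        findings.append(("info", "plutodebug=all is very verbose; set it to none "
                                 "once the tunnel works"))
    # Several SAs to one gateway must agree on all four endpoint addresses.
    endpoints = {(p.get("left"), p.get("leftnexthop"), p.get("right"),
                  p.get("rightnexthop")) for p in conns.values()}
    if len(endpoints) > 1:
        findings.append(("error", "conns disagree on left/right endpoints"))

    seen = {}  # rightsubnet -> first conn that claimed it
    for name, p in conns.items():
        left = p.get("left")
        if p.get("leftsubnet") != f"{left}/32":
            findings.append(("warn", f"{name}: leftsubnet should be {left}/32 "
                                     "for a single NATed host"))
        try:
            net = ip_network(p.get("rightsubnet", ""))
        except ValueError:
            findings.append(("error", f"{name}: bad rightsubnet {p.get('rightsubnet')!r}"))
            continue
        if net in seen:
            findings.append(("error", f"{name}: rightsubnet {net} duplicates {seen[net]}"))
        seen[net] = name
        if p.get("authby") == "secret" and not any(
                {left, p.get("right")} <= set(ids) for ids, _ in secrets):
            findings.append(("error", f"{name}: no PSK line covers {p.get('right')} {left}"))

    for ids, psk in secrets:
        if len(psk) < min_psk_len:
            findings.append(("warn", f"PSK for {' '.join(ids)} is only {len(psk)} "
                                     "characters; use a long random secret"))
    return findings

if __name__ == "__main__":
    for level, msg in check(SAMPLE_CONF, SAMPLE_SECRETS):
        print(f"{level}: {msg}")
```

Run against the page's own values it reports no errors, one informational finding about plutodebug=all, and a warning that the 11-character shared secret is short. The checker says nothing about the firewall in front of the tunnel: the page's rule that 500/udp must pass still applies, and later NAT-T drafts and RFC 3948 carry the UDP-encapsulated ESP on 4500/udp as well, so allow that port too if your firmware negotiates one of those versions.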
I tested this with our home gateway doing NAT (masquerading) only; no other firewall rules were active. If you run a firewall, you must make sure that all 500/udp packets can travel freely. If you have any questions, mail them to freeswan at evenflow.nl.