I'm using a SonicWall Pro-300, firmware version 6.3.1.0 and FreeS/WAN 1.97 on Debian GNU/Linux 2.4, kernel 2.4.18.

This is my setup:

Corporate Networks
(192.168.0.0/24; 192.168.1.0/24; 172.16.0.0/16)
|
SonicWall Firewall (100.0.0.243)
|
Corporate Router (100.0.0.241)
|
[INTERNET]
|
Home Gateway (200.0.0.1)
|
FreeS/WAN (200.0.0.17)
|
Local LAN (192.168.10.0/24)

For security reasons, the public IP addresses shown here are fictitious.

Because there are multiple networks on the corporate side, you need to configure multiple SAs on the FreeS/WAN side, one conn per corporate network. This is not necessary on the SonicWall, where a single SA entry suffices.

SonicWall setup:

    Unique Firewall Identifier: firewall@corporate.com
    Security Association: FreeSwan
    IPSec Keying Mode: IKE using Preshared Secret
    Name: FreeSwan
    IPSec Gateway Address: 200.0.0.17
    Phase 1 DH Group: Group 2
    SA Lifetime (secs): 28800
    Phase 1 Encryption/Authentication: 3DES & MD5
    Phase 2 Encryption/Authentication: Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)
    Shared Secret: thisisatest
    Destination Networks:
    192.168.10.0 255.255.255.0
    Advanced Options:
    Enable Perfect Forward Secrecy : Checked
    Phase 2 DH Group: Group 2

FreeS/WAN Setup:

    /etc/ipsec.conf:

    config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search
        uniqueids=yes

    conn Corpnet1
        type=tunnel
        auto=add
        auth=esp
        authby=secret
        pfs=yes
        keyingtries=1
        left=200.0.0.17
        leftnexthop=200.0.0.1
        leftsubnet=192.168.10.0/24
        right=100.0.0.243
        rightnexthop=100.0.0.241
        rightsubnet=192.168.0.0/24
        rightid=100.0.0.243
        esp=3des-hmac-md5
        keyexchange=ike

    conn Corpnet2
        type=tunnel
        auto=add
        auth=esp
        authby=secret
        pfs=yes
        keyingtries=1
        left=200.0.0.17
        leftnexthop=200.0.0.1
        leftsubnet=192.168.10.0/24
        right=100.0.0.243
        rightnexthop=100.0.0.241
        rightsubnet=192.168.1.0/24
        rightid=100.0.0.243
        esp=3des-hmac-md5
        keyexchange=ike

    conn Corpnet3
        type=tunnel
        auto=add
        auth=esp
        authby=secret
        pfs=yes
        keyingtries=1
        left=200.0.0.17
        leftnexthop=200.0.0.1
        leftsubnet=192.168.10.0/24
        right=100.0.0.243
        rightnexthop=100.0.0.241
        rightsubnet=172.16.0.0/16
        rightid=100.0.0.243
        esp=3des-hmac-md5
        keyexchange=ike

    /etc/ipsec.secrets:

    100.0.0.243 200.0.0.17 : PSK "thisisatest"

I ran into some problems during phase 1 of the IKE negotiation, until I noticed that outgoing IKE packets were being denied by the firewall. After I fixed this, I got nice responses from the SW on the FreeS/WAN side.
I tested this setup with iptables/ipchains disabled, to make sure no packets were being dropped.

Because my FreeS/WAN machine is also my own workstation, I wanted to access the corporate LANs from my gateway, as well as from machines on my local LAN. Because of this, I masqueraded all traffic to the corporate LAN with the address of my internal network card (192.168.1.10):

iptables -t nat -A POSTROUTING -o ipsec0 -j SNAT --to 192.168.1.10

This line should be before any other masquerade rules.
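Since every extra corporate subnet means another near-identical conn section, and the SNAT address has to agree with those subnets, the following added Python script (not part of the original post or of FreeS/WAN) generates the conn sections from a list of remote subnets and checks that the masquerade address lies inside leftsubnet and outside every corporate subnet. The addresses in it are constructed to mirror the layout above; the function names are my own.

```python
import ipaddress

# Constructed sample values mirroring the layout in the post (public IPs fictitious).
LOCAL = {"left": "200.0.0.17", "leftnexthop": "200.0.0.1", "leftsubnet": "192.168.10.0/24"}
CORP = {"right": "100.0.0.243", "rightnexthop": "100.0.0.241", "rightid": "100.0.0.243"}
CORP_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "172.16.0.0/16"]

# Same parameters as the post's conn sections; only the name and rightsubnet vary.
CONN_TEMPLATE = (
    "conn {name}\n"
    "\ttype=tunnel\n\tauto=add\n\tauth=esp\n\tauthby=secret\n\tpfs=yes\n"
    "\tkeyingtries=1\n\tleft={left}\n\tleftnexthop={leftnexthop}\n"
    "\tleftsubnet={leftsubnet}\n\tright={right}\n\trightnexthop={rightnexthop}\n"
    "\trightsubnet={rightsubnet}\n\trightid={rightid}\n\tesp=3des-hmac-md5\n"
    "\tkeyexchange=ike\n"
)


def render_conns(prefix, local, corp, corp_subnets):
    """Emit one conn section per corporate subnet (Corpnet1, Corpnet2, ...);
    a corporate subnet that overlaps the local LAN is rejected outright."""
    local_net = ipaddress.ip_network(local["leftsubnet"])
    sections = []
    for i, subnet in enumerate(corp_subnets, start=1):
        net = ipaddress.ip_network(subnet)
        if net.overlaps(local_net):
            raise ValueError(f"{subnet} overlaps local subnet {local_net}")
        sections.append(CONN_TEMPLATE.format(name=f"{prefix}{i}",
                                             rightsubnet=subnet, **local, **corp))
    return "\n".join(sections)


def snat_source_problems(source_ip, local, corp_subnets):
    """Check the address used in `-j SNAT --to <source_ip>` on ipsec0: it must
    lie inside leftsubnet (the far side only routes that subnet back into the
    tunnel) and outside every corporate subnet. Returns [] when it is fine."""
    ip = ipaddress.ip_address(source_ip)
    problems = []
    if ip not in ipaddress.ip_network(local["leftsubnet"]):
        problems.append(f"{source_ip} is outside leftsubnet {local['leftsubnet']}")
    for subnet in corp_subnets:
        if ip in ipaddress.ip_network(subnet):
            problems.append(f"{source_ip} lies inside corporate subnet {subnet}")
    return problems


if __name__ == "__main__":
    print(render_conns("Corpnet", LOCAL, CORP, CORP_SUBNETS))
    print(snat_source_problems("192.168.10.1", LOCAL, CORP_SUBNETS))  # []
```

The generated text can be appended to the config setup section of /etc/ipsec.conf; run the check against whatever address you put in the SNAT rule before adding the rule.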

If you have any questions, mail them to freeswan at evenflow.nl (don't forget to remove the _REMOVE_)