[strongSwan] Connecting to a Zywall USG 300
Ralf Steppacher
ralf at steppacher.name
Mon Dec 12 21:58:29 CET 2011
Hello all,
I am trying to hook up my Linux home computer (Ubuntu 11.10, strongswan
4.5.2-1.1ubuntu1) to our corporate network behind a Zywall USG 300.
Without success so far. I have the configuration of the working ZyWALL
Windows client as a template.
Based on that configuration I have worked out one configuration that does
not lead to a NO_PROPOSAL_CHOSEN response from the ZyWALL:
config setup
    plutodebug=control
    nat_traversal=yes
    charonstart=no
    plutostart=yes

conn roadwarrior
    left=%defaultroute
    leftsourceip=%modeconfig
    leftsubnet=192.168.1.0/255.255.255.0
    leftid=<my_xauth_user>
    right=<firewall_ip>
    rightsubnet=192.168.50.0/255.255.255.0
    authby=xauthpsk
    ike=3des-md5-modp1024
    esp=3des-sha1
    keyexchange=ikev1
    compress=no
    modeconfig=push
    dpdaction=restart
    type=tunnel
    auto=start
Starting up ipsec with these settings gives me the following 'ipsec status':
000 "roadwarrior": 192.168.1.0/24===192.168.1.120:4500[<my_xauth_user_id>]---192.168.1.1...<firewall_ip>:4500[<firewall_ip>]===192.168.50.0/24; unrouted; eroute owner: #0
000 "roadwarrior": newest ISAKMP SA: #1; newest IPsec SA: #0;
000
000 #1: "roadwarrior" STATE_XAUTH_I2 (sent XAUTH ack, established); EVENT_SA_REPLACE in 10499s; newest ISAKMP
000 #1: pending Phase 2 for "roadwarrior" replacing #0
000
The problem might be with leftsourceip. According to our sys admin the
ZyWALL is configured to not hand out virtual IPs. But if I set the
leftsourceip to an arbitrary, unused IP within the corporate network, or
do not set it at all, I get a NO_PROPOSAL_CHOSEN response and the
following status:
000 "roadwarrior": 192.168.1.0/24===192.168.1.120:4500[<my_xauth_user_id>]---192.168.1.1...<firewall_ip>:4500[<firewall_ip>]===192.168.50.0/24; unrouted; eroute owner: #0
000 "roadwarrior": newest ISAKMP SA: #1; newest IPsec SA: #0;
000
000 #2: "roadwarrior" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 0s
000 #1: "roadwarrior" STATE_XAUTH_I2 (sent XAUTH ack, established); EVENT_SA_REPLACE in 10520s; newest ISAKMP
000
According to our admin this actually looks better on the firewall than
the first scenario that does not give me a NO_PROPOSAL_CHOSEN message.
Maybe someone could advise what exactly the two connection statuses mean
and how to best proceed.
Thanks!
Ralf
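The two "ipsec status" dumps above differ in where the IKEv1 negotiation stops: in both, the ISAKMP SA (#1) is established and XAuth has completed, but in the first no Quick Mode state ever appears (only "pending Phase 2"), while in the second a Quick Mode exchange (#2, STATE_QUICK_I1) was started and is retransmitting because no valid reply came back, which is what a NO_PROPOSAL_CHOSEN notify from the gateway looks like from the client side. The following script is an added example, not part of Ralf's post or of strongSwan; it parses pluto's status lines into Phase 1 / Phase 2 records and prints a verdict. The sample inputs are the two dumps from the post with the mailer's line wraps re-joined (constructed for this example), the grouping of state names into phases is an assumption based on pluto's state naming, and the reading that a pushed ModeConfig (leftsourceip=%modeconfig with modeconfig=push) leaves the client waiting for the gateway before Quick Mode is this example's interpretation, not something the post confirms.

```python
import re

# Pluto state-name prefixes for the ISAKMP SA (Phase 1, including the XAuth
# and ModeConfig exchanges) and for the IPsec SA (Phase 2, Quick Mode).
# Assumption of this example: this grouping is complete for the IKEv1
# road-warrior case shown in the post.
PHASE1_PREFIXES = ("STATE_MAIN_", "STATE_AGGR_", "STATE_XAUTH_", "STATE_MODE_CFG_")
PHASE2_PREFIXES = ("STATE_QUICK_",)

STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_[A-Z0-9_]+)'
    r' \((?P<desc>[^)]*)\);'
    r'(?: (?P<event>EVENT_[A-Z_]+) in (?P<secs>\d+)s)?'
)
NEWEST_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": newest ISAKMP SA: #(?P<isakmp>\d+);'
    r' newest IPsec SA: #(?P<ipsec>\d+);'
)
PENDING_RE = re.compile(r'^000 #(?P<sa>\d+): pending Phase 2 for "(?P<conn>[^"]+)"')

# Constructed sample input: the two dumps from the post, line wraps re-joined.
STATUS_A = """\
000 "roadwarrior": 192.168.1.0/24===192.168.1.120:4500[<my_xauth_user_id>]---192.168.1.1...<firewall_ip>:4500[<firewall_ip>]===192.168.50.0/24; unrouted; eroute owner: #0
000 "roadwarrior": newest ISAKMP SA: #1; newest IPsec SA: #0;
000
000 #1: "roadwarrior" STATE_XAUTH_I2 (sent XAUTH ack, established); EVENT_SA_REPLACE in 10499s; newest ISAKMP
000 #1: pending Phase 2 for "roadwarrior" replacing #0
000
"""
STATUS_B = """\
000 "roadwarrior": 192.168.1.0/24===192.168.1.120:4500[<my_xauth_user_id>]---192.168.1.1...<firewall_ip>:4500[<firewall_ip>]===192.168.50.0/24; unrouted; eroute owner: #0
000 "roadwarrior": newest ISAKMP SA: #1; newest IPsec SA: #0;
000
000 #2: "roadwarrior" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 0s
000 #1: "roadwarrior" STATE_XAUTH_I2 (sent XAUTH ack, established); EVENT_SA_REPLACE in 10520s; newest ISAKMP
000
"""


def phase_of(state):
    """Map a pluto state name to IKEv1 phase 1 or 2 (None if unknown)."""
    if state.startswith(PHASE1_PREFIXES):
        return 1
    if state.startswith(PHASE2_PREFIXES):
        return 2
    return None


def parse_status(text):
    """Parse 'ipsec status' output into per-SA records plus the newest-SA summary."""
    result = {"newest_isakmp": 0, "newest_ipsec": 0, "sas": [], "pending_phase2": False}
    for line in text.splitlines():
        line = line.rstrip()
        m = NEWEST_RE.match(line)
        if m:
            result["newest_isakmp"] = int(m.group("isakmp"))
            result["newest_ipsec"] = int(m.group("ipsec"))
            continue
        if PENDING_RE.match(line):
            result["pending_phase2"] = True
            continue
        m = STATE_RE.match(line)
        if m:
            result["sas"].append({
                "sa": int(m.group("sa")),
                "state": m.group("state"),
                "phase": phase_of(m.group("state")),
                # pluto marks a finished Phase 1 with "established" in the description
                "established": "established" in m.group("desc"),
                "event": m.group("event"),
                "secs": int(m.group("secs")) if m.group("secs") else None,
            })
    return result


def diagnose(status):
    """Return a short verdict on where the IKEv1 negotiation is stuck."""
    p1 = [s for s in status["sas"] if s["phase"] == 1]
    p2 = [s for s in status["sas"] if s["phase"] == 2]
    if status["newest_ipsec"] != 0:
        return "ok: IPsec SA established"
    if not any(s["established"] for s in p1):
        return "phase1_incomplete: no established ISAKMP SA (check PSK, IDs, ike= proposal)"
    retrans = [s for s in p2 if s["event"] == "EVENT_RETRANSMIT"]
    if retrans:
        # A Quick Mode request that keeps retransmitting never got a valid QR1;
        # a NO_PROPOSAL_CHOSEN notify from the gateway leaves it in this state.
        return ("phase2_unanswered: %s retransmitting, no valid Quick Mode reply "
                "(check esp= proposal, leftsubnet/rightsubnet, leftsourceip)" % retrans[0]["state"])
    if status["pending_phase2"] and not p2:
        return "phase2_not_started: ISAKMP SA up (XAuth done), Quick Mode never initiated"
    return "unknown"


if __name__ == "__main__":
    for label, text in (("A (leftsourceip=%modeconfig)", STATUS_A), ("B (no virtual IP)", STATUS_B)):
        print(label, "->", diagnose(parse_status(text)))
```

Run stand-alone it reports dump A as "phase2_not_started" and dump B as "phase2_unanswered". The difference matters for the admin's observation: in B the client actually reaches the gateway with a Quick Mode proposal (so the firewall logs a Phase 2 attempt and rejects it), whereas in A the client never sends one.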