[strongSwan] Connecting to a Zywall USG 300

Ralf Steppacher ralf at steppacher.name
Tue Dec 20 21:50:28 CET 2011


Anybody?
If I omitted necessary information let me know. Do you need the pluto 
log at a certain log level?

In addition to the leftsourceip I am not sure about the leftid. The 
windows client uses 0.0.0.0 as the id. But if I set this as the leftid 
strongswan does not send the proper xauth user and pwd.
What does the ipsec.secrets entry have to look like if the leftid is not 
equal to my xauth user name?


Thanks in advance!
Ralf


On 12/12/2011 09:58 PM, Ralf Steppacher wrote:
> Hello all,
>
> I am trying to hook up my Linux home computer (Ubuntu 11.10, strongswan
> 4.5.2-1.1ubuntu1) to our corporate network behind a Zywall USG 300.
> Without success so far. I have the configuration of the working ZyWALL
> Windows client as a template.
> Based on that configuration I have worked out one configuration that is
> not leading to a NO_PROPOSAL_CHOSEN response from the ZyWALL:
>
> config setup
> plutodebug=control
> nat_traversal=yes
> charonstart=no
> plutostart=yes
>
> conn roadwarrior
> left=%defaultroute
> leftsourceip=%modeconfig
> leftsubnet=192.168.1.0/255.255.255.0
> leftid=<my_xauth_user>
> right=<firewall_ip>
> rightsubnet=192.168.50.0/255.255.255.0
> authby=xauthpsk
> ike=3des-md5-modp1024
> esp=3des-sha1
> keyexchange=ikev1
> compress=no
> modeconfig=push
> dpdaction=restart
> type=tunnel
> auto=start
>
> Starting up ipsec with these settings gives me the following 'ipsec
> status':
>
> 000 "roadwarrior":
> 192.168.1.0/24===192.168.1.120:4500[<my_xauth_user_id>]---192.168.1.1...<firewall_ip>:4500[<firewall_ip>]===192.168.50.0/24;
> unrouted; eroute owner: #0
> 000 "roadwarrior": newest ISAKMP SA: #1; newest IPsec SA: #0;
> 000
> 000 #1: "roadwarrior" STATE_XAUTH_I2 (sent XAUTH ack, established);
> EVENT_SA_REPLACE in 10499s; newest ISAKMP
> 000 #1: pending Phase 2 for "roadwarrior" replacing #0
> 000
>
> The problem might be with leftsourceip. According to our sys admin the
> ZyWALL is configured to not hand out virtual IPs. But if I set the
> leftsourceip to an arbitrary, unused IP within the corporate network, or
> do not set it at all, I get a NO_PROPOSAL_CHOSEN response and the
> following status:
>
> 000 "roadwarrior":
> 192.168.1.0/24===192.168.1.120:4500[<my_xauth_user_id>]---192.168.1.1...<firewall_ip>:4500[<firewall_ip>]===192.168.50.0/24;
> unrouted; eroute owner: #0
> 000 "roadwarrior": newest ISAKMP SA: #1; newest IPsec SA: #0;
> 000
> 000 #2: "roadwarrior" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 0s
> 000 #1: "roadwarrior" STATE_XAUTH_I2 (sent XAUTH ack, established);
> EVENT_SA_REPLACE in 10520s; newest ISAKMP
> 000
>
> According to our admin this actually looks better on the firewall than
> the first scenario that does not give me a NO_PROPOSAL_CHOSEN message.
>
>
> Maybe someone could advise what exactly the two connection statuses mean
> and how to best proceed.
>
>
> Thanks!
> Ralf
