Establish a VPN connection between Sonicwall and Linux

Sonicwall provides client software to establish a VPN connection between their VPN routers and Windows, but no Linux client is available on their website. Openswan, an IPsec implementation for Linux, fills the gap. First configure your Sonicwall. (This example is based on a Sonicwall TZ170 and TZ190.)

Log in to the web interface and add a new address object (Network > Address Objects > Add).
Give this object a name, for example VPN1.
Select VPN for Zone assignment, Type: Host and 192.168.1.2 as IP address, and confirm these settings. This is the Linux client's address; it must be identical to leftsubnet in the Openswan configuration, otherwise the Phase 2 proposal does not match and the tunnel will not come up. From the left menu select VPN > Settings.
Enable VPN in the global settings and add a new policy.

In the popup window select the first tab 'General':
- Authentication Method: IKE using Preshared Secret
- Name: Linux
- IPsec Primary Gateway Name or Address: your client's WAN IP address
- IPsec Secondary Gateway Name or Address: 0.0.0.0
- Shared Secret and Confirm Shared Secret: yourpassword (use a long random secret in practice; this same value goes into /etc/ipsec.secrets on the Linux side)
- Local IKE ID: IP Address: your Sonicwall WAN IP address
- Peer IKE ID: IP Address: 192.168.1.2

At the tab 'Network':
Local Networks
- 'Choose local network from list' and select LAN Primary Subnet

Destination Networks:
- 'Choose destination network from list' and select the Address Object matching the name VPN1.

At the tab 'Proposals' edit the settings. Both proposals must be identical to the ike= and esp= lines in the Openswan configuration. 3DES and MD5 are the weakest choices the device offers and are deprecated; if both ends support AES and SHA1, use those instead and change both sides together.

IKE (Phase 1) Proposal
- Exchange: Main Mode
- DH Group: Group 2
- Encryption: 3DES
- Authentication: MD5
- Life Time (seconds): 28800

IPsec (Phase 2) Proposal
- Protocol: ESP
- Encryption: 3DES
- Authentication: MD5
- Check: Enable Perfect Forward Secrecy
- DH Group: Group 2
- Life Time (seconds): 28800

The last tab 'Advanced': uncheck everything, set the Default LAN Gateway to 0.0.0.0 and VPN Policy bound to: 'Interface WAN'.

Click Ok and at the main menu check 'Enable' for this VPN policy.

Next go to VPN > Advanced (the global IKE/IPsec settings).
Check (enable):
Enable IKE Dead Peer Detection
Dead Peer Detection Interval (seconds) = 60
Failure Trigger Level (missed heartbeats) = 3
Enable Dead Peer Detection for Idle VPN sessions
Dead Peer Detection Interval for Idle VPN sessions (seconds) = 900
Enable Fragmented Packet Handling
Ignore DF (Don't Fragment) Bit
Enable NAT Traversal
Clean up Active tunnels when Peer Gateway DNS name resolves to a different IP Address

Uncheck:
Preserve IKE Port for Pass Through Connections
Enable OCSP Checking
OCSP Responder URL (leave empty)
Send VPN Tunnel Traps only when tunnel status changes
Use RADIUS in MSCHAP MSCHAPv2 mode for XAUTH (allows users to change expired passwords)
Send IKEv2 Cookie Notify

On your Linux client download and install the latest Openswan package:

    yum install openswan
Open and edit /etc/ipsec.conf (parameter lines inside a section must be indented):

    config setup
        # NAT traversal is disabled here; set to yes if the Linux client sits behind a NAT router
        nat_traversal=no
        # turn on IP forwarding while IPsec is running
        forwardcontrol=yes
    include /etc/ipsec.d/*.conf
Create a new file in the directory /etc/ipsec.d/ (for example vpn1.conf) with the following connection. Keyword lines inside the conn section must be indented, otherwise Openswan rejects the file:

    conn vpn1
        type=tunnel
        # left: this Linux client, offered as a single-host subnet
        left=192.168.1.2
        leftsubnet=192.168.1.2/32
        # right: the Sonicwall WAN address and the LAN behind it
        right=xxx.xxx.xxx.xxx
        rightsubnet=192.168.0.0/24
        rightxauthserver=yes
        rightid=xxx.xxx.xxx.xxx
        rightnexthop=192.168.0.1
        # preshared secret taken from /etc/ipsec.secrets
        authby=secret
        # 0 = retry forever
        keyingtries=0
        pfs=yes
        # load the connection at startup; it is initiated by hand (see below)
        auto=add
        auth=esp
        # must match the Sonicwall Proposals tab (Phase 2 and Phase 1)
        esp=3des-md5
        ike=3des-md5
        keyexchange=ike
        # this policy uses a preshared secret only, no XAUTH
        xauth=no
Note that xxx.xxx.xxx.xxx is your Sonicwall WAN IP address and rightnexthop the default gateway of your Sonicwall. Edit /etc/ipsec.secrets (it must be readable by root only, mode 0600) and add:

    192.168.1.2 xxx.xxx.xxx.xxx : PSK "yourpassword"
Now you can establish the VPN connection from your Linux client with:

    /etc/init.d/ipsec start
    /usr/sbin/ipsec whack --name vpn1 --listen --initiate

You can close the VPN connection with:

    /usr/sbin/ipsec whack --name vpn1 --unlisten --terminate
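The script below is an added example and is not part of the original howto or of Openswan. It automates the Linux side of the procedure above with the changes a practitioner would want before putting this in production: a random 256-bit preshared key instead of a guessable word, a secrets file that is never world-readable (umask 077 at creation plus chmod 0600), and AES-128/SHA1 with DH group 5 in place of 3DES/MD5/group 2. It assumes Openswan 2.6 keyword syntax (ike=aes128-sha1;modp1536 and esp=aes128-sha1) and that the Sonicwall's Proposals tab is changed to the same algorithms (AES-128, SHA1, DH Group 5) so that both sides stay identical; 203.0.113.1 is a placeholder for the Sonicwall WAN address. It writes into a scratch directory, so it can be run as a normal user; copy the results to /etc/ipsec.secrets and /etc/ipsec.d/vpn1.conf.

```shell
#!/bin/sh
# Added example for the Sonicwall/Openswan howto; not code from the original page
# or from the Openswan project. Assumes Openswan 2.6 keyword syntax and a Sonicwall
# policy whose Proposals tab is set to AES-128 / SHA1 / DH group 5.
set -eu

# gen_psk BYTES: print BYTES bytes from /dev/urandom as lowercase hex.
# 32 bytes gives a 256-bit secret, printed as 64 hex characters.
gen_psk() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_secrets FILE LEFT_ID RIGHT_ID PSK: write one ipsec.secrets line.
# The file is created in a subshell with umask 077 so it is owner-only from the
# first byte; the chmod afterwards only pins the mode if the file already existed.
write_secrets() {
    ( umask 077; printf '%s %s : PSK "%s"\n' "$2" "$3" "$4" > "$1" )
    chmod 0600 "$1"
}

# write_conn FILE NAME LEFT LEFTSUBNET RIGHT RIGHTSUBNET RIGHTNEXTHOP:
# the conn section from the howto with the algorithms raised.
#   esp=aes128-sha1          Phase 2: AES-128 with HMAC-SHA1 (howto: 3des-md5)
#   ike=aes128-sha1;modp1536 Phase 1: AES-128, SHA1, DH group 5 (howto: 3des-md5, group 2)
# With pfs=yes and no pfsgroup set, Openswan reuses the Phase 1 group for PFS.
# Keyword lines are indented because Openswan rejects unindented section keywords.
write_conn() {
    cat > "$1" <<EOF
conn $2
    type=tunnel
    left=$3
    leftsubnet=$4
    right=$5
    rightsubnet=$6
    rightid=$5
    rightnexthop=$7
    authby=secret
    keyingtries=0
    pfs=yes
    auto=add
    auth=esp
    esp=aes128-sha1
    ike=aes128-sha1;modp1536
    keyexchange=ike
EOF
}

# check_secrets FILE: succeed only if FILE is mode 0600 and does not still
# carry the howto's placeholder secret "yourpassword".
check_secrets() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = 600 ] || return 1
    if grep -q 'yourpassword' "$1"; then return 1; fi
    return 0
}

# Demo in a scratch directory. Real targets: /etc/ipsec.secrets, /etc/ipsec.d/vpn1.conf.
# 203.0.113.1 stands in for the Sonicwall WAN address (xxx.xxx.xxx.xxx in the howto).
demo() {
    dir=$(mktemp -d)
    psk=$(gen_psk 32)
    write_secrets "$dir/ipsec.secrets" 192.168.1.2 203.0.113.1 "$psk"
    write_conn "$dir/vpn1.conf" vpn1 192.168.1.2 192.168.1.2/32 203.0.113.1 192.168.0.0/24 192.168.0.1
    check_secrets "$dir/ipsec.secrets" && echo "ipsec.secrets: mode 0600, random PSK"
    cat "$dir/vpn1.conf"
    rm -rf "$dir"
}

demo
```

The same 64-character hex string is pasted into the Sonicwall policy as Shared Secret; the Sonicwall accepts long preshared secrets, and a random value of this size takes brute forcing of the IKE exchange off the table, which a dictionary word does not.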