This tutorial will run through creating an IPSEC VPN tunnel between a central Netscreen firewall and a Linux server (CentOS) running OpenSWAN.
Network Summary
I am working with the following network scenario:
Central NetScreen firewall - 1.1.1.1
Linux OpenSWAN Server - 2.2.2.2
NetScreen Private Subnet - 192.168.0.0/24
Linux Private Subnet - 192.168.61.0/24
OpenSWAN Configuration
First configure your shared secret file for OpenSWAN (/etc/ipsec.secrets):
1.1.1.1 2.2.2.2 : PSK "supersecretkey"
Now edit /etc/ipsec.conf and add connection details for your tunnel:
conn sonic
    auth=esp
    auto=add
    esp=3des-sha1
    ike=3des-sha1
    keyexchange=ike
    keyingtries=1
    pfs=no
    type=tunnel
    right=1.1.1.1
    rightsubnet=192.168.0.0/24
    left=2.2.2.2
    leftsubnet=192.168.61.0/24
I also had to enable IP forwarding on my Linux server:
sysctl -w net.ipv4.ip_forward=1
Configuring the Sonicwall
Please check every setting as you go: IPsec is very particular about settings, and a mistake will break your tunnel. Log in to your Sonicwall, click the VPN menu, then the Add button.
Fill in the information on the first page as per the screenshot below:
Next click on the Network tab; your Local Network needs to be your local subnets, in my case "LAN Subnets". For the Destination Network, create a new network object for the remote VPN subnet, in my case 192.168.61.0/24.
Now for the Proposal tab: I have decided to use 3DES/SHA1 and have left Perfect Forward Secrecy disabled:
Once both sides have been configured, go back to your Linux machine and launch the VPN by running:
/etc/init.d/ipsec restart
ipsec auto --up sonic
Hopefully the tunnel will come up and you should be able to ping across it. If not, look at the output in the Sonicwall logs and also check /var/log/secure on your Linux machine.
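A post-bring-up check script for the tunnel above, added here as an example and not part of the original tutorial. It reads `ip xfrm state` to confirm an ESP tunnel-mode SA exists in both directions between the gateways (the addresses come from the network summary; LOCAL_LAN_IP and REMOTE_HOST are assumed values), checks ip_forward, and pings across the tunnel; the embedded xfrm output is a constructed sample with the keys blanked.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify the sonic tunnel after
# "ipsec auto --up sonic". Gateway addresses are the tutorial's.
LOCAL_GW=2.2.2.2
REMOTE_GW=1.1.1.1
LOCAL_LAN_IP=192.168.61.1   # assumed: this server's address on the Linux LAN
REMOTE_HOST=192.168.0.1     # assumed: a host behind the NetScreen to ping

# Constructed sample of `ip xfrm state` output with SAs in both directions
# (keys replaced by 0x00). cbc(des3_ede)/hmac(sha1) is what the tutorial's
# esp=3des-sha1 proposal produces. Used for offline testing of the parser.
SAMPLE_BOTH='src 2.2.2.2 dst 1.1.1.1
  proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
  auth-trunc hmac(sha1) 0x00 96
  enc cbc(des3_ede) 0x00
src 1.1.1.1 dst 2.2.2.2
  proto esp spi 0x4e5f6a7b reqid 16385 mode tunnel
  auth-trunc hmac(sha1) 0x00 96
  enc cbc(des3_ede) 0x00'
# Same sample with only the outbound SA: a half-established tunnel.
SAMPLE_ONE_WAY=$(printf '%s\n' "$SAMPLE_BOTH" | head -n 4)

# sa_pair_present LOCAL REMOTE: read `ip xfrm state` on stdin and succeed only
# if tunnel-mode ESP SAs exist in both directions between the two gateways.
sa_pair_present() {
    awk -v l="$1" -v r="$2" '
        /^src / { src = $2; dst = $4 }
        /proto esp/ && /mode tunnel/ {
            if (src == l && dst == r) outb = 1
            if (src == r && dst == l) inb = 1
        }
        END { exit (outb && inb) ? 0 : 1 }'
}

# The tutorial sets ip_forward with sysctl -w, which is lost on reboot; check
# the live value and remind the operator to persist it in /etc/sysctl.conf.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Live checks run only when CHECK_TUNNEL_LIVE=1, so the file can also be sourced.
if [ "${CHECK_TUNNEL_LIVE:-0}" = "1" ]; then
    forwarding_enabled || echo "WARN: ip_forward is 0 (persist net.ipv4.ip_forward=1 in /etc/sysctl.conf)"
    ipsec auto --status | grep -q 'IPsec SA established' || echo "WARN: pluto reports no established IPsec SA"
    ip xfrm state | sa_pair_present "$LOCAL_GW" "$REMOTE_GW" || echo "FAIL: missing ESP SA in one or both directions"
    # Source the ping from the LAN address so it matches leftsubnet and enters the tunnel.
    ping -c 3 -I "$LOCAL_LAN_IP" "$REMOTE_HOST" >/dev/null && echo "OK: ping across tunnel" || echo "FAIL: no reply from $REMOTE_HOST"
fi
```

Run it on the Linux gateway as `CHECK_TUNNEL_LIVE=1 sh check_tunnel.sh`; a half-established tunnel (one SA direction only) is the usual sign of a proposal or subnet mismatch with the firewall side.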