Wednesday, May 17, 2006
OpenSWAN/Watchguard IPSEC interoperability
After running head-first into a brick wall a year or two ago trying to make openswan and a Watchguard SOHO6 interoperate, I had occasion to revisit this combination with a more recent version of openswan and a Watchguard X50 Edge.
Executive summary: openswan and the Edge interoperate, MUVPN and openswan interoperate. See below the fold for details.
To create a tunnel between openswan and the Edge gateways, nothing fancy needs to be done. On the Edge, use a manual VPN configured like:
- Name: YourName
- Shared Key: YourPassphrase
- Phase 1 Settings
- Mode: Main Mode
- Local ID: A.B.C.D (IP Address)
- Remote ID: E.F.G.H (IP Address)
- Authentication Algorithm: SHA1-HMAC
- Encryption Algorithm: 3DES-CBC
- Negotiation expires in 0 kilobytes
- Negotiation expires in 24 hours
- Diffie-Helman Group 1
- check Send IKE Keep Alive Messages
- Phase 2 Settings
- Authentication Algorithm SHA1-HMAC
- Encryption Algorithm 3DES-CBC
- check Enable Perfect Forward Secrecy
- Key expires in 8192 kilobytes
- Key expires in 24 hours
- add local and remote networks as needed
The openswan looks like this:
ipsec.secrets:
: PSK "pre-shared key goes here"
ipsec.conf
version 2.0 config setup interfaces=%defaultroute plutowait=no nat_traversal=yes uniqueids=no
conn %default keyingtries=0 pfs=yes left=%defaultroute
conn watchguard keylife=24h authby=secret auto=start leftsubnet=192.168.0.0/24 right=A.B.C.D rightnexthop=%direct rightsubnet=192.168.1.0/24
include /etc/ipsec.d/examples/no_oe.conf
Next installment - getting Watchguard’s Mobile User VPN client (MUVPN, something like an OEM version of SoftRemote) to work with openswan.
(To be continued)