Openswan to SonicWALL TZ170
Let me start off by saying that, in general, I like SonicWALL products. They were the first firewalls I ever sold and, as such, they are still the ones I feel most familiar with, and know best. It’s also no secret that their GlobalVPN Client makes it ludicrously easy to create and connect to a VPN. Unfortunately, though, SonicWALL’s focus is very Windows-centric. This means that, now I have a need to connect my Ubuntu laptop to a SonicWALL VPN, I have to leave the warm and fuzzy comfort of the GlobalVPN client and get to know Openswan a bit better.
According to what I have read and researched, many people have difficulties connecting Openswan to a SonicWALL appliance. I was no different. At one stage I had decided that it would be easier for me to gnaw a tunnel to my client’s office through solid granite, rather than persevere trying to get the VPN tunnel running. In the end, though, I got it working – here’s how.
So, first things first. You’re going to need a GroupVPN policy defined on the SonicWALL box. The TZ170 I’m connecting to has SonicOS Enhanced. If some of the following screenshots look different to yours, then that’s probably why. Firstly, make sure that the VPN is enabled, and that your SonicWALL has a unique identifier. You can leave it at the default, if you wish, but here we’ve called it DUBLIN01.
Next, create a GroupVPN policy. We’re using XAUTH for authorisation, so you would need to add some local users afterwards. On the first screen, define the policy authentication method, and the shared secret:
Now define your proposals. Use Diffie-Hellman Group 5, encryption 3DES, authentication SHA1 with 28800 lifetime. For the second phase, use ESP protocol with 3DES encryption and SHA1 authentication. Do not enable Perfect Forward Secrecy.
On the Advanced screen, click to enable XAUTH. We’re using a custom group called VPN. If you choose to do the same, then define this under the Users -> Local Groups section. We added access to LAN Subnets.
Finally, on the Client tab, uncheck all the boxes and make sure that the Virtual Adapter Settings are set to “DHCP Lease or Manual Configuration”. If you are not going to be using any Windows clients with this connection, then you can set this to “None”. This option gives the ability to use any client, though.
Now click OK to apply all of these settings, and we can move to the Ubuntu box.
If you haven’t already installed Openswan on your Ubuntu box, then do it now:
sudo apt-get install openswan
You can safely accept all the defaults during the installation. When Openswan is installed, it will have created a couple of files, which we’ll need to edit. The first of these is /etc/ipsec.conf, so type:
sudo gedit /etc/ipsec.conf
Change this file, so it reads as follows:
version 2.0 # conforms to second version of ipsec.conf specification

# Add connections here
conn sonicwall
    left=%defaultroute # This box: use the interface that carries the default route
    leftsubnet=xxx.xxx.xxx.xxx/24 # Your local subnet, eg: 192.168.0.0/24
    leftid=@GroupVPN # Do not change this!
    right=xxx.xxx.xxx.xxx # Change this to the external IP of your router
    rightsubnet=xxx.xxx.xxx.xxx/24 # The subnet at the router end, eg: 192.168.2.0/24
    rightid=@DUBLIN01 # This must be the Unique ID of the SonicWALL router
    authby=secret # Pre-shared key, taken from /etc/ipsec.secrets
    ike=3des-sha1;modp1536 # Phase 1 proposal: 3DES, SHA1, Diffie-Hellman Group 5, as set on the SonicWALL
    esp=3des-sha1 # Phase 2 proposal: ESP with 3DES and SHA1
    pfs=no # Perfect Forward Secrecy is not enabled on the SonicWALL policy
    auto=add # Load the connection at startup so that "ipsec whack --name sonicwall --initiate" can bring it up
Note that the unique ID of the router must be preceded by an @ sign. I’ve supplied @DUBLIN01, because that was the example I gave above. Save the file, and then edit the /etc/ipsec.secrets file:
sudo gedit /etc/ipsec.secrets
Add a line to the file, as follows:
@GroupVPN @DUBLIN01 : PSK "JRC1981IMMAKIKHF4E"
The first section has to be identical to the leftid supplied in the ipsec.conf file. The second is the unique router ID, and must be identical to rightid. In the quotes, supply the shared secret that you put into the VPN config on the SonicWALL. This example is pre-populated with the sample ID (DUBLIN01) and shared secret from the screenshots above.
Save this file.
Now, from the command prompt type:
sudo ipsec setup --start
sudo ipsec whack --listen
sudo ipsec whack --name sonicwall --initiate
You can put these into a shell script, if you wish. If you get any errors, then check the log on the SonicWALL side. Make sure that your leftid and rightid are correct, and that the subnet on your side and the VPN side match. For example, I initially had the right subnet set to 192.168.2.0/24, but the actual subnet was 192.168.2.0/27. It failed due to this.
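Most of the failures described above come down to the two files disagreeing with each other, or with the SonicWALL. The script below is an added example, not part of the original post, that checks the things listed in the last two paragraphs before you run the three ipsec commands: that leftid and rightid in the chosen conn section start with an @ sign, that both subnets are real CIDR values rather than the xxx placeholders, that /etc/ipsec.secrets carries a PSK line for exactly that pair of IDs, and that the secrets file is not readable by other users. It assumes the single-conn layout and the '<leftid> <rightid> : PSK "..."' secrets format shown on this page; the file paths and the conn name "sonicwall" are the defaults used above and can be overridden on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an Openswan client
# configuration against its secrets file before running "ipsec whack --initiate".
# Assumes one "conn <name>" section in ipsec.conf and a
# '<leftid> <rightid> : PSK "..."' line in ipsec.secrets, as shown on the page.

# conn_value CONF KEY CONN: print the value of KEY inside "conn CONN" (trailing
# comment and whitespace stripped); prints nothing if the key is absent.
conn_value() {
    awk -v key="$2" -v conn="$3" '
        /^conn[ \t]+/ { in_conn = ($2 == conn); next }
        in_conn && $0 ~ ("^[ \t]*" key "=") {
            sub(/^[ \t]*[A-Za-z]+=/, "")   # drop "key="
            sub(/[ \t]*#.*$/, "")          # drop trailing comment
            sub(/[ \t]+$/, "")             # drop trailing whitespace
            print; exit
        }' "$1"
}

# is_cidr VALUE: true if VALUE looks like a.b.c.d/N with N in 0..32.
# Rejects the "xxx.xxx.xxx.xxx/24" placeholders left over from the template.
is_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# secret_present SECRETS LEFTID RIGHTID: true if SECRETS has a PSK line for
# exactly this ID pair. IDs are used as a regex, which is fine for "@NAME"
# style IDs; IDs containing dots would need escaping.
secret_present() {
    grep -Eq "^[[:blank:]]*$2[[:blank:]]+$3[[:blank:]]*:[[:blank:]]*PSK[[:blank:]]+\"[^\"]+\"" "$1"
}

# check_config CONF SECRETS CONN: run every check, print each problem found,
# return 0 only if all of them pass.
check_config() {
    conf=$1; secrets=$2; conn=$3; rc=0
    leftid=$(conn_value "$conf" leftid "$conn")
    rightid=$(conn_value "$conf" rightid "$conn")
    for id in "$leftid" "$rightid"; do
        case "$id" in
            @?*) ;;
            *) echo "ID '$id' in conn $conn must be a name preceded by '@'"; rc=1 ;;
        esac
    done
    for key in leftsubnet rightsubnet; do
        v=$(conn_value "$conf" "$key" "$conn")
        is_cidr "$v" || { echo "$key='$v' is not a valid CIDR (still a placeholder?)"; rc=1; }
    done
    secret_present "$secrets" "$leftid" "$rightid" ||
        { echo "no PSK line for '$leftid $rightid' in $secrets"; rc=1; }
    # The secrets file holds the shared secret, so it must not be group/world readable.
    perms=$(stat -c %a "$secrets" 2>/dev/null || echo unknown)
    case "$perms" in
        600|400) ;;
        *) echo "$secrets has mode $perms; expected 600"; rc=1 ;;
    esac
    return $rc
}

# Usage: check_ipsec.sh [ipsec.conf] [ipsec.secrets] [conn]
if [ "$#" -gt 0 ]; then
    check_config "${1:-/etc/ipsec.conf}" "${2:-/etc/ipsec.secrets}" "${3:-sonicwall}" &&
        echo "configuration looks consistent; try: sudo ipsec whack --name ${3:-sonicwall} --initiate"
fi
```

Run it as root (the secrets file is only readable by root) before the three ipsec commands; a non-zero exit tells you which file to fix. The subnet check only proves the value is well formed, so the /24 versus /27 mismatch described above still has to be confirmed against the SonicWALL's LAN settings.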
Once the connection is established, try pinging servers on the remote side. I’ve found the tunnel to be very stable and easy to use….eventually!!