There are security implications in some of the things that are done here - particularly in installing a trusted root CA to your ZyWALL. Read the documentation and understand the implications before blindly following the instructions.
Setup used
These instructions were devised and tested using a ZyWALL 35 with 3.64(WZ.3) firmware and the ZyXEL ZyWALL VPN Client 10.3.5 Build 6 on a Windows XP Professional SP2 laptop. They should hold for any ZyWALL with 3.64 firmware and any appropriate version of SafeNet SoftRemote or SoftRemote LT (be it Safenet, ZyXEL or Netgear branded). 10.3.5 Build 6 (or an as yet unknown future version) is required for Windows XP SP2 compatibility.
This example uses certificates - generated using OpenSSL 0.9.7g, as I don't have a Windows server to hand. It is necessary to build a CA to sign the certificates unless you already have one. For this example, I used OpenSSL 0.9.7g on a FreeBSD 5.4 box, and didn't use CA.pl. CA.pl can save time, but it lacks flexibility, especially in terms of setting the lifetime of your certificates.
The instructions below should work on any *NIX box or Cygwin on Windows. If you can find a Win32 OpenSSL binary, you can use that - the equivalent of touch is to create a blank file, the equivalent of rm is del, and simply ignore the chmod command shown below.
I presume you have some way of getting files between whatever you're running OpenSSL on and Windows (in my case, Vandyke's SecureCRT 5 / SecureFX 3).
If you don't want to use certificates, read the comments about pre-shared keys at the end of the document, then skip to the Configuring the ZyWALL section.
Creating a CA
Firstly, we need to make the folders and create a blank index.txt. In a working folder on the box with OpenSSL:
We then need to create the CA certificate - I'm specifying a life of 5 years (1825 days):
openssl req -new -x509 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -days 1825
The first thing you'll be asked for is the PEM pass phrase - this protects your CA and should be kept secret. You have to enter it twice to verify it.
You're then asked for the:
Country Name - for me in the UK, it's GB, for the USA it should be US and for Canada CA.
State or Province - I suggest you give this in full.
Locality Name - your city.
Organisation Name - I suggest using your surname unless you're a company.
Organisational Unit Name - unless there's anything obvious, such as a division of a company, why not leave this blank.
These answers should be the same through all the stages. You can set them as the defaults for OpenSSL by changing the OpenSSL configuration file.
For the Common Name of this certificate, I suggest you use your Organisation Name, followed by IPsec CA. Email address I leave blank.
You then need to create the serial file:
openssl x509 -in demoCA/cacert.pem -noout -next_serial -out demoCA/serial
Finally, I suggest you ensure there's no group or other permissions on the private part of the CA:
chmod -R go-rwx demoCA/private
Building a PKCS#12 client certificate for the VPN client software
Build a client certificate request:
openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout clientprivate.pem -outform PEM -out clientreq.pem
Again, you'll be asked a series of questions - I suggest making the Common Name VPN Client if you want to use the same certificate on all machines. That's the setup I'm documenting here - you will need to think this through carefully if you want to deviate from this, in terms of what you specify as the Peer ID on the ZyWALL.
I'd leave the challenge password and optional company name blank.
To sign that request using your CA - in this case for a life of 730 days (2 years):
openssl ca -policy policy_anything -days 730 -out client.pem -infiles clientreq.pem
After entering the passphrase for your CA certificate, there are two questions - answer y to both.
To get the certificate into PKCS#12 format to install into the ZyWALL VPN client:
openssl pkcs12 -export -out client.p12 -in client.pem -inkey clientprivate.pem
You will need to give an export password (twice to confirm), which you need to enter twice into the ZyWALL VPN client when importing the certificate.
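As an added example (not the article's own commands), the following script runs the whole of the Creating a CA and client certificate procedure above non-interactively: it supplies the subject names with -subj instead of answering prompts, carries its own openssl.cnf so it does not depend on the system one, signs the request with the same openssl ca step that the next section applies to the request cut and pasted from the ZyWALL, and finally prints the client certificate's Distinguished Name in LDAP order, which is the form the Peer ID Content in the Configuring the ZyWALL section needs. The organisation, locality, passphrases, function names and the temporary working directory are constructed placeholders; the key size and digest are raised from the article's rsa:1024 and -sha1 to rsa:2048 and sha256 because current OpenSSL releases refuse to verify certificates signed with SHA-1.

```shell
#!/bin/sh
# Added example (not the article's own commands): the CA and client-certificate
# steps, run non-interactively with a private openssl.cnf. Names, passphrases
# and the working directory are constructed placeholders; replace them.
set -eu

WORK="${WORK:-$(mktemp -d)}"                     # working folder (article: current directory)
CA_PASS="${CA_PASS:-changeme-ca-passphrase}"     # PEM pass phrase protecting demoCA/private/cakey.pem
P12_PASS="${P12_PASS:-changeme-export-password}" # export password typed into the VPN client
ORG="Example Org"                                # keep C/ST/L/O identical at every step
DN_BASE="/C=GB/ST=Example State/L=Example City/O=$ORG"

# Stand-in for the stock [ CA_default ] section plus the policy_anything policy
# that the article's "openssl ca -policy policy_anything" relies on.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $WORK/demoCA
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
policy           = policy_anything
x509_extensions  = usr_cert
unique_subject   = no
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# "Creating a CA": folders, blank index.txt, 5-year CA certificate, serial file,
# then no group/other permissions on the private part of the CA.
make_ca() {
    mkdir -p "$WORK/demoCA/private" "$WORK/demoCA/newcerts"
    : > "$WORK/demoCA/index.txt"
    openssl req -config "$WORK/openssl.cnf" -new -x509 -newkey rsa:2048 -days 1825 \
        -subj "$DN_BASE/CN=$ORG IPsec CA" -passout "pass:$CA_PASS" \
        -keyout "$WORK/demoCA/private/cakey.pem" -out "$WORK/demoCA/cacert.pem"
    openssl x509 -in "$WORK/demoCA/cacert.pem" -noout -next_serial -out "$WORK/demoCA/serial"
    chmod -R go-rwx "$WORK/demoCA/private"
}

# Client request with an unencrypted (-nodes) key, as the PKCS#12 export needs it.
make_client_request() {
    openssl req -config "$WORK/openssl.cnf" -new -nodes -newkey rsa:2048 \
        -subj "$DN_BASE/CN=VPN Client" \
        -keyout "$WORK/clientprivate.pem" -outform PEM -out "$WORK/clientreq.pem"
}

# Sign a request ($1) into a certificate ($2) for 730 days; -batch answers the
# two y/n questions. The same call signs the ZyWALL's zyxelreq.pem.
sign_request() {
    openssl ca -config "$WORK/openssl.cnf" -batch -policy policy_anything -days 730 \
        -passin "pass:$CA_PASS" -out "$2" -infiles "$1"
}

# Bundle certificate and key for the VPN client, then remove the bare key file.
export_pkcs12() {
    openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/clientprivate.pem" \
        -passout "pass:$P12_PASS" -out "$WORK/client.p12"
    rm -f "$WORK/clientprivate.pem"
}

# Succeeds only if the certificate chains to our CA.
verify_chain() {
    openssl verify -CAfile "$WORK/demoCA/cacert.pem" "$1" >/dev/null
}

# Subject in LDAP order (CN first), the form the ZyWALL Peer ID Content wants.
ldap_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253,sep_comma_plus_space \
        | sed 's/^subject= *//'
}

write_config
make_ca
make_client_request
sign_request "$WORK/clientreq.pem" "$WORK/client.pem"
export_pkcs12
verify_chain "$WORK/client.pem"
echo "Peer ID Content: $(ldap_dn "$WORK/client.pem")"
```

If a SoftRemote-era client will not import a client.p12 produced by OpenSSL 3, the usual cause is the newer default PKCS#12 encryption (AES-256-CBC with PBKDF2); re-running the openssl pkcs12 export with -legacy added selects the older 3DES/RC2 algorithms those clients understand.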
For security's sake, I'd then delete the (unprotected) clientprivate.pem.
Creating a certificate for the ZyWALL
Firstly, you have to generate a certificate request on the ZyWALL, for which I suggest you use a Dynamic DNS name that you've registered with dyndns.org and enabled on the Dynamic DNS screen. Go to Certificates - My Certificates on the ZyWALL and press the Create button. Certificate request is a screen shot of generating a certificate for test.dnsalias.com - obviously replace this with a Dynamic DNS name that belongs to you! Note the use of the same Country Name, Organisation Name and Organisational Unit name as you used in OpenSSL.
Once the request is generated, you can press the Details button and cut and paste the request in .pem format into a file. Upload that to the machine with OpenSSL as zyxelreq.pem, so that you can sign the request - in this case, for a life of 730 days (2 years):
openssl ca -policy policy_anything -days 730 -out zyxel.pem -infiles zyxelreq.pem
After entering the passphrase for your CA certificate, there are two questions - answer y to both.
Installing the certificates
Download the zyxel.pem, client.p12 and demoCA/cacert.pem files to your Windows machine.
Install the CA on the ZyWALL by going into Certificates - Trusted CAs, press Import, and import cacert.pem. Install the signed certificate using Certificates - My Certificates, press Import, and import zyxel.pem.
On the client, right click its icon in the system tray, and choose Certificate Manager... On the Root CA Certificates tab, press Import Certificate..., change the file type to All Files (*.*), uncheck Import certificate to local machine store and select cacert.pem. That installs the CA certificate.
Go to the My Certificates tab, press Import Certificate... and ensure that PKCS#12 Personal Certificate is selected. Uncheck Import certificate to local machine store, browse to the location of the certificate file, enter the export password you chose when creating the PKCS#12 file and press Import.
Configuring the ZyWALL
The setup shown is for access to the 192.168.128.0/24 subnet from a dynamic IP address using NAT Traversal. NAT Traversal is necessary on my setup, as the client may be using GPRS, and my GPRS network forces NAT. NetBIOS broadcasts are shown as on - this is optional.
The Gateway policy and associated Network policy are shown as screen shots. I've masked out the domain name and certificate name, as the screen shots are taken from my live setup - use the appropriate Dynamic DNS name and the certificate you created earlier.
For the Peer ID Content, you want the Distinguished Name of your client certificate in LDAP format. If you followed my suggestion of a Common Name as VPN Client, you should enter CN=VPN Client, O=[organisation], L=[town or city], ST=[state], C=[country] with the appropriate substitutions. When using certificates, the ZyWALL enters the Local ID Content for you as CN=[common name - in my suggested setup, it will be a Dynamic DNS name], O=[organisation], C=[country].
Configuring the client
Double click the client's icon in the system tray to bring up the Security Policy Editor.
You need to configure the client to allow you to specify an internal network address. In the Options menu choose Global Policy Settings. Check Allow to Specify Internal Network Address and press OK.
Press the New button - the left most of the buttons under the menu bar, then click on New Connection. Optionally, right click on New Connection and choose Rename to give it a more descriptive name.
Enter the details shown in the Client root screen shot. The Gateway Hostname value is the Dynamic DNS name you're using - it's masked out here as it's taken from my live setup. Under Distinguished Name, press the Edit Name... button, check Enter Subject Name in LDAP format, then enter:
CN=[common name - in my suggested setup, it will be a Dynamic DNS name]
with the appropriate substitutions.
I've chosen Only Connect Manually so that the client doesn't try to connect to the VPN automatically.
The rest of the connection should be filled in as per the Client identity, Client security policy, Client Phase 1 and Client Phase 2 screen shots.
The Internal Network IP Address on the My Identity screen should be a unique IP address in a subnet you're not otherwise using (this caught me out, too!). I don't use 192.168.130.0/24 for anything, so I chose 192.168.130.1. If I set up a second client, I'll configure it with 192.168.130.2, and so on.
Press the disk button to save the settings.
Testing the connection
On the client you should be able to choose the settings you've just made by right clicking the icon, then choosing those settings on the Connect... menu. If things don't work, the log viewer on the client and the log screen of the ZyWALL should help you out.
I don't want the hassle of certificates - how do I use pre-shared keys?
This has shown how to use certificates. If you want to use pre-shared keys instead - either to save time or because you can't get either OpenSSL or another way of generating certificates going, you need to set an appropriate pre-shared key at both ends (make it at least 20 characters, mixed case, numbers and punctuation).
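To check a pre-shared key against the rule just given, here is an added example in shell (not from the article): psk_ok tests the four requirements with POSIX character classes, and generate_psk draws random bytes from openssl rand until it gets a key that passes. Both function names and the retry limit are my own choices.

```shell
#!/bin/sh
# Added example (not from the article): validate and generate a pre-shared key
# that is at least 20 characters with mixed case, digits and punctuation.
set -eu

# Return 0 when the key meets all four requirements, 1 otherwise.
psk_ok() {
    key="$1"
    [ "${#key}" -ge 20 ] || return 1
    printf '%s' "$key" | grep -q '[[:upper:]]' || return 1
    printf '%s' "$key" | grep -q '[[:lower:]]' || return 1
    printf '%s' "$key" | grep -q '[[:digit:]]' || return 1
    printf '%s' "$key" | grep -q '[[:punct:]]' || return 1
    return 0
}

# 24 random bytes give a 32-character base64 string; '+' and '/' supply the
# punctuation, so a handful of draws is enough to satisfy psk_ok.
generate_psk() {
    i=0
    while [ "$i" -lt 50 ]; do
        candidate="$(openssl rand -base64 24)"
        if psk_ok "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
        i=$((i + 1))
    done
    echo "could not generate a suitable key" >&2
    return 1
}

generate_psk
```

The same key is entered at both ends, so whichever end generates it, it only ever travels between you and the two configuration screens.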
On the ZyWALL end, you choose Pre-Shared Key instead of Certificate and enter the key. You will need to use either DNS or E-mail for each piece of ID. I'd set the Local ID to DNS and use the Dynamic DNS name you're using as the content, and the Peer ID as E-mail and enter vpn@[some domain you own]. However, either of these options designates the content as a textual string - so long as they're the same at both ends, that's all that matters.
On the client end, you choose None as the certificate on the My Identity screen, at which point a button appears to enter the Pre-Shared Key. The ID Type shown beneath must match the Peer ID at the ZyWALL end. The Local ID at the ZyWALL end goes in the 'root' screen of the connection.
Comments
I'm quite happy to regard this as work in progress - post any comments / mistakes found below!
I hope this helps people.