ZyWALL 3.64 firmware / ZyWALL VPN client setup
Screen shots referenced below: Certificate request, Gateway policy, Network policy, Client root, Client identity, Client security policy, Client Phase 1, Client Phase 2
DISCLAIMER: There are security implications in some of the things that are done here - particularly in installing a trusted root CA to your ZyWALL. Read the documentation and understand the implications before blindly following the instructions.
Setup used
These instructions were devised and tested using a ZyWALL 35 with 3.64(WZ.3) firmware and the ZyXEL ZyWALL VPN Client 10.3.5 Build 6 on a Windows XP Professional SP2 laptop. They should hold for any ZyWALL with 3.64 firmware and any appropriate version of SafeNet SoftRemote or SoftRemote LT (be it Safenet, ZyXEL or Netgear branded). 10.3.5 Build 6 (or an as yet unknown future version) is required for Windows XP SP2 compatibility.
This example uses certificates - generated using OpenSSL 0.9.7g, as I don't have a Windows server to hand. It is necessary to build a CA to sign the certificates unless you already have one. For this example, I used OpenSSL 0.9.7g on a FreeBSD 5.4 box, and didn't use CA.pl. CA.pl can save time, but it lacks flexibility, especially in terms of setting the lifetime of your certificates.
The instructions below should work on any *NIX box or Cygwin on Windows. If you can find a Win32 OpenSSL binary, you can use that - the equivalent of touch is to create a blank file, the equivalent of rm is del, and simply ignore the chmod command shown below.
I presume you have some way of getting files between whatever you're running OpenSSL on and Windows (in my case, Vandyke's SecureCRT 5 / SecureFX 3).
If you don't want to use certificates, read the comments about pre-shared keys at the end of the document, then skip to the Configuring the ZyWALL section.
Creating a CA
Firstly, we need to make the folders and create a blank index.txt. In a working folder on the box with OpenSSL:
mkdir demoCA
mkdir demoCA/certs
mkdir demoCA/crl
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
We then need to create the CA certificate - I'm specifying a life of 5 years (1825 days):
openssl req -new -x509 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem -days 1825
The first thing you'll be asked for is the PEM pass phrase - this protects your CA and should be kept secret. You have to enter it twice to verify it.
You're then asked for the:
Country Name - for me in the UK, it's GB, for the USA it should be US and for Canada CA.
State or Province - I suggest you give this in full.
Locality Name - your city.
Organisation Name - I suggest using your surname unless you're a company.
Organisational Unit Name - unless there's anything obvious, such as a division of a company, why not leave this blank.
These answers should be the same through all the stages. You can set them as the defaults for OpenSSL by changing the OpenSSL configuration file.
For the Common Name of this certificate, I suggest you use your Organisation Name, followed by IPsec CA. Email address I leave blank.
You then need to create the serial file:
openssl x509 -in demoCA/cacert.pem -noout -next_serial -out demoCA/serial
Finally, I suggest you ensure there's no group or other permissions on the private part of the CA:
chmod -R go-rwx demoCA/private
Building a PKCS#12 client certificate for the VPN client software
Build a client certificate request:
openssl req -new -nodes -newkey rsa:1024 -sha1 -keyform PEM -keyout clientprivate.pem -outform PEM -out clientreq.pem
Again, you'll be asked a series of questions - I suggest making the Common Name VPN Client if you want to use the same certificate on all machines. That's the setup I'm documenting here - you will need to think this through carefully if you want to deviate from this, in terms of what you specify as the Peer ID on the ZyWALL.
I'd leave the challenge password and optional company name blank.
To sign that request using your CA - in this case for a life of 730 days (2 years):
openssl ca -policy policy_anything -days 730 -out client.pem -infiles clientreq.pem
After entering the passphrase for your CA certificate, there are two questions - answer y to both.
To get the certificate into PKCS#12 format to install into the ZyWALL VPN client:
openssl pkcs12 -export -out client.p12 -in client.pem -inkey clientprivate.pem
You will need to give an export password (twice to confirm), which you need to enter twice into the ZyWALL VPN client when importing the certificate.
For security's sake, I'd then delete the (unprotected) clientprivate.pem:
rm clientprivate.pem
Creating a certificate for the ZyWALL
Firstly, you have to generate a certificate request on the ZyWALL, for which I suggest you use a Dynamic DNS name that you've registered with dyndns.org and enabled on the Dynamic DNS screen. Go to Certificates - My Certificates on the ZyWALL and press the Create button. Certificate request is a screen shot of generating a certificate for test.dnsalias.com - obviously replace this with a Dynamic DNS name that belongs to you! Note the use of the same Country Name, Organisation Name and Organisational Unit name as you used in OpenSSL.
Once the request is generated, you can press the Details button and cut and paste the request in .pem format into a file. Upload that to the machine with OpenSSL as zyxelreq.pem, so that you can sign the request - in this case, for a life of 730 days (2 years):
openssl ca -policy policy_anything -days 730 -out zyxel.pem -infiles zyxelreq.pem
After entering the passphrase for your CA certificate, there are two questions - answer y to both.
Installing the certificates
Download the zyxel.pem, client.p12 and demoCA/cacert.pem files to your Windows machine.
Install the CA on the ZyWALL by going into Certificates - Trusted CAs, press Import, and import cacert.pem. Install the signed certificate using Certificates - My Certificates, press Import, and import zyxel.pem.
On the client, right click its icon in the system tray, and choose Certificate Manager.... On the Root CA Certificates tab, press Import Certificate.... Change the file type to All Files (*.*), uncheck Import certificate to local machine store and select cacert.pem. That installs the CA certificate.
Go to the My Certificates tab, press Import Certificate... and ensure that PKCS#12 Personal Certificate is selected. Uncheck Import certificate to local machine store, browse to the location of the certificate file, enter the export password you chose when creating the PKCS#12 file and press Import.
Configuring the ZyWALL
The setup shown is for access to the 192.168.128.0/24 subnet from a dynamic IP address using NAT Traversal. NAT Traversal is necessary on my setup, as the client may be using GPRS, and my GPRS network forces NAT. NetBIOS broadcasts are shown as on - this is optional.
The Gateway policy and associated Network policy are shown as screen shots. I've masked out the domain name and certificate name, as the screen shots are taken from my live setup - use the appropriate Dynamic DNS name and the certificate you created earlier.
For the Peer ID Content, you want the Distinguished Name of your client certificate in LDAP format. If you followed my suggestion of a Common Name as VPN Client, you should enter CN=VPN Client, O=[organisation], L=[town or city], ST=[state], C=[country] with the appropriate substitutions. When using certificates, the ZyWALL enters the Local ID Content for you as CN=[common name - in my suggested setup, it will be a Dynamic DNS name], O=[organisation], C=[country].
Configuring the client
Double click the client's icon in the system tray to bring up the Security Policy Editor.
You need to configure the client to allow you to specify an internal network address. In the Options menu choose Global Policy Settings. Check Allow to Specify Internal Network Address and press OK.
Press the New button - the leftmost of the buttons under the menu bar - then click on New Connection. Optionally, right click on New Connection and choose Rename to give it a more descriptive name.
Enter the details shown in the Client root screen shot. The Gateway Hostname value is the Dynamic DNS name you're using - it's masked out here as it's taken from my live setup. Under Distinguished Name, press the Edit Name... button, check Enter Subject Name in LDAP format, then enter:
CN=[common name - in my suggested setup, it will be a Dynamic DNS name] O=[organisation] C=[country] with the appropriate substitutions.
I've chosen Only Connect Manually so that the client doesn't try to connect to the VPN automatically.
The rest of the connection should be filled in as per the Client identity, Client security policy, Client Phase 1 and Client Phase 2 screen shots.
The Internal Network IP Address on the My Identity screen must be a unique IP address in a subnet you're not otherwise using (this caught me out, too!). I don't use 192.168.130.0/24 for anything, so I chose 192.168.130.1. If I set up a second client, I'll configure it with 192.168.130.2, and so on.
Press the disk button to save the settings.
Testing the connection
On the client you should be able to choose the settings you've just made by right clicking the icon, then choosing those settings on the Connect... menu. If things don't work, the log viewer on the client and the log screen of the ZyWALL should help you out.
I don't want the hassle of certificates - how do I use pre-shared keys?
This has shown how to use certificates. If you want to use pre-shared keys instead - either to save time or because you can't get either OpenSSL or another way of generating certificates going, you need to set an appropriate pre-shared key at both ends (make it at least 20 characters, mixed case, numbers and punctuation).
On the ZyWALL end, you choose Pre-Shared Key instead of Certificate and enter the key. You will need to use either DNS or E-mail for each piece of ID. I'd set the Local ID to DNS and use the Dynamic DNS name you're using as the content, and the Peer ID as E-mail and enter vpn@[some domain you own]. However, either of these options designates the content as a textual string - so long as they're the same at both ends, that's all that matters.
On the client end, you choose None as the certificate on the My Identity screen, at which point a button appears to enter the Pre-Shared Key. The ID Type shown beneath must match the Peer ID at the ZyWALL end. The Local ID at the ZyWALL end goes in the 'root' screen of the connection.
Comments
I'm quite happy to regard this as work in progress - post any comments / mistakes found below!
I hope this helps people.
David
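A non-interactive version of the CA and client-certificate steps from the post above, added here as an example (not the original poster's code, nor ZyXEL's or SafeNet's): it writes its own minimal OpenSSL config so it does not depend on the distro's demoCA defaults, answers the prompts with -subj, -passout and -batch, then prints the client subject in RFC 2253 (LDAP) order, which is the form the Peer ID Content on the ZyWALL needs, and checks that the client certificate chains to the CA. The DN values, passphrases, file names and scratch directory are constructed placeholders.

```shell
# Added example, not the original post's code: the OpenSSL steps above run
# non-interactively with a minimal config file, so the stock demoCA defaults
# are not needed. Names, passphrases and the scratch dir are constructed.
set -e
WORK=$(mktemp -d)                              # scratch dir (constructed)
CA_PASS="ca-passphrase-placeholder"            # keep the real one secret
P12_PASS="export-password-placeholder"         # typed into the VPN client
DN_BASE="/C=GB/ST=England/L=London/O=Example"  # constructed; OU left blank
build_pki() {
  cd "$WORK" && mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
  : > demoCA/index.txt                         # same as the post's touch
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_vpn
[ policy_vpn ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
  # CA certificate with a 5 year life; key encrypted with the CA passphrase.
  openssl req -new -x509 -config ca.cnf -newkey rsa:2048 -days 1825 \
    -subj "$DN_BASE/CN=Example IPsec CA" -passout "pass:$CA_PASS" \
    -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
  openssl x509 -in demoCA/cacert.pem -noout -next_serial -out demoCA/serial
  chmod -R go-rwx demoCA/private
  # Client key + CSR (CN "VPN Client"); -batch answers the two y/n questions.
  openssl req -new -nodes -config ca.cnf -newkey rsa:2048 \
    -subj "$DN_BASE/CN=VPN Client" -keyout clientprivate.pem -out clientreq.pem
  openssl ca -batch -config ca.cnf -days 730 -passin "pass:$CA_PASS" \
    -out client.pem -infiles clientreq.pem
  openssl pkcs12 -export -in client.pem -inkey clientprivate.pem \
    -out client.p12 -passout "pass:$P12_PASS"
  rm clientprivate.pem                         # drop the unprotected key
}
# Client subject in RFC 2253 (LDAP) order: the string for Peer ID Content.
peer_id() { openssl x509 -in "$WORK/client.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
# The client certificate must chain to the CA imported as a Trusted CA.
verify_chain() { openssl verify -CAfile "$WORK/demoCA/cacert.pem" "$WORK/client.pem" >/dev/null; }
```

With OpenSSL 3.x, add -legacy to the pkcs12 step if an old client cannot import the default AES-256/PBKDF2 bundle.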
Brano | Excellent, thanks for sharing.
There's a nice GUI front-end to openssl, if you don't want to use the command line, called TinyCA.
bbarrera | Even better than TinyCA is CACert.org at www.cacert.org/ which offers free certificates and is actively working toward inclusion in browsers. Recommended.
bbarrera | reply to DavidJWood: Thanks for taking the time to document the setup, it will surely help folks.
Anav | reply to DavidJWood: Awesome, perhaps we can get DrTCP to make this sticky or perhaps put it in the FAQ or links above. I think many users want to be able to hook up from their client (regardless of location) to a ZyWALL at the office, and have something similar (easy how-to guide). This seems to be it. (Going back to your other thread... said by david (mvm in my book): I believe what I've done is the way that many people would want to use VPN client software - single IP address to subnet from an unknown IP address using NAT Traversal.)
Others, perhaps, can comment on the solution provided by the P1 in this regard, a comparison...
reply to bbarrera: I hadn't come across CAcert before, but I like the idea.
I've just submitted my request for 150 points via tverify - as I'm a (maximum 35 point) notary in the Thawte WoT.
David
reply to DavidJWood: I can't edit the original post now, but wanted to note that the use of .pfx rather than .p12 is more standard for PKCS#12 files in Windows. The instructions, however, work as given.
David
reply to DavidJWood: Just as a further little piece of information - if you want the certificates available for all users, it's easiest to import them to the local machine store (which my original instructions suggested not doing).
David
reply to DavidJWood: One further thing that comes to mind - if you do use a PSK, make sure it has sufficient entropy. I believe the same recommendations as for WPA PSKs hold - at least 20 characters, including upper case, lower case, punctuation and numbers. Ideally don't use dictionary words. Meaningless rubbish is ideal.
If you can, use certificates - Safenet suggest that PSKs should only be used for testing.
If you want Cygwin to run OpenSSL in a *NIX-like environment under Windows, that can be got free of charge from www.cygwin.com
As an aside, the X server in Cygwin is excellent - better than many of the commercial products IMHO, though I tend to use the Xming build that isn't dependent on cygwin.dll.
David
bbarrera | Certificates prevent man-in-the-middle (MiTM) attacks. That's why PSK should only be used for testing.
You don't need OpenSSL if you've got a Windows Server, Mac or Linux. Without Windows Server, Linux or a Mac, I recommend obtaining free certificates from www.CaCert.org instead of OpenSSL. The CaCert organization is working hard for browser inclusion.
If you are intent on generating your own certificate requests (CSR) in Windows, rather than installing Cygwin I recommend trying MyCertificate Wizard: www.sweb.cz/mycert/
The Easy-RSA tool in OpenVPN is also an easy way to set up a CA and certificates in Windows without Cygwin or Windows Server. openvpn.net/easyrsa.html openvpn.net/howto.html#pki
While I have Cygwin installed, it is not the easiest way to set up a CA or to generate a CSR.
MarkyD | reply to DavidJWood: Any update for ZyNOS 4?
The VPN mechanisms and options in 4.00 have not altered since 3.64, so should continue to work as before.
There's no update needed for 4.00. The new VPN code came along in 3.64 and was carried forward to 4.00 - the same instructions work perfectly under 4.00.
David
MarkyD | said by DavidJWood: There's no update needed for 4.00. The new VPN code came along in 3.64 and was carried forward to 4.00 - the same instructions work perfectly under 4.00. David
Perfect. Thank You.
reply to bbarrera: said by bbarrera: Even better than TinyCA is CACert.org at www.cacert.org/ which offers free certificates and is actively working toward inclusion in browsers. Recommended.
I have just upgraded our test Z5 & Z35 to 4.0 and was trying to follow David's certificate setup, but using cacert as per Barrera's suggestion.
I followed David's instructions to create the PEM file:
said by DavidJWood: Firstly, you have to generate a certificate request on the ZyWALL, for which I suggest you use a Dynamic DNS name that you've registered with dyndns.org and enabled on the Dynamic DNS screen. Go to Certificates - My Certificates on the ZyWALL and press the Create button. Certificate request is a screen shot of generating a certificate for test.dnsalias.com - obviously replace this with a Dynamic DNS name that belongs to you! Note the use of the same Country Name, Organisation Name and Organisational Unit name as you used in OpenSSL. Once the request is generated, you can press the Details button and cut and paste the request in .pem format into a file.
However, when I paste the certificate request in the cacert server request dialog, it gets rejected with this error message: "Unable to continue as no valid commonNames or subjectAltNames were present on your certificate request."
Anyone who can give me some hints on how to proceed? Basically I am trying to generate certificates based on the dyndns entry for each of the zywalls. The idea is that it will be a bit easier to re-use these each time that a firmware upgrade calls for a "reset to defaults" vs the auto-generated ones.
The Dyndns name is only used to identify the zywall; there is no website, mailserver, ... using the same name.
bbarrera | Last I checked, you must own the domain to generate certificates at cacert.org. Free domains from dyndns.org won't work. This page summarizes the requirements:
www.cacert.org/help.php?id=6
For example, suppose I own zywall-123.com and therefore I would make all routers a subdomain (e.g. office.zywall-123.com). Then I can generate a CSR on the Zywall (commonName = office.zywall-123.com) and request a certificate from cacert.org.
reply to DavidJWood: I was afraid this would be the reason. We do own a couple of domains that we could use for the registration, but we won't be able to make the fqdn of (all) the zywalls resolvable. Will that be an issue?
Hank | reply to DavidJWood: David - The information is very much appreciated. Thank you. Additionally some very good responses.
bbarrera | reply to Eric_T: said by Eric_T: I was afraid this would be the reason. We do own a couple of domains that we could use for the registration, but we won't be able to make the fqdn of (all) the zywalls resolvable. Will that be an issue?
If you want to use certs then fully resolvable fqdn are required. Why can you make some fqdn resolvable, but not all?
Well, I'm looking at implementing (in production) 2 Z35's, 2 Z5's and 4 Prestige 653's to be upgraded so that they support certs.
In this collection, only WAN1 of both Z35's is fixed IP; everything else is dynamic. I would like to use certificates for all the VPNs between all units, and CACERT seemed like an interesting way to avoid setting up my own CA.