robr
Member
2005-Dec-7 2:46 pm
zywall 35 vpn configuration
Love the new Zywall, thanks for the recommendation. I have it doing just about everything I need except VPN. The user manual that came with it really only discusses configuring the router to connect to another Zywall via VPN, not configuring it for client connections. Can someone point me to any info on how to configure it for that? I assume I'll also need the Zywall VPN software, hopefully Zyxel makes it easier to get to than Cisco does. Thanks!
robr
Member
2005-Dec-7 4:05 pm
Thanks. Have a pointer to the VPN software? I can't find it in the software download library and the only CDs that came with this thing are the Vantage Report CD and the ZyWall 35 documentation CD.
I think I have the VPN and RADIUS stuff configured and want to give this a try.
janderso1 (Jim)
MVM, join 2000-04-15, Saint Petersburg, FL
The Zyxel VPN client isn't free (street price about $50 quantity one).
robr
Member
2005-Dec-7 4:13 pm
You have to be kidding me. I thought Cisco was bad... sigh, OK, time to look at the alternatives.
Anav (Sarcastic Llama? Naw, Just Acerbic)
Premium Member, join 2001-07-16, Dartmouth, NS
2005-Dec-7 4:33 pm
to robr
Why not get the ZyWALL P1 instead? It's a portable VPN router! You know the ole saying, TWIX Clients are for Kids!
robr
Member
2005-Dec-7 4:36 pm
One more thing for people to carry around in their laptop bags and potentially break and lose, and an added expense? I'll try the free client route first... next stop, MS IPsec.
janderso1 (Jim)
MVM, join 2000-04-15, Saint Petersburg, FL
Here is a free client but it is a very old version and may have problems with XP. » ftp.up.ac.za/pub/linux/s ··· entinel/
I am currently using the Netgear Client (about $40) » www.amazon.com/exec/obid ··· -7491035 but they don't supply free updates. How many licenses do you need? It is difficult to get the MS client to work if the host doesn't have a static IP address.
robr
Member
2005-Dec-7 6:40 pm
Probably 5 clients. The VPN host does have a static IP, only the clients have dynamic IP.
Anav (Sarcastic Llama? Naw, Just Acerbic)
Premium Member, join 2001-07-16, Dartmouth, NS
2005-Dec-7 7:16 pm
to robr
Netgear sells it cheap by the five pack, not sure which version it is though.
to robr
Setup information for the ZyXEL client (or any of the rebrands of Safenet SoftRemote LT) can be found at » ZyWALL 3.64 firmware / ZyWALL VPN client setup
Despite the thread title, the information is just as valid for 4.00 as 3.64 (the significance of 3.64 is that the ZyWALLs got new VPN code from 3.64 onwards). There's not much hope of getting the MS IPsec stuff working in a dynamic IP scenario, though it may be possible with static IP. The ZyXEL branded client is pretty cheap in the UK - one of the few things that is! The Netgear branded version may be cheaper, but apparently it can be hard to get updates. You need at least 10.3.5 Build 6 for Windows XP SP2 support.
David
maxusa
Premium Member, join 2004-05-05, USA
to Anav
Netgear ProSafe VPN Client = rebranded SafeNet SoftRemoteLT 10.3.5 (Build 6). The 5-license CD is around $136.43 shipped from Provantage, which is $27.29 per client. The software installs without any keys or registration, so I don't know how they control that number.
Anav (Sarcastic Llama? Naw, Just Acerbic)
Premium Member, join 2001-07-16, Dartmouth, NS
2005-Dec-8 9:53 am
Can you confirm that build/release, Max? I.e. was it a recent purchase? I had asked the question earlier in another thread and the only response was a much older variant!
to maxusa
Is the Netgear/Safenet client 'always on', or is it like the Cisco client where I run the application when I want to connect? I've played with clients in the past that filter all traffic all the time even when you're on the local LAN and have run into issues with those (it appears Zyxel's client is one such).
maxusa
Premium Member, join 2004-05-05, USA
to Anav
The purchase was made around 6~8 months ago. Version 10.3.5 (build 6) is WinXP SP2 compliant. Most users know that ZyXEL changed the VPN client provider from SSH to SafeNet. Therefore, the newer ZyXEL VPN clients, like Netgear, are rebranded SafeNet SoftRemoteLT, a great choice. By default, SoftRemoteLT automatically establishes and terminates connections when needed. The connection remains up until one of these conditions occurs:
- The remote gateway, network, Internet, or ISP dropped the tunnel.
- The user turned off/logged off the computer.
- The user imported or reloaded the security policy.
- The user terminated the tunnel manually.
However, if the "only connect manually" checkbox is selected for a given policy, the client does not automatically dial or drop tunnels. The user must manually connect/disconnect such tunnels. For the client to load with the operating system, you may want to manually add the client shortcut (C:\Program Files\SafeNet SoftRemoteLT\SafeCfg.exe) to the Startup folder. You will see the "S" icon in the System Tray. It will load automatically, and will behave according to the "only connect manually" checkbox in each configured policy. Hope this helps.
robr
Member
2005-Dec-8 9:26 pm
OK, I think I'm close to having this working (I shut off RADIUS to try and minimize the complexity). I'm using SafeNet SoftRemoteLT.
The client log shows:
12-08: 21:16:13.906
12-08: 21:16:13.921 My Connections\bleh - Attempting to resolve Hostname (vpn.bleh.com)
12-08: 21:16:13.937 My Connections\bleh - Initiating IKE Phase 1 (Hostname=vpn.bleh.com) (IP ADDR=1.2.3.4)
12-08: 21:16:13.937 My Connections\bleh - Generic entry match with remote address 0.0.0.0.
12-08: 21:16:13.937 My Connections\bleh - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
12-08: 21:16:14.078 My Connections\bleh - RECEIVED>>> ISAKMP OAK MM (KE, NON, VID 3x)
12-08: 21:16:14.343 My Connections\bleh - RECEIVED>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
12-08: 21:16:14.406 My Connections\bleh - RECEIVED ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
12-08: 21:16:14.406 My Connections\bleh - Established IKE SA
12-08: 21:16:14.406 MY COOKIE 1a 2b 3c 4d 5e 6f 7a 8b
12-08: 21:16:14.406 HIS COOKIE 11 22 33 44 55 66 77 88
At this point the connection is still trying to connect and eventually times out and says to check the log. There is nothing written to the log after the above. The last entry in the ZyWall log is similar:
1 2005-12-08 21:16:12 Phase 1 IKE SA process done 1.2.3.4 5.6.7.8 IKE
Any ideas on what to look at next to troubleshoot? Thanks, I'll be continuing to work on this.
robr
Member
2005-Dec-8 9:59 pm
Just an update, made it past the above problem, working on the 2nd phase key exchange now. Phase 2 currently looks like this:
12-08: 21:53:52.890 My Connections\bleh - Initiating IKE Phase 2 with Client IDs (message id: BACF9D32)
12-08: 21:53:52.890 Initiator = IP ADDR=192.168.1.103, prot = 0 port = 0
12-08: 21:53:52.890 Responder = IP ADDR=0.0.0.0, prot = 0 port = 0
12-08: 21:53:52.890 My Connections\bleh - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, ID 2x)
12-08: 21:53:52.937 My Connections\bleh - RECEIVED ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO)
12-08: 21:53:52.937 My Connections\bleh - Discarding SA negotiation
12-08: 21:53:52.937 My Connections\bleh - Deleting IKE SA (IP ADDR=71.243.117.216)
12-08: 21:53:52.937 MY COOKIE xx xx xx xxx xx xx
12-08: 21:53:52.937 HIS COOKIE yy yy yy yy yy yy
12-08: 21:53:52.953 My Connections\bleh - RECEIVED ISAKMP OAK INFO *(HASH, DEL)
12-08: 21:53:52.953 My Connections\bleh - Received message for non-active IKE SA
12-08: 21:53:52.968 My Connections\bleh - RECEIVED ISAKMP OAK INFO *(HASH, DEL)
12-08: 21:53:52.968 My Connections\bleh - Received message for non-active IKE SA
robr
Member
2005-Dec-8 10:26 pm
I think this thread will help solve my problem: » ZyWALL 3.64 firmware / ZyWALL VPN client setup
» ZyWALL 3.64 firmware / ZyWALL VPN client setup should help - that's the reason I wrote the thread and pointed it to you earlier! Though the title says 3.64, it applies equally to 4.00 - the point is that ZyXEL made significant changes to the VPN functionality in 3.64. If you have Phase 1 completing, the chances are that the certificates and/or PSK setup is correct. The log shows you're going wrong with the IDs; with dynamic IP addresses, you can't use IP IDs. If you're using certificates, use distinguished names (called subject names at the ZyWALL end) as per that thread. If you're using PSK, read the second paragraph of "I don't want the hassle of certificates - how do I use pre-shared keys?" for some suggestions. Certificates and subject/distinguished name IDs really are the best solution, though it's not quite as easy to set up in the first place as PSK. The next hurdle may be the IP addressing - that was where I got stuck for some time. The instructions are in that thread under "Configuring the client" - make sure you read the bit about enabling internal network addresses in the client, and choose an otherwise unused address.
David
robr
Member
2005-Dec-9 10:43 am
I had to take a break last night but will get back to this tonight. Have you done this while setting up RADIUS as well, per chance?
The only thing you can use RADIUS for with the VPN functionality is Extended Authentication (XAUTH). I've used XAUTH with the built-in authentication server, but not with an external RADIUS server, even though I have one. I'm not quite sure what the ZyWALL would be expecting of the RADIUS server when used for XAUTH - I don't necessarily think it would be using EAP. If you want to harden the VPN, put the effort into setting up a certificate based infrastructure before worrying about XAUTH. The ideal would be if you set up a CA with a CRL (which is a refinement I didn't document) so that you could revoke individual certificates as necessary. I do use RADIUS with my Z35, but that's for WPA Enterprise (using EAP-TLS). I keep meaning to write an up to date set of instructions for configuring FreeRADIUS for wireless network authentication - the instructions that jbibe has posted in the past are based on an obsolete version of FreeRADIUS.
David
robr
Member
2005-Dec-9 11:24 am
Hmm... I was hoping to just integrate the VPN with Active Directory. I'll give it a shot anyway, I'm not doing anything that needs mega security, I just wanted an easy way to revoke VPN access easily (and I don't find certificates easy at all, especially in a Windows environment).
Well, there's nothing wrong with experimenting. I have no experience whatsoever with Active Directory; my server experience is all UNIX rather than Windows Server.
Get things working without XAUTH first, then you can see what happens when you enable XAUTH.
Certificates really would be a good idea - Safenet, authors of the ZyWALL client, only recommend PSKs for testing and debugging.
If you can write up some instructions as to how to generate the necessary infrastructure in Windows Server, by all means add it to the original thread if you can, or post it in a new one. So long as you can generate a CA, sign the ZyWALL's CSR with that CA (which you may be able to do via SCEP on Windows Server), then generate one or more client certificates, you're away. If you can handle a CRL using your Windows Server, all the better.
David
robr
Member
2005-Dec-9 3:19 pm
I'm back at this and still stuck. I'm using Netgear's 10.3.5 build 6 and looking at the screen shots, on the My Identity screen, they show a box labelled Internal Network IP Address beneath the Virtual Adapter Disabled selection. I don't have this box and I think I read that if I didn't put an unused IP address in this box that something like this might result.
EDIT: never mind - I just figured out you have to turn on that option in Global Policy Settings. Didn't help.
When I get to Phase 2 I'm getting an INVALID_ID_INFO error still. Note that for now I'm using PSK.
12-09: 15:12:52.171 My Connections\bleh VPN - Initiating IKE Phase 2 with Client IDs (message id: 15373266)
12-09: 15:12:52.171 My Connections\bleh VPN - Initiator = IP ADDR=192.168.1.103, prot = 0 port = 0
12-09: 15:12:52.171 My Connections\bleh VPN - Responder = IP SUBNET/MASK=192.168.128.0/255.255.255.0, prot = 0 port = 0
12-09: 15:12:52.171 My Connections\bleh VPN - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
12-09: 15:12:52.218 My Connections\bleh VPN - RECEIVED ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO)
12-09: 15:12:52.218 My Connections\bleh VPN - Discarding SA negotiation
12-09: 15:12:52.218 My Connections\bleh VPN - Deleting IKE SA (IP ADDR=71.243.117.216)
12-09: 15:12:52.218 MY COOKIE a0 d3 2c ab d3 9a 74 d4
12-09: 15:12:52.218 HIS COOKIE 9f e8 a2 26 9 58 dc 62
12-09: 15:12:52.218 My Connections\bleh VPN - RECEIVED ISAKMP OAK INFO *(HASH, DEL)
12-09: 15:12:52.234 My Connections\bleh VPN - RECEIVED ISAKMP OAK INFO *(HASH, DEL)
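A small triage script for the SoftRemoteLT client log format quoted in this thread (an added illustration, not code from the thread, SafeNet or ZyXEL). The two sample logs are constructed from the entries posted above, with made-up cookies and documentation-range addresses substituted for the real ones; the notify names are the ISAKMP ones the client prints. It reports how far IKE got and, when Quick Mode is answered with INVALID_ID_INFO as in the post above, shows the Phase 2 identities the client proposed so they can be compared with the gateway's network policy. The verdict strings are my own wording.

```python
import re

# Constructed sample logs in the SoftRemoteLT format quoted in this thread (addresses,
# cookies and message ids are made up; 192.0.2.x is a documentation range).
PHASE1_STALL_LOG = r"""12-08: 21:16:13.921 My Connections\bleh - Attempting to resolve Hostname (vpn.bleh.example)
12-08: 21:16:13.937 My Connections\bleh - Initiating IKE Phase 1 (Hostname=vpn.bleh.example) (IP ADDR=192.0.2.10)
12-08: 21:16:13.937 My Connections\bleh - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
12-08: 21:16:14.078 My Connections\bleh - RECEIVED>>> ISAKMP OAK MM (KE, NON, VID 3x)
12-08: 21:16:14.343 My Connections\bleh - RECEIVED>>> ISAKMP OAK MM *(ID, HASH, NOTIFY:STATUS_INITIAL_CONTACT)
12-08: 21:16:14.406 My Connections\bleh - Established IKE SA
12-08: 21:16:14.406 MY COOKIE 1a 2b 3c 4d 5e 6f 7a 8b
12-08: 21:16:14.406 HIS COOKIE 11 22 33 44 55 66 77 88"""

PHASE2_FAIL_LOG = r"""12-09: 15:12:52.171 My Connections\bleh VPN - Initiating IKE Phase 2 with Client IDs (message id: 15373266)
12-09: 15:12:52.171 My Connections\bleh VPN - Initiator = IP ADDR=192.168.1.103, prot = 0 port = 0
12-09: 15:12:52.171 My Connections\bleh VPN - Responder = IP SUBNET/MASK=192.168.128.0/255.255.255.0, prot = 0 port = 0
12-09: 15:12:52.171 My Connections\bleh VPN - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
12-09: 15:12:52.218 My Connections\bleh VPN - RECEIVED ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO)
12-09: 15:12:52.218 My Connections\bleh VPN - Discarding SA negotiation
12-09: 15:12:52.218 My Connections\bleh VPN - Deleting IKE SA (IP ADDR=192.0.2.10)
12-09: 15:12:52.218 My Connections\bleh VPN - RECEIVED ISAKMP OAK INFO *(HASH, DEL)"""

TS_RE = re.compile(r"^(?P<ts>\d\d-\d\d: \d\d:\d\d:\d\d\.\d+)\s+(?P<rest>.*)$")
NOTIFY_RE = re.compile(r"NOTIFY:([A-Z_]+)")
ID_RE = re.compile(r"^(Initiator|Responder) = (.+?), prot = (\d+) port = (\d+)$")

# ISAKMP notify types that signal an error; others (e.g. STATUS_INITIAL_CONTACT) are status.
ERROR_NOTIFIES = {"INVALID_ID_INFO", "NO_PROPOSAL_CHOSEN", "AUTHENTICATION_FAILED",
                  "PAYLOAD_MALFORMED", "INVALID_PAYLOAD_TYPE", "INVALID_SPI"}
CONN_PREFIX = "My Connections\\"


def parse_line(line):
    """Split one client log line into (timestamp, connection name or None, message)."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith(CONN_PREFIX):
        conn, _, msg = rest[len(CONN_PREFIX):].partition(" - ")
        return m.group("ts"), conn, msg
    return m.group("ts"), None, rest


def triage(log_text):
    """Walk the log in order and report how far IKE got and what stopped it."""
    state = {"phase1": "not started", "phase2": "not started",
             "ids": {}, "notifies": [], "verdict": ""}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, _, msg = parsed
        if msg.startswith("Initiating IKE Phase 1"):
            state["phase1"] = "in progress"
        elif msg.startswith("Established IKE SA"):
            state["phase1"] = "established"
        elif msg.startswith("Initiating IKE Phase 2"):
            state["phase2"] = "in progress"
        elif msg.startswith("Discarding SA negotiation"):
            failed = "phase2" if state["phase2"] == "in progress" else "phase1"
            state[failed] = "failed"
        idm = ID_RE.match(msg)
        if idm:  # Quick Mode identities the client proposed
            state["ids"][idm.group(1).lower()] = idm.group(2)
        phase = "2" if state["phase2"] != "not started" else "1"
        for name in NOTIFY_RE.findall(msg):
            state["notifies"].append((phase, name))

    errors = [name for _, name in state["notifies"] if name in ERROR_NOTIFIES]
    if state["phase2"] == "failed" and "INVALID_ID_INFO" in errors:
        state["verdict"] = ("Phase 2 rejected with INVALID_ID_INFO: the gateway did not accept the "
                            "Quick Mode identities %s; compare the client's My Identity and Remote "
                            "Party Identity with the gateway's local/remote network policy."
                            % (state["ids"],))
    elif errors:
        state["verdict"] = "Negotiation failed with " + ", ".join(errors)
    elif state["phase1"] == "established" and state["phase2"] == "not started":
        state["verdict"] = ("Phase 1 established but Phase 2 never initiated; the client "
                            "stalled before Quick Mode.")
    elif state["phase1"] != "established":
        state["verdict"] = "Phase 1 did not complete; check PSK/certificates and the Phase 1 proposal."
    else:
        state["verdict"] = "No failure recorded in this log."
    return state


if __name__ == "__main__":
    for name, log in (("phase 1 stall", PHASE1_STALL_LOG), ("phase 2 failure", PHASE2_FAIL_LOG)):
        result = triage(log)
        print("%s: phase1=%s phase2=%s" % (name, result["phase1"], result["phase2"]))
        print("  " + result["verdict"])
```

Run against a real client log, the script does nothing more than the reader would do by eye, but it makes the distinction the thread turns on explicit: a Phase 1 "Established IKE SA" followed by INVALID_ID_INFO in Quick Mode means the PSK or certificates are already accepted and the problem is purely in the identities and traffic selectors.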
maxusa
Premium Member, join 2004-05-05, USA
to robr
To integrate VPN with the Active Directory, you will need to forget about the ZyWALL. Neither of the 2 native Microsoft VPN types is supported by ZyXEL except the pass-through.
If you are talking about integrating Certificates with the Active Directory, you can do this just like with any other certification authority. Be prepared to manage the increased complexity and inter-dependencies of such a system.
ZyWALL VPN + Certificates + Microsoft AD + RADIUS seems like an unnecessarily complicated setup. It's hard to tell what your goals are in this exercise. Having said that, if your organization is a Microsoft shop, have you considered a straight Microsoft VPN solution?
robr
Member
2005-Dec-9 6:02 pm
Actually I wanted to use MS AD/RADIUS to keep this simple. Certificates make things complex in my mind, not AD. The only MS piece I'm interested in is just using RADIUS to authenticate username/PW against their AD info. However that's not really all that important to me, so forget about that for right now.
Here's where I am at this point. I have the VPN working if I set up the ZyWall connection as static, pointing back to my dyndns.org FQDN. As soon as I try to configure it as dynamic, I get the error I specified above. I've tried specifying the client IP I want in the VPN client, I've tried to not specify it in the client, I've tried to just assign it via the ZyWall... no matter what I do, I get the INVALID_ID_INFO error during phase 2. This is just getting frustrating.
maxusa
Premium Member, join 2004-05-05, USA
2005-Dec-9 7:11 pm
Ok, here is what I managed to decipher from your logs:
ZyWALL Gateway Requirements
Dynamic IP on WAN1 with DDNS account BLEH.DYNDNS.ORG set. You want to have a single VPN rule for many remote clients. You want to use PSK (for now).
Remote Clients Requirements
Dynamic IP remote clients. You want many SoftRemoteLT-equipped clients to connect to your ZyWALL.
Solution
On the ZyWALL, set a WAN-to-WAN/ZyWALL firewall rule to permit any source address IKE(UDP:500). Then create a VPN gateway policy with the following settings:
- Name = dynamic_gateway_psk
- My ZyWALL > My Address = 0.0.0.0
- Pre-Shared Key = 123456789
- Negotiation Mode = Main
- Encryption Algorithm = DES
- Authentication Algorithm = MD5
- SA Life Time = 28800
- Key Group = DH1
Then create a network policy like this:
- Active = check
- Name = dynamic_gateway_psk
- Protocol = 0
- Local Network > Address Type = Subnet Address
- Local Network > Starting IP = 192.168.1.0
- Local Network > Subnet Mask = 255.255.255.0
- Local Port > Start/End = 0/0
- Remote Network > Address Type = Single Address
- Remote Network > Starting IP = 0.0.0.0
- Remote Port > Start/End = 0/0
- Encapsulation = Tunnel
- Active Protocol = ESP
- Encryption Algorithm = DES
- Authentication Algorithm = SHA1
- SA Life Time = 28800
On the remote clients, set the SoftRemoteLT security policy as follows:
- Connection Security = Secure
- Only Connect Manually = check
- Remote Party Identity > ID Type = IP Subnet
- Remote Party Identity > Subnet = 192.168.1.0
- Remote Party Identity > Mask = 255.255.255.0
- Remote Party Identity > Protocol = All
- Remote Party Identity > Connect Using = Secure Gateway Tunnel
- Remote Party Identity > ID Type > Any = Any ID
- Remote Party Identity > ID Type > Gateway Hostname = BLEH.DYNDNS.ORG
- My Identity > Pre-Shared Key = 123456789
- My Identity > ID Type = IP Address
- Security Policy > Phase 1 Mode = Main Mode
- Authentication > Proposal 1 > Auth Method = Pre-Shared Key
- Authentication > Proposal 1 > Encrypt Alg = DES
- Authentication > Proposal 1 > Hash Alg = MD5
- Authentication > Proposal 1 > SA Life = Seconds 28800
- Authentication > Proposal 1 > Key Group = D-H 1
- Key Exchange > Proposal 1 > SA Life = Seconds 28800
- Key Exchange > Proposal 1 > ESP = check
- Key Exchange > Proposal 1 > Encrypt Alg = DES
- Key Exchange > Proposal 1 > Hash Alg = SHA-1
- Key Exchange > Proposal 1 > Encapsulation = Tunnel
Your test network needs Internet access to resolve DDNS. Otherwise, add an entry to the internal DNS or the HOSTS file. To troubleshoot, use the manual dial and the log viewer. Tighten this basic VPN tunnel in steps. Hope this helps.
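To make the mismatch-hunting concrete, here is an added example (my own code, not anything from the thread, ZyXEL or SafeNet) that transcribes the gateway policy, network policy and client policy listed above into Python dictionaries and compares them the way the two IKE peers will: the Phase 1 proposal attribute by attribute, the Phase 2 proposal, and the Quick Mode identities whose mismatch produces the INVALID_ID_INFO seen earlier in the thread. The dictionary keys are my own naming rather than product identifiers, the normalisation of spellings such as "SHA-1" versus "SHA1" is an assumption about how the two products label the same algorithm, and the WEAK findings are advisory, in the spirit of "tighten this basic VPN tunnel in steps".

```python
# Settings transcribed from the post above. Keys are illustrative names, not ZyWALL or
# SoftRemoteLT identifiers; the PSK is the placeholder value given in the post.
ZYWALL_GATEWAY = {                      # ZyWALL VPN gateway policy
    "my_address": "0.0.0.0", "psk": "123456789", "mode": "Main",
    "enc": "DES", "hash": "MD5", "sa_life": 28800, "key_group": "DH1",
}
ZYWALL_NETWORK = {                      # ZyWALL VPN network policy
    "protocol": 0,
    "local_ip": "192.168.1.0", "local_mask": "255.255.255.0",
    "remote_type": "Single Address", "remote_ip": "0.0.0.0",
    "encap": "Tunnel", "active_protocol": "ESP",
    "enc": "DES", "hash": "SHA1", "sa_life": 28800,
}
CLIENT_POLICY = {                       # SoftRemoteLT security policy
    "remote_id_type": "IP Subnet",
    "remote_subnet": "192.168.1.0", "remote_mask": "255.255.255.0", "remote_proto": "All",
    "my_id_type": "IP Address", "psk": "123456789",
    "p1_mode": "Main Mode", "auth_method": "Pre-Shared Key",
    "p1_enc": "DES", "p1_hash": "MD5", "p1_sa_life": 28800, "p1_key_group": "D-H 1",
    "p2_sa_life": 28800, "esp": True, "p2_enc": "DES", "p2_hash": "SHA-1", "encap": "Tunnel",
}

# Algorithms that negotiate fine but give little protection; flagged as advisory only.
WEAK = {"DES": "56-bit key", "MD5": "broken hash", "DH1": "768-bit group"}


def norm(value):
    """Collapse the two products' spellings: 'SHA-1' == 'SHA1', 'D-H 1' == 'DH1'."""
    return "".join(ch for ch in str(value).upper() if ch.isalnum())


def compare_policies(gw, net, client):
    """Return findings: MISMATCH (tunnel will not come up), WEAK (advisory) and INFO."""
    findings = []

    def cmp(label, gateway_value, client_value):
        if norm(gateway_value) != norm(client_value):
            findings.append("MISMATCH: %s: gateway=%r client=%r"
                            % (label, gateway_value, client_value))

    # Phase 1 (IKE SA): every attribute must agree or Main Mode never completes.
    cmp("Phase 1 mode", gw["mode"], client["p1_mode"].replace(" Mode", ""))
    gw_auth = "Pre-Shared Key" if gw.get("psk") else "Certificate"
    cmp("Phase 1 auth method", gw_auth, client["auth_method"])
    if gw.get("psk") != client.get("psk"):
        findings.append("MISMATCH: pre-shared key differs between gateway and client")
    cmp("Phase 1 encryption", gw["enc"], client["p1_enc"])
    cmp("Phase 1 hash", gw["hash"], client["p1_hash"])
    cmp("Phase 1 DH group", gw["key_group"], client["p1_key_group"])
    cmp("Phase 1 SA lifetime", gw["sa_life"], client["p1_sa_life"])

    # Phase 2 (IPsec SA) proposal.
    cmp("Phase 2 protocol", net["active_protocol"], "ESP" if client["esp"] else "AH")
    cmp("Phase 2 encryption", net["enc"], client["p2_enc"])
    cmp("Phase 2 hash", net["hash"], client["p2_hash"])
    cmp("Phase 2 encapsulation", net["encap"], client["encap"])
    cmp("Phase 2 SA lifetime", net["sa_life"], client["p2_sa_life"])

    # Quick Mode identities: the client's Remote Party Identity must be exactly the
    # gateway's Local Network, or the gateway answers INVALID_ID_INFO.
    client_remote = "%s/%s" % (client["remote_subnet"], client["remote_mask"])
    gw_local = "%s/%s" % (net["local_ip"], net["local_mask"])
    if client["remote_id_type"] != "IP Subnet" or client_remote != gw_local:
        findings.append("MISMATCH: Quick Mode responder ID: client Remote Party %s %s vs "
                        "gateway Local Network %s (expect INVALID_ID_INFO)"
                        % (client["remote_id_type"], client_remote, gw_local))
    client_proto = 0 if client["remote_proto"] == "All" else int(client["remote_proto"])
    cmp("Quick Mode protocol selector", net["protocol"], client_proto)
    if net["remote_ip"] == "0.0.0.0":
        findings.append("INFO: gateway Remote Network 0.0.0.0 accepts any client address "
                        "(what lets one rule serve dynamic-IP clients)")
    else:
        findings.append("INFO: gateway Remote Network fixed at %s; only that client matches"
                        % net["remote_ip"])

    # Advisory: settings that negotiate fine but should be tightened once the tunnel works.
    for label, alg in (("Phase 1 encryption", gw["enc"]), ("Phase 1 hash", gw["hash"]),
                       ("Phase 1 DH group", gw["key_group"]),
                       ("Phase 2 encryption", net["enc"]), ("Phase 2 hash", net["hash"])):
        if norm(alg) in WEAK:
            findings.append("WEAK: %s uses %s (%s)" % (label, alg, WEAK[norm(alg)]))
    if gw.get("psk") and (len(gw["psk"]) < 20 or gw["psk"].isdigit()):
        findings.append("WEAK: pre-shared key is short or all digits; use a long random "
                        "key, or certificates as suggested earlier in the thread")
    return findings


if __name__ == "__main__":
    for line in compare_policies(ZYWALL_GATEWAY, ZYWALL_NETWORK, CLIENT_POLICY):
        print(line)
```

With the settings exactly as posted the checker reports no MISMATCH lines, only the INFO about the 0.0.0.0 remote network and the WEAK advisories for DES, MD5, DH group 1 and the placeholder PSK; change the client's Remote Party subnet to anything other than the gateway's local network and the Quick Mode finding appears, which is the shape of the failure robr was seeing.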
robr
Member
2005-Dec-9 9:36 pm
Thanks very much for taking the time to go through all that. The only change is WAN1 is a static IP address, but let me digest what you've posted and see if I can work through this.
robr
Member
2005-Dec-9 10:10 pm
maxusa - you are a *GOD*!!!!!!!!!! THANK YOU!!!!! I didn't change a thing, since if a dynamic WAN is working, then there's no reason it wouldn't work if it had a static IP either, and actually since I have two WAN connections, the IP could vary if I want to use both WAN connections for VPN.
THANK YOU THANK YOU THANK YOU!!!!!!! I owe you beer if you're ever in the Boston area.
robr
Member
2005-Dec-9 11:48 pm
Hmm... I'm not quite there yet. I connect fine now but I can't ping anything on the internal network that I've just connected to. Might be a router setting somewhere (I have the firewall turned off btw, so it shouldn't be a firewall rule causing this).