
OpenSwan and Zyxel Zywall

Dead n Gone 2013-06-25

I recently bought a Zywall 2 for my home office and tried to set up a VPN connection to it using OpenSwan. Quite a lot of research later it was done. To save others the search, I decided to put together a short guide.

First of all you need to configure the Zywall and set up an incoming VPN connection there:

  • Select “Security” -> “VPN” in the left menu
  • Add a new Gateway Policy by clicking on the “Add Gateway Policy” icon (two little routers with a plus sign)
  • Fill in the details as shown in the image below; of course you should fill in your own Pre-Shared Key (which is empty here, guess why…).

Now that we have the Gateway Policy, all we need to add is a Network Policy:

  • Go back to “Security” -> “VPN” (left menu)
  • Next to your added Gateway Policy you will find an icon with two small clouds and a plus sign (“Add Network Policy”); click on it.
  • Change all settings as shown in the image below. Make sure you have set the correct internal network address.


Now the Zywall is set up and ready to handle an incoming VPN connection.

All we still need to do is configure OpenSwan on our Linux system. Basically this is done using two files: /etc/ipsec.conf and /etc/ipsec.secrets.

Here is the listing of my ipsec.conf:

conn zywall-psk
        authby=secret
        pfs=yes
        type=tunnel
        auth=esp
        aggrmode=no
        disablearrivalcheck=no
        # Local (1.1.1.1 is a placeholder: your own public IP, see below)
        left=1.1.1.1
        leftid=%defaultroute
        # Remote (Distant) (1.1.1.1 is a placeholder: the Zywall WAN IP, see below)
        right=1.1.1.1
        rightid=1.1.1.1
        # The LAN behind the Zywall
        rightsubnet=192.168.1.0/24
        auto=start

In fact, you only need to modify four values: left, right, rightid and rightsubnet.

  • left: always fill in the local IP address of the interface you are connecting from. This has to be changed every time your IP changes.
  • right: fill in the WAN IP of your router.
  • rightid: the same as “right”, fill in the WAN IP of your router.
  • rightsubnet: fill in the network address of your home LAN.

One more thing is still missing: the Pre-Shared Key. It has to be added to the /etc/ipsec.secrets file. Just add the following line to it:

: PSK "YOUR_PRE_SHARED_KEY_GOES_HERE"

Note: the leading ':' is intentional. This way your PSK is used for any connection, so it only works if you have exactly one. If you have more than one connection configured, you need to specify the IP addresses (local and remote) before the ':'.
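As an added pre-flight check (example code, not from the original post), the script below parses a conn block like the one above and the PSK line from ipsec.secrets and flags the mistakes this guide warns about: placeholder addresses left in place, rightid not matching right, a malformed rightsubnet, typographic quotes around the PSK, and a bare ':' selector when several entries are configured. The sample files, addresses and PSK are constructed.

```python
import ipaddress
import re
# Constructed sample files shaped like the guide's (RFC 5737 documentation addresses, made-up PSK).
IPSEC_CONF = """\
conn zywall-psk
        left=203.0.113.10
        right=198.51.100.20
        rightid=198.51.100.20
        rightsubnet=192.168.1.0/24
"""
IPSEC_SECRETS = '203.0.113.10 198.51.100.20 : PSK "example-psk-not-for-real-use"\n'
PSK_LINE = re.compile(r'^(?P<ids>[^:]*):\s*PSK\s+"[^"]+"\s*$')  # straight quotes only

def parse_conn(text, name):
    """Return {key: value} for the indented lines of the 'conn <name>' block."""
    params, in_block = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            in_block = stripped.split()[1] == name
        elif in_block and stripped and not stripped.startswith("#"):
            key, _, value = stripped.partition("=")
            params[key.strip()] = value.strip()
    return params

def check_conn(p):
    """Problems with the values the guide says to change: left, right, rightid, rightsubnet."""
    problems = [] if p["left"] != p["right"] else ["left equals right: placeholder addresses not replaced"]
    if p["rightid"] != p["right"]:
        problems.append("rightid must equal right (the Zywall WAN IP)")
    try:
        ipaddress.ip_network(p["rightsubnet"], strict=True)
    except ValueError:
        problems.append(f"rightsubnet {p['rightsubnet']!r} is not a valid network")
    return problems

def check_secrets(text, left, right):
    """Problems with PSK lines: curly quotes, or a bare ':' selector when several entries exist."""
    lines = [l for l in text.splitlines() if "PSK" in l]
    problems = [] if lines else ["no PSK line found"]
    for line in lines:
        m = PSK_LINE.match(line)
        ids = m.group("ids").split() if m else []
        if not m:  # typographic quotes such as “…” never match
            problems.append(f"malformed secrets line (use straight double quotes): {line!r}")
        elif not ids and len(lines) > 1:
            problems.append("bare ':' selector with several entries; list the IPs before ':'")
        elif ids and set(ids) != {left, right}:
            problems.append(f"selector {ids} does not match left/right {left}/{right}")
    return problems
```

Run it against your real /etc/ipsec.conf and /etc/ipsec.secrets before starting the tunnel; an empty list from both checks means the four values and the PSK line are at least consistent with each other.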

Now we are done, start your VPN connection by running /etc/init.d/ipsec start.

In /var/log/messages you should see some messages indicating that the connection was started.
