Wednesday, November 23, 2005

IPSEC connection between Mac OS X and SonicWALL TZ 170


I got a snazzy SonicWALL TZ 170 firewall from work. It works much better than my previous Linksys firewall/router (which regularly overheated during the summer months). The SonicWALL also supports IPsec VPN. Since I'm travelling for the Thanksgiving holiday, I decided to get the VPN working with my iBook.




Although VPN Tracker has a slick interface with good defaults for numerous firewalls, $90 is too steep for me. I tried VaporSec, but I got the error message Can't get file of folder "::private:tmp" of startup disk. (-1728) and was unable to resolve it.




To get the VPN working without any extra programs, the first step was to change the VPN settings on the SonicWALL, so I:

  • Chose the VPN tab from the left menu
  • Edited the configuration for GroupVPN
  • Under the General tab
    • Chose IKE using Preshared Secret
    • Entered a shared secret
  • Under the Proposals tab for Phase 1
    • Chose DH Group 2
    • Chose AES-128 as the encryption algorithm
    • Chose SHA1 as the authentication method
    • Set the Life Time to 600 seconds
  • Under the Proposals tab for Phase 2
    • Chose ESP as the protocol
    • Chose AES-128 as the encryption method
    • Chose SHA1 as the authentication method
    • Enabled Perfect Forward Secrecy
    • Chose Group 1 for the DH Group
    • Set the Life Time to 28800 seconds
  • On the Advanced tab
    • Disabled XAUTH authentication
    • Left everything else at the defaults
  • Left all the defaults on the Client tab
  • Clicked OK and enabled the GroupVPN




Mac OS X comes with support for IPsec using the KAME tools racoon and setkey. The man pages for "racoon.conf" and "racoon", along with this sample configuration file, helped me come up with the following configuration files:




Configuration for home.conf (the racoon configuration):




# Pre-shared keys are looked up in this file, keyed by the peer's address.
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE) settings; "anonymous" matches any peer.
remote anonymous {
    lifetime time 24 hour;
    exchange_mode main, aggressive, base;

    proposal {
        encryption_algorithm aes 128;         # AES-128, as chosen on the SonicWALL
        hash_algorithm sha1;                  # SHA1 for Phase 1
        authentication_method pre_shared_key; # IKE using Preshared Secret
        dh_group 2;                           # DH Group 2 for Phase 1
    }
}

# Phase 2 (IPsec SA) settings.
sainfo anonymous {
    lifetime time 12 hour;
    pfs_group 1;                              # Perfect Forward Secrecy with DH Group 1
    encryption_algorithm aes 128;             # ESP with AES-128
    authentication_algorithm hmac_sha1;       # SHA1 for Phase 2
    compression_algorithm deflate;
}



The file "/etc/racoon/psk.txt" contains a single line like this:




69.144.112.123 this is my secret



Next comes home.spd (the configuration for setkey). In this configuration, 192.168.2.5 is the IP address of the laptop, 192.168.40.0/24 is my home network and 69.144.112.123 represents the external IP address of my SonicWALL TZ 170.




spdadd 192.168.2.0/24 192.168.40.0/24 any -P out ipsec esp/tunnel/192.168.2.5-69.144.112.123/require;
spdadd 192.168.40.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/69.144.112.123-192.168.2.5/require;



This next part is the portion that I didn't find documented anywhere. Once I have the configuration files written, how do I make it "go"? The following worked for me (when acting as root).




setkey -f home.spd
racoon -F -f home.conf



And then, in another Terminal.app window, ping 192.168.40.5. By specifying -F, racoon stays in the foreground, which lets me easily stop the VPN when I'm done. The ping is what actually brings up the VPN connection. You don't really need it, since any other attempt to access the remote network has the same effect.
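The start-up sequence above, wrapped in a small sh script as an added example (not from the original post or the KAME tools): make_spd builds the two setkey policies from the laptop address, laptop network, home network and gateway address used in home.spd; check_psk refuses to start unless psk.txt is readable only by its owner, since it holds the secret in clear text; run_vpn loads the policies, runs racoon in the foreground and flushes the policies again when racoon exits. The function names and the flush-on-exit step are my assumptions.

```shell
#!/bin/sh
# Added helper script, not from the original post. Wraps the home.spd /
# racoon start-up described above. Function names are made up for this example.

# make_spd LAPTOP_IP LAPTOP_NET HOME_NET GATEWAY_IP
# Prints the two setkey policies: traffic from the laptop's network to the
# home network must go out through an ESP tunnel to the gateway, and the
# reverse direction is required to arrive through the same tunnel.
make_spd() {
    laptop=$1; lnet=$2; hnet=$3; gw=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$lnet" "$hnet" "$laptop" "$gw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$hnet" "$lnet" "$gw" "$laptop"
}

# check_psk FILE
# psk.txt holds the pre-shared secret in clear text, so only its owner (root)
# should be able to read it. Succeeds for mode 600 or 400, fails otherwise.
check_psk() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || [ "$mode" = "-r--------" ]
}

# run_vpn SPD_FILE RACOON_CONF
# Loads the policies, runs racoon in the foreground (as in the post), and
# flushes the SPD (-FP) and SAD (-F) again when racoon exits, e.g. on Ctrl-C,
# so a stale "require" policy cannot keep blocking traffic to the home network.
run_vpn() {
    check_psk /etc/racoon/psk.txt || {
        echo "refusing to start: /etc/racoon/psk.txt must be mode 600" >&2
        return 1
    }
    setkey -f "$1" || return 1
    trap 'setkey -FP; setkey -F' EXIT INT TERM
    racoon -F -f "$2"
}

# Usage, as root, with the addresses from the post:
#   make_spd 192.168.2.5 192.168.2.0/24 192.168.40.0/24 69.144.112.123 > home.spd
#   run_vpn home.spd home.conf
```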
