Here is how I configured my Linksys WRT54G router/AP to connect to my office's Zywall 70:

             --------                    --------
  Home -----| WRT54G |--- Internet ----| Zywall |----- Office
             --------                    --------
  192.168.3.x      W.W.W.W          Z.Z.Z.Z       192.168.2.x
Linksys WRT54G
Back up your access point, go to http://openwrt.org, read the wiki carefully, and install the latest OpenWRT release. WhiteRussian RC6 worked for me.
I upgraded from an old Alchemy release, and all my settings were kept.
Install openswan
# ipkg update
# ipkg install openswan
Create /etc/ipsec.d/private/zywall:

conn zywall
    right=%defaultroute
    rightsubnet=192.168.3.0/24
    rightid=@someid
    left=Z.Z.Z.Z
    leftsubnet=192.168.2.0/24
    leftid=@someid
    authby=secret
    pfs=no
    ike=aes128-sha1-modp1024
    esp=3des-md5-96
    keylife=9600s
    keyingtries=0
    auto=add
    dpddelay=30
Modify /etc/ipsec.conf to include your new config:
# Add connections here
include /etc/ipsec.d/private/zywall
Add your pre-shared key in /etc/ipsec.secrets:
@someid @someid: PSK "mysecret"
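The openswan side above is a handful of values that must agree with each other (the two IDs, the PSK, the subnets). The script below is an added example, not part of the original page: it renders the conn block and the secrets line from variables, then checks the two properties that commonly break a PSK tunnel, namely that leftid and rightid are identical and that ipsec.secrets is not world-readable. The output directory, the 203.0.113.1 peer address in the test and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the page): generate the openswan conn file and
# the ipsec.secrets entry for the WRT54G <-> Zywall tunnel from one set of
# variables, then sanity-check the result before copying it to /etc/ipsec.d.
set -eu

# Render the conn block exactly as the page lays it out.
# $1 conn name, $2 peer (Zywall) address, $3 local subnet (rightsubnet),
# $4 remote subnet (leftsubnet), $5 shared ID used for both leftid and rightid.
render_conn() {
    name=$1; peer=$2; lsub=$3; rsub=$4; id=$5
    cat <<EOF
conn $name
    right=%defaultroute
    rightsubnet=$lsub
    rightid=@$id
    left=$peer
    leftsubnet=$rsub
    leftid=@$id
    authby=secret
    pfs=no
    ike=aes128-sha1-modp1024
    esp=3des-md5-96
    keylife=9600s
    keyingtries=0
    auto=add
    dpddelay=30
EOF
}

# Return 0 when leftid and rightid in a conn file are present and identical
# (the page's note: the local and remote ID must be the same).
ids_match() {
    l=$(sed -n 's/^[[:space:]]*leftid=//p' "$1")
    r=$(sed -n 's/^[[:space:]]*rightid=//p' "$1")
    [ -n "$l" ] && [ "$l" = "$r" ]
}

# Write the PSK line in the form the page shows, created with a restrictive
# umask so the secret is never briefly world-readable.
# $1 shared ID, $2 pre-shared key, $3 destination file.
write_secret() {
    id=$1; psk=$2; file=$3
    (umask 077; printf '@%s @%s: PSK "%s"\n' "$id" "$id" "$psk" > "$file")
    chmod 600 "$file"
}

# Return 0 when the secrets file grants no permissions to group or others.
secret_is_private() {
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage: write both files into OUT_DIR (assumed variable; defaults to a
# temporary directory so this can be tried without touching /etc).
OUT=${OUT_DIR:-$(mktemp -d)}
render_conn zywall Z.Z.Z.Z 192.168.3.0/24 192.168.2.0/24 someid > "$OUT/zywall"
write_secret someid mysecret "$OUT/ipsec.secrets"
ids_match "$OUT/zywall" && echo "conn $OUT/zywall: IDs match"
secret_is_private "$OUT/ipsec.secrets" && echo "$OUT/ipsec.secrets: mode 600"
```

Once the checks pass, copy the generated files to /etc/ipsec.d/private/zywall and /etc/ipsec.secrets on the WRT54G; changing the local subnet argument is all that is needed later when the home network is masqueraded behind a different subnet.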
Zywall 70
Open the « VPN Rule (IKE) » tab and add a new gateway policy:
- Remote Gateway Address : W.W.W.W
- Pre-Shared Key : mysecret
- Negotiation Mode : Main
- Encryption Algorithm: AES
- Authentication Algorithm : SHA1
- SA Life Time (Seconds): 9600
- Key Group : DH2
Add a new network policy:
- Active: Yes
- Local Network
  - Address Type: Subnet address
  - Starting IP Address: 192.168.2.0
  - Subnet Mask: 255.255.255.0
- Remote Network
  - Address Type: Subnet address
  - Starting IP Address: 192.168.3.0
  - Subnet Mask: 255.255.255.0
- Encapsulation Mode: Tunnel
- Active Protocol: ESP
- Encryption Algorithm: 3DES
- Authentication Algorithm: MD5
- SA Life Time (Seconds): 28800
- Perfect Forward Secrecy: None
- Enable Replay Detection: Yes
It should now work. Try to connect the VPN from the WRT54G:
# ipsec auto --up zywall
104 "zywall" #26: STATE_MAIN_I1: initiate
003 "zywall" #26: ignoring unknown Vendor ID payload [afcad71368a1f1c96b8696fc7757]
003 "zywall" #26: ignoring unknown Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
106 "zywall" #26: STATE_MAIN_I2: sent MI2, expecting MR2
108 "zywall" #26: STATE_MAIN_I3: sent MI3, expecting MR3
004 "zywall" #26: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "zywall" #27: STATE_QUICK_I1: initiate
004 "zywall" #27: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x595ef372 <0xb540297d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
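The transcript above is the only evidence that the tunnel came up and which parameters were actually negotiated. The script below is an added example, not part of the original page: it parses `ipsec auto --up` output, confirms that both the ISAKMP (phase 1) and IPsec (phase 2) SAs were established, compares the negotiated phase-1 parameters with the ones configured in the conn, and flags the 3DES/MD5 phase-2 transform the notes call out as the weaker choice. The successful sample is the page's own output; the failing sample (a negotiation that stalls at MAIN_I3) is constructed for the example, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): check an `ipsec auto --up` transcript
# for a fully established tunnel and for the negotiated algorithms.
set -e

# Sample 1: the page's own successful negotiation.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
104 "zywall" #26: STATE_MAIN_I1: initiate
003 "zywall" #26: ignoring unknown Vendor ID payload [afcad71368a1f1c96b8696fc7757]
003 "zywall" #26: ignoring unknown Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
106 "zywall" #26: STATE_MAIN_I2: sent MI2, expecting MR2
108 "zywall" #26: STATE_MAIN_I3: sent MI3, expecting MR3
004 "zywall" #26: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "zywall" #27: STATE_QUICK_I1: initiate
004 "zywall" #27: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x595ef372 <0xb540297d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
EOF

# Sample 2 (constructed): phase 1 never completes, e.g. a PSK or ID mismatch.
FAIL=$(mktemp)
cat > "$FAIL" <<'EOF'
104 "zywall" #26: STATE_MAIN_I1: initiate
106 "zywall" #26: STATE_MAIN_I2: sent MI2, expecting MR2
108 "zywall" #26: STATE_MAIN_I3: sent MI3, expecting MR3
010 "zywall" #26: STATE_MAIN_I3: retransmission; will wait 20s for response
EOF

# Return 0 when conn $1 reached both MAIN_I4 (ISAKMP SA) and QUICK_I2
# (IPsec SA) in log file $2.
tunnel_up() {
    grep -q "\"$1\" #[0-9]*: STATE_MAIN_I4: ISAKMP SA established" "$2" &&
    grep -q "\"$1\" #[0-9]*: STATE_QUICK_I2: .*IPsec SA established" "$2"
}

# Print every key=value pair inside the {...} of the two "established" lines.
negotiated_params() {
    sed -n 's/.*ISAKMP SA established {\(.*\)}.*/\1/p
            s/.*IPsec SA established {\(.*\)}.*/\1/p' "$1" | tr ' ' '\n' | grep '='
}

# Return 0 when each expected key=value in $2.. appears among the negotiated
# parameters of log $1 (use it to compare against the ike= line of the conn).
phase1_matches() {
    log=$1; shift
    params=$(negotiated_params "$log")
    for want in "$@"; do
        printf '%s\n' "$params" | grep -qx "$want" || return 1
    done
}

# Print the phase-2 transform (xfrm= field), e.g. 3DES_0-HMAC_MD5.
phase2_xfrm() {
    sed -n 's/.*IPsec SA established {.*xfrm=\([^ }]*\).*/\1/p' "$1"
}

# Return 0 when phase 2 used 3DES or MD5, the combination the page's notes
# describe as the least secure option it had to accept.
phase2_weak() {
    case $(phase2_xfrm "$1") in
        *3DES*|*MD5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count "unknown Vendor ID" lines; they are informational, not errors.
vendor_ids_ignored() {
    grep -c 'ignoring unknown Vendor ID payload' "$1" || true
}

# Usage: report on both samples.
for f in "$SAMPLE" "$FAIL"; do
    if tunnel_up zywall "$f"; then
        echo "$f: tunnel up, phase-2 transform $(phase2_xfrm "$f"), $(vendor_ids_ignored "$f") vendor IDs ignored"
        phase2_weak "$f" && echo "$f: warning, phase 2 uses 3DES/MD5"
    else
        echo "$f: tunnel not established"
    fi
done
```

Running it against a saved transcript (`ipsec auto --up zywall 2>&1 | tee /tmp/up.log`) gives a quick yes/no plus the actual algorithms, which is what to compare with the Zywall policy when the two ends disagree.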
Hiding the personal network
It works, but my colleagues can now browse my home network. I want to « masquerade » the 192.168.3 subnet, so all connections seem to come from 192.168.203.1:

                  ---------                    --------
  Home ---- (NAT) | WRT54G |--- Internet ----| Zywall |----- Office
                  ---------                    --------
  192.168.3.x   192.168.203.x    W.W.W.W    Z.Z.Z.Z      192.168.2.x
Edit /etc/firewall.user:
iptables -t nat -A postrouting_rule -d 192.168.2.0/255.255.255.0 -j SNAT --to 192.168.203.1
iptables -A forwarding_rule -d 192.168.2.0/24 -j ACCEPT
Run /etc/firewall.user to apply these rules.
Modify the IPsec configuration on both ends (rightsubnet in the zywall conn, and the Remote Network of the Zywall network policy) to use 192.168.203.0/24 instead of 192.168.3.0/24.
Notes
- The local and remote ID must be the same.
- 3DES/MD5 is not the most secure cipher for phase 2, but other ciphers do not seem to work.
- See the OpenWRT wiki for encryption and speed.
- This should work with any Zywall model and with IPsec-capable Prestige models (652, 662). Some buggy firmware versions (Zywall 10) use the local and/or remote ID instead of the « secure gateway address ».