OpenWRT to Zywall VPN

Here is how I configured my Linksys WRT54G routeur/AP to connect to my office’s Zywall 70

              --------                  --------
      Home --| WRT54G |--- Internet ---| Zywall |--- Office
              --------                  --------                
192.168.3.X         W.W.W.W          Z.Z.Z.Z          192.168.2.x

Linksys WRT54G

Backup your access point, go to http://openwrt.org, read carefully the wiki, and install the latest OpenWRT release. WhiteRussian RC6 worked for me.

I upgraded from an old Alchemy release, and all my settings were kept.

Install openswan

#ipkg update
#ipkg install openswan

Create /etc/ipsec.d/private/zywall

conn zywall
       right=%defaultroute
       rightsubnet=192.168.3.0/24
       rightid=@someid
       left=Z.Z.Z.Z
       leftsubnet=192.168.2.0/24
       leftid=@someid
       authby=secret
       pfs=no
       ike=aes128-sha1-modp1024
       esp=3des-md5-96
       keylife=9600s
       keyingtries=0
       auto=add
       dpddelay=30

Modify /etc/ipsec.conf to include your new config

# Add connections here
include /etc/ipsec.d/private/zywall

Add you preshared key in /etc/ipsec.secrets

@someid @someid: PSK "mysecret"

Zywall 70

Open « VPN Rule (IKE) » tab and add a new gateway policy

  • Remote Gateway Address : W.W.W.W
  • Pre-Shared Key : mysecret
  • Negotiation Mode : Main
  • Encryption Algorithm: AES
  • Authentication Algorithm : SHA1
  • SA Life Time (Seconds): 9600
  • Key Group : DH2

Add a new network policy

  • Active: Yes
  • Local Network
    • Address Type: Subnet address
    • Starting IP Address: 192.168.2.0
    • Subnet Mask: 255.255.255.0
  • Remote Network
    • Address Type: Subnet address
    • Starting IP Address: 192.168.3.0
    • Subnet Mask: 255.255.255.0
  • Encapsulation Mode: Tunnel
  • Active Protocol: ESP
  • Encryption Algorithm : 3DES
  • Authentication Algorithm: MD5
  • SA Life Time (Seconds): 28800
  • Prefect Forward Secrecy: None
  • Enable Replay Detection: Yes

It should now work. Try to connect the VPN from the WRT54G:

# ipsec auto --up zywall
104 "zywall" #26: STATE_MAIN_I1: initiate
003 "zywall" #26: ignoring unknown Vendor ID payload [afcad71368a1f1c96b8696fc7757]
003 "zywall" #26: ignoring unknown Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
106 "zywall" #26: STATE_MAIN_I2: sent MI2, expecting MR2
108 "zywall" #26: STATE_MAIN_I3: sent MI3, expecting MR3
004 "zywall" #26: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "zywall" #27: STATE_QUICK_I1: initiate
004 "zywall" #27: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x595ef372 <0xb540297d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

Hiding the personnal network

It works, but my colleagues can now browse my home network. I want to « masquerade » the 192.168.3 subnet, so all connections seems to come from 192.168.203.1 :

                  ---------                  --------
      Home -- (NAT) WRT54G |--- Internet ---| Zywall |--- Office
                  ---------                  --------                
192.168.3.x  192.168.203.x  W.W.W.W   Z.Z.Z.Z          192.168.2.x

Edit /etc/firewall.user :

iptables -t nat -A postrouting_rule -d 192.168.2.0/255.255.255.0 -j SNAT --to 192.168.203.1
iptables -A forwarding_rule -d 192.168.2.0/24 -j ACCEPT

Run /etc/firewall.user to apply theses rules
Modify the ipsec rules to use 192.168.203.x instead of 192.168.3.x

Notes

  • The local and remote ID must be the same
  • 3DES/MD5 is not the most secure cypher for phase 2, but other cyphers does not seem to work
  • See openwrt wiki for encryption and speed
  • This should work with any zywall model and with ipsec-capable Prestige models (652, 662). Some buggy firmwares (Zywall 10) use local and/or remote id instead of « secure gateway address ».