Configuration Instructions
for
Zyxel ZyWALL
Lobotomo Software
June 17, 2009
Legal Disclaimer
Contents
Lobotomo Software (subsequently called "Author") reserves the right not to be responsible for the
topicality, correctness, completeness or quality of the information provided. Liability claims regarding
damage caused by the use of any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected. All offers are non-binding and without obligation.
Parts of the document or the complete publication including all offers and information might be
extended, changed or partly or completely deleted by the author without separate announcement.
Referrals
The author is not responsible for any contents referred to or any links to pages of the World Wide Web
in this document. If any damage occurs by the use of information presented there, only the author of
the respective documents or pages might be liable, not the one who has referred or linked to these
documents or pages.
Copyright
The author intended not to use any copyrighted material for the publication or, if not possible, to
indicate the copyright of the respective object. The copyright for any material created by the author is
reserved. Any duplication or use of such diagrams, sounds or texts in other electronic or printed
publications is not permitted without the author's agreement.
Legal force of this disclaimer
This disclaimer is to be regarded as part of this document. If sections or individual formulations of this
text are not legal or correct, the content or validity of the other parts remain uninfluenced by this fact.
Table of contents
Introduction ............................................ 1
Zyxel ZyWALL Setup ...................................... 1
    Login ............................................... 1
    Add VPN Rule ........................................ 2
    Create Gateway Policy ............................... 2
    Create Network Policy ............................... 3
Diagnosis ............................................... 6
    Reachability Test ................................... 6
    Sample Safe@Office Log Output ....................... 7
    Sample IPSecuritas Log Output ....................... 9
Zyxel ZyWALL
Introduction
This document describes the steps necessary to establish a protected VPN connection between a Mac
client and a Zyxel ZyWALL firewall. All information in this document is based on the following
assumed network.

Network diagram: Roadwarrior (Mac client on a dial-up or broadband connection) -> Internet -> Zyxel ZyWALL -> Remote LAN 192.168.2.0/24
Login
Open a web browser and connect to your Zyxel firewall. Enter the administrator's password.
In the main menu on the left side, click on SECURITY to expand its sub-entries, then click on VPN.
Click on Apply to save the settings; this completes the ZyWALL configuration. You may now proceed with
the configuration of the connection in IPSecuritas.
IPSecuritas Setup
This section describes the steps necessary to set up IPSecuritas to connect to the ZyWALL firewall.
Start Wizard
Unless it is already running, start IPSecuritas now. Open the Connections menu and select
Edit Connections (or press ⌘-E). Start the Wizard by clicking on the following symbol:
Diagnosis
Reachability Test
To test reachability of the remote host, open a Terminal window (Utilities -> Terminal) and enter
the command ping, followed by the ZyWALL's LAN IP address (the sample below used 192.168.1.1;
substitute the LAN address of your own unit). The test is only meaningful from a host that cannot
reach that address without the tunnel; a successful negotiation is also reported in the IPSecuritas
log by a line of the form "Connection <name> is up". If the tunnel works correctly, output similar
to the following is displayed:
[MacBook:~] root# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=13.186 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=19.290 ms
Sample IPSecuritas Log Output
The following is the IPSecuritas (racoon) debug log of a successful connection attempt, from
"IPSec started" to "Connection Zyxel P1 is up". Only the message text of each log row is
reproduced; the timestamp, level (Debug/Info/Warning) and source (APP/IKE) columns are left out.
The log was captured on a different network from the one assumed in the introduction: the client
is 192.168.215.2, the ZyWALL is 192.168.215.225, and the Phase 2 identities dumped as IDci/IDcr
decode to 10.1.2.2 (0a010202) and 10.1.2.0/24 (0a010200 ffffff00).

Two things are worth reading off the log before reusing its settings. First, the negotiated
algorithms: Phase 1 used DES-CBC, MD5 and DH group 1 (modp768) with a 480-second lifetime, and
Phase 2 used ESP in tunnel mode with 3DES and HMAC-SHA1 (encklen=192, authklen=160), again with
group 1 for PFS. All of these are deprecated; single DES and 768-bit Diffie-Hellman are breakable
with modest resources, so prefer AES with SHA-1 or SHA-2 and DH group 14 or higher wherever both
ends support them. Second, the debug log prints derived keys in clear: SKEYID_d, SKEYID_e, the
Phase 1 cipher key (the "with key:" lines) and the Phase 2 KEYMAT. A debug log therefore has to be
treated as a secret until those lines are removed, and the pre-shared key should be rotated if a
log containing them has been passed to a third party.

IPSec started
State change from AUTHENTICATING to RUNNING after event AUTHENTICATED
Foreground mode.
@(#)ipsec-tools CVS (http://ipsec-tools.sourceforge.net)
racoon.conf"
May 18, 22:50:20
lifetime = 480
lifebyte = 0
encklen=0
p:1 t:1
DES-CBC(1)
MD5(1)
compression algorithm can not be checked because sadb message doesn't support it.
parse successed.
in post_acquire
configuration found for 192.168.215.225.
new cookie:
8f1739363f9f3466
===
148 bytes message received from 192.168.215.225[500] to 192.168.215.2[500]
seen nptype=1(sa)
seen nptype=13(vid)
seen nptype=13(vid)
seen nptype=13(vid)
succeed.
received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
begin.
seen nptype=2(prop)
succeed.
proposal #1 len=44
begin.
seen nptype=3(trns)
succeed.
transform #1 len=36
hmac(modp768)
type=Life Type, flag=0x8000, lorv=seconds
Compared: DB:Peer
(lifetime = 480:480)
(lifebyte = 0:0)
enctype = DES-CBC:DES-CBC
(encklen = 0:0)
hashtype = MD5:MD5
sockname 192.168.215.2[500]
send packet from 192.168.215.2[500]
seen nptype=4(ke)
seen nptype=10(nonce)
seen nptype=130(nat-d)
seen nptype=130(nat-d)
succeed.
Hashing 192.168.215.2[500] with algo #1
hash(md5)
NAT-D payload #0 verified
===
compute DH's shared.
hmac(hmac_md5)
SKEYID computed:
SKEYID_d computed:
619d16df 54dae618 53f771f4 6b14a046
hmac(hmac_md5)
SKEYID_a computed:
SKEYID_e computed:
a6b9d6c5 6ccc0fc9 fd7df9f8 0fb935c6
encryption(des)
hash(md5)
hash(md5)
encryption(des)
IV computed:
9acd877f f38cab04
02000000 6e616469 67
hmac(hmac_md5)
begin encryption.
encryption(des)
pad length = 7
0800000d 02000000 6e616469 67000000 14039671 4dab91cc 8deac069 2a0a1065
4c000000 00000007
encryption(des)
with key:
a6b9d6c5 6ccc0fc9
encrypted.
68 bytes from 192.168.215.2[500] to 192.168.215.225[500]
sockname 192.168.215.2[500]
send packet from 192.168.215.2[500]
5923e12a
resend phase1 packet 8f1739363f9f3466:113cf0ddd0fd274e
===
60 bytes message received from 192.168.215.225[500] to 192.168.215.2[500]
begin decryption.
encryption(des)
encryption(des)
with key:
a6b9d6c5 6ccc0fc9
decrypted payload by IV:
e832ca1f 5923e12a
decrypted payload, but not trimed.
begin.
seen nptype=5(id)
seen nptype=8(hash)
succeed.
HASH received:
14c867e9 69ed8aa7 63e84fb7 ca85ffa9
HASH with:
88a30f55 e2f485bc 404b0e65 ded18562 64a124da cd1d7dd1 139096ef 6ae0a1f0
hmac(hmac_md5)
HASH (init) computed:
===
compute IV for phase2
hash(md5)
encryption(des)
phase2 IV computed:
ce208a53 892a50fc
HASH with:
8e6d91e0 0000001c 00000001 01106002 8f173936 3f9f3466 113cf0dd d0fd274e
hmac(hmac_md5)
HASH computed:
encryption(des)
pad length = 8
encryption(des)
with key:
a6b9d6c5 6ccc0fc9
encrypted payload by IV:
ce208a53 892a50fc
save IV for next:
7bc939e7 2964cfa6
encrypted.
===
msg 16 not interesting
===
begin QUICK mode.
hash(md5)
encryption(des)
phase2 IV computed:
36338123 a4bdf618
call pfkey_send_getspi
pfkey GETSPI sent: ESP/Tunnel 192.168.215.225[0]->192.168.215.2[0]
spi=127758314(0x79d6fea)
May 18, 22:50:22
hmac(modp768)
hmac(modp768)
hmac(modp768)
IDci:
01000000 0a010202
IDcr:
04000000 0a010200 ffffff00
HASH computed:
18738b63 32308174 769b1b3f 0a45bf1e
encryption(des)
pad length = 4
with key:
a6b9d6c5 6ccc0fc9
encrypted.
252 bytes from 192.168.215.2[500] to 192.168.215.225[500]
sockname 192.168.215.2[500]
send packet from 192.168.215.2[500]
===
260 bytes message received from 192.168.215.225[500] to 192.168.215.2[500]
24e2b80b
begin decryption.
encryption(des)
IV was saved for next processing:
055187c6 24e2b80b
encryption(des)
with key:
a6b9d6c5 6ccc0fc9
ffffff00 00000000
padding len=0
00000000
begin.
seen nptype=8(hash)
seen nptype=1(sa)
seen nptype=10(nonce)
seen nptype=4(ke)
seen nptype=5(id)
seen nptype=5(id)
succeed.
HASH allocated:hbuf->l=248 actual:tlen=224
HASH with:
daec08f0 f3b8c86f aaf09bcc 4234f534 6dfe42d8 0a000038 00000001 00000001
ffffff00
hmac(hmac_md5)
HASH computed:
14dcd277 ea3ed36a 0e202f63 5f753b1a
total SA len=48
00000001 00000001 00000028 01030401 079d6fea 0000001c 01030000 80010001
seen nptype=2(prop)
succeed.
proposal #1 len=40
begin.
seen nptype=3(trns)
succeed.
transform #1 len=28
type=SA Life Type, flag=0x8000, lorv=seconds
pair 1:
0x30a5c0: next=0x0 tnext=0x0
begin.
seen nptype=2(prop)
succeed.
proposal #1 len=44
begin.
seen nptype=3(trns)
succeed.
transform #1 len=32
pair 1:
0x30a590: next=0x0 tnext=0x0
my single bundle:
(proto_id=ESP spisize=4 spi=079d6fea spi_p=00000000 encmode=Tunnel reqid=0:0)
===
HASH(3) generate
HASH with:
00daec08 f0f3b8c8 6faaf09b cc4234f5 346dfe42 d8d23002 3fa99a2a 256863b7
62b6fcf4 cc563521 71
hmac(hmac_md5)
HASH computed:
90ab69fa 7faf489a 63290568 9e0194b4
encryption(des)
pad length = 4
with key:
a6b9d6c5 6ccc0fc9
encrypted.
52 bytes from 192.168.215.2[500] to 192.168.215.225[500]
sockname 192.168.215.2[500]
send packet from 192.168.215.2[500]
hmac(hmac_md5)
encryption(3des)
hmac(hmac_sha1)
encklen=192 authklen=160
hmac(hmac_md5)
hmac(hmac_md5)
hmac(hmac_md5)
6636e434 ea23d162 ccdeb8ea deacd347 48f17954 28203a54 03fa7dd2 20e5bc84
62b6fcf4 cc563521 71
hmac(hmac_md5)
encryption(3des)
hmac(hmac_sha1)
encklen=192 authklen=160
generating 512 bits of key (dupkeymat=4)
hmac(hmac_md5)
hmac(hmac_md5)
KEYMAT computed.
call pk_sendupdate
encryption(3des)
hmac(hmac_sha1)
call pfkey_send_update_nat
Received SADB message type UPDATE, 192.168.215.225 [0] -> 192.168.215.2 [0]
SA change detected
pfkey update sent.
encryption(3des)
hmac(hmac_sha1)
call pfkey_send_add_nat
Received SADB message type ADD, 192.168.215.2 [0] -> 192.168.215.225 [0]
SA change detected
Connection Zyxel P1 is up
spi=127758314(0x79d6fea)
May 18, 22:50:22
spi=127758314(0x79d6fea)
===
===
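The script below is an added example written for this edition of the guide; it is not part of the IPSecuritas guide, of Lobotomo Software's code or of ipsec-tools. It takes the message column of a racoon debug log such as the one above (one racoon message per line), reports the Phase 1 and Phase 2 algorithms that were actually negotiated, flags the ones that should no longer be used, decodes the IDci/IDcr dumps (and, more generally, any ISAKMP identity payload body, including the FQDN type that the "02000000 6e616469 67" dump in the log carries) and blanks the key-material lines so the log can be shared. The sample lines embedded in it are copied from the log above and abridged (constructed input); the list of algorithms it flags is the editor's, not a setting of racoon or IPSecuritas.

```python
"""Audit and redact a racoon (ipsec-tools) debug log as written by IPSecuritas.

Added example; not code from the IPSecuritas guide or from ipsec-tools. Input is
the message column of the log (timestamp/level/source columns removed).
"""
import ipaddress
import re

# Constructed sample: message lines copied from the guide's log and abridged.
SAMPLE_LOG = """\
enctype = DES-CBC:DES-CBC
hashtype = MD5:MD5
hmac(modp768)
SKEYID_e computed:
a6b9d6c5 6ccc0fc9 fd7df9f8 0fb935c6
with key:
a6b9d6c5 6ccc0fc9
begin QUICK mode.
hmac(modp768)
IDci:
01000000 0a010202
IDcr:
04000000 0a010200 ffffff00
encryption(3des)
hmac(hmac_sha1)
encklen=192 authklen=160
KEYMAT computed.
Connection Zyxel P1 is up
"""

# Algorithms to flag (the editor's list, not a racoon or IPSecuritas setting).
WEAK = {
    "DES-CBC": "single DES (56-bit key)",
    "MD5": "MD5",
    "modp768": "768-bit MODP, DH group 1",
    "3des": "3DES (64-bit block, Sweet32)",
    "hmac_md5": "HMAC-MD5",
}
HEX_LINE = re.compile(r"^(?:[0-9a-f]{2,8}\s*)+$")
# Headers after which racoon dumps secret key material on the following line.
SECRET_HEADER = re.compile(r"^(?:SKEYID(?:_[ade])? computed:|with key:)$")
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 4: "IPV4_ADDR_SUBNET"}


def is_hex_dump(line):
    return bool(HEX_LINE.match(line.strip()))


def decode_id(hexdump):
    """Decode an ISAKMP identification payload body (RFC 2407 section 4.6.2):
    1 byte ID type, 1 byte protocol, 2 bytes port, then the identity data."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    id_type, proto, port, data = raw[0], raw[1], int.from_bytes(raw[2:4], "big"), raw[4:]
    if id_type == 1:
        ident = str(ipaddress.IPv4Address(data[:4]))
    elif id_type == 4:  # address followed by netmask
        ident = str(ipaddress.IPv4Network("%s/%s" % (
            ipaddress.IPv4Address(data[:4]), ipaddress.IPv4Address(data[4:8]))))
    elif id_type in (2, 3):
        ident = data.decode("ascii", "replace")
    else:
        ident = data.hex()
    return ID_TYPES.get(id_type, "type %d" % id_type), ident, proto, port


def parse_log(text):
    """Return the negotiated parameters; lines before 'begin QUICK mode.'
    belong to Phase 1, lines after it to Phase 2."""
    report = {"phase1": {}, "phase2": {}, "ids": {}, "up": False}
    phase = "phase1"
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line == "begin QUICK mode.":
            phase = "phase2"
        elif phase == "phase1" and line.startswith("enctype = "):
            report["phase1"]["enc"] = line.split(" = ")[1].split(":")[0]
        elif phase == "phase1" and line.startswith("hashtype = "):
            report["phase1"]["hash"] = line.split(" = ")[1].split(":")[0]
        elif re.match(r"hmac\(modp\d+\)$", line):
            # Phase 1: the IKE DH group; Phase 2: the PFS group.
            report[phase].setdefault("dh" if phase == "phase1" else "pfs", line[5:-1])
        elif (phase == "phase2" and re.match(r"encryption\(\w+\)$", line)
              and re.match(r"hmac\(hmac_\w+\)$", nxt)):
            # The ESP transform is logged as encryption() directly followed by hmac();
            # lone encryption(des) lines are the Phase 1 cipher protecting Quick Mode.
            report["phase2"]["enc"], report["phase2"]["auth"] = line[11:-1], nxt[5:-1]
        elif phase == "phase2" and line.startswith("encklen="):
            m = re.match(r"encklen=(\d+) authklen=(\d+)", line)
            report["phase2"]["encklen"], report["phase2"]["authklen"] = int(m.group(1)), int(m.group(2))
        elif line in ("IDci:", "IDcr:") and is_hex_dump(nxt):
            report["ids"][line[:-1]] = decode_id(nxt)[1]
        elif line.startswith("Connection ") and line.endswith(" is up"):
            report["up"] = True
    return report


def weak_findings(report):
    """List every negotiated algorithm that appears in WEAK."""
    return ["%s %s=%s: %s" % (phase, role, alg, WEAK[alg])
            for phase in ("phase1", "phase2")
            for role, alg in report[phase].items() if alg in WEAK]


def redact(text):
    """Blank the hex dump that follows a SKEYID*/'with key:' header."""
    out, blank_next = [], False
    for line in text.splitlines():
        if blank_next and is_hex_dump(line):
            out.append("[redacted key material]")
            blank_next = False
            continue
        blank_next = bool(SECRET_HEADER.match(line.strip()))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    print(rep)
    for finding in weak_findings(rep):
        print("WEAK:", finding)
    print(redact(SAMPLE_LOG))
```

Run it as a script to see the report for the embedded sample, or import it and call parse_log() and redact() on the text of your own log. The redaction deliberately covers only the dumps racoon prints after a SKEYID or "with key:" header; the HASH, IV and identity dumps are left in place because they are not secret and are what you need when comparing both sides' logs.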