# Setup a Client to Site IPsec VPN with TZ-470 vs StrongSwan.

###### tags: `TZ-470 IPsec VPN`

Today we will set up a client-to-site IPsec VPN between a SonicWall TZ-470 and StrongSwan, using pre-shared key authentication. Once the tunnel is established, we will be able to reach the private clients over the VPN tunnel.

## Network Diagram

![](https://i.imgur.com/C6DcpS0.png)

## Configure TZ-470

We will set up the IPsec VPN through the SonicWall GUI, using the following settings for **Phase 1** and **Phase 2**:

### IPsec VPN Tunnel Settings

1. Edit WAN Group VPN.

**General**

**SECURITY POLICY**

| Option | Value |
| -------- | -------- |
| Authentication Method | IKE Using Preshared Secret |
| Name | WAN GroupVPN |
| Shared Secret | 12345678 |

**Proposals**

**IKE (PHASE 1) PROPOSAL**

| Option | Value |
| -------- | -------- |
| DH Group | Group 2 |
| Encryption | 3DES |
| Authentication | SHA1 |
| Life Time (seconds) | 28800 |

**IPSEC (PHASE 2) PROPOSAL**

| Option | Value |
| -------- | -------- |
| Protocol | ESP |
| Encryption | 3DES |
| Authentication | SHA1 |
| Enable Perfect Forward Secrecy | Unchecked |
| Life Time (seconds) | 28800 |

**Advanced**

**IKE (PHASE 1) PROPOSAL**

| Option | Value |
| -------- | -------- |
| Disable IPsec Anti-Replay | Checked |
| Enable Multicast | Unchecked |
| Accept Multiple Proposals for Clients | Unchecked |
| Enable IKE Mode Configuration | Checked |
| IP Pool for Clients | vpn_client_192.168.42.0/24 |
| Address Expiry Time (seconds) | 3600 |
| Default Gateway | 192.168.0.215 |

**MANAGEMENT VIA THIS SA**

| Option | Value |
| -------- | -------- |
| HTTPS | Unchecked |
| SSH | Unchecked |
| SNMP | Unchecked |

**CLIENT AUTHENTICATION**

| Option | Value |
| -------- | -------- |
| Require authentication of VPN client by XAUTH | Checked |
| User group for XAUTH users | Trusted Users |
| Allow Unauthenticated VPN Client Access | --Select Local Network -- |

**Client**

**USER NAME AND PASSWORD CACHING**

| Option | Value |
| -------- | -------- |
| Cache XAUTH User Name and Password on Client | Never |

**CLIENT CONNECTIONS**

| Option | Value |
| -------- | -------- |
| Virtual Adapter settings | None |
| Allow Connection to | Split Tunnels |
| Set Default Route as this Gateway | Unchecked |
| Apply VPN Access Control List | Unchecked |

**CLIENT INITIAL PROVISIONING**

| Option | Value |
| -------- | -------- |
| Use Default Key for Simple Client Provisioning | Unchecked |

Finally, enable IPsec and apply the changes. You should now see the following screens:

**General**

![](https://i.imgur.com/o1Cdsm3.png)

**Proposals**

![](https://i.imgur.com/dFBmT4v.png)

**Advanced**

![](https://i.imgur.com/AIiC0Eo.png)

**Client**

![](https://i.imgur.com/1VWlKPF.png)

### Create IPsec User Account on IPsec Server

**Settings**

**GENERAL SETTINGS**

| Option | Value |
| -------- | -------- |
| This represents a domain user | Unchecked |
| Name | test |
| Password | 12345678 |
| Confirm Password | 12345678 |
| User must change password | Unchecked |
| One-time password method | Disabled |
| E-mail Address | Enter email... |
| Account Lifetime | Never Expires |
| Comment | test account |

**Groups**

**GROUP MEMBERSHIPS**

This is the default setting.

| Option | Value |
| -------- | -------- |
| Selected User Groups 2 items | Everyone, Trusted Users |

**VPN Access**

**VPN CLIENT ACCESS NETWORKS**

| Option | Value |
| -------- | -------- |
| Selected User Groups 1 items | X0 Subnet |

**User Quota**

**USER QUOTA**

| Option | Value |
| -------- | -------- |
| Session Lifetime | Non Cyclic |
| Quota cycle type setting | Minutes |
| Minutes (0 to disable) | 0 |
| Receive Limit (0 to disable) | Unlimited |
| Transmit Limit (0 to disable) | Unlimited |

### Firewall Rules

The TZ-470 automatically generates the firewall rules for the IPsec VPN tunnel.
## Configure Ubuntu StrongSwan

**strongswan.conf**

Add **accept_unencrypted_mainmode_messages = yes** to the strongswan.conf file, because the TZ-470 sends the ID_V1 payload to strongSwan unencrypted.

```
charon {
    load_modular = yes
    accept_unencrypted_mainmode_messages = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
```

**ipsec.secrets**

```
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part

# Pre-shared key for the TZ-470 (0s prefix = base64; MTIzNDU2Nzg= decodes to 12345678)
192.168.0.215 : PSK 0sMTIzNDU2Nzg=

# XAuth credentials of the user account created on the TZ-470
test : XAUTH 12345678
```

**ipsec.conf**

```
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
version 2

config setup
    # strictcrlpolicy=yes
    uniqueids = yes
    strictcrlpolicy=no
    charondebug="ike 4, knl 4, cfg 2"

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=xauthpsk

conn sonicwall
    keyexchange = ikev1
    ikelifetime = 28800s
    keylife = 60m
    aggressive = no
    # Phase 1: must match the TZ-470 IKE proposal (3DES, SHA1, DH Group 2 = modp1024)
    ike = 3des-sha1-modp1024!
    # Phase 2: the TZ-470 Phase 2 proposal above is ESP/3DES/SHA1, so 3des-sha1! is the
    # matching value; keep md5 only if the TZ-470 accepts it during Quick Mode
    esp = 3des-md5!
    xauth = client
    left = %any
    leftsourceip = %config
    leftauth = psk
    rightauth = psk
    leftauth2 = xauth
    # TZ-470 WAN address and the X0 subnet reachable through the tunnel
    right = 192.168.0.215
    rightsubnet = 192.168.168.0/24
    xauth_identity=test
    auto = add
```

### StrongSwan IPsec VPN Connection

We use the StrongSwan `ipsec` command to trigger the IPsec VPN connection.

**Start VPN Connection**

```
# ipsec restart
# ipsec up sonicwall
```

**Stop VPN Connection**

```
# ipsec down sonicwall
```

**Check IPsec VPN status**

```
# ipsec status
```

or

```
# ipsec statusall
```

**TZ-470 Connection status**

![](https://i.imgur.com/ZYV8nSE.png)

## Known issue

It can only connect successfully once: the user gets locked on the TZ-470, and after bringing the IPsec connection down and up again, the TZ-470 has to be rebooted.

## Reference

1. [strongSwan and SonicWall: payload type ID_V1 was not encrypted](https://kevinlocke.name/bits/2017/08/26/strongswan-sonicwall-payload-type-id-v1-was-not-encrypted/)
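To turn the `ipsec statusall` check above into something scriptable, here is an added checker (not part of the original page or of strongSwan) that parses the status output for the `sonicwall` conn: it confirms the IKE SA and the ESP child SA are up, that the assigned virtual IP comes from the TZ-470 pool `vpn_client_192.168.42.0/24`, that the remote traffic selector is the X0 subnet 192.168.168.0/24, and lists the legacy algorithms (3DES, MD5, SHA1, DH Group 2/modp1024) these proposals negotiate. The sample output is constructed; the client address 192.168.0.100 and the SPIs are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ipsec statusall` output for the `sonicwall` conn (not captured
# from the page's setup: the client address 192.168.0.100 and the SPIs are made up).
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
   sonicwall[1]: ESTABLISHED 5 seconds ago, 192.168.0.100[192.168.0.100]...192.168.0.215[192.168.0.215]
   sonicwall[1]: IKEv1 SPI: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key+XAuth reauthentication in 7 hours
   sonicwall[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   sonicwall{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1234567_i 89abcdef_o
   sonicwall{1}:  3DES_CBC/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
   sonicwall{1}:   192.168.42.10/32 === 192.168.168.0/24
"""

# Algorithm names from the page's Phase 1/Phase 2 proposals that are no longer recommended.
WEAK_ALGS = ("3DES", "MD5", "SHA1", "MODP_1024")


def check_tunnel(status, conn="sonicwall", pool="192.168.42.0/24", remote="192.168.168.0/24"):
    """Parse `ipsec statusall` text and report the state of one IKEv1 conn."""
    c = re.escape(conn)
    result = {"ike_up": False, "child_up": False, "vip": None,
              "vip_in_pool": False, "remote_ok": False, "weak_algs": []}
    pool_net = ipaddress.ip_network(pool)
    for raw in status.splitlines():
        line = raw.strip()
        if re.match(rf"{c}\[\d+\]: ESTABLISHED", line):
            result["ike_up"] = True                      # Phase 1 (IKE SA) is up
        elif re.match(rf"{c}\{{\d+\}}:\s+INSTALLED", line):
            result["child_up"] = True                    # Phase 2 (ESP child SA) is installed
        elif "IKE proposal:" in line or "bytes_i" in line:
            for alg in WEAK_ALGS:                        # negotiated IKE / ESP algorithms
                if alg in line and alg not in result["weak_algs"]:
                    result["weak_algs"].append(alg)
        m = re.match(rf"{c}\{{\d+\}}:\s+(\S+) === (\S+)$", line)
        if m:                                            # traffic selectors: local vIP === remote net
            vip = ipaddress.ip_network(m.group(1))
            result["vip"] = str(vip.network_address)
            result["vip_in_pool"] = vip.prefixlen == 32 and vip.network_address in pool_net
            result["remote_ok"] = ipaddress.ip_network(m.group(2)) == ipaddress.ip_network(remote)
    return result


def tunnel_ok(result):
    """True only when both SAs are up, the vIP came from the TZ-470 pool and X0 is reachable."""
    return all(result[k] for k in ("ike_up", "child_up", "vip_in_pool", "remote_ok"))
```

On a live client, feed it the real output with `check_tunnel(subprocess.run(["ipsec", "statusall"], capture_output=True, text=True).stdout)` and treat a non-empty `weak_algs` list as a reason to move both peers to a stronger proposal.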