From Shrew Soft Inc
Introduction

This guide provides information that can be used to configure a Zywall device to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been tested with Zywall products to ensure interoperability.

Overview

The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. No automatic configuration is possible at this time due to limitations in the Zywall firmware.

Gateway Configuration

This example assumes you have knowledge of the Zywall web configuration interface. For more information, please consult your Zywall product documentation.

Interfaces

Two network interfaces are configured. The WAN interface has a static public IP address of 10.1.1.23 which faces the internet. The LAN interface has a static private IP address of 10.1.2.23 which faces the internal private network. The default gateway is configured as 1.1.1.3 via the WAN interface.

Configuring VPN Rules

A Gateway Policy must be configured to define the IKE phase 1 negotiation parameters. Navigate to the following screen using the pane on the left hand side of the browser interface. Click on the Add Gateway icon (the + symbol) on the right hand side of the VPN Rules header. Define the following parameters.
When finished, click Apply.

Add a Network Policy

A Network Policy must be configured to define the IPsec policy and IKE phase 2 negotiation parameters. Click on the Add Network Policy icon (the + symbol) on the right hand side of the Gateway Policy row. Define the following parameters.
When finished, click Apply.

Configure Xauth User Accounts

Xauth user accounts can be created locally on the Zywall appliance. Navigate to the following screen using the pane on the left hand side of the browser interface. Define the following parameters for each remote access user.
When finished, click Apply.

Client Configuration

The client configuration in this example is less than ideal due to limitations of the Zywall. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs.

General Tab

The Remote Host section must be configured. The Host Name or IP Address is defined as 10.1.2.23 to match the Zywall WAN interface address. The Auto Configuration option is set to disabled, as Zywall does not support automatic client configuration. Each remote access client must be assigned a unique Virtual Adapter IP address. Please see the Known Issues section of this document for more details. In this example we define an address of 10.2.23.2 with a netmask of 255.255.255.0 for a single client. Each subsequent client would be assigned the next address in the network. For example, the next is assigned 10.2.23.3, the next 10.2.23.4, etc.

Phase 1 Tab

The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the Zywall Gateway Policy definition.

Authentication Tab

The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth.

Local Identity Tab

The Local Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of "client.domain.com" to match the Zywall Gateway Policy definition.

Remote Identity Tab

The Remote Identity parameters are set to IP Address with the Use a discovered remote host address option checked to match the Zywall Gateway Policy definition.

Credentials Tab

The Credentials Pre Shared Key is defined as "mypresharedkey" to match the Zywall Gateway Policy definition.

Policy Tab

The IPsec Policy configuration must be manually configured when communicating with Zywall gateways. A single Topology Entry is defined to include the 10.1.2.0/24 network.
Known Issues

Building a client configuration for Zywall appliances can be problematic as they have no support for address assignment via modecfg. There are two options available to work around this shortcoming.
Resources

Exported site configuration for the client described above:

n:version:2
s:network-host:10.1.1.23
n:network-ike-port:500
s:client-auto-mode:disabled
s:client-iface:virtual
n:client-addr-auto:0
s:client-ip-addr:10.2.23.2
s:client-ip-mask:255.255.255.0
n:network-mtu-size:1000
s:network-natt-mode:enable
n:network-natt-port:4500
n:network-natt-rate:15
s:network-frag-mode:enable
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:0
n:client-wins-used:1
n:client-wins-auto:0
s:client-wins-addr:10.1.2.100
n:client-dns-used:1
n:client-dns-auto:0
s:client-dns-addr:10.1.2.100
s:client-dns-suffix:
n:client-splitdns-used:0
n:client-splitdns-auto:0
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:address
s:ident-client-data:client.
b:auth-mutual-psk:bXlwcmVzaGFyZWRrZXk=
s:phase1-exchange:aggressive
s:phase1-cipher:auto
n:phase1-dhgroup:2
s:phase1-hash:auto
n:phase1-life-secs:60
n:phase1-life-kbytes:0
s:phase2-transform:auto
s:phase2-hmac:auto
n:phase2-pfsgroup:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
s:ipcomp-transform:disabled
n:policy-nailed:0
n:policy-list-auto:0
s:policy-list-include:10.1.2.0 / 255.255.255.0
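Because Zywall cannot hand out addresses via modecfg, the General Tab section above has each client's Virtual Adapter address entered by hand, and the exported profile above is the file that carries those settings. The following is an added example, not part of the Shrew Soft guide or the client's own code: it parses the typed key/value profile format (n: integer, s: string, b: base64 binary) as shown in the Resources section, generates one profile per remote user with the next free address in the 10.2.23.0/24 virtual network, and checks each profile against the settings the guide says must match the Zywall policy. The trimmed profile text, the user list and the minimum key length are constructed for this example. Note that the exported profile stores the pre-shared key only base64-encoded, not encrypted, so profile files deserve the same handling as the key itself.

```python
import base64
import ipaddress

# Constructed sample: a trimmed copy of the exported profile from the guide.
BASE_PROFILE = """\
n:version:2
s:network-host:10.1.1.23
s:client-auto-mode:disabled
s:client-iface:virtual
n:client-addr-auto:0
s:client-ip-addr:10.2.23.2
s:client-ip-mask:255.255.255.0
s:auth-method:mutual-psk-xauth
s:ident-client-type:fqdn
s:ident-server-type:address
b:auth-mutual-psk:bXlwcmVzaGFyZWRrZXk=
s:phase1-exchange:aggressive
n:phase1-dhgroup:2
n:policy-list-auto:0
s:policy-list-include:10.1.2.0 / 255.255.255.0
"""


def parse_profile(text):
    """Return {key: value}; n: becomes int, s: stays str, b: is base64-decoded."""
    profile = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, key, value = line.split(":", 2)  # value may itself contain ':'
        if kind == "n":
            profile[key] = int(value)
        elif kind == "s":
            profile[key] = value
        elif kind == "b":
            profile[key] = base64.b64decode(value)
        else:
            raise ValueError(f"unknown field type {kind!r} in {line!r}")
    return profile


def dump_profile(profile):
    """Serialise back to the typed format (inverse of parse_profile)."""
    lines = []
    for key, value in profile.items():
        if isinstance(value, bytes):
            lines.append(f"b:{key}:{base64.b64encode(value).decode()}")
        elif isinstance(value, int):
            lines.append(f"n:{key}:{value}")
        else:
            lines.append(f"s:{key}:{value}")
    return "\n".join(lines) + "\n"


def assign_client_addresses(base_text, users):
    """One profile per user, each with the next address after the base one.

    The guide starts at 10.2.23.2 and gives each further client the next
    address in the network; this stops before the broadcast address."""
    base = parse_profile(base_text)
    network = ipaddress.ip_network(
        f"{base['client-ip-addr']}/{base['client-ip-mask']}", strict=False)
    first = ipaddress.ip_address(base["client-ip-addr"])
    profiles = {}
    for offset, user in enumerate(users):
        addr = first + offset
        if addr not in network or addr == network.broadcast_address:
            raise ValueError(f"no free address in {network} for {user!r}")
        profile = dict(base)
        profile["client-ip-addr"] = str(addr)
        profiles[user] = profile
    return profiles


# Settings the guide says must match the Zywall Gateway/Network Policy.
REQUIRED = {
    "client-auto-mode": "disabled",   # Zywall has no automatic configuration
    "client-addr-auto": 0,            # no modecfg address assignment
    "policy-list-auto": 0,            # topology entry is made by hand
    "phase1-exchange": "aggressive",
    "phase1-dhgroup": 2,
    "auth-method": "mutual-psk-xauth",
    "ident-client-type": "fqdn",
    "ident-server-type": "address",
    "policy-list-include": "10.1.2.0 / 255.255.255.0",
}


def check_profile(profile, min_psk_len=20):
    """Return a list of problems; empty means the profile matches the guide.

    Aggressive mode with a PSK exposes the key-derived hash to offline
    guessing, so key length is checked too; min_psk_len is an assumption."""
    problems = [f"{k} is {profile.get(k)!r}, expected {v!r}"
                for k, v in REQUIRED.items() if profile.get(k) != v]
    psk = profile.get("auth-mutual-psk", b"")
    if len(psk) < min_psk_len:
        problems.append(f"pre-shared key is only {len(psk)} bytes")
    return problems


def unique_addresses(profiles):
    """True when no two generated profiles share a Virtual Adapter address."""
    addrs = [p["client-ip-addr"] for p in profiles.values()]
    return len(addrs) == len(set(addrs))


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]  # constructed sample user list
    for user, prof in assign_client_addresses(BASE_PROFILE, users).items():
        print(f"== {user}: {prof['client-ip-addr']} ==")
        print(dump_profile(prof), end="")
        for problem in check_profile(prof):
            print("  WARNING:", problem)
```

Run as a script, it prints one profile per user (10.2.23.2, 10.2.23.3, 10.2.23.4) and warns that the guide's 14-byte example key is short; the same parse/dump pair can be pointed at a real exported .vpn file to audit profiles before they are handed to users.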