SonicWALL

Interoperating with Other Vendors

leftsubnet=your.subnet/mask

leftid=@home

leftxauthclient=yes

right=sonicwall.ip.address

rightsubnet=vpn.subnet/mask

rightxauthserver=yes

rightid=@sonicwall.unique.firewall.identifier

keyingtries=0

pfs=yes

aggrmode=yes

auto=add

auth=esp esp=3des-md5-96 ike=3des-md5-96 authby=secret

And the ipsec.secrets file contains:

@home @sonicwall.unique.firewall.identifier : PSK "your.shared.secret.goes.here"

BinTec

We have received a few reports on BinTec that suggest some models, for example the X8500, have some issues. One problem is failing to pick the correct IDs, especially when using X.509 Certificates. A workaround for this is to add a SubjectAltname= specifying the IP address to the X.509 Certificate. Furthermore, it seems the failure messages for this ID issue (and possibly other failures in Phase 2), which happens after the ISAKMP SA has been established, are not sent encrypted, but in plaintext. Openswan ignores all those messages because at that point in the negotiation, it expects only encrypted IKE messages. The log will look like this:

Dec 17 15:06:29 Sunrae pluto[21106]: "toronto" #214: sent MR3, ISAKMP SA established

Dec 17 15:06:29 Sunrae pluto[21106]: "toronto" #214: Informational Exchange message must be encrypted

To see what is actually happening on the BinTec, you need to set the ipsecGlobMaxSysLogLevel to debug and then log in to the BinTec console, for example through its serial port, and run the debug ipsec command. From then on, you will see IPsec error messages appear on the console.

The BinTec routers apparently also come with the time unset, meaning the time on the unit starts at January 1, 1970. This will cause all certificates to be invalid, since this time is before the certificates' validity date.

LANCOM

The LANCOM DSL router comes with a web interface that is unfortunately completely inadequate. In fact, it is nothing more than a web interface to the device's SNMP MIBs. This may be handy for the programmers who made the device, but not for anyone who actually bought the device. LANCOM however does ship with Windows software and a user guide to configure the unit. The software at least offers a usable user interface, even though still a bit confusing, since it wants the user to create 'tunnels' and 'policies' and then requires the user to tie them together. Multiple tunnels between the same endpoints should be set up using the Extranet feature.

Older versions of the LANCOM devices require the same ID on both sides, but Openswan of course cannot use the same ID for leftid= and rightid=. It is also not RFC compliant.

230

Interoperating with Other Vendors

The BEFVP41 uses 1DES and modp-768 by default, which are not compiled into Openswan by default because they are too weak. You need to change the defaults to 3DES on the VPN page and the MODP group on the advanced page to 1024.

Lucent Brick

The Lucent VPN Firewall Brick is a two-tier system consisting of a managed firewall solution, which can span multiple firewalls, centrally managed by the Lucent Security Management Server (LSMS). On the Brick side, you need to configure the following parameters in your LSMS:

Preshared Key: whateversecretkeyis

Under the Policy tab:

ISAKMP Proposal:

D-H Group: Group 2 (Group 1 is not supported per default by Openswan) Encryption Type: TRIPLE DES (1DES is not supported per default by Openswan) Auth Type: HMAC MD5

SA Lifetime (sec): 28800 (OpenSWAN Maximum is 8 hours) IPSec Proposal:

Protocol: ESP-50

Encryption Type: TRIPLE DES (1DES is not supported) Auth Type: HMAC MD5

SA Lifetime (sec) 14400

SA Lifetime (Kbytes) 10000000

Check Enable Prefect Forward Secrecy Uncheck Enable compression

232