Tuesday, August 17, 2010

How to setup a VPN connection to a SonicWall router using Openswan and Pre-shared Keys (PSK)


Our SonicWall router makes it easy enough to establish a VPN connection using Windows. There is a client that can be downloaded from the SonicWall web site. What about other operating systems? Our developers often use Ubuntu Linux from home and required a way to VPN into the office. Once established, a VPN connection allows access to development servers, remote desktops, and other network resources inside the firewall; so you can see why it would be essential for the remote office.
The problem, as most Linux users out there already know, is that setting up a VPN connection in Ubuntu Linux is not very easy. After much trial and error, here is how we got the VPN working on Ubuntu Linux using Openswan.

Configuring the SonicWall Router

Login to your SonicWall router admin and make the following adjustments to the VPN settings.
  1. Click on the VPN link and note the Unique Firewall Identifier for your SonicWall router. You will need it later for the value sonicwall.unique.identifier.
    SonicWall VPN Settings
  2. Under VPN Policies, create or edit the ‘GroupVPN’ policy.
  3. Click on the General tab and set the following:
    SonicWall VPN General Settings
    • IPSec Keying Mode: IKE using Preshared Secret
    • Shared Secret: shared.secret.key (enter your secret key here)
    • Click on the Proposals tab and set the following:
      SonicWall VPN Proposals Settings
      • IKE (Phase 1) Proposal
        DH Group: Group 5
        Encryption: 3DES
        Authentication: SHA1
      • Ipsec (Phase 2) Proposal
        Protocol: ESP
        Encryption: 3DES
        Authentication: SHA1
      • Enable Perfect Forward Secrecy (checked)
        DH Group: Group 5

    Installing Openswan

    If you are using Ubuntu, open a terminal window and type in:
    sudo apt-get install openswan
    The install will ask you a few questions about how you want to set it up. Select the suggested default for each step. This will install Openswan and create the ipsec.conf and ipsec.secrets configuration files.

    Configuring Openswan

    Add the following connection parameters to your /etc/ipsec.conf file:
    conn sonicwall
         type=tunnel
         left=192.168.2.31 #your IP
         leftid=@home
         leftxauthclient=yes
         right=xxx.xxx.xxx.xxx #IP address of your sonicwall router
         rightsubnet=192.168.1.0/24 #gateway IP for your LAN. This will work for most
         rightxauthserver=yes
         rightid=@sonicwall.unique.identifier
         keyingtries=0
         pfs=yes
         aggrmode=yes
         auto=add
         auth=esp
         esp=3DES-SHA1
         ike=3DES-SHA1
         authby=secret
         #xauth=yes
    Update: After upgrading to Ubuntu 9.10 a few things changed in the conf file. First, I had to comment out ‘xauth=yes’ as it was throwing an error. Second, I had to use my own static IP instead of %defaultroute. If you are using DHCP, %defaultroute may still work, but I have a static IP and had to change this.
    Add the following line to your /etc/ipsec.secrets file
    @home @sonicwall.unique.identifer : PSK "shared.secret.key"

    Starting and stopping the VPN connection

    Starting ipsec and opening the VPN connection
    sudo ipsec setup ––start
    sudo ipsec auto ––add sonicwall (note: if you change the configuration files, you'll need to run 'sudo ipsec auto ––replace sonicwall' to reload the file)
    sudo ipsec whack ––name sonicwall ––initiate

    Closing the VPN connection and stopping ipsec
    sudo ipsec whack ––name sonicwall ––terminate
    sudo ipsec setup ––stop

    References

    The following links were useful for getting the VPN connection up and running on Ubuntu Linux:
    Openswan wiki page for SonicWall routers:
    http://wiki.openswan.org/index.php/Openswan/SonicWall
    SonicWall PDF instructions for using Agressive Mode and IKE with Pre-shared Keys
    http://www.sonicwall.com/downloads/SonicOS_Enhanced_to_Openswan_Using_Aggressive_Mode_IKE_with_PreShared_key.pdf