Monday, 13 May 2013

Setting up a branch office VPN between a Watchguard XTM505 and a Debian linux box.

Lets us say you have two sites and want to build a VPN between them. The first site has a Watchguard XTM device has a public IP address of 99.99.99.99 which protects a private IP address range of 10.0.1.0/24 and your second site has just a Debian Linux box which has a dynamic IP address that protects a private IP address range of 10.0.2.0/24


Debian side

Install needed packages:


# apt-get install ipsec-tools racoon
            Choose "direct" for racoon setup

Edit /etc/ipsec-tools.conf

#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#

## Flush the SAD and SPD
#
# flush;
# spdflush;

spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec
           esp/tunnel/99.99.99.99-10.0.2.254/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
           esp/tunnel/10.0.2.254-99.99.99.99/require;

Edit /etc/racoon/psk.txt and add the line

99.99.99.99   Somerandomkey

Edit /etc/racoon/racoon.conf

# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
#
# Please read racoon.conf(5) for details, and alsoread setkey(8).
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote 99.99.99.99 {
        exchange_mode aggressive,main;
        dpd_delay 20;
        dpd_maxfail 5;
        my_identifier user_fqdn "something@company.com";
        proposal {
                lifetime time 28800 second;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 10.0.2.0/24 any address 10.0.1.0/24 any {
        lifetime time 28800 second;
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

Watchguard side

I have simply taken screen shots for the configuration for the watchguard side:


You will need to ensure that the preshared random key is the same as you used in the /etc/racoon/psk.txt file you created above.






No comments:

Post a comment