Monday 13 May 2013

Setting up a branch office VPN between a Watchguard XTM505 and a Debian Linux box.

Let's say you have two sites and want to build a VPN between them. The first site has a Watchguard XTM device with a public IP address of which protects a private IP address range of and your second site has just a Debian Linux box with a dynamic IP address that protects a private IP address range of

Debian side

Install needed packages:

# apt-get install ipsec-tools racoon

Choose "direct" when the installer asks how racoon should be configured.

Edit /etc/ipsec-tools.conf

#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.

## Flush the SAD and SPD
# flush;
# spdflush;

spdadd any -P in ipsec
spdadd any -P out ipsec

Edit /etc/racoon/psk.txt and add the line   Somerandomkey

Edit /etc/racoon/racoon.conf

# Simple racoon.conf
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
# Please read racoon.conf(5) for details, and also read setkey(8).
# Also read the Linux IPSEC Howto up at

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote {
        exchange_mode aggressive,main;
        dpd_delay 20;
        dpd_maxfail 5;
        my_identifier user_fqdn "";
        proposal {
                lifetime time 28800 second;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address any address any {
        lifetime time 28800 second;
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
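Once both sides are configured, two checks are worth scripting on the Debian side: whether the proposal in racoon.conf is still one you want to offer, and whether the ESP security associations actually came up in both directions. The script below is an added example, not part of the original post and not code from the racoon project. It runs offline on constructed sample data: the peer addresses 203.0.113.10 (standing in for the XTM) and 198.51.100.20 (standing in for the Debian box's current dynamic address), the networks, and the setkey -D transcript are all made up for the example, and the comments name the live command or file each sample stands in for.

```shell
#!/bin/sh
# Added example (not from the original post). Two post-setup checks for the
# racoon / ipsec-tools tunnel: an audit of the proposal settings and a count
# of mature tunnel-mode ESP SAs between the two peers, as shown by setkey -D.
# All input here is constructed sample data so the script runs offline.

# --- 1. Audit the proposal settings in a racoon.conf -------------------------
# Prints one line per setting worth revisiting; always returns 0.
audit_racoon_conf() {
    conf="$1"
    # Aggressive mode with a pre-shared key sends the identity unencrypted
    # and lets an on-path observer record a PSK-derived hash; main mode does not.
    if grep -Eq '^[[:space:]]*exchange_mode.*aggressive' "$conf"; then
        echo "exchange_mode offers aggressive; prefer 'exchange_mode main;'"
    fi
    # 3DES uses a 64-bit block; racoon accepts 'aes' (optionally with a key length).
    if grep -Eq '^[[:space:]]*encryption_algorithm[[:space:]]+3des' "$conf"; then
        echo "encryption_algorithm 3des; prefer 'encryption_algorithm aes 256;' in both phases"
    fi
    # modp1024 is DH group 2 (1024-bit); modp2048 is group 14.
    if grep -Eq '^[[:space:]]*(dh_group|pfs_group)[[:space:]]+modp1024' "$conf"; then
        echo "dh_group/pfs_group modp1024; prefer modp2048 or stronger"
    fi
    # SHA-1 for the IKE hash and for ESP integrity.
    if grep -Eq '^[[:space:]]*(hash_algorithm[[:space:]]+sha1|authentication_algorithm[[:space:]]+hmac_sha1)' "$conf"; then
        echo "sha1 in use; prefer sha256 / hmac_sha256 if the peer supports it"
    fi
    return 0
}

# --- 2. Count mature tunnel-mode ESP SAs between two peers -------------------
# $1 is a file holding the output of 'setkey -D'; $2 and $3 are the two tunnel
# endpoints. Each SA record starts with an unindented "src dst" line; the
# indented lines that follow carry mode= and state=. A working tunnel shows 2.
count_mature_tunnel_sas() {
    awk -v a="$2" -v b="$3" '
        function flush() {
            if (src != "" && tun && mat &&
                ((src == a && dst == b) || (src == b && dst == a))) n++
        }
        /^[^ \t]/      { flush(); src = $1; dst = $2; tun = 0; mat = 0; next }
        /mode=tunnel/  { tun = 1 }
        /state=mature/ { mat = 1 }
        END            { flush(); print n + 0 }
    ' "$1"
}

# Exit status 0 when an SA exists in each direction between the peers.
tunnel_is_up() {
    [ "$(count_mature_tunnel_sas "$1" "$2" "$3")" -ge 2 ]
}

# --- Constructed sample data -------------------------------------------------
RACOON_SAMPLE=$(mktemp)
SETKEY_SAMPLE=$(mktemp)
trap 'rm -f "$RACOON_SAMPLE" "$SETKEY_SAMPLE"' EXIT

# Stands in for /etc/racoon/racoon.conf; mirrors the proposal in the post,
# with made-up peer address and networks.
cat > "$RACOON_SAMPLE" <<'EOF'
remote 203.0.113.10 {
        exchange_mode aggressive,main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
sainfo address 10.0.1.0/24 any address 10.0.2.0/24 any {
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
}
EOF

# Stands in for 'setkey -D': one mature SA per direction between the peers,
# plus an unrelated larval SA to a third host that must not be counted.
cat > "$SETKEY_SAMPLE" <<'EOF'
203.0.113.10 198.51.100.20
        esp mode=tunnel spi=4660(0x00001234) reqid=0(0x00000000)
        E: 3des-cbc  0a0b0c0d 0e0f1011 12131415 16171819 1a1b1c1d 1e1f2021
        A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        diff: 300(s)    hard: 28800(s)  soft: 23040(s)
198.51.100.20 203.0.113.10
        esp mode=tunnel spi=22136(0x00005678) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.20 192.0.2.99
        esp mode=tunnel spi=39612(0x00009abc) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=larval
EOF

echo "== racoon.conf findings (sample) =="
audit_racoon_conf "$RACOON_SAMPLE"
echo "== mature tunnel SAs between 203.0.113.10 and 198.51.100.20 (sample) =="
count_mature_tunnel_sas "$SETKEY_SAMPLE" 203.0.113.10 198.51.100.20
tunnel_is_up "$SETKEY_SAMPLE" 203.0.113.10 198.51.100.20 && echo "tunnel up" || echo "tunnel down"
```

On the real box, point audit_racoon_conf at /etc/racoon/racoon.conf, save `setkey -D` to a file and pass it with the XTM's public address and the Debian box's current address; because the Debian side is dynamic, the second argument changes whenever its address does. The audit flags exactly the settings the post's configuration uses, which the XTM accepts but which are below what current IKE guidance recommends; changing any of them means changing the matching field on the Watchguard side too.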

Watchguard side

I have simply taken screenshots of the configuration for the Watchguard side:

You will need to ensure that the pre-shared key is the same as the one you put in the /etc/racoon/psk.txt file you created above.
