Just a note:
when you need to establish an IPsec connection to a SonicWall NSA 3500 firewall, here's a working config:
Linux side:
/etc/ipsec.conf :

include /etc/ipsec.d/*.conf

Not sure if 'aggressive mode' is A Good Idea (with a pre-shared key, aggressive mode sends the identity hash unencrypted, so the PSK is exposed to offline guessing), but it Just Works
/etc/ipsec.d/partner.conf :

conn partner
    type=tunnel
    left=$YOUR_PUBLIC_IP
    leftid=$YOUR_PUBLIC_IP
    leftsubnet=$YOUR_PRIVATE_SUBNET/WITH_MASK
    right=$PARTNER_PUBLIC_IP
    rightid=$PARTNER_PUBLIC_IP
    rightsubnet=$PARTNER_PRIVATE_SUBNET/WITH_MASK
    rightnexthop=$PARTNER_ROUTER_IP
    keyingtries=0
    pfs=yes
    aggrmode=yes
    auto=add
    auth=esp
    esp=3DES-SHA1
    ike=3DES-SHA1
    authby=secret

/etc/ipsec.secrets

$YOUR_PUBLIC_IP $PARTNER_PUBLIC_IP : PSK "verySecretPreSharedKey"

If it’s the very first time you are adding the connection, use

ipsec auto --add partner

If you are editing the existing connection, use

ipsec auto --replace partner

Now, (re)start IPsec and initiate the connection

/etc/init.d/ipsec start
ipsec whack --name partner --initiate

Ah yes, routing:

ip route add $PARTNER_PRIVATE_SUBNET/WITH_MASK via $YOUR_PUBLIC_IP src $YOUR_PRIVATE_IP
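To sanity-check a partner.conf like the one above before loading it, here is a small linter (an added example, not code from the original post or from Openswan/SonicWall). It parses the key=value lines of a conn section and reports the settings discussed above that weaken the tunnel: aggressive mode combined with a pre-shared key, 3DES proposals, and missing PFS. The sample config and its documentation-range addresses are constructed, and the function names are this example's own.

```python
import ipaddress

# Constructed sample mirroring the partner.conf above, with placeholder
# (documentation-range) addresses in place of real ones.
SAMPLE_CONF = """\
conn partner
    left=203.0.113.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    pfs=yes
    aggrmode=yes
    esp=3DES-SHA1
    ike=3DES-SHA1
    authby=secret
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def lint_conn(s):
    """Return a list of findings (strings) for one parsed conn section."""
    findings = []
    for key in ("left", "right"):              # must be literal addresses
        try:
            ipaddress.ip_address(s.get(key, ""))
        except ValueError:
            findings.append(f"{key}: not a literal IP address")
    for key in ("leftsubnet", "rightsubnet"):  # must carry a mask
        try:
            ipaddress.ip_network(s.get(key, ""), strict=True)
        except ValueError:
            findings.append(f"{key}: not a valid subnet/mask")
    if s.get("aggrmode") == "yes" and s.get("authby") == "secret":
        findings.append("aggrmode=yes with PSK: identity hash is sent in the "
                        "clear, so the PSK can be guessed offline; use main mode")
    for key in ("ike", "esp"):
        if "3DES" in s.get(key, "").upper():
            findings.append(f"{key}: 3DES is deprecated; prefer AES")
    if s.get("pfs") != "yes":
        findings.append("pfs=no: compromise of IKE keys exposes ESP traffic")
    return findings
```

Running `lint_conn(parse_conns(SAMPLE_CONF)["partner"])` on the config above reports the aggressive-mode and two 3DES findings; switching to main mode and AES proposals yields an empty list.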

SonicWall should be set the same way:

Policy: site-to-site
Authentication Method: IKE using Preshared Secret
IPSec Primary Gateway Name or Address: $YOUR_PUBLIC_IP
Local IKE ID: IP Address, $PARTNER_PUBLIC_IP
Peer IKE ID: IP Address, $YOUR_PUBLIC_IP

IKE (Phase 1) proposal:
Exchange: Aggressive mode
Encryption: 3DES
Authentication: SHA1
Life Time (seconds) 28800

IPsec (Phase 2) Proposal:
Protocol: ESP
Encryption: 3DES
Authentication: SHA1

Again, not sure if ‘Aggressive mode’ is A Good Idea.
