Just a note:
when you need to establish IPsec connection to Sonicwall NSA 3500 firewall, here’s working config:
Linux side:
/etc/ipsec.conf :
…
include /etc/ipsec.d/*.conf
[ad#ad-banner]
Not sure if ‘agressive mode’ is A Good Idea, but it Just Works
/etc/ipsec.d/partner.conf :
conn partner
type=tunnel
left=$YOUR_PUBLIC_IP
leftid=$YOUR_PUBLIC_IP
leftsubnet=$YOUR_PRIVATE_SUBNET/WITH_MASK
right=$PARTNER’S_PUBLIC_IP
rightid=$PARTNER’S_PUBLIC_IP
rightsubnet=$PARTHENR’S_PRIVATE_SUBNET/WITH_MASK
rightnexthop=$PARTHENR’S_ROUTER_IP
keyingtries=0
pfs=yes
aggrmode=yes
auto=add
auth=esp
esp=3DES-SHA1
ike=3DES-SHA1
authby=secret
/etc/ipsec.secrets
$YOUR_PUBLIC_IP $PARTNER’S_PUBLIC_IP : PSK “verySecretPreSharedKey”
If it’s the very first time you are adding the connection, use
ipsec auto –add partner
If you are editing the existing connection, use
ipsec auto –replace partner
Now, restart IPsec and initiate connection
/etc/init.d/ipsec start
ipsec whack –name partner –initiate
Ah yes, routing:
ip route add $PARTHENR’S_PRIVATE_SUBNET/WITH_MASK via $YOUR_PUBLIC_IP src $YOUR_PRIVATE_IP
SonicWall should be set the same way:
Policy: site-to-site;
Authentication Method: IKE using Preshared Secret
IPSec Primary Gateway Name or Address: $YOUR_PUBLIC_IP
Local IKE ID: IP Address, $PARTNER’S_PUBLIC_IP
Peer IKE ID: IP Address, $YOUR_PUBLIC_IPIKE (Phase 1) proposal:
Excahnge: Aggressive mode
Encryption: 3DES
Authentication: SHA1
Life Time (seconds) 28800IPsec (Phase 2) Proposal:
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Again, not sure if ‘Aggressive mode’ is A Good Idea.
References:
SonicWall NSA 3500
Linux to Sonicwall and also here
Linux to SonicWall TZ190
ipsec.conf (5)
IPsec VPN routing