
Firebox to Freeswan?


peteoshea, Programmer, May 28, 2003, 2, GB
I currently have a Linux server running FreeSwan and have been trying to connect a VPN tunnel to a Firebox II with WatchGuard 6.1. I have tried all sorts of configurations but I cannot seem to get the authentication to complete. As I don't know much about WatchGuard I was hoping someone might have some experience of what to do.

Supposedly the firebox has been set up to give me access to one machine, say 192.168.1.1, and at my end there is a DrayTek box connected to the internet which forwards all IPsec traffic to a machine, 192.168.0.1, on the internal network:

192.168.1.1==(firebox)...(DrayTek)[192.168.0.1]===192.168.0.0/24

Neither WatchGuard nor FreeSwan seems to have any documentation on the subject. Any help would be greatly appreciated.

Pete
 
There is some info out there, not a lot though. I don't know if you have gotten this to work or where you are in the process, but I can offer these two things:

For IPSec interoperability between FreeS/WAN and a Firebox to succeed you need:

A static public IP address for your Linux FreeS/WAN server. Although you might want to create an IPSec tunnel from a dynamically addressed Linux server, the Firebox requires something called Aggressive Mode negotiation to create tunnels to dynamic IP. Unfortunately, the creators of FreeS/WAN decided not to support Aggressive Mode. Since FreeS/WAN does not support Aggressive Mode, the FreeS/WAN server must use a static IP address for the IPSec tunnel to succeed.

A patch to use aggressive mode is now available for freeswan.

Also, FreeS/WAN will only use 3DES for phase1 negotiation. You need to make sure that the FB is configured to use 3DES instead of DES.

Do you have access to the FB, or are you relying on someone else to configure that end for you?
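As an added illustration (not configuration from either poster or from WatchGuard), a FreeS/WAN `ipsec.conf` connection that encodes the requirements just listed: a fixed public address on the Linux side, main-mode IKE with a pre-shared key (FreeS/WAN's default, since aggressive mode is unsupported), and 3DES on both ends. All addresses, the connection name and the secret are placeholders; the `esp=` line assumes a FreeS/WAN build with the algorithm patches and can be dropped on a stock build, where 3DES is the only cipher anyway.

```conf
# /etc/ipsec.conf (FreeS/WAN) -- placeholder addresses, adjust to your own
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn linux-to-firebox
        # Linux FreeS/WAN side: must be a STATIC public IP, because FreeS/WAN
        # only does main mode and the Firebox needs aggressive mode for dynamic peers
        left=203.0.113.10
        leftsubnet=192.168.0.0/24
        # leftid is the identity the Firebox checks; if the Linux box sits behind a
        # router that forwards IPsec to it, agree this value with the Firebox admin
        leftid=203.0.113.10
        # Firebox side: single host made reachable through the tunnel
        right=198.51.100.20
        rightsubnet=192.168.1.1/32
        rightid=198.51.100.20
        # main-mode IKE with a pre-shared key; the Firebox must be set to 3DES, not DES
        keyexchange=ike
        authby=secret
        esp=3des-md5
        pfs=yes
        auto=start

# /etc/ipsec.secrets -- both peer addresses, then the shared key (placeholder)
203.0.113.10 198.51.100.20 : PSK "replace-with-a-long-random-secret"
```

The secret must be identical on the Firebox; a mismatch shows up as a Phase 1 authentication failure rather than a connectivity error.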
 
Thanks for the message. No, I still haven't figured this out. I have put it on the back burner for now as I ran out of things to try, but it would be a huge advantage when I can get it up and running.

The DrayTek does have a dynamic IP but I have been trying to set up the firebox as if it is static, and then changing it when the ADSL connection drops and a new IP is assigned. I know this is not the ideal solution but I am just trying to get something that works. Does this mean that I do not need the aggressive mode patch for the moment?

At my end the DrayTek forwards all IPsec traffic to the FreeSwan server with a static internal IP of 192.168.0.x. When I connect via another FreeSwan box I have to set up a RightID of 192.168.0.x along with the public internet IP. I am not sure of what needs to be set on the firebox in this circumstance.

I have already confirmed that the firebox is using 3DES.

Unfortunately I am relying on someone else at the firebox end so I do not know anything much about it.

You mentioned that there is 'some' documentation about, I don't suppose you could point me at anything that may be useful?

Thanks
Pete
 