Friday, February 20, 2009

Ipsecuritas, Mac OS X, Sonicwall Enhanced Firmware

This was a tricky one. I always had some difficulty getting the free IPsecuritas connected; so I am sure others had problems too.

Using IPsecuritas 3.2 build 2501
MacBook Leopard

connecting to a:

TZ 190 Wireless Enhanced
SonicOS Enhanced 4.0.1.3-46e

Sonicwall side config (straight out of the tech support report)
--- SA 1 ---
Authentication Method : IKE with Preshared secret
VPN Policy Name : "WAN GroupVPN"; enabled
Policy Type : Client Policy
Pre-shared Key len : 14, value=
IKE Local Id : UNKNOWN
IKE Remote Id : ID_FQDN: (GroupVPN)
Local network :
Peer network :
IKE Exchange : Aggressive Mode
IKE Proposal : DH Group 2; Encrypt/Auth - 3DES/SHA1
IKE SA Life time : 28800 (seconds)
IPsec Proposal : DH Group 2; Encrypt/Auth - ESP: 3DES/HMAC SHA1
Ipsec SA Life time : 28800 (seconds)
Policy Options : PFS: on; Xauth: on; Netbios: on; Multicast: off
Management : HTTP: n; HTTPS: n; SSH: n
XAUTH user group : Trusted Users
Default LAN gateway : (0.0.0.0)
VPN policy : Bound to zone WAN

WAN GroupVPN Client Settings:
User Name and Password Caching:
XAUTH User Authentication is Required
Cache XAUTH User Name and Password on Client: Never
Client Connections:
Virtual Adapter Settings: DHCP Lease or Manual Configuration
Allow Connections to Split Tunnels
Set Default Route as this Gateway is Not Selected
Apply VPN Access Control List is Not Selected
Personal Firewall on Client Machine is Not Required
Client Initial Provisioning:
Use Default Key for Simple Client Provisioning is Selected
-----------------------------

Now the ipsecuritas config

General Tab:
--------------------
Remote IPSec Device: IP or host name of Sonicwall (must be reachable from Internet)
Endpoint Mode: Host (IP Address left blank)
Remote Mode: Network (Internal LAN network of the Sonicwall, such as 10.0.1.0 CIDR/Mask 24)

Phase 1:
--------------------
Lifetime: 8 hours
DH Group: 1024 (2)
Encryption: 3DES
Authentication: SHA-1
Exchange Mode: Aggressive
Proposal Check: Claim
Nonce Size: 16

Phase 2:
--------------------
Lifetime: 8 hours
PFS Group: 1024 (2)
Encryption: 3DES
Authenication: HMAC SHA-1

ID:
--------------------
Local Identifier: Address
Remote Identifier: FQDN.... just fill in the "Unique Firewall Identifier" from the Sonicwall VPN section
Authentication Method: XAuth PSK
Preshared Key:
Username: XAuth username
Store Password: checked if you would like the password to be stored
DNS: check "enable domain specific DNS servers"
Domains: fill in your domain name
Name Server Addresses: probably your domain controller ip address

Options
--------------------

Check off the following:
IPSec DOI
SIT_IDENTITY_ONLY
Initial Contact
Support Proxy
Request Certificate
Send Certificate
Unique SAs
IKE Fragmentation

NAT-T disable
do not check "enable connection check"
Action after connection timeout= Give up

--------------------


The key for me was Perfect Forward Secrecy was NOT enabled but it should have been! So ENABLE perfect forward secrecy. The reason for this was that IPSecuritas just does PFS without an option to turn it off or on, so you must turn it on, on the Sonicwall. Otherwise you will get "NO PROPOSAL WAS CHOSEN" when trying to negotiate phase 1. Always have your log file open when trying to debug these connections. Also, be wary of mapping multiple networks behind the Sonicwall, each has to build its own contract. Please contact me if you need help with your connection.

23 comments:

Tim said...

Just wanted to say thank you for this post. I work in IT and was facing a Nightmare getting IPSecuritas to work with our TZ-170. Thanks to this post I was able to get things going correctly.

And as a side note you can now change IPSecruitas' PFS settings to "none"

Thanks again!

Grimmlock said...

I have been pounding my head, trying to get this to work since I bought my Mac a couple months ago. @Tim, what you added to this is what made it work. Thank you both.

dilonnj said...

Hello,

Thanks for posting this...

I have a TZ190W at my office, and VPN Tracker works fine with it (as does the SonicWall VPN Client on Windows).

However we're going to be giving more people access to the VPN, so I was looking for a less expensive solution than VPN Tracker, to configure the Mac OSX 10.5.7 machines.

The TZ190W is running the same version firmware you mentioned.

I downloaded 3.2 of IPSecuritas and have tried to get it working on my mac, but it's still not working.

What doesn't make sense is on the VPN page of the Sonicwall, where a new VPN Policy is created, many of the options you listed as being on the SonicWall side, do not match the options appearing when I try adding a new VPN Policy or editing our existing.

Can you help?

Jeff said...

Works great! Changing PFS to "None" did the trick for me too. I didn't have to modify any of the settings on the Sonicwall (which was already configured for the Sonicwall client VPN PC-based software). Also, I set ID>RemoteIdentifier to "Address" instead of "FQDN" and that worked fine for me. Thanks to both kleetus and Tim.

Micheal said...

Hi,

Thank you muchly for this! Works with a SonicWall Pro 2040 as well. :-)

analog said...

Just one more person saying, THANK YOU! This worked for me too, with our TZ-180.

Mike said...

Thanks for posting the config. Worked like a charm on our TZ180.

Ronald said...

@Tim- how do you change the PFS on the IPSecuritas to none? much thanks in advance.

Prem said...

Very helpful. Also works for sonicwall pro. Thank you.

slinberg said...

Yes, excellent. This saved me a $60 upgrade fee to VPN Tracker 6, which I think I already paid around $100 for version 4 of.

The one thing I had to add to this was to make sure that the PFS group in the ipsecuritas settings - duh - matched how I had it configured on the sonicwall. Don't just oink PFS on on the sonicwall, in other words - set the PFS group and make sure the ipsecuritas setting matches.

With this enabled, the connection comes up pretty much instantly. AWESOME.

mm said...

Sorry, this question is more than a year after your post!

I am trying to connect my 10.5.7 mac to a Sonicwall TZ 210. The configuration on the Sonicwall (which i cannot change) is the same as yours, except:
IPSec Proposal: ESP (yours is DH Group 2)
Use default key for simple client provisioning is not selected.

I can't find any way to specify ESP in IPSecuritas for the IPSec Proposal... I've tried a combination of settings, but it just doesn't connect, please help!! :(

The sad part is that the VPN Tracker demo connects without any issues, but we're a start-up so the $100+ price tag doesn't fit in the budget.

Thanks a lot,

..meghana

kleetus said...
This comment has been removed by the author.
kleetus said...

Sorry been on vacation in Mexico. Which version of IPSecuritas is it? Been a while since I have opened the settings, but I would be happy to work with you on it. ESP should happen in phase 2 of the connection. I realize this is waaaay more difficult than it needs to be. This is what happens when a security protocol is developed by committee :). I have since switched my clients from IPsec (traditional VPN) like the Sonicwall uses to OpenVPN which use SSL. SSL is the same technology as https and ssh. It might be worth it to take a gander at that. If VPN is really what you need, then we can work this out.

mm said...

Hey thanks a lot! :) Actually our sys admin decided to move on to SSL-VPN too... still SonicWALL though, which means i have to use NetExtender! :( Do you know of any nicer clients for the Mac? Especially those that support not going over VPN for certain IPs?

Thanks :)

kleetus said...

I am afraid I have no idea about this. I have a MacBook Pro and use the very tough to configure OpenVPN client. This is probably more difficult than what you are already using. The beauty of using this is that you really get to know the technology, so you can feel more confident in fixing problems later.

mm said...

Ah i see. True, that's why i was eager to get IPSecuritas working (and, of course, because its free)...

Thanks a lot :)

OhmStyles said...

Not sure if you still check this but i need help getting a IpSecurtias 3.4 to a tz210

Nick Fasciana said...

Anyone have any luck geting IPSecuritas working with SonicWall TZ215?

Nick Fasciana said...

Anyone have any luck geting IPSecuritas working with SonicWall TZ215?

pastro50 said...

I had a tough time getting this to work. There are a couple of things that make this a problem.
#1 I don't think ipsecuritas does DHCP over VPN. You have to enable the manual configuration of the IP address in the sonicwall as the article states.
#2 NAT-T wouldn't work for me. If I had NAT-T off the tunnel comes up but no connectivity to remote resources. If NAT-T was enabled then no tunnel would come up. Some people report that some routers allow this and others don't allow NAT-T to work. I am using pfsense and it didn't. So I set up a firewall rule to allow IPSEC/NAT-T UDP outbound (port 4500). This essentially bypasses the firewall on the outbound side for port 4500. It works perfectly now. I noticed on the sonicwall that when I had a tunnel before opening the firewall I would have an address like 10.10.10.2(publicwanIP) - Once I configured the firewall, I only had the 10.10.10.2 address under users. I am using a sonicwall with under <4.0 firmware and snow leopard.

pastro50 said...

When I upgraded to Mountain Lion the problem with having to open a port on my firewall went away.

Bradley White said...

Thanks.It works good.
top10-bestvpn.com

Richard B. McCall said...

Thank you.Great post about Sonicwall.
Cool solution for VPN client.
It works fine.
10webhostingservice.com