How to get IPSec Working Between Watchguard and ClearOS

Let me start off that ClearOS is really fuzzy when it comes to IPSec VPN tunnels.  They don’t really support it, although everyone else does.  The web interface for ClearOS flat out doesn’t work for IPSec, and will break any working configs, so do yourself a favor and remove the ClearOS IPSec plugin (via ssh it’s “rpm -e app-ipsec”)

SSH into your ClearOS machine, and type in:

cd /etc/
mv ipsec.conf ipsec.conf.orig
touch ipsec.conf
nano ipsec.conf

And then insert the following config. Adjust it as needed:

version 2.0
 
#ClearOS LAN = 192.168.10.0/24
#ClearOS WAN IP = 172.16.1.1
#Watchguard LAN = 192.168.20.0/24
#Watchguard WAN IP = 10.0.0.1
 
config setup
        interfaces=%defaultroute
        protostack=netkey
        klipsdebug=none
        plutodebug=none
        virtual_private=%v4:192.168.20.0/24,%v4:192.168.10.0/24
 
conn Corporate #modify this to your tunnel name
        type=tunnel
        auto=start
        auth=esp
        pfs=yes
        authby=secret
        left=172.16.1.1 # adjust to your ClearOS WAN IP
        leftsourceip=192.168.10.1 #adjust to your ClearOS LAN IP
        leftnexthop=172.16.1.2 # adjust to your ClearOS WAN IP Gateway
        leftsubnet=192.168.10.0/24 #adjust to your ClearOS LAN Subnet
        right=10.0.0.1 # adjust to your Watchguard WAN IP
        rightsourceip=192.168.20.1 #adjust to your Watchguard LAN IP
        rightnexthop=64.131.59.249 #adjust to your Watchguard WAN IP Gateway
        rightsubnet=192.168.0.0/24 #adjust to your Watchguard LAN Subnet
        rightid=10.0.0.1 # adjust to your Watchguard WAN IP
        esp=3des-md5
        ike=3des-md5
 
# Disable OE
#-----------
 
conn block
        auto=ignore
 
conn private
        auto=ignore
 
conn private-or-clear
        auto=ignore
 
conn clear-or-private
        auto=ignore
 
conn clear
        auto=ignore
 
conn packetdefault
        auto=ignore
 
# Tunnels defined in separate files
#----------------------------------
 
#include /etc/ipsec.d/*.conf

Then you’ll need to edit the password for the tunnel. You’ll need to name it the same as your tunnel name. I’m going to assume that the tunnel name is “Corporate”. Edit /etc/ipsec.d/ipsec.Corporate.secrets

10.0.0.1 172.16.1.1 : PSK "TheTunnelPassword" # Far WAN IP, Near LAN IP

You’ll want to restart the ipsec service by issuing “service ipsec restart”

Now we’ll switch over to the Watchguard. I’m going to assume you already know how to setup an IPSec VPN tunnel (Watchguard calls it BOVPN). You’ll need to set your phase 1 and 2 PFS DH group to 5, use ESP phase1 with md5 and 3des. phase2 needs md5 and 3des. Make sure that the password matches. The tunnel should start. For troubleshooting if it doesn’t work is to either watch the logs in the Watchguard (which is a pain if you ask me), and/or you can watch the logs in the ClearOS box by running “tail -f /var/logs/secure” (watch for the “pluto” labeled logs).

This entry was posted in Networking and tagged , , , , , , , . Bookmark the permalink.

Comments are closed.