
IPsec VPN between Racoon and Stormshield router

Intro

Here is a Racoon gateway configuration example for connecting to a Netasq / Stormshield router with a pre-shared key.

Network diagram

Netasq / Stormshield configuration

Racoon Server configuration

/etc/racoon/racoon.conf

# Racoon (IKEv1) configuration for the gateway side of the tunnel.
# The `remote` block holds the phase 1 (ISAKMP) parameters, the `sainfo`
# block the phase 2 (IPsec SA) parameters; both have to match what the
# Stormshield peer is configured to accept.
# Debug-level logging is very verbose and records negotiation detail;
# lower it to `log notify` once the tunnel is stable.
log debug;
# File mapping peer address -> secret (see /etc/racoon/psk.txt below).
# It holds the authentication secret, so keep it readable by root only.
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 settings for the Stormshield peer, reached at its public address.
remote 178.178.ZZ.ZZ {
	# Both exchange modes are accepted. Aggressive mode with a pre-shared key
	# sends the identities in the clear and exposes the PSK-derived
	# authentication hash to offline guessing; NOTE(review): restrict this to
	# `main` unless the Stormshield side is explicitly set to aggressive mode.
	exchange_mode main,aggressive;
	# Identity presented to the peer: this gateway's own public address.
	my_identifier address 193.93.XX.XX;

	proposal {
		# Phase 1 SA lifetime: one hour.
		lifetime time 3600 secs ;
		encryption_algorithm aes 128 ;
		#encryption_algorithm 3des, rijndael;
		# SHA-1 as the IKE hash; legacy choice — prefer a SHA-2 variant if the
		# peer supports one.
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		# 1024-bit MODP (DH group 2), the same group as `pfs_group 2` below.
		# Considered weak by current guidance; use modp2048 (group 14) if the
		# peer allows it.
		dh_group modp1024;
	}
	# Do not derive SPD entries from the peer's proposal; the policies are
	# installed statically by setkey from /etc/ipsec-tools.conf.
	generate_policy off;
}

# Phase 2 settings applied to any peer and any selector (`anonymous`).
sainfo anonymous {
	# Perfect forward secrecy with DH group 2 (modp1024), matching phase 1.
	pfs_group 2;
	# Phase 2 SA lifetime: one hour.
	lifetime time 3600 secs ;
	#encryption_algorithm aes 128 ;
	# ESP ciphers offered to the peer. 3DES and Blowfish are legacy
	# 64-bit-block ciphers; once the peer is confirmed to negotiate AES,
	# trim the list to `aes 128` only.
	encryption_algorithm aes 128, 3des, blowfish 448 ;
	# ESP integrity: HMAC-SHA1.
	authentication_algorithm hmac_sha1 ;
	# IPComp (deflate) is also proposed for the IPsec SA.
	compression_algorithm deflate ;
}
					

Netfilter Rules

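#!/bin/sh
# Netfilter rules for the Racoon IPsec gateway.
#
# Exempts traffic bound for the remote site from NAT, opens IKE and ESP
# between the two gateways, and admits remote-site traffic only when it
# arrived inside an IPsec SA. The route and forwarding sysctl from the
# original listing are kept at the end.
#
# Remote (Netasq / Stormshield) network, as written in the original rules.
# NOTE(review): the prefix has host bits set; the kernel treats it as
# 10.20.0.0/16 — confirm the intended remote prefix against the Stormshield
# side and /etc/ipsec-tools.conf.
REMOTE_NET="10.20.1.0/16"

# Packets that will leave through an IPsec policy must not be NATed.
# This rule only has an effect if a MASQUERADE/SNAT rule follows it in
# POSTROUTING (not shown in the original listing).
iptables -t nat -A POSTROUTING -d "$REMOTE_NET" -m policy --dir out --pol ipsec -j ACCEPT

# IKE (UDP/500) and ESP between the two gateways.
iptables -A INPUT  -p esp -j ACCEPT
iptables -A INPUT  -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p esp -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT

# Traffic from the remote network is accepted only if it was decapsulated
# from an IPsec SA. The original rule matched on the source address alone,
# so a plaintext packet carrying a remote-site source address would have
# been accepted as well; `-m policy --dir in --pol ipsec` closes that gap.
iptables -A INPUT  -s "$REMOTE_NET" -m policy --dir in --pol ipsec -j ACCEPT
iptables -A OUTPUT -d "$REMOTE_NET" -j ACCEPT

# NOTE(review): no FORWARD rules appear in the original listing. If the
# FORWARD chain's default policy is DROP, LAN <-> remote-site traffic routed
# through this gateway needs matching rules (with the same policy match).

## Route to the Netasq network.
# NOTE(review): `via` and `src` use the same address; confirm that
# 10.10.1.254 is really the intended next hop and not this host's own LAN address.
ip route add 10.20.1.0/16 via 10.10.1.254 src 10.10.1.254

## Enable IP forwarding (not persistent across reboots; use sysctl.conf
## for a permanent setting).
echo 1 > /proc/sys/net/ipv4/ip_forward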
					

/etc/ipsec-tools.conf

# setkey(8) script installing the static SPD entries for the tunnel; these
# are needed because racoon.conf sets `generate_policy off`.
# Local LAN 10.10.1.0/24 sits behind 193.93.XX.XX; the remote network
# 10.20.1.0/16 sits behind 178.178.ZZ.ZZ.
# NOTE(review): 10.20.1.0/16 has host bits set and is treated as
# 10.20.0.0/16 — confirm the intended remote prefix matches the Stormshield
# side and the netfilter rules.
# Drop all existing SAs, then all existing policies.
flush;
spdflush;
# Outbound: local LAN -> remote network must be sent through an ESP tunnel
# from this gateway to the Stormshield.
spdadd 10.10.1.0/24 10.20.1.0/16 any -P out ipsec
esp/tunnel/193.93.XX.XX-178.178.ZZ.ZZ/require;
# Inbound: remote network -> local LAN must have arrived through the reverse
# tunnel; with `require`, matching packets that are not IPsec-protected are
# refused.
spdadd 10.20.1.0/16 10.10.1.0/24 any -P in ipsec
esp/tunnel/178.178.ZZ.ZZ-193.93.XX.XX/require;
					

/etc/racoon/psk.txt

178.178.ZZ.ZZ TEST
					
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
