I managed to get a PSK link working between OpenSwan 2.4.7 and updated ZyWall 5 and 35.
OpenSwan side
Here's an example of a PSK OpenSwan configuration:
ipsec.conf
conn zywall-psk
    authby=secret
    pfs=yes
    type=tunnel
    auth=esp
    aggrmode=no
    disablearrivalcheck=no
    # Local
    left=1.1.1.10
    leftid=1.1.1.10
    leftsubnet=1.1.1.0/24
    leftnexthop=1.1.1.1
    # Distant
    right=2.2.2.20
    rightid=2.2.2.20
    rightsubnet=2.2.2.0/24
    auto=start
* pfs can safely be set to yes here, so don't hesitate to activate it.
* aggrmode and disablearrivalcheck are optional here, as I have specified their default values.
* Do not specify leftprotoport=17/%any or leftprotoport=17/1701, as it will result in warnings and errors!
ipsec.secrets
The syntax of this file is important:
OPENSWAN_IP ZYWALL_IP : PSK "secrets"
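A small checker for the PSK line layout shown above, given as an added example that is not part of the original page or of OpenSwan. It assumes the quoted-secret form used here and enforces whitespace on both sides of the colon; the function name check_secrets and the sample file content are constructed for illustration.

```python
import re

# Constructed sample (not real keys): line 2 is well-formed, lines 3 and 4
# show common mistakes, line 5 is a valid entry for a different peer.
SAMPLE = '''\
# ipsec.secrets
1.1.1.10 2.2.2.20 : PSK "constructed-example-secret"
1.1.1.10 2.2.2.20: PSK "constructed-example-secret"
1.1.1.10 2.2.2.20 : PSK constructed-example-secret
1.1.1.10 3.3.3.30 : PSK "constructed-example-secret"
'''

# IDs, whitespace, colon, whitespace, the keyword PSK, then the secret.
ENTRY = re.compile(r'^(?P<ids>.*?)\s+:\s+PSK\s+(?P<secret>.+?)\s*$')


def check_secrets(text, left, right):
    """Return (line_number, problem) tuples for PSK entries in ipsec.secrets text.

    left/right are the leftid/rightid values of the conn in ipsec.conf.
    Line number 0 is used for problems that concern the file as a whole.
    """
    problems = []
    matched = False
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue                      # blank line or comment
        if line[0].isspace():
            continue                      # continuation line, not checked here
        m = ENTRY.match(line)
        if not m:
            problems.append((n, 'expected: ID ID : PSK "secret"'))
            continue
        secret = m.group('secret')
        if len(secret) < 3 or secret[0] != '"' or secret[-1] != '"':
            problems.append((n, 'secret is not a double-quoted string'))
            continue
        # Entries for other peers are fine; only note whether ours exists.
        if set(m.group('ids').split()) == {left, right}:
            matched = True
    if not matched:
        problems.append((0, 'no valid PSK entry for %s and %s' % (left, right)))
    return problems


if __name__ == '__main__':
    for lineno, problem in check_secrets(SAMPLE, '1.1.1.10', '2.2.2.20'):
        print('line %d: %s' % (lineno, problem))
```
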
ZyWall side
And here are the options changed on the ZyWall side:
IPSec
* The “Peer ID” fields have to be filled: Type=IP and Content = OpenSwan IP and Local ZyWall IP
* Enable Replay Detection= Yes
* Key Management= IKE
IKE
Phase 1
* Negotiation Mode= Main
* Pre-Shared Key= yourpresharedkey
* Encryption Algorithm= 3DES
* Authentication Algorithm= MD5
* SA Life Time (Seconds)= 3600
* Key Group= DH2
Phase 2
* Active Protocol= ESP
* Encryption Algorithm= 3DES
* Authentication Algorithm= MD5
* SA Life Time (Seconds)= 9600
* Encapsulation= Tunnel
* Perfect Forward Secrecy (PFS)= DH2
Thanks to Roberto Fichera and the information he provided on the OpenSwan list, I managed to make this PSK work.
I have not yet tested an X509 tunnel.