<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2604" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi all,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I am trying to set up a VPN connection between
Openswan and Checkpoint. I use AES-256, SHA-1, and Diffie-Hellman
Group 2.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I couldn't get Phase 1 to come up; any help would be
greatly appreciated.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>That is my network connection</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>172.xxx.xxx.0/24===149.xxx.xxx.204
------------------203.xxx.xxx.205===10.xxx.xxx.0/24</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here is my ipsec.conf:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><PRE>
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"

# Add connections here

conn TestConnection
        left=149.xxx.xxx.204
        leftsubnet=172.xxx.xxx.0/24
        leftnexthop=149.xxx.xxx.205
        right=203.xxx.xxx.205
        rightsubnet=10.xxx.xxx.0/24
        rightnexthop=%defaultroute
        ike=aes256-sha!
        esp=aes256-sha1!
        authby=secret
        auto=start
        pfs=no

# sample VPN connection
#sample# conn sample
#sample#        # Left security gateway, subnet behind it, next hop toward right.
#sample#        left=10.0.0.1
#sample#        leftsubnet=172.16.0.0/24
#sample#        leftnexthop=10.22.33.44
#sample#        # Right security gateway, subnet behind it, next hop toward left.
#sample#        right=10.12.12.1
#sample#        rightsubnet=192.168.0.0/24
#sample#        rightnexthop=10.101.102.103
#sample#        # To authorize this connection, but not actually start it, at startup,
#sample#        # uncomment this.
#sample#        #auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
</PRE></DIV>
<DIV><FONT face=Arial size=2>And this is what I got when I issued "ipsec whack
--status":</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><PRE>
000 interface ipsec0/eth1 203.xxx.xxx.205
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "TestConnection": 10.xxx.xxx.0/24===203.xxx.xxx.205---203.xxx.xxx.204...149.xxx.xxx.205---149.xxx.xxx.204===172.xxx.xxx.0/24; prospective erouted; eroute owner: #0
000 "TestConnection": srcip=unset; dstip=unset
000 "TestConnection": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "TestConnection": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 22,24; interface: eth1;
000 "TestConnection": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "TestConnection": IKE algorithms wanted: 7_256-2-5, 7_256-2-2, flags=strict
000 "TestConnection": IKE algorithms found: 7_256-2_160-5, 7_256-2_160-2,
000 "TestConnection": ESP algorithms wanted: 12_256-2, flags=strict
000 "TestConnection": ESP algorithms loaded: 12_256-2, flags=strict
000
000 #4: "TestConnection" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in34s; nodpd
000 #4: pending Phase 2 for "TestConnection" replacing #0
000
</PRE></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>That is what I got in /var/log/messages when I tried
to start ipsec:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><PRE>
Mar 12 10:17:30 vpngateway kernel: klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.3.0
Mar 12 10:17:30 vpngateway kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
Mar 12 10:17:30 vpngateway kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
Mar 12 10:17:30 vpngateway kernel: ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
Mar 12 10:17:30 vpngateway ipsec_setup: KLIPS debug `none'
Mar 12 10:17:30 vpngateway kernel:
Mar 12 10:17:30 vpngateway ipsec_setup: KLIPS ipsec0 on eth1 203.xxx.xxx.205/255.255.255.248 broadcast 203.xxx.xxx.xxx
Mar 12 10:17:31 vpngateway ipsec_setup: ...Openswan IPsec started
Mar 12 10:17:31 vpngateway ipsec_setup: Starting Openswan IPsec 2.3.0...
Mar 12 10:17:31 vpngateway ipsec_setup: Using /lib/modules/2.4.29/kernel/ipsec.o
Mar 12 10:17:31 vpngateway ipsec_setup: ipchains: Protocol not available
Mar 12 10:17:32 vpngateway ipsec__plutorun: 104 "TestConnection" #1: STATE_MAIN_I1: initiate
Mar 12 10:17:32 vpngateway ipsec__plutorun: ...could not start conn "TestConnection"
</PRE></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>That is what I got in /var/log/secure when I tried
to start ipsec:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><PRE>
Mar 12 10:17:31 vpngateway ipsec__plutorun: Starting Pluto subsystem...
Mar 12 10:17:31 vpngateway pluto[17701]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Mar 12 10:17:31 vpngateway pluto[17701]: Setting port floating to off
Mar 12 10:17:31 vpngateway pluto[17701]: port floating activate 0/1
Mar 12 10:17:31 vpngateway pluto[17701]: including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 12 10:17:31 vpngateway pluto[17701]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 12 10:17:31 vpngateway pluto[17701]: starting up 1 cryptographic helpers
Mar 12 10:17:31 vpngateway pluto[17701]: started helper pid=17707 (fd:6)
Mar 12 10:17:31 vpngateway pluto[17701]: Using KLIPS IPsec interface code
Mar 12 10:17:31 vpngateway pluto[17701]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 12 10:17:31 vpngateway pluto[17701]: Could not change to directory '/etc/ipsec.d/aacerts'
Mar 12 10:17:31 vpngateway pluto[17701]: Changing to directory '/etc/ipsec.d/ocspcerts'
Mar 12 10:17:31 vpngateway pluto[17701]: Changing to directory '/etc/ipsec.d/crls'
Mar 12 10:17:31 vpngateway pluto[17701]: Warning: empty directory
Mar 12 10:17:32 vpngateway pluto[17701]: added connection description "TestConnection"
Mar 12 10:17:32 vpngateway pluto[17701]: listening for IKE messages
Mar 12 10:17:32 vpngateway pluto[17701]: adding interface ipsec0/eth1 203.xxx.xxx.205
Mar 12 10:17:32 vpngateway pluto[17701]: loading secrets from "/etc/ipsec.secrets"
Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: initiating Main Mode
Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: received and ignored informational message
Mar 12 10:30:42 vpngateway pluto[17701]: "TestConnection" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
</PRE></DIV>
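<DIV><FONT face=Arial size=2>Editor's added example, not part of the original post or of Openswan itself: a small Python script that reads the two pieces of evidence in the post, the "IKE algorithms wanted/found" and state lines from <CODE>ipsec whack --status</CODE> and the pluto lines from /var/log/secure, and turns them into a plain-language Phase 1 diagnosis. It decodes pluto's <CODE>encr[_keylen]-hash[_hashlen]-dhgroup</CODE> transform tokens (so <CODE>7_256-2-5</CODE> reads as AES-CBC-256 / SHA1 / MODP1536) using the id tables the status dump itself prints, reports that the peer answered NO_PROPOSAL_CHOSEN to the offer that was actually sent, and emits the <CODE>ike=</CODE> line that would offer exactly one transform. Assumptions: the sample STATUS and LOG strings are constructed from the lines above, joined back onto single lines; INTENDED encodes the AES-256 / SHA-1 / group 2 policy the post states; <CODE>ike=aes256-sha1-modp1024</CODE> is the standard Openswan syntax for pinning encryption, hash and DH group in one proposal. The script names no cause on the Checkpoint side; it only makes explicit what was offered and what came back.</FONT></DIV>

```python
import re

# Algorithm-id tables, copied from the "algorithm IKE ..." lines that
# "ipsec whack --status" prints on this box (Openswan 2.3.0).
IKE_ENCR = {7: "AES_CBC", 5: "3DES_CBC"}
IKE_HASH = {2: "SHA1", 1: "MD5"}
IKE_DH = {2: "MODP1024", 5: "MODP1536", 14: "MODP2048", 15: "MODP3072",
          16: "MODP4096", 17: "MODP6144", 18: "MODP8192"}

# One Phase 1 transform as pluto prints it: encr[_keylen]-hash[_hashlen]-dhgroup
TUPLE_RE = re.compile(r"(\d+)(?:_(\d+))?-(\d+)(?:_(\d+))?-(\d+)")
STATE_RE = re.compile(r'#(\d+): "([^"]+)" (STATE_[A-Z0-9_]+)')

# Constructed sample input: the relevant status-dump and pluto-log lines from
# the post, each joined back onto a single line.
STATUS = """\
000 "TestConnection": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "TestConnection": IKE algorithms wanted: 7_256-2-5, 7_256-2-2, flags=strict
000 "TestConnection": IKE algorithms found: 7_256-2_160-5, 7_256-2_160-2,
000 "TestConnection": ESP algorithms wanted: 12_256-2, flags=strict
000 #4: "TestConnection" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in34s; nodpd
"""
LOG = """\
Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: initiating Main Mode
Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 12 10:30:42 vpngateway pluto[17701]: "TestConnection" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
"""
# Assumption: the transform both ends are meant to use (AES-256, SHA-1, DH group 2 per the post).
INTENDED = {"encr": "AES_CBC", "keylen": 256, "hash": "SHA1", "group": "MODP1024"}


def decode_ike_tuple(tok):
    """Turn a token such as '7_256-2_160-5' into names via the id tables above."""
    m = TUPLE_RE.fullmatch(tok)
    if not m:
        raise ValueError("not an IKE transform token: %r" % tok)
    encr, keylen, hsh, _hashlen, grp = m.groups()
    return {"encr": IKE_ENCR.get(int(encr), "id=" + encr),
            "keylen": int(keylen) if keylen else None,
            "hash": IKE_HASH.get(int(hsh), "id=" + hsh),
            "group": IKE_DH.get(int(grp), "id=" + grp)}


def fmt(t):
    return "%s/%s/%s/%s" % (t["encr"], t["keylen"], t["hash"], t["group"])


def parse_status(status):
    """Collect the Phase 1 offer ('wanted'), pluto's resolved list ('found') and SA state."""
    st = {"wanted": [], "found": [], "states": [], "newest_isakmp": None}
    for line in status.splitlines():
        for key in ("wanted", "found"):
            tag = "IKE algorithms %s:" % key
            if tag in line:
                rest = line.split(tag, 1)[1]
                st[key] = [decode_ike_tuple(m.group(0)) for m in TUPLE_RE.finditer(rest)]
        m = re.search(r"newest ISAKMP SA: #(\d+)", line)
        if m:
            st["newest_isakmp"] = int(m.group(1))
    st["states"] = STATE_RE.findall(status)
    return st


def diagnose(status, log, intended):
    """Explain a Phase 1 that never comes up, from the status dump plus the pluto log."""
    st = parse_status(status)
    offered = [fmt(t) for t in st["wanted"]]
    findings = []
    if st["newest_isakmp"] == 0:
        findings.append("no Phase 1 (ISAKMP) SA has ever been established for this conn")
    for num, conn, state in st["states"]:
        if state == "STATE_MAIN_I1":
            findings.append("%s #%s is stuck in STATE_MAIN_I1: MI1 sent, no usable MR1 from the peer" % (conn, num))
    if "NO_PROPOSAL_CHOSEN" in log:
        findings.append("peer answered NO_PROPOSAL_CHOSEN: none of the offered Phase 1 transforms (%s) matched its Phase 1 settings" % ", ".join(offered))
    if "max number of retransmissions" in log:
        findings.append("initiator gave up after exhausting retransmissions of its first Main Mode message")
    if intended in st["wanted"]:
        pos = st["wanted"].index(intended)
        if pos > 0:
            findings.append("intended transform %s is offered, but only in position %d after %s"
                            % (fmt(intended), pos + 1, ", ".join(offered[:pos])))
    else:
        findings.append("intended transform %s is not in the offer at all" % fmt(intended))
    return findings


def pin_ike_line(t):
    """ipsec.conf ike= value that offers exactly this one Phase 1 transform."""
    encr = {"AES_CBC": "aes", "3DES_CBC": "3des"}[t["encr"]]
    if t["encr"] == "AES_CBC" and t["keylen"]:
        encr += str(t["keylen"])
    return "ike=%s-%s-%s" % (encr, t["hash"].lower(), t["group"].lower())


if __name__ == "__main__":
    for f in diagnose(STATUS, LOG, INTENDED):
        print("-", f)
    print("suggested:", pin_ike_line(INTENDED))
```

<DIV><FONT face=Arial size=2>Two things the output makes visible that the raw dump hides: the "found" list is pluto's own resolution of the ike= string (including the 160-bit SHA1 key size), not anything the peer said, so the peer's only verdict is the NO_PROPOSAL_CHOSEN notify; and with <CODE>ike=aes256-sha!</CODE> the DH group is unspecified, so pluto offers MODP1536 first and MODP1024 second. Pinning the line to one transform (add the trailing <CODE>!</CODE> back if strict mode is wanted) removes that ambiguity before comparing against the other side's Phase 1 settings.</FONT></DIV>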
<DIV><BR></DIV></FONT></BODY></HTML>