Hi guys,<br><br>I hope that the maintainers of openswan would consider including this howto<br>
in the openswan documentation website.<br><br>After 2 days of hard work figuring out how to connect a standard Ubuntu box to a<br>CP FW-1 server, I can document here the fruits of that work. It's a tutorial on getting<br>
this setup working (also depending on config of FW-1 of course!).<br><br>Regards,<br><br>G><br><br>-------------------------------------------------<br><br><br>Ubuntu Linux 2.6.15 (just set to 'latest' in aptitude), OpenSwan and Checkpoint FW-1 NG (55 I think)
<br><br>This is a guide to connect your Ubuntu Linux (or any other more recent I guess)<br>to a Checkpoint firewall, which may use a hybrid mode for connecting. Some <br>firewalls are set up that way and they don't use RSA public keys for authentication
<br>or shared keys for all roadwarriors.<br><br>This guide assumes Ubuntu, but it probably works on Debian as well and probably<br>some wiz's should be able to make it work on SuSE, RedHat and other flavours.<br><br>-=-=-=-=-=-=-=-=-=-=-=-=
<br><br>DISCLAIMER: I am not an ipsec or openswan wiz, nor a security expert. <br>I'm just a regular Linux guy and need to connect with VPN to work. Since we have<br>some clients with a lot of influence, the config of the firewall is not really easy to
<br>change into public key auth...(bureaucracy). So there you go, I had to use xauth and <br>CP style user authentication.<br><br>Since CP only provides that RedHat 2.4 SecureClient code, I was<br>not prepared to downgrade to
2.4, nor leave another box running, wasting electricity,<br>just because some guys are too protective about their source code.<br><br>Working this out took me about 2 days in total, trying out every different option in the
<br>book and reading miles of docs on ipsec, klips, netkey, routers and other stuff, including<br>the examples in the openswan source code ('testing/pluto' or somewhere).<br><br>I hope it is useful for people with similar configurations.
<br><br>-=-=-=-=-=-=-=-=-=-=-=-=<br><br>Prerequisites for this howto:<br><br> * Linux 2.6.15 (my kernel is the plain, vanilla Ubuntu kernel. no modifications. This has the netkey module, not klips).<br> * aptitude<br>
* openswan 2.4.4 sources<br> * The OpenSCclient patch to connect to CP FW-1 in one of the links.<br> * gcc, bison, flex, gawk, vi<br> * ethereal probably<br> * A firewall vpn login (this gives you a username & password)
<br> * I recommend connecting over a direct connection first to eliminate any router NAT problems. For ADSL:<br> ifconfig eth0 up<br> sudo pppoeconf<br> pon dsl-provider<br> ( turn off = "poff" )
<br> * The public certificate of the Certificate Authority that signed the public key of the firewall server. (We'll authenticate the server through its RSA public certificate, actually identify the key that it should have.)
<br> * The public certificate of the FW-1 server to extract the RSA sig key. (see openSCclient website).<br><br>The bit about not using a router has to do with Network Address Translation. With NAT, your machine has an IP address in your own LAN and all communication goes through your router, which strips off that IP and puts its own in place on the way out, then restores the IP on replies and routes the packet to the proper terminal behind the router. This is fine for regular inet traffic, but when you depend on source IPs and destination IPs to send packets through encrypted tunnels it does not work well.
<br><br>Now, secureclient and openswan both have options called "NAT-T", which is NAT traversal. This encapsulates the packets in UDP, but I cannot confirm this at home since my router is one of those crap routers where the VPN connection doesn't work. It basically does not allow for the connection to be set up. Check out the last link here in the end to see some of the problems people have both on windows and naturally on Linux, since the problem is the router, not the software or local computer.
<br><br>Please read up a bit first on the concepts of openswan before attempting this tutorial. It helps in troubleshooting :) Here are some interesting links:<br><br>Very good troubleshooting and config guide, step by step:
<br><a href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs#Using_Pre-Shared_Keys_.28PSK.29">http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs#Using_Pre-Shared_Keys_.28PSK.29
</a><br><br><a href="http://www.securityfocus.com/infocus/1409">http://www.securityfocus.com/infocus/1409</a><br><br>explanation how IKE works:<br><a href="http://www.cisco.com/warp/public/707/csvc_log.html">http://www.cisco.com/warp/public/707/csvc_log.html
</a><br><br><a href="http://lists.openswan.org/pipermail/users/2005-April/004541.html">http://lists.openswan.org/pipermail/users/2005-April/004541.html</a><br><br><a href="http://wiki.openswan.org/index.php/Openswan/ConfFiles">
http://wiki.openswan.org/index.php/Openswan/ConfFiles</a><br><br><a href="http://www.die.net/doc/linux/man/man5/ipsec.conf.5.html">http://www.die.net/doc/linux/man/man5/ipsec.conf.5.html</a><br><br><a href="http://wiki.openswan.org/index.php/Openswan/FreeSWANTroubleShooting">
http://wiki.openswan.org/index.php/Openswan/FreeSWANTroubleShooting</a><br><br><a href="http://www.cpug.org/forums/showthread.php?t=424">http://www.cpug.org/forums/showthread.php?t=424</a><br><br>OpenSCclient, the core of the whole thing that allows openswan to work with Checkpoint,
<br>but allegedly breaks other things, which is the hesitation in making this part of <br>openswan, afaik. <br><br>You definitely need this:<br><br><a href="http://emsi.it.pl/auto/opensclient">http://emsi.it.pl/auto/opensclient
</a><br><br><br>useful commands for debugging throughout this howto:<br>------------------<br>vi /etc/ipsec.conf<br>/etc/init.d/ipsec restart<br>ipsec auto --up mycompanyvpn<br>ipsec auto --status<br>ipsec barf<br>ipsec verify
<br>tcpdump -i ethX<br>ethereal &<br>/etc/init.d/ipsec restart (yup, you may be doing this a lot)<br>tail -f /var/log/auth.log<br>vi /var/log/syslog<br>vi /var/log/kern.log<br>vi /var/log/messages<br>route -n<br>route
<br>ip route<br>------------------<br>Here we go. First we remove openswan and ipsec-tools, because we will build them with a small patch file later and install that on ubuntu.<br><br>The rest are commands to download source from ubuntu (patched files from ubuntu distrib) and some other things to get it installed. Get the necessary patch file from the attachment to this article. (see all the way below).
<br><br>------------------<br>apt-get remove openswan<br>apt-get remove ipsec-tools<br>cd /usr/src<br>apt-get source openswan<br>mv openswan-2.4.4 openswan-2.4.0<br>patch -p0 < openswan-2.4.0-SecureClient.diff<br>( changes should merge successfully )
<br>mv openswan-2.4.0 openswan-2.4.4<br>cd openswan-2.4.4<br>dpkg-buildpackage<br>( If you did not have gawk, flex, bison or gcc installed, this is where you will have to resolve those dependencies ).<br>cd ..<br>( rm /etc/ipsec.d/private/****
key.pem? )<br>( rm /etc/ipsec.d/certs/****cert.pem? )<br>dpkg -i openswan_2.4.4-3ubuntu1_i386.deb<br>------------------<br><br>The files /usr/lib/ipsec/auto and /usr/libexec/ipsec/auto are incorrect.<br>It uses a function called "default" which is a keyword. vi those files and replace:
<br><br>------------------<br>default("cpsc", "no")<br>------------------<br><br>with:<br><br>------------------<br>set_os_default("cpsc", "no")<br>------------------<br><br>( the patch is old and this was a problem at
2.4.0 still. In 2.4.4 this was already fixed )<br><br>Now, let's edit ipsec.conf<br><br>This is my /etc/ipsec.conf:<br><br>------------------<br>version 2.0<br><br>include /etc/ipsec.d/examples/no_oe.conf<br><br>config setup
<br> interfaces=%defaultroute<br> # plutodebug="raw crypt parsing emitting control klips all private none"<br> # enable this later when it all works<br> # plutodebug="none"<br>
# set this log line in ipsec.conf during connection debug. disable later when it works.<br> plutodebug="control"<br> # enable the next for nat traversal, (using router?) not done this yet.<br>
# nat_traversal=yes<br><br>conn mycompanyvpn<br> type=tunnel<br> # right = your company's gateway (firewall IP?)<br> right=1.2.3.4<br> # rightsubnet = your company's subnet that you want to reach behind the gateway
<br> rightsubnet=5.6.7.8/24<br> rightrsasigkey=0x1234567890ABCDEF....... (truncated)<br> rightxauthserver=yes<br> left=%defaultroute<br> leftxauthclient=yes
<br> leftid=@!<br> auth=esp<br> xauth=yes<br> # might help for NAT resolutions later on. not tried yet.<br> # forceencaps=yes<br> # The following settings for ike= and esp= may need some modifications, depending on the
<br> # firewall settings and the version. These worked for my installation.<br> # If you get "NO_PROPOSAL_CHOSEN" in the auth.log (Ubuntu), this is when you look at these settings.<br> ike=3des-md5-modp1024
<br> ikelifetime=8h<br> rekey=no<br> esp=aes,3des<br> pfs=yes<br> # adds this route to the ipsec config, but does not bring it up yet.<br> auto=add<br> cpsc=yes<br><br>------------------
<br><br>The rightrsasigkey needs to be populated with the value as per the openscclient website instructions. <br>It is the RSA signature public key from the Checkpoint FW-1 server. <br><br>This line would already take care of things, but the problem is that we need to start "trusting" that
<br>sigkey and public certificate. You need to put the CA public certificate into /etc/ipsec.d/cacerts, also<br>according to the instructions. That should theoretically take care of things and if you have your login,<br>you can now attempt to connect.
<br><br>open a new "log" terminal as root and:<br><br>tail -f /var/log/auth.log<br>Now, from the main terminal as root we will bring up our tunnel:<br><br>/etc/init.d/ipsec restart<br>ipsec verify<br>ipsec auto --up mycompanyvpn
<br>( wait for terminal to prompt for your username and password, if the negotiation gets that far!)<br>ping 5.6.7.9 (5.6.7.9 = any server in your company's network that you normally connect to)
<br><br><br>if you get problems about "unknown connections", try:<br><br>ipsec auto --add mycompanyvpn<br><br><br>If this did not work, errors are printed in the logs and on the console.<br><br>see /var/log/auth.log
<br><br>correct log output:<br>104 "mycompanyvpn" #1: STATE_MAIN_I1: initiate<br>106 "mycompanyvpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>108 "mycompanyvpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
<br>004 "mycompanyvpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}<br>003 "mycompanyvpn" #1: discarding duplicate packet; already STATE_MAIN_I4
<br>003 "mycompanyvpn" #1: discarding duplicate packet; already STATE_MAIN_I4<br>041 "mycompanyvpn" #1: mycompanyvpn prompt for Username:<br>Name enter: <username here><br>004 "mycompanyvpn" #1: STATE_CPSC_I1: CP SecureClient - awaiting password request
<br>040 "mycompanyvpn" #1: mycompanyvpn prompt for Password:<br>Enter secret: XXXXXXXXXXXXXX<br>004 "mycompanyvpn" #1: STATE_CPSC_I2: CP SecureClient - awaiting authentication status<br>004 "mycompanyvpn" #1: STATE_MAIN_I4: ISAKMP SA established
<br>117 "mycompanyvpn" #2: STATE_QUICK_I1: initiate<br>003 "mycompanyvpn" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME<br>004 "mycompanyvpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x73ef1a8e <0x5d044af4 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
<br><br><br>Some common troubleshooting:<br><br> * NO_PROPOSAL_CHOSEN : The server did not like the proposed encryption algorithms either in ike= or in esp=. If this happens in STATE_MAIN_I1 or MAIN_I*, it is the IKE negotiation. If it happens in STATE_QUICK_I1, it is esp=.
<br> * Cannot see other servers on the network: Does your /etc/resolv.conf contain nameservers of your company's network?<br> * received packet with more than 20 payloads; ignored; : broken NAT-T implementation or invalid router. I have not been able yet to play with routers enough to see if NAT works with openswan. Resolution: get a different router (not sure which one) or connect directly to the Internet. I have a NETGear WGR614 and it doesn't seem to like VPN's that much. This is why a direct connection first eliminates those possibilities.
<br> * hanging at authentication: check auth.log for any errors, especially "NO_PROPOSAL_CHOSEN"<br> * Established tunnel, but no traffic: The kernel needs to determine how to route traffic. It does this by the source IP and dest IP combination and the subnets. Maybe the kernel has a bug, you have ip forwarding on or off or some other filtering occurs in the kernel. Check this out. Are you using iptables? Check through some logs if any packets are being dropped in the ipsec kernel code because it can't find a route. Check out ip route information.
<br>In case you have klips and netkey loaded at same time in the kernel... ugh! I had this and the packets on return all get dropped without a trace. so... don't do it and fix your kernel config before you do anything else.
<br> * For routers: You need to check out which ports to open up on the router. I think you need 4500 and 500 for Checkpoint FW-1, but some people at forums are opening more (Checkpoint users forum). You should probably configure "port forwarding" on your router before things even remotely start to work.
<br><br>Good luck!<br clear="all"><br>-- <br>Gerard Toonstra<br>-----------------------<br><a href="http://radialmind.blogspot.com">http://radialmind.blogspot.com</a>
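<br><br>The troubleshooting rule above (NO_PROPOSAL_CHOSEN while in STATE_MAIN_I* points at ike=, while in STATE_QUICK_I* at esp=) written as a small log triage script. This is an added example, not part of the original howto or of openswan; the function names and the sample log lines are constructed, modelled on the console output shown earlier.

```python
import re

# Pluto status line, with or without the leading whack code or a syslog prefix:
#   104 "mycompanyvpn" #1: STATE_MAIN_I1: initiate
LINE = re.compile(r'"(?P<conn>[^"]+)" #\d+: (?:(?P<state>STATE_[A-Z0-9_]+): )?(?P<msg>.*)')

def setting_for(state):
    """Map the last pluto state seen to the thing the howto says to check."""
    if state.startswith("STATE_MAIN_"):
        return "ike="                    # phase 1 (ISAKMP SA) proposal
    if state.startswith("STATE_QUICK_"):
        return "esp="                    # phase 2 (IPsec SA) proposal
    if state.startswith("STATE_CPSC_"):
        return "username/password"       # CP SecureClient login exchange
    return "unknown"

def triage(log_text):
    """Return (connection, finding, what to check) tuples for a pluto log."""
    last_state, established, findings = {}, set(), []
    for line in log_text.splitlines():
        if "more than 20 payloads" in line:
            findings.append(("-", "more than 20 payloads", "NAT-T/router"))
            continue
        m = LINE.search(line)
        if not m:
            continue                     # prompts and unrelated syslog lines
        conn = m["conn"]
        if m["state"]:
            last_state[conn] = m["state"]
        if "NO_PROPOSAL_CHOSEN" in m["msg"]:
            findings.append((conn, "NO_PROPOSAL_CHOSEN",
                             setting_for(last_state.get(conn, ""))))
        elif "IPsec SA established" in m["msg"]:
            established.add(conn)
    for conn, state in last_state.items():
        if conn in established:
            findings.append((conn, "IPsec SA established", "ok"))
        elif not any(f[0] == conn for f in findings):
            # No explicit error: report where the negotiation stopped.
            findings.append((conn, "stopped in " + state, setting_for(state)))
    return findings

# Constructed sample: phase 1 succeeds, the gateway then rejects the esp= proposal.
SAMPLE = '''\
004 "mycompanyvpn" #1: STATE_MAIN_I4: ISAKMP SA established
117 "mycompanyvpn" #2: STATE_QUICK_I1: initiate
003 "mycompanyvpn" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The state is tracked per connection rather than per SA number, so a rejection reported on #1 after #2 has entered STATE_QUICK_I1 is still attributed to esp=.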