<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.26.2">
</HEAD>
<BODY>
Hi people!<BR>
<BR>
I need some help to connect my firewall with gentoo-linux and openswan to <FONT SIZE="2">Check Point NGX R62.</FONT><BR>
<BR>
<BR>
firewall ~ # ipsec version<BR>
Linux Openswan U2.6.21/K2.6.29-gentoo-r1 (netkey)<BR>
<BR>
firewall ~ # ipsec verify<BR>
Checking your system to see if IPsec got installed and started correctly:<BR>
Version check and ipsec on-path [OK]<BR>
Linux Openswan U2.6.21/K2.6.29-gentoo-r1 (netkey)<BR>
Checking for IPsec support in kernel [OK]<BR>
NETKEY detected, testing for disabled ICMP send_redirects [OK]<BR>
NETKEY detected, testing for disabled ICMP accept_redirects [OK]<BR>
Checking for RSA private key (/etc/ipsec.secrets) [OK]<BR>
Checking that pluto is running [OK]<BR>
Two or more interfaces found, checking IP forwarding [OK]<BR>
Checking NAT and MASQUERADEing<BR>
Checking for 'ip' command [OK]<BR>
Checking for 'iptables' command [OK]<BR>
Opportunistic Encryption Support [DISABLED]<BR>
<BR>
firewall ~ # ipsec look<BR>
firewall Mon Jul 6 10:29:14 BRT 2009<BR>
IPSEC TABLE<BR>
iptables: No chain/target/match by that name.<BR>
ROUTING TABLE<BR>
200.XXX.XXX.232/29 dev eth0 proto kernel scope link src 200.XXX.XXX.234<BR>
default via 200.XXX.XXX.233 dev eth0<BR>
<BR>
<BR>
My /etc/ipsec.conf:<BR>
<BR>
<PRE>
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006-10-19 03:49:46 paul Exp $

# This file: /usr/share/doc/openswan-2.4.14/ipsec.conf-sample
#
# Manual: ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="%defaultroute"

        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        #
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #

        klipsdebug="all"
        plutodebug="all"
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=no
        # virtual_private=%v4:10.10.11.0/24,%v4:5.16.8.0/24,%v4:201.XXX.XXX.XXX/XX,%v4:200.XXX.XXX.XXX/XX
        #
        # enable this if you see "failed to find any available worker"
        # nhelpers=0
# Add connections here

conn inm-net
        keyexchange=ike
        ike=aes256-sha1-modp1024
        aggrmode=no
        type=tunnel
        pfs=no
        ikelifetime=1440s
        keylife=3600s
        left=200.XXX.XXX.234
        leftnexthop=200.XXX.XXX.233
        leftsubnet=10.10.11.0/24
        leftupdown=/usr/lib/ipsec/_updown
        right=201.XXX.XXX.20
        rightnexthop=201.XXX.XXX.1
        rightsubnet=5.16.8.0/24
        auth=esp
        authby=secret
        esp=aes128-sha1
        auto=start

conn inm-net2
        keyexchange=ike
        ike=aes256-sha1-modp1024
        aggrmode=no
        type=tunnel
        pfs=no
        ikelifetime=1440s
        keylife=3600s
        left=200.XXX.XXX.234
        leftnexthop=200.XXX.XXX.233
        leftsubnet=10.10.11.0/24
        leftupdown=/usr/lib/ipsec/_updown
        right=201.XXX.XXX.20
        rightnexthop=201.XXX.XXX.1
        rightsubnet=5.8.8.0/24
        auth=esp
        authby=secret
        esp=aes128-sha1
        auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
</PRE>
<BR>
<BR>
My /etc/ipsec.secrets<BR>
<BR>
200.XXX.XXX.234 201.XXX.XXX.20 : PSK "&lt;my secret is hidden&gt;"<BR>
<BR>
Log: <BR>
Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<BR>
Jul 6 10:30:20 firewall pluto[11204]: | deleting event for #3<BR>
Jul 6 10:30:20 firewall pluto[11204]: | sending reply packet to 201.XXX.XXX.20:500 (from port 500)<BR>
Jul 6 10:30:20 firewall pluto[11204]: | sending 60 bytes for STATE_QUICK_I1 through eth0:500 to 201.XXX.XXX.20:500 (using #3)<BR>
Jul 6 10:30:20 firewall pluto[11204]: | ed 72 75 18 6a 9e fe 70 70 b3 3a 30 a2 94 be 26<BR>
Jul 6 10:30:20 firewall pluto[11204]: | 08 10 20 01 9d 07 bd 62 00 00 00 3c 3d 95 1a 89<BR>
Jul 6 10:30:20 firewall pluto[11204]: | 49 1f 6c a5 77 e6 b2 86 16 61 98 d4 16 c2 aa df<BR>
Jul 6 10:30:20 firewall pluto[11204]: | 50 4f 2b 14 40 c7 e8 c0 df 50 53 78<BR>
Jul 6 10:30:20 firewall pluto[11204]: | inserting event EVENT_SA_REPLACE, timeout in 2664 seconds for #3<BR>
Jul 6 10:30:20 firewall pluto[11204]: | event added after event EVENT_SA_REPLACE for #1<BR>
Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x42b8a16c <0x5bfeed6b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<BR>
Jul 6 10:30:20 firewall pluto[11204]: | modecfg pull: noquirk policy:push not-client<BR>
Jul 6 10:30:20 firewall pluto[11204]: | phase 1 is done, looking for phase 2 to unpend<BR>
Jul 6 10:30:20 firewall pluto[11204]: | * processed 0 messages from cryptographic helpers<BR>
Jul 6 10:30:20 firewall pluto[11204]: | next event EVENT_PENDING_PHASE2 in 109 seconds<BR>
Jul 6 10:30:20 firewall pluto[11204]: | next event EVENT_PENDING_PHASE2 in 109 seconds<BR>
<BR>
My interface ipsec0 doesn't start and I can't connect to any service on the other network.<BR>
<BR>
Can somebody help me?<BR>
<BR>
<BR>
<BR>
<B><I>William Ferraz</I></B><BR>
<U><A HREF="mailto:gil.cesar@inmetrics.com.br">williamferraz@inmetrics.com.br</A></U><BR>
+55-11-3555-6825<BR>
+55-11-9493-3475<BR>
<U><A HREF="http://www.inmetrics.com.br/">http://www.inmetrics.com.br</A></U><BR>
Avenida Guido Caloi, 1000 - bloco 4 - 4 andar<BR>
Condomínio Panamérica Park<BR>
05802-140 – São Paulo – SP – Brasil<BR>
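Added example (not part of the original post): a small Python check that ties the posted "IPsec SA established" log line to the esp= setting and to the kernel xfrm SA database, which is where NETKEY installs the SAs since it creates no ipsec0 device. The ip xfrm state excerpt, addresses and keys are constructed placeholders, and the esp= to xfrm= name mapping is inferred from the posted log line (an assumption; only aesNNN with sha1/md5/sha2_256 is mapped).<BR>

```python
import re

# Constructed input: the pluto line quoted from the post above plus a constructed
# `ip xfrm state` excerpt (NETKEY keeps SAs in the kernel, not on an ipsec0 device).
PLUTO_LINE = ('Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: STATE_QUICK_I2: '
              'sent QI2, IPsec SA established tunnel mode {ESP=>0x42b8a16c '
              '<0x5bfeed6b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}')
XFRM_STATE = """src 200.0.0.234 dst 201.0.0.20
\tproto esp spi 0x42b8a16c reqid 16385 mode tunnel
\tauth hmac(sha1) 0xKEY_PLACEHOLDER
\tenc cbc(aes) 0xKEY_PLACEHOLDER
src 201.0.0.20 dst 200.0.0.234
\tproto esp spi 0x5bfeed6b reqid 16385 mode tunnel
\tauth hmac(sha1) 0xKEY_PLACEHOLDER
\tenc cbc(aes) 0xKEY_PLACEHOLDER
"""
ESTABLISHED_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): .*IPsec SA established (?P<mode>\w+) mode '
    r'\{ESP=>(?P<out_spi>0x[0-9a-f]+) <(?P<in_spi>0x[0-9a-f]+) xfrm=(?P<xfrm>[A-Z0-9_-]+)')
AUTH_NAMES = {"sha1": "HMAC_SHA1", "md5": "HMAC_MD5", "sha2_256": "HMAC_SHA2_256"}  # assumed

def parse_established(line):
    # Conn name, SA number, mode, both SPIs and the negotiated transform, or None.
    m = ESTABLISHED_RE.search(line)
    return m.groupdict() if m else None

def expected_xfrm(esp):
    # Map an ipsec.conf esp= value such as "aes128-sha1" to pluto's xfrm= spelling.
    enc, auth = esp.split("-", 1)
    m = re.fullmatch(r"aes(\d+)", enc)
    enc_name = f"AES_{m.group(1)}" if m else enc.upper()
    return f"{enc_name}-{AUTH_NAMES[auth]}"

def xfrm_spis(text):
    # ESP SPIs the kernel currently holds, taken from `ip xfrm state` output.
    return set(re.findall(r"proto esp spi (0x[0-9a-f]+)", text))

def check_tunnel(pluto_line, esp_setting, xfrm_text):
    # Cross-check log, config and kernel state; an empty list means all three agree.
    sa = parse_established(pluto_line)
    if sa is None:
        return ["no 'IPsec SA established' line found"]
    findings, want = [], expected_xfrm(esp_setting)
    if sa["xfrm"] != want:
        findings.append(f"{sa['conn']}: negotiated {sa['xfrm']}, esp= asks for {want}")
    present = xfrm_spis(xfrm_text)
    for direction in ("out_spi", "in_spi"):
        if sa[direction] not in present:
            findings.append(f"{sa['conn']}: SPI {sa[direction]} not in ip xfrm state")
    return findings
```

On the NETKEY host, the real input for the last argument is the output of ip xfrm state, and ip xfrm policy shows the matching leftsubnet/rightsubnet selectors.<BR>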
<BR>
</BODY>
</HTML>