<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12">
<TITLE>RE: [Openswan Users] Problems with Checkipoint</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>What is the specific problem you are having?<BR>
<BR>
>From the logfile, the tunnel is getting established.<BR>
<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd25bf62c <0<BR>
<BR>
Regards,<BR>
Randy<BR>
<BR>
-----Original Message-----<BR>
From: Ronaldo Santos (terra) [<A HREF="mailto:rosuport@terra.com.br">mailto:rosuport@terra.com.br</A>]<BR>
Sent: Wed 11/3/2010 1:01 PM<BR>
To: Randy Wyatt; users@openswan.org<BR>
Subject: Re: [Openswan Users] Problems with Checkipoint<BR>
<BR>
RE: [Openswan Users] Problems with CheckipointLog:<BR>
Nov 3 16:52:56 fwrj ipsec__plutorun: Starting Pluto subsystem...<BR>
Nov 3 16:52:56 fwrj pluto[16284]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:16284<BR>
Nov 3 16:52:56 fwrj pluto[16284]: SAref support [disabled]: Protocol not available<BR>
Nov 3 16:52:56 fwrj pluto[16284]: SAbind support [disabled]: Protocol not available<BR>
Nov 3 16:52:56 fwrj pluto[16284]: Setting NAT-Traversal port-4500 floating to on<BR>
Nov 3 16:52:56 fwrj pluto[16284]: port floating activation criteria nat_t=1/port_float=1<BR>
Nov 3 16:52:56 fwrj pluto[16284]: NAT-Traversal support [enabled]<BR>
Nov 3 16:52:56 fwrj pluto[16284]: using /dev/urandom as source of random entropy<BR>
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: starting up 1 cryptographic helpers<BR>
Nov 3 16:52:56 fwrj pluto[16289]: using /dev/urandom as source of random entropy<BR>
Nov 3 16:52:56 fwrj pluto[16284]: started helper pid=16289 (fd:7)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: Kernel interface auto-pick<BR>
Nov 3 16:52:56 fwrj pluto[16284]: No Kernel NETKEY interface detected<BR>
Nov 3 16:52:56 fwrj pluto[16284]: Using KLIPSng (mast) IPsec interface code on 2.6.27.7-smp<BR>
Nov 3 16:52:56 fwrj pluto[16284]: Changed path to directory '/etc/ipsec.d/cacerts'<BR>
Nov 3 16:52:56 fwrj pluto[16284]: Changed path to directory '/etc/ipsec.d/aacerts'<BR>
Nov 3 16:52:56 fwrj pluto[16284]: Changed path to directory '/etc/ipsec.d/ocspcerts'<BR>
Nov 3 16:52:56 fwrj pluto[16284]: Changing to directory '/etc/ipsec.d/crls'<BR>
Nov 3 16:52:56 fwrj pluto[16284]: Warning: empty directory<BR>
Nov 3 16:52:56 fwrj pluto[16284]: added connection description "site1"<BR>
Nov 3 16:52:56 fwrj pluto[16284]: listening for IKE messages<BR>
Nov 3 16:52:56 fwrj pluto[16284]: found mast0 device already present<BR>
Nov 3 16:52:56 fwrj pluto[16284]: device mast0 already in use<BR>
Nov 3 16:52:56 fwrj pluto[16284]: | useful mast device 0<BR>
Nov 3 16:52:56 fwrj pluto[16284]: NAT-Traversal: Trying new style NAT-T<BR>
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun0 192.168.254.100:500 (fd=12)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun0 192.168.254.100:4500 (fd=13)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun1 10.8.0.1:500 (fd=14)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun1 10.8.0.1:4500 (fd=15)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth0 192.168.0.187:500 (fd=16)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth0 192.168.0.187:4500 (fd=17)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth1 xxx.xxx.xxx.xxx:500 (fd=18)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth1 xxx.xxx.xxx.xxx:4500 (fd=19)<BR>
Nov 3 16:52:56 fwrj pluto[16284]: | useful mast device 0<BR>
Nov 3 16:52:56 fwrj pluto[16284]: | useful mast device 0<BR>
Nov 3 16:52:56 fwrj pluto[16284]: loading secrets from "/etc/ipsec.secrets"<BR>
Nov 3 16:52:56 fwrj pluto[16284]: | mast_shunt_eroute called<BR>
Nov 3 16:52:56 fwrj pluto[16284]: "site1" #1: initiating Main Mode<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: STATE_MAIN_I2: sent MI2, expecting MR2<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: STATE_MAIN_I3: sent MI3, expecting MR3<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: Main mode peer ID is ID_IPV4_ADDR: '200.185.113.68'<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_<BR>
3des_cbc_192 prf=oakley_sha group=modp1024}<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:d<BR>
9b63858 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: spddel-client output: /usr/local/lib/ipsec/_updown.mast: doroute `iptables -t<BR>
mangle -D NEW_IPSEC_CONN --src 10.138.66.0/255.255.255.0 --dst 10.97.64.0/255.255.255.0 -j MARK --set-mark 0x83090000' failed<BR>
(iptables: No chain/target/match by that name)<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: spddel-client command exited with status 1<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<BR>
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd25bf62c <0<BR>
<BR>
<BR>
<BR>
Thank<BR>
----- Original Message -----<BR>
From: Randy Wyatt<BR>
To: Ronaldo Santos (terra) ; users@openswan.org<BR>
Sent: Wednesday, November 03, 2010 5:39 PM<BR>
Subject: RE: [Openswan Users] Problems with Checkipoint<BR>
<BR>
<BR>
<BR>
<BR>
You need to post logfiles in order to receive help.<BR>
<BR>
On my systems, all messages are logged into /var/log/secure.<BR>
<BR>
Regards,<BR>
Randy<BR>
<BR>
-----Original Message-----<BR>
From: users-bounces@openswan.org on behalf of Ronaldo Santos (terra)<BR>
Sent: Wed 11/3/2010 11:50 AM<BR>
To: users@openswan.org<BR>
Subject: [Openswan Users] Problems with Checkipoint<BR>
<BR>
Good Aftrnoon,<BR>
<BR>
I'm having a problem to configure Openswan with Checkpoint FW-1 (Nokia IO290).<BR>
I think it is missing some parameters in my ipsec.conf.<BR>
Can someone help me?<BR>
<BR>
The subnet the openswan: 10.138.66.0/24<BR>
<BR>
ipsec.conf<BR>
<BR>
config setup<BR>
interfaces=%defaultroute<BR>
klipsdebug=all<BR>
plutodebug=all<BR>
uniqueids=yes<BR>
nat_traversal=yes<BR>
conn site1<BR>
keylife=1h<BR>
ikelifetime=24h<BR>
aggrmode=no<BR>
type=tunnel<BR>
left=yyy.yyy.yyy.yyy<BR>
leftsubnet=10.138.66.0/24<BR>
right=xxx.xxx.xxx.xxx<BR>
rightsubnet=10.97.64.0/24<BR>
keyexchange=ike<BR>
auth=esp<BR>
auto=start<BR>
authby=secret<BR>
ike=3des-sha1;modp1024<BR>
esp=3des-md5<BR>
pfs=no<BR>
<BR>
<BR>
<BR>
The subnet the checkpoint: 10.97.64.0/24<BR>
<BR>
<BR>
Praxair<BR>
<BR>
VPN gateway device<BR>
Nokia IP290<BR>
<BR>
VPN gateway Software<BR>
Checkpoint FW-1<BR>
<BR>
IP Address tunnel endpoint<BR>
xxx.xxx.xxx.xxx<BR>
<BR>
<BR>
Encryption Domain<BR>
tbd<BR>
<BR>
<BR>
<BR>
Phase 1<BR>
<BR>
<BR>
<BR>
Encryption schemes IKE<BR>
<BR>
<BR>
Key exchange Method<BR>
3DES<BR>
<BR>
<BR>
Data integrity<BR>
SHA1<BR>
<BR>
<BR>
Pre-Shared-Key<BR>
tbd<BR>
<BR>
<BR>
Diffie-Hellman Group<BR>
Group 2<BR>
<BR>
<BR>
IKE session key is changed.<BR>
86400 seconds<BR>
<BR>
<BR>
Support Aggressive Mode<BR>
NO<BR>
<BR>
<BR>
Support Keys exchange for Subnets<BR>
YES<BR>
<BR>
<BR>
<BR>
<BR>
Phase 2<BR>
<BR>
<BR>
<BR>
Encryption schemes IKE<BR>
<BR>
<BR>
DATA Integrity + Encr.<BR>
ESP<BR>
<BR>
<BR>
Encryption Algorithm<BR>
3DES<BR>
<BR>
<BR>
Data Integrity<BR>
MD5<BR>
<BR>
<BR>
Compression Method<BR>
No compression<BR>
<BR>
<BR>
Use Perfect Forward Secrecy<BR>
NO<BR>
<BR>
<BR>
IPSec session key is changed<BR>
3600 seconds<BR>
seconds<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
<BR>
Ronaldo.<BR>
<BR>
<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>