[Openswan Users] Openswan is requiring internal IP from Checkpoint Cluster

cassio.pereira at edinfor.com.br
Mon Oct 4 11:53:04 CEST 2004


Hi,

I'm trying to establish a VPN tunnel between Check Point NG R55 and Openswan
(the Openswan side is our customer).
The problem is that the first phase of the connection doesn't complete.
In our Checkpoint environment we have a cluster with the following
configurations:
machine 1:
- external interface eth1: 200.x.x.1
- management interface eth2: 172.16.32.123

machine 2:
- external interface eth1: 200.x.x.2
- management interface eth2: 172.16.32.124

cluster:
- external interface (virtual) eth1: 200.x.x.3
- management interface (virtual) eth2: 172.16.32.125

Both sides' configurations are done. On the Openswan side we tried two
configurations:

conn checkpoint-freeswan
        type=tunnel
        # Left side is Check Point
        left=200.x.x.3
        # leftnexthop=
        # Right side is FreeS/WAN
        right=200.y.y.1
        # rightnexthop=
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
        authby=secret

conn net-checkpoint-net-freeswan
        type=tunnel
        left=200.x.x.3
        # leftnexthop=
        leftsubnet=10.2.0.0/24
        right=200.y.y.1
        # rightnexthop=
        rightsubnet=172.28.0.0/22
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
        authby=secret

or

conn checkpoint-freeswan
        type=tunnel
        # Left side is Check Point
        left=200.x.x.3
        leftnexthop=200.x.x.10
        leftsubnet=10.2.0.0/24
        # leftnexthop=
        # Right side is FreeS/WAN
        right=200.y.y.1
        rightnexthop=200.y.y.2
        rightsubnet=172.28.0.0/22
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
        authby=secret

conn net-checkpoint-net-freeswan
        type=tunnel
        left=200.x.x.3
        leftnexthop=200.x.x.10
        leftsubnet=10.2.0.0/24
        right=200.y.y.1
        rightnexthop=200.y.y.2
        rightsubnet=172.28.0.0/22
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
        authby=secret

But the logs are showing the following:

Oct  1 15:10:02 hidrogenio pluto[14651]: Starting Pluto (Openswan Version 2.1.4 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Oct  1 15:10:02 hidrogenio pluto[14651]: including NAT-Traversal patch (Version 0.6c)
Oct  1 15:10:02 hidrogenio pluto[14651]: Using Linux 2.6 IPsec interface code
Oct  1 15:10:03 hidrogenio pluto[14651]: Changing to directory '/etc/ipsec.d/cacerts'
Oct  1 15:10:03 hidrogenio pluto[14651]: loaded cacert file 'cacert.pem' (1395 bytes)
Oct  1 15:10:03 hidrogenio pluto[14651]: Changing to directory '/etc/ipsec.d/crls'
Oct  1 15:10:03 hidrogenio pluto[14651]: loaded crl file 'crl.pem' (552 bytes)
Oct  1 15:10:03 hidrogenio pluto[14651]: loaded host cert file '/etc/ipsec.d/certs/hidrogenio.pem' (3823 bytes)
Oct  1 15:10:03 hidrogenio pluto[14651]: added connection description "roadwarrior"
Oct  1 15:10:03 hidrogenio pluto[14651]: loaded host cert file '/etc/ipsec.d/certs/hidrogenio.pem' (3823 bytes)
Oct  1 15:10:03 hidrogenio pluto[14651]: added connection description "roadwarrior-net"
Oct  1 15:10:03 hidrogenio pluto[14651]: added connection description "checkpoint-freeswan"
Oct  1 15:10:03 hidrogenio pluto[14651]: added connection description "net-checkpoint-net-freeswan"
Oct  1 15:10:03 hidrogenio pluto[14651]: listening for IKE messages
Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth2/eth2 10.1.1.254
Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth2/eth2 10.1.1.254:4500
Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth1/eth1 200.y.y.1
Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth1/eth1 200.y.y.1:4500
Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth0/eth0 172.28.1.2
Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth0/eth0 172.28.1.2:4500
Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo 127.0.0.1
Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo 127.0.0.1:4500
Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo ::1
Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo ::1:4500
Oct  1 15:10:03 hidrogenio pluto[14651]: loading secrets from "/etc/ipsec.secrets"
Oct  1 15:10:03 hidrogenio pluto[14651]: loaded private key file '/etc/ipsec.d/private/hidrogenio.key' (1704 bytes)
Oct  1 15:10:03 hidrogenio pluto[14651]: "checkpoint-freeswan": route-client output: /usr/lib/ipsec/_updown: doroute `ip route add 10.2.0.0/24 via 200.x.x.3 dev eth1 ' failed (RTNETLINK answers: Network is unreachable)
Oct  1 15:10:03 hidrogenio pluto[14651]: "net-checkpoint-net-freeswan": cannot install eroute -- it is in use for "checkpoint-freeswan" #0
Oct  1 15:10:03 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: initiating Main Mode
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer ID is ID_IPV4_ADDR: '172.16.32.125'
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer ID is ID_IPV4_ADDR: '172.16.32.125'
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer ID is ID_IPV4_ADDR: '172.16.32.125'
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
Oct  1 15:11:14 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

I don't know why Openswan is requiring the internal IP of the Check Point
cluster object when it is waiting for the external IP.

I'm using the following link to help me:
http://www.fw-1.de/aerasec/ng/vpn-freeswan/CP-FW1-NG+Linux-FreeSWAN-Gateway.html

Could anyone help me?

Regards,

Cassio David Pereira
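Editor's note: the log above already contains the answer to the question, and pulling it out by hand from a mail-wrapped pluto log is error-prone. The script below is an added example (not from the original post and not Openswan code): it rejoins the wrapped syslog lines, parses pluto's per-connection messages and reports the three findings a practitioner would act on: the IKE Phase 1 ID mismatch (the peer identifies itself with its management VIP 172.16.32.125, while Openswan, lacking a leftid=, expects the left= address 200.x.x.3), the failed "ip route add ... via <peer>" from _updown (no *nexthop set, and the peer is not on-link), and the eroute conflict between the two conns that claim the same traffic selectors. It assumes Python 3.8+; the sample lines are constructed after the log in the post, and the regexes encode my reading of pluto 2.x message formats and of Openswan's leftid=/rightid= matching rather than anything the post states.

```python
"""Triage an Openswan/pluto IKEv1 Main Mode failure from a (mail-wrapped) syslog excerpt.

Added example; not part of the original post and not Openswan's own code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# pluto writes syslog lines as "Mon DD HH:MM:SS host pluto[pid]: message".
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: (?P<msg>.*)$")
# Connection-scoped messages look like  "conn" #N: text   (or "conn": text before a state exists).
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"(?: #\d+)?: (?P<text>.*)$')
TRANSITION_RE = re.compile(r"transition from state (STATE_\w+) to state (STATE_\w+)")
RETRANS_RE = re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")
ID_MISMATCH_RE = re.compile(r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")
ROUTE_FAIL_RE = re.compile(r"doroute `ip route add (\S+) via (\S+) dev (\S+) ' failed \((.*)\)")
EROUTE_RE = re.compile(r'cannot install eroute -- it is in use for "([^"]+)"')

# Constructed sample, modelled on the log in the post, wrapped the way the mail client wrapped it.
SAMPLE_LOG = """\
Oct  1 15:10:03 hidrogenio pluto[14651]: "checkpoint-freeswan": route-client output: /usr/lib/ipsec/_updown: doroute `ip route add
10.2.0.0/24 via 200.x.x.3 dev eth1 ' failed (RTNETLINK answers: Network is
unreachable)
Oct  1 15:10:03 hidrogenio pluto[14651]: "net-checkpoint-net-freeswan": cannot install eroute -- it is in use for "checkpoint-freeswan" #0
Oct  1 15:10:03 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: initiating Main Mode
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer ID
is ID_IPV4_ADDR: '172.16.32.125'
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we
require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
Oct  1 15:11:14 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: max
number of retransmissions (2) reached STATE_MAIN_I3. Possible
authentication failure: no acceptable response to our first encrypted
message
"""


@dataclass
class PlutoEvent:
    ts: str
    conn: Optional[str]   # None for daemon-level messages (interfaces, certs, ...)
    text: str


@dataclass
class Diagnosis:
    last_state: Optional[str] = None                      # last IKE state reached
    id_mismatch: Optional[Tuple[str, str]] = None         # (expected ID, ID the peer sent)
    route_failures: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (net, via, dev, error)
    eroute_conflicts: List[str] = field(default_factory=list)                      # conns owning our selectors
    retransmit_state: Optional[str] = None                # state in which retransmits were exhausted


def rejoin_wrapped(text: str) -> str:
    """Undo mail-client wrapping: a line that does not start with a syslog stamp continues the previous one."""
    out: List[str] = []
    for line in text.splitlines():
        if SYSLOG_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] = out[-1] + " " + line.strip()
    return "\n".join(out) + "\n"


def parse_pluto(text: str) -> List[PlutoEvent]:
    """Split a syslog excerpt into events, attributing each to its conn where pluto names one."""
    events: List[PlutoEvent] = []
    for line in rejoin_wrapped(text).splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        c = CONN_RE.match(m["msg"])
        events.append(PlutoEvent(m["ts"], c["conn"], c["text"]) if c else PlutoEvent(m["ts"], None, m["msg"]))
    return events


def diagnose(events: List[PlutoEvent]) -> Dict[str, Diagnosis]:
    """Collect, per conn, the facts that explain a stalled Phase 1 or a broken route/eroute install."""
    diags: Dict[str, Diagnosis] = {}
    for ev in events:
        if ev.conn is None:
            continue
        d = diags.setdefault(ev.conn, Diagnosis())
        if (m := TRANSITION_RE.search(ev.text)):
            d.last_state = m.group(2)
        elif (m := ID_MISMATCH_RE.search(ev.text)):
            d.id_mismatch = (m.group(1), m.group(2))
        elif (m := ROUTE_FAIL_RE.search(ev.text)):
            d.route_failures.append(m.groups())
        elif (m := EROUTE_RE.search(ev.text)):
            d.eroute_conflicts.append(m.group(1))
        elif (m := RETRANS_RE.search(ev.text)):
            d.retransmit_state = m.group(1)
    return diags


def report(diags: Dict[str, Diagnosis]) -> List[str]:
    """One actionable line per finding."""
    out: List[str] = []
    for conn, d in diags.items():
        if d.id_mismatch:
            expected, declared = d.id_mismatch
            # Openswan checks the peer's IKE ID against leftid=/rightid=, which default to the
            # peer's IP address; a gateway that identifies itself by another address (here the
            # cluster's management VIP) is rejected in STATE_MAIN_I3 even when the PSK is right.
            out.append(f"{conn}: Phase 1 stopped at {d.last_state}: peer sends ID {declared}, we expect "
                       f"{expected}; set leftid={declared} on the Check Point side of the conn, or make "
                       f"the peer send {expected}")
        for net, via, dev, err in d.route_failures:
            # Without leftnexthop/rightnexthop, _updown routes the remote subnet "via" the peer
            # itself, which the kernel refuses when the peer is not on-link.
            out.append(f"{conn}: 'ip route add {net} via {via} dev {dev}' failed ({err}); {via} is not "
                       f"on-link, set this host's leftnexthop/rightnexthop to its real gateway")
        for other in d.eroute_conflicts:
            out.append(f"{conn}: its traffic selectors are already owned by conn {other}; only one conn "
                       f"may carry a given subnet pair")
    return out


if __name__ == "__main__":
    for line in report(diagnose(parse_pluto(SAMPLE_LOG))):
        print(line)
```

Feed it the raw mail body (`python3 triage.py < message.txt` after swapping SAMPLE_LOG for `sys.stdin.read()`) and it prints the three findings; on a log where Phase 1 completes it prints nothing for the ID check, which is the quickest way to confirm a leftid= change took effect. The regexes are deliberately anchored on the exact strings pluto 2.x emits, so an unrelated daemon message cannot be misread as a finding.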
