[Openswan Users] Openswan is requiring internal IP from Checkpoint Cluster

Andreas Steffen andreas.steffen at strongsec.net
Mon Oct 4 17:08:07 CEST 2004


It might be that the VPN-1 license is locked onto the internal
interface. As a workaround just add the line

   leftid=172.16.32.125

to ipsec.conf

and replace 200.x.x.3 in ipsec.secrets by the ID 172.16.32.125
if you have used the IP address there.

Regards

Andreas

cassio.pereira at edinfor.com.br wrote:

> Hi,
> 
> I'm trying to establish a VPN tunnel between CheckPoint NG R55 and Openswan
> (which is our customer's).
> The problem is that the first phase of the connection doesn't complete.
> In our Checkpoint environment we have a cluster with the following
> configurations:
> machine 1:
> - external interface eth1: 200.x.x.1
> - management interface: eth2: 172.16.32.123
> 
> machine 2:
> - external interface eth1: 200.x.x.2
> - management interface: eth2: 172.16.32.124
> 
> cluster:
> - external interface (virtual) eth1: 200.x.x.3
> - management interface (virtual): eth2: 172.16.32.125
> 
> The two sides' configurations are done. For Openswan, we tried two
> configurations:
> 
> conn checkpoint-freeswan
>         type=tunnel
>         # Left side is Check Point
>         left=200.x.x.3
>         # leftnexthop=
>         # Right side is FreeS/WAN
>         right=200.y.y.1
>         # rightnexthop=
>         keyexchange=ike
>         auth=esp
>         pfs=no
>         auto=start
>         authby=secret
> 
> conn net-checkpoint-net-freeswan
>         type=tunnel
>         left=200.x.x.3
>         # leftnexthop=
>         leftsubnet=10.2.0.0/24
>         right=200.y.y.1
>         # rightnexthop=
>         rightsubnet=172.28.0.0/22
>         keyexchange=ike
>         auth=esp
>         pfs=no
>         auto=start
>         authby=secret
> 
> or
> 
> conn checkpoint-freeswan
>         type=tunnel
>         # Left side is Check Point
>         left=200.x.x.3
>         leftnexthop=200.x.x.10
>         leftsubnet=10.2.0.0/24
>         # leftnexthop=
>         # Right side is FreeS/WAN
>         right=200.y.y.1
>         rightnexthop=200.y.y.2
>         rightsubnet=172.28.0.0/22
>         keyexchange=ike
>         auth=esp
>         pfs=no
>         auto=start
>         authby=secret
> 
> conn net-checkpoint-net-freeswan
>         type=tunnel
>         left=200.x.x.3
>         leftnexthop=200.x.x.10
>         leftsubnet=10.2.0.0/24
>         right=200.y.y.1
>         rightnexthop=200.y.y.2
>         rightsubnet=172.28.0.0/22
>         keyexchange=ike
>         auth=esp
>         pfs=no
>         auto=start
>         authby=secret
> 
> But the logs are showing the following:
> 
> Oct  1 15:10:02 hidrogenio pluto[14651]: Starting Pluto (Openswan Version
> 2.1.4 X.509-1.4.8-1 PLUTO_USES_KEYRR)
> Oct  1 15:10:02 hidrogenio pluto[14651]: including NAT-Traversal patch
> (Version 0.6c)
> Oct  1 15:10:02 hidrogenio pluto[14651]: Using Linux 2.6 IPsec interface
> code
> Oct  1 15:10:03 hidrogenio pluto[14651]: Changing to directory
> '/etc/ipsec.d/cacerts'
> Oct  1 15:10:03 hidrogenio pluto[14651]: loaded cacert file 'cacert.pem'
> (1395 bytes)
> Oct  1 15:10:03 hidrogenio pluto[14651]: Changing to directory
> '/etc/ipsec.d/crls'
> Oct  1 15:10:03 hidrogenio pluto[14651]: loaded crl file 'crl.pem' (552
> bytes)
> Oct  1 15:10:03 hidrogenio pluto[14651]: loaded host cert file
> '/etc/ipsec.d/certs/hidrogenio.pem' (3823 bytes)
> Oct  1 15:10:03 hidrogenio pluto[14651]: added connection description
> "roadwarrior"
> Oct  1 15:10:03 hidrogenio pluto[14651]: loaded host cert file
> '/etc/ipsec.d/certs/hidrogenio.pem' (3823 bytes)
> Oct  1 15:10:03 hidrogenio pluto[14651]: added connection description
> "roadwarrior-net"
> Oct  1 15:10:03 hidrogenio pluto[14651]: added connection description
> "checkpoint-freeswan"
> Oct  1 15:10:03 hidrogenio pluto[14651]: added connection description
> "net-checkpoint-net-freeswan"
> Oct  1 15:10:03 hidrogenio pluto[14651]: listening for IKE messages
> Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth2/eth2
> 10.1.1.254
> Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth2/eth2
> 10.1.1.254:4500
> Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth1/eth1
> 200.y.y.1
> Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth1/eth1
> 200.y.y.1:4500
> Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth0/eth0
> 172.28.1.2
> Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface eth0/eth0
> 172.28.1.2:4500
> Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo 127.0.0.1
> Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo
> 127.0.0.1:4500
> Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo ::1
> Oct  1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo ::1:4500
> Oct  1 15:10:03 hidrogenio pluto[14651]: loading secrets from
> "/etc/ipsec.secrets"
> Oct  1 15:10:03 hidrogenio pluto[14651]: loaded private key file
> '/etc/ipsec.d/private/hidrogenio.key' (1704 bytes)
> Oct  1 15:10:03 hidrogenio pluto[14651]: "checkpoint-freeswan":
> route-client output: /usr/lib/ipsec/_updown: doroute `ip route add
> 10.2.0.0/24 via 200.x.x.3 dev eth1 ' failed (RTNETLINK answers: Network is
> unreachable)
> Oct  1 15:10:03 hidrogenio pluto[14651]: "net-checkpoint-net-freeswan":
> cannot install eroute -- it is in use for "checkpoint-freeswan" #0
> Oct  1 15:10:03 hidrogenio pluto[14651]: "checkpoint-freeswan" #1:
> initiating Main Mode
> Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1:
> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1:
> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer ID
> is ID_IPV4_ADDR: '172.16.32.125'
> Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we
> require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
> Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer ID
> is ID_IPV4_ADDR: '172.16.32.125'
> Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we
> require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
> Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer ID
> is ID_IPV4_ADDR: '172.16.32.125'
> Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we
> require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
> Oct  1 15:11:14 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: max
> number of retransmissions (2) reached STATE_MAIN_I3. Possible
> authentication failure: no acceptable response to our first encrypted
> message
> 
> I don't know why Openswan is requiring the internal IP of the Checkpoint
> cluster object when it is waiting for the external IP.
> 
> I'm using the following link to help me:
> http://www.fw-1.de/aerasec/ng/vpn-freeswan/CP-FW1-NG+Linux-FreeSWAN-Gateway.html
> 
> Could anyone help me?
> 
> Regards,
> 
> Cassio David Pereira

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
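The failure in the quoted log is an IKE Main Mode identity mismatch: without a `leftid=`, pluto expects the peer's ID payload to equal the address in `left=` (200.x.x.3), but the Check Point cluster identifies itself with its internal virtual address (172.16.32.125), so pluto refuses to proceed and the retransmissions of the third Main Mode exchange time out. The script below is an added example, not code from the post or from Openswan: it picks the "we require peer to have ID ... but peer declares ..." lines out of constructed pluto output modelled on the post, works out which side of the conn the expected ID belongs to, generates the `leftid=` line Andreas suggests directly under the matching `left=` line, and checks that an ipsec.secrets PSK line is indexed by the declared ID rather than the external address. The conn block, log lines and secrets line are constructed sample input; `SAMPLE_LOG`, `SAMPLE_CONN` and the function names are this example's own.

```python
"""Diagnose pluto's Main Mode peer-ID mismatch and derive the leftid= fix.
Added example for the mailing-list thread; not Openswan's own code."""
import re

# Constructed sample: pluto log lines in the shape of the ones quoted in the post.
SAMPLE_LOG = """\
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer ID is ID_IPV4_ADDR: '172.16.32.125'
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
Oct  1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
Oct  1 15:11:14 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# Constructed sample: the poster's first conn block, with keys indented as ipsec.conf requires.
SAMPLE_CONN = """\
conn checkpoint-freeswan
        type=tunnel
        left=200.x.x.3
        leftsubnet=10.2.0.0/24
        right=200.y.y.1
        rightsubnet=172.28.0.0/22
        keyexchange=ike
        auth=esp
        pfs=no
        auto=start
        authby=secret
"""

MISMATCH_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: we require peer to have ID '
    r"'(?P<required>[^']+)', but peer declares '(?P<declared>[^']+)'"
)


def find_id_mismatches(log_text):
    """Return one dict per distinct (conn, required, declared) mismatch in pluto output."""
    seen = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m and m.groupdict() not in seen:
            seen.append(m.groupdict())
    return seen


def parse_conn(conn_text):
    """Minimal ipsec.conf conn parser: returns (name, {key: value}); comments skipped."""
    lines = conn_text.strip().splitlines()
    name = lines[0].split(None, 1)[1]
    settings = {}
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return name, settings


def peer_side(settings, required_id):
    """The side (left/right) whose address pluto used as the expected peer ID."""
    for side in ("left", "right"):
        if settings.get(side) == required_id:
            return side
    raise ValueError(f"no side of the conn has address {required_id}")


def patch_conn(conn_text, mismatch):
    """Insert <side>id=<declared ID> right after the <side>= line, reusing its indentation."""
    _, settings = parse_conn(conn_text)
    side = peer_side(settings, mismatch["required"])
    out = []
    for line in conn_text.splitlines():
        out.append(line)
        if line.strip().startswith(side + "="):
            indent = line[: len(line) - len(line.lstrip())]
            out.append(f"{indent}{side}id={mismatch['declared']}")
    return "\n".join(out) + "\n"


def secrets_index_ok(secrets_text, local_id, peer_id):
    """True if some PSK line in ipsec.secrets is indexed by both IDs,
    e.g. '200.y.y.1 172.16.32.125 : PSK "..."'. Only the index is checked, never the key."""
    for line in secrets_text.splitlines():
        index, sep, rest = line.partition(":")
        if not sep or not rest.lstrip().startswith("PSK"):
            continue
        ids = index.split()
        if local_id in ids and peer_id in ids:
            return True
    return False


if __name__ == "__main__":
    for mm in find_id_mismatches(SAMPLE_LOG):
        print(f"{mm['conn']}: expected {mm['required']}, peer declared {mm['declared']}")
        print(patch_conn(SAMPLE_CONN, mm))
```

Run against real output, feed it the pluto lines from syslog and the conn block from ipsec.conf; the only change it proposes is the `leftid=` override, so the `left=` address used for routing and the IKE peer address stay as they were, which is exactly what the workaround in the reply relies on.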