[Openswan Users] Openswan is requiring internal ip from Checkpoint Cluster
cassio.pereira at edinfor.com.br
Mon Oct 4 14:59:24 CEST 2004
Andreas,
thanks for your information. You were correct.
The first phase (IKE) is OK, but when one side tries to create an IPsec
tunnel, the following information shows up:
## Log Openswan ##
Oct 4 11:45:56 hidrogenio pluto[2989]: "checkpoint-freeswan" #1: ignoring
informational payload, type NO_PROPOSAL_CHOSEN
Oct 4 11:45:56 hidrogenio pluto[2989]: "checkpoint-freeswan" #1: ignoring
informational payload, type NO_PROPOSAL_CHOSEN
Oct 4 11:47:06 hidrogenio pluto[2989]: "checkpoint-freeswan" #3: max
number of retransmissions (2) reached STATE_QUICK_I1. No acceptable
response to our first Quick Mode message: perhaps peer likes no proposal
Oct 4 11:47:06 hidrogenio pluto[2989]: "net-checkpoint-net-freeswan" #2:
max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable
response to our first Quick Mode message: perhaps peer likes no proposal
## Log information Checkpoint ##
IKE: Quick Mode Sent Notification: no proposal chosen
I'm using 3DES + MD5. I already checked that our license on Checkpoint supports
3DES. It is OK.
Could you help me?
Thanks,
Regards,
Cassio David Pereira
Andreas Steffen <andreas.steffen at strongsec.net>
To: cassio.pereira at edinfor.com.br
cc: users at openswan.org
Subject: Re: [Openswan Users] Openswan is requiring internal ip from Checkpoint Cluster
04/10/2004 11:08
It might be that the VPN-1 license is locked onto the internal
interface. As a workaround just add the line
leftid=172.16.32.125
to ipsec.conf
and replace 200.x.x.3 in ipsec.secrets by the ID 172.16.32.125
if you have used the IP address there.
Regards
Andreas
cassio.pereira at edinfor.com.br wrote:
> Hi,
>
> I'm trying to establish a VPN tunnel between CheckPoint NG R55 and
> Openswan (our customer's side).
> The problem is that the first phase of the connection doesn't complete.
> In our Checkpoint environment we have a cluster with the following
> configuration:
> machine 1:
> - external interface eth1: 200.x.x.1
> - management interface eth2: 172.16.32.123
>
> machine 2:
> - external interface eth1: 200.x.x.2
> - management interface eth2: 172.16.32.124
>
> cluster:
> - external interface (virtual) eth1: 200.x.x.3
> - management interface (virtual) eth2: 172.16.32.125
>
> Both sides' configurations are done. For Openswan, we tried two
> configurations:
>
> conn checkpoint-freeswan
>         type=tunnel
>         # Left side is Check Point
>         left=200.x.x.3
>         # leftnexthop=
>         # Right side is FreeS/WAN
>         right=200.y.y.1
>         # rightnexthop=
>         keyexchange=ike
>         auth=esp
>         pfs=no
>         auto=start
>         authby=secret
>
> conn net-checkpoint-net-freeswan
>         type=tunnel
>         left=200.x.x.3
>         # leftnexthop=
>         leftsubnet=10.2.0.0/24
>         right=200.y.y.1
>         # rightnexthop=
>         rightsubnet=172.28.0.0/22
>         keyexchange=ike
>         auth=esp
>         pfs=no
>         auto=start
>         authby=secret
>
> or
>
> conn checkpoint-freeswan
>         type=tunnel
>         # Left side is Check Point
>         left=200.x.x.3
>         leftnexthop=200.x.x.10
>         leftsubnet=10.2.0.0/24
>         # leftnexthop=
>         # Right side is FreeS/WAN
>         right=200.y.y.1
>         rightnexthop=200.y.y.2
>         rightsubnet=172.28.0.0/22
>         keyexchange=ike
>         auth=esp
>         pfs=no
>         auto=start
>         authby=secret
>
> conn net-checkpoint-net-freeswan
>         type=tunnel
>         left=200.x.x.3
>         leftnexthop=200.x.x.10
>         leftsubnet=10.2.0.0/24
>         right=200.y.y.1
>         rightnexthop=200.y.y.2
>         rightsubnet=172.28.0.0/22
>         keyexchange=ike
>         auth=esp
>         pfs=no
>         auto=start
>         authby=secret
>
> But the logs are showing the following:
>
> Oct 1 15:10:02 hidrogenio pluto[14651]: Starting Pluto (Openswan Version
> 2.1.4 X.509-1.4.8-1 PLUTO_USES_KEYRR)
> Oct 1 15:10:02 hidrogenio pluto[14651]: including NAT-Traversal patch
> (Version 0.6c)
> Oct 1 15:10:02 hidrogenio pluto[14651]: Using Linux 2.6 IPsec interface
> code
> Oct 1 15:10:03 hidrogenio pluto[14651]: Changing to directory
> '/etc/ipsec.d/cacerts'
> Oct 1 15:10:03 hidrogenio pluto[14651]: loaded cacert file 'cacert.pem'
> (1395 bytes)
> Oct 1 15:10:03 hidrogenio pluto[14651]: Changing to directory
> '/etc/ipsec.d/crls'
> Oct 1 15:10:03 hidrogenio pluto[14651]: loaded crl file 'crl.pem' (552
> bytes)
> Oct 1 15:10:03 hidrogenio pluto[14651]: loaded host cert file
> '/etc/ipsec.d/certs/hidrogenio.pem' (3823 bytes)
> Oct 1 15:10:03 hidrogenio pluto[14651]: added connection description
> "roadwarrior"
> Oct 1 15:10:03 hidrogenio pluto[14651]: loaded host cert file
> '/etc/ipsec.d/certs/hidrogenio.pem' (3823 bytes)
> Oct 1 15:10:03 hidrogenio pluto[14651]: added connection description
> "roadwarrior-net"
> Oct 1 15:10:03 hidrogenio pluto[14651]: added connection description
> "checkpoint-freeswan"
> Oct 1 15:10:03 hidrogenio pluto[14651]: added connection description
> "net-checkpoint-net-freeswan"
> Oct 1 15:10:03 hidrogenio pluto[14651]: listening for IKE messages
> Oct 1 15:10:03 hidrogenio pluto[14651]: adding interface eth2/eth2
> 10.1.1.254
> Oct 1 15:10:03 hidrogenio pluto[14651]: adding interface eth2/eth2
> 10.1.1.254:4500
> Oct 1 15:10:03 hidrogenio pluto[14651]: adding interface eth1/eth1
> 200.y.y.1
> Oct 1 15:10:03 hidrogenio pluto[14651]: adding interface eth1/eth1
> 200.y.y.1:4500
> Oct 1 15:10:03 hidrogenio pluto[14651]: adding interface eth0/eth0
> 172.28.1.2
> Oct 1 15:10:03 hidrogenio pluto[14651]: adding interface eth0/eth0
> 172.28.1.2:4500
> Oct 1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo 127.0.0.1
> Oct 1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo
> 127.0.0.1:4500
> Oct 1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo ::1
> Oct 1 15:10:03 hidrogenio pluto[14651]: adding interface lo/lo ::1:4500
> Oct 1 15:10:03 hidrogenio pluto[14651]: loading secrets from
> "/etc/ipsec.secrets"
> Oct 1 15:10:03 hidrogenio pluto[14651]: loaded private key file
> '/etc/ipsec.d/private/hidrogenio.key' (1704 bytes)
> Oct 1 15:10:03 hidrogenio pluto[14651]: "checkpoint-freeswan":
> route-client output: /usr/lib/ipsec/_updown: doroute `ip route add
> 10.2.0.0/24 via 200.x.x.3 dev eth1 ' failed (RTNETLINK answers: Network
> is
> unreachable)
> Oct 1 15:10:03 hidrogenio pluto[14651]: "net-checkpoint-net-freeswan":
> cannot install eroute -- it is in use for "checkpoint-freeswan" #0
> Oct 1 15:10:03 hidrogenio pluto[14651]: "checkpoint-freeswan" #1:
> initiating Main Mode
> Oct 1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1:
> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Oct 1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1:
> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Oct 1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer
> ID
> is ID_IPV4_ADDR: '172.16.32.125'
> Oct 1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we
> require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
> Oct 1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer
> ID
> is ID_IPV4_ADDR: '172.16.32.125'
> Oct 1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we
> require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
> Oct 1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer
> ID
> is ID_IPV4_ADDR: '172.16.32.125'
> Oct 1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we
> require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
> Oct 1 15:11:14 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: max
> number of retransmissions (2) reached STATE_MAIN_I3. Possible
> authentication failure: no acceptable response to our first encrypted
> message
>
> I don't know why Openswan is requiring the internal IP of the Check Point
> cluster object when it is expecting the external IP.
>
> I'm using the following link to help me:
>
> http://www.fw-1.de/aerasec/ng/vpn-freeswan/CP-FW1-NG+Linux-FreeSWAN-Gateway.html
>
> Could anyone help me?
>
> Regards,
>
> Cassio David Pereira
=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
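The thread shows two distinct failures in the pluto log: a Phase 1 peer-ID mismatch (the Check Point cluster declares its internal address 172.16.32.125 while the conn expects the external 200.x.x.3, which Andreas's leftid workaround addresses) and, once Phase 1 passes, a Phase 2 NO_PROPOSAL_CHOSEN in Quick Mode. The script below is an added example, not code from the thread or from Openswan; it triages pluto log lines into per-connection findings so a defender can tell which phase failed and why before touching ipsec.conf. It assumes only the message formats quoted in the thread, and the sample log is constructed from both posts' output merged into one input.

```python
"""Triage pluto (Openswan/FreeS/WAN) log lines for Phase 1 ID mismatches,
Phase 2 proposal rejections and retransmission timeouts.
Added example; the regexes match only the message formats quoted in the thread."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample, modelled on the pluto lines quoted in the thread (not taken
# from a live system; "200.x.x.3" is the thread's own redacted address).
SAMPLE_LOG = """\
Oct 1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: Peer ID is ID_IPV4_ADDR: '172.16.32.125'
Oct 1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
Oct 1 15:10:04 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: we require peer to have ID '200.x.x.3', but peer declares '172.16.32.125'
Oct 1 15:11:14 hidrogenio pluto[14651]: "checkpoint-freeswan" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Oct 4 11:45:56 hidrogenio pluto[2989]: "checkpoint-freeswan" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Oct 4 11:47:06 hidrogenio pluto[2989]: "net-checkpoint-net-freeswan" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Every pluto message of interest is prefixed by the conn name and the SA number.
CONN = r'"(?P<conn>[^"]+)" #(?P<sa>\d+): '
ID_MISMATCH = re.compile(CONN + r"we require peer to have ID '(?P<expected>[^']+)', "
                         r"but peer declares '(?P<declared>[^']+)'")
NO_PROPOSAL = re.compile(CONN + r"ignoring informational payload, type NO_PROPOSAL_CHOSEN")
RETRANSMIT = re.compile(CONN + r"max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)")


@dataclass(frozen=True)
class Finding:
    conn: str
    phase: int        # 1 = ISAKMP SA (Main/Aggressive Mode), 2 = IPsec SA (Quick Mode)
    kind: str         # "peer-id-mismatch", "no-proposal-chosen" or "timeout"
    detail: str
    suggestion: str


def phase_of_state(state: str) -> int:
    """Map a pluto state name to the IKE phase it belongs to."""
    return 1 if state.startswith(("STATE_MAIN_", "STATE_AGGR_")) else 2


def diagnose(log_text: str) -> List[Finding]:
    """Return one Finding per distinct problem; pluto repeats a complaint on every retry."""
    findings: List[Finding] = []
    seen: Set[Tuple[str, str, str]] = set()

    def add(f: Finding) -> None:
        key = (f.kind, f.conn, f.detail)
        if key not in seen:
            seen.add(key)
            findings.append(f)

    for line in log_text.splitlines():
        m = ID_MISMATCH.search(line)
        if m:
            add(Finding(m.group("conn"), 1, "peer-id-mismatch",
                        f"expected ID {m.group('expected')}, peer declared {m.group('declared')}",
                        f"set the peer-side id (leftid in the thread's conn) to {m.group('declared')} "
                        "and use that ID in ipsec.secrets if the PSK is keyed by address"))
            continue
        m = NO_PROPOSAL.search(line)
        if m:
            add(Finding(m.group("conn"), 2, "no-proposal-chosen",
                        "peer rejected our Quick Mode proposal (NO_PROPOSAL_CHOSEN)",
                        "compare ESP transforms, PFS setting and subnet selectors on both sides"))
            continue
        m = RETRANSMIT.search(line)
        if m:
            phase = phase_of_state(m.group("state"))
            add(Finding(m.group("conn"), phase, "timeout",
                        f"gave up waiting in {m.group('state')}",
                        f"phase {phase} never completed; look for an earlier cause line on the same conn"))
    return findings


def failed_phase(findings: List[Finding], conn: str) -> int:
    """Earliest phase with a finding for `conn`, or 0 if that conn has none."""
    phases = [f.phase for f in findings if f.conn == conn]
    return min(phases) if phases else 0


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f.conn}: phase {f.phase} {f.kind}: {f.detail}\n    -> {f.suggestion}")
```

Run against the constructed sample it reports the ID mismatch once (the three repeats collapse), the Main Mode timeout that follows it, the Quick Mode rejection, and the Quick Mode timeout on the net-to-net conn, so `failed_phase` says Phase 1 for checkpoint-freeswan and Phase 2 for net-checkpoint-net-freeswan. On a live box, feed it `grep pluto /var/log/secure` (or wherever syslog puts pluto) instead of SAMPLE_LOG.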