[Openswan Users] VPN-1 Edge X to Openswan success (AES)

Martin Schwartz Martin.Schwartz at ieee.org
Sun Dec 11 19:40:43 CET 2005


Hi folks, 
just wanted to let you know that the small VPN-1 Edge X boxes offered by
Checkpoint support VPNs with Openswan quite well. I just managed to get the
following configuration running:

Left: Suse Linux 9.3 Server with openswan-2.3.0-1suse9x (Example IP 1.2.3.4,
no network or NAT, name "hostname.com")
Right: Private NATed network 192.168.0.0/24 with VPN-1 Edge X (X32),
Embedded NG Version 5.0.94x (Example IP 5.6.7.8)
VPN: AES256-SHA1, DH group 5.

1. Openswan config (only added the two conns to /etc/ipsec.conf, all other
stuff left default):

conn local-net
        authby=secret
        type=tunnel
        auth=esp
        esp=aes256-sha1
        keyexchange=ike
        ike=aes256-sha-modp1536
        keylife=28800s
        ikelifetime=3600s
        left=1.2.3.4
        right=5.6.7.8
        rightsubnet=192.168.0.0/24
        pfs=yes
        auto=start

conn local-fw
        authby=secret
        type=tunnel
        auth=esp
        esp=aes256-sha1
        keyexchange=ike
        ike=aes256-sha-modp1536
        keylife=28800s
        ikelifetime=3600s
        left=1.2.3.4
        right=5.6.7.8
        rightsubnet=5.6.7.8/32
        pfs=yes
        auto=start

Note that you need at least TWO connection entries if you plan a VPN
net--host (i.e. one conn for net--host and a separate one for host--host),
and FOUR if it's a net--net VPN (which would be needed for host--net,
net--net, net--host, and host--host communication - EVEN if you don't
actually make use of this!). Don't forget to add a proper secret to
ipsec.secrets:

1.2.3.4 5.6.7.8: PSK "secret!"
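As an added example (not part of Martin's post or of Openswan itself), a small Python helper that emits the full conn set the rule above calls for: one conn per host/net combination on each side, so two for net--host and four for net--net, using the same AES256/SHA1, DH group 5 and lifetime settings as the post. The conn name prefix and the leftsubnet parameter are assumptions for the sake of the example.

```python
"""Generate every Openswan conn block a net--host or net--net tunnel needs.

Rule from the post: each host/net combination on the two sides needs its own
conn, even if some of the combinations are never used.
"""
import ipaddress

# Parameters shared by every generated conn (values taken from the post).
COMMON = [
    "authby=secret", "type=tunnel", "auth=esp", "esp=aes256-sha1",
    "keyexchange=ike", "ike=aes256-sha-modp1536", "keylife=28800s",
    "ikelifetime=3600s", "pfs=yes", "auto=start",
]


def selectors(ip, subnet):
    """Return (label, cidr) selectors for one side: the gateway as a /32,
    plus its protected subnet if there is one. ip_network(strict=True)
    rejects malformed subnets such as 192.168.0.1/24 with a ValueError."""
    sel = [("host", str(ipaddress.ip_network(f"{ip}/32")))]
    if subnet:
        sel.append(("net", str(ipaddress.ip_network(subnet, strict=True))))
    return sel


def conn_blocks(left, right, leftsubnet=None, rightsubnet=None, base="site"):
    """Return one conn block per left/right selector combination:
    1 for host--host, 2 for net--host or host--net, 4 for net--net."""
    blocks = []
    for llabel, lsel in selectors(left, leftsubnet):
        for rlabel, rsel in selectors(right, rightsubnet):
            lines = [
                f"conn {base}-{llabel}-{rlabel}",   # hypothetical naming scheme
                f"        left={left}",
                f"        leftsubnet={lsel}",        # /32 for the gateway itself
                f"        right={right}",
                f"        rightsubnet={rsel}",
            ] + [f"        {p}" for p in COMMON]
            blocks.append("\n".join(lines))
    return blocks


def secret_line(left, right, psk):
    """The matching ipsec.secrets entry for the two gateway addresses."""
    return f'{left} {right}: PSK "{psk}"'


if __name__ == "__main__":
    # The post's net--host case: Linux host 1.2.3.4, Edge X 5.6.7.8 fronting 192.168.0.0/24
    for block in conn_blocks("1.2.3.4", "5.6.7.8", rightsubnet="192.168.0.0/24"):
        print(block, end="\n\n")
    print(secret_line("1.2.3.4", "5.6.7.8", "secret!"))
```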

2. VPN-1 cfg (best configured by just SSHing to your box as "admin", i.e.
ssh -l admin my.firewall):

clear vpn sites 
add vpn sites disabled false name hostname.com gateway 1.2.3.4 gateway2
undefined loginmode automatic configmode manual authmethod sharedsecret type
sitetosite keepalive enabled bypassnat enabled bypassfw disabled user ""
password secret! topopass "" net1 1.2.3.4 netmask1 255.255.255.255 net2
undefined netmask2 255.255.255.0 net3 undefined netmask3 255.255.255.0
usepfs true phase1ikealgs aes256/sha1 phase1exptime 28800 phase2ikealgs
aes256/sha1 phase2exptime 3600 phase1dhgroup group5 phase2dhgroup group5
dnsname wsap.net 

In addition, if you set "bypassfw disabled" as I did, you need one or two
rules to enable traffic inside your VPN (these rules can also be configured
using the web interface, and further restricted according to your needs):

add fw rules service any action allow src hostname.com dest lan ports 0
protocol any qosclass Default redirectport 0 index 1 log false disabled
false 
add fw rules service any action allow src lan dest hostname.com ports 0
protocol any qosclass Default redirectport 0 index 2 log false disabled
false 

If all works well, upon activating your VPN on the Linux box (rcipsec start)
and the Edge-X appliance (via web interface), the following entries should
appear in your VPN-1 log:

00058   Dec 11  07:15:15 PM   IKE Phase2: Completed successfully with VPN peer 85.214.25.18 [My Ranges: 192.168.0.0-192.168.0.255 Peer Ranges: 1.2.3.4-1.2.3.4 Security: AES-256/SHA1 Expire time: 1 hour(s), 0 second(s) NAT-T: turned off]
00057   Dec 11  07:14:40 PM   IKE Phase2: Completed successfully with VPN peer 1.2.3.4 [My Ranges: 5.6.7.8-5.6.7.8 Peer Ranges: 1.2.3.4-1.2.3.4 Security: AES-256/SHA1 Expire time: 1 hour(s), 0 second(s) NAT-T: turned off]
00056   Dec 11  07:14:39 PM   IKE Phase1: Completed successfully with VPN peer 1.2.3.4 [Security: AES-256/SHA1 Expire Time: 7 hour(s), 59 minute(s), 58 second(s) NAT-T: turned off]

Have fun,
Martin.