[Openswan Users]
site to site VPN connection : openswan - checkpoint 4.1
Bahrain Suffian
bahrain_suffian at yahoo.com
Wed Feb 23 00:38:33 CET 2005
Dear All,
I want to establish a site-to-site VPN connection with
our business partner's server. On our side, we are
using Openswan 2.3.0-1 and our partner is using
Checkpoint firewall version 4.1.
We have to configure our Openswan so that it matches the
config on our partner's end.
But all our efforts to establish such a connection have
failed.
This is the configuration on our partner's side:
- encryption scheme: IKE.
- encryption algorithm between firewall: 3DES
- hashing method used: MD5.
- authentication method between firewall:
pre-shared password.
- Firewall Type: CheckPoint F/W Ver4.1
- External Line (Public Link) IP: 203.92.128.195
- Application Server IP (behind the firewall):
192.100.86.xx (grant access for the whole 86 segment)
- Netmask:255.255.255.0
- Preshared key: d3vilit0
This is our Openswan config:
Our server's IP is 210.15.122.7
conn partner197
    auto=route
    authby=secret
    keyexchange=ike
    auth=esp
    esp=3des-md5
    ike=3des-md5
    pfs=no
    type=tunnel
    left=210.15.122.7
    right=203.92.128.197
    rightsubnet=192.100.86.0/24
    leftid=210.15.122.7
    rightid=203.92.128.197
This is the log file:
---------------------------------------------------
Feb 23 16:30:54 sms pluto[6002]: | *received whack message
Feb 23 16:30:54 sms pluto[6002]: shutting down
Feb 23 16:30:54 sms pluto[6002]: forgetting secrets
Feb 23 16:30:54 sms pluto[6002]: "partner197": deleting connection
Feb 23 16:30:54 sms pluto[6002]: | delete eroute 192.100.86.0/24:0 --0-> 210.19.126.7/32:0 => int.0 at 210.19.126.7 (raw_eroute)
Feb 23 16:30:54 sms pluto[6002]: | eroute_connection delete eroute 210.19.126.7/32:0 --0-> 192.100.86.0/24:0 => int.0 at 0.0.0.0 (raw_eroute)
Feb 23 16:30:54 sms pluto[6002]: | route owner of "partner197" unrouted: NULL
Feb 23 16:30:54 sms pluto[6002]: | executing unroute-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='unroute-host' PLUTO_CONNECTION='partner197' PLUTO_NEXT_HOP='203.92.128.197' PLUTO_INTERFACE='eth0' PLUTO_ME='210.19.126.7' PLUTO_MY_ID='210.19.126.7' PLUTO_MY_CLIENT='210.19.126.7/32' PLUTO_MY_CLIENT_NET='210.19.126.7' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='203.92.128.197' PLUTO_PEER_ID='203.92.128.197' PLUTO_PEER_CLIENT='192.100.86.0/24' PLUTO_PEER_CLIENT_NET='192.100.86.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL' ipsec _updown
Feb 23 16:30:54 sms pluto[6002]: "partner197": unroute-host output: /usr/lib/ipsec/_updown: doroute `ip route delete 192.100.86.0/24 via 203.92.128.197 dev eth0 ' failed (RTNETLINK answers: No such process)
Feb 23 16:30:54 sms pluto[6002]: | alg_info_delref(0x8c85588)
Feb 23 16:30:54 sms pluto[6002]: | alg_info_delref(0x8c85588) alg_info->ref_cnt=2
Feb 23 16:30:54 sms pluto[6002]: | alg_info_delref(0x8c84de0)
Feb 23 16:30:54 sms pluto[6002]: | alg_info_delref(0x8c84de0) alg_info->ref_cnt=2
Feb 23 16:30:54 sms pluto[6002]: shutting down interface lo/lo ::1
Feb 23 16:30:54 sms pluto[6002]: shutting down interface lo/lo 127.0.0.1
Feb 23 16:30:54 sms pluto[6002]: shutting down interface lo/lo 127.0.0.1
Feb 23 16:30:54 sms pluto[6002]: shutting down interface eth0/eth0 210.19.126.7
Feb 23 16:30:54 sms pluto[6002]: shutting down interface eth0/eth0 210.19.126.7
Feb 23 16:30:54 sms pluto[6002]: shutting down interface eth0:1/eth0:1 172.16.2.95
Feb 23 16:30:54 sms pluto[6002]: shutting down interface eth0:1/eth0:1 172.16.2.95
Feb 23 16:30:54 sms pluto[6002]: shutting down interface eth0:2/eth0:2 192.168.17.225
Feb 23 16:30:54 sms pluto[6002]: shutting down interface eth0:2/eth0:2 192.168.17.225
Feb 23 16:30:55 sms ipsec__plutorun: Starting Pluto subsystem...
Feb 23 16:30:55 sms pluto[6227]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Feb 23 16:30:55 sms pluto[6227]: Setting port floating to on
Feb 23 16:30:55 sms pluto[6227]: port floating activate 1/1
Feb 23 16:30:55 sms pluto[6227]: including NAT-Traversal patch (Version 0.6c)
Feb 23 16:30:55 sms pluto[6227]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Feb 23 16:30:55 sms pluto[6227]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb 23 16:30:55 sms pluto[6227]: starting up 1 cryptographic helpers
Feb 23 16:30:55 sms pluto[6227]: started helper pid=6230 (fd:6)
Feb 23 16:30:55 sms pluto[6227]: Using Linux 2.6 IPsec interface code
Feb 23 16:30:55 sms pluto[6227]: Could not change to directory '/etc/ipsec.d/cacerts'
Feb 23 16:30:55 sms pluto[6227]: Could not change to directory '/etc/ipsec.d/aacerts'
Feb 23 16:30:55 sms pluto[6227]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Feb 23 16:30:55 sms pluto[6227]: Could not change to directory '/etc/ipsec.d/crls'
Feb 23 16:30:55 sms pluto[6227]: | inserting event EVENT_LOG_DAILY, timeout in 26945 seconds
Feb 23 16:30:55 sms pluto[6227]: | next event EVENT_REINIT_SECRET in 3600 seconds
Feb 23 16:30:55 sms pluto[6230]: ! helper 0 waiting on fd: 7
Feb 23 16:30:56 sms pluto[6227]: |
Feb 23 16:30:56 sms pluto[6227]: | *received whack message
Feb 23 16:30:56 sms pluto[6227]: | Added new connection partner197 with policy PSK+ENCRYPT+TUNNEL
Feb 23 16:30:56 sms pluto[6227]: | from whack: got --esp=3des-md5
Feb 23 16:30:56 sms pluto[6227]: | esp string values: 3_000-1, flags=-strict
Feb 23 16:30:56 sms pluto[6227]: | from whack: got --ike=3des-md5
Feb 23 16:30:56 sms pluto[6227]: | ike string values: 5_000-1-5, 5_000-1-2, flags=-strict
Feb 23 16:30:56 sms pluto[6227]: | counting wild cards for 210.19.126.7 is 0
Feb 23 16:30:56 sms pluto[6227]: | sendcert is 3
Feb 23 16:30:56 sms pluto[6227]: | counting wild cards for 203.92.128.197 is 0
Feb 23 16:30:56 sms pluto[6227]: | sendcert is 3
Feb 23 16:30:56 sms pluto[6227]: | alg_info_addref() alg_info->ref_cnt=1
Feb 23 16:30:56 sms pluto[6227]: | alg_info_addref() alg_info->ref_cnt=1
Feb 23 16:30:56 sms pluto[6227]: | alg_info_addref() alg_info->ref_cnt=2
Feb 23 16:30:56 sms pluto[6227]: | alg_info_addref() alg_info->ref_cnt=2
Feb 23 16:30:56 sms pluto[6227]: added connection description "partner197"
Feb 23 16:30:56 sms pluto[6227]: | 210.19.126.7...203.92.128.197===192.100.86.0/24
Feb 23 16:30:56 sms pluto[6227]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL
Feb 23 16:30:56 sms pluto[6227]: | next event EVENT_REINIT_SECRET in 3599 seconds
Feb 23 16:30:56 sms pluto[6227]: |
Feb 23 16:30:56 sms pluto[6227]: | *received whack message
Feb 23 16:30:56 sms pluto[6227]: listening for IKE messages
Feb 23 16:30:56 sms pluto[6227]: | found lo with address 127.0.0.1
Feb 23 16:30:56 sms pluto[6227]: | found eth0 with address 210.19.126.7
Feb 23 16:30:56 sms pluto[6227]: | found eth0:1 with address 172.16.2.95
Feb 23 16:30:56 sms pluto[6227]: | found eth0:2 with address 192.168.17.225
Feb 23 16:30:56 sms pluto[6227]: adding interface eth0:2/eth0:2 192.168.17.225
Feb 23 16:30:56 sms pluto[6227]: adding interface eth0:2/eth0:2 192.168.17.225:4500
Feb 23 16:30:56 sms pluto[6227]: adding interface eth0:1/eth0:1 172.16.2.95
Feb 23 16:30:56 sms pluto[6227]: adding interface eth0:1/eth0:1 172.16.2.95:4500
Feb 23 16:30:56 sms pluto[6227]: adding interface eth0/eth0 210.19.126.7
Feb 23 16:30:56 sms pluto[6227]: adding interface eth0/eth0 210.19.126.7:4500
Feb 23 16:30:56 sms pluto[6227]: adding interface lo/lo 127.0.0.1
Feb 23 16:30:56 sms pluto[6227]: adding interface lo/lo 127.0.0.1:4500
Feb 23 16:30:56 sms pluto[6227]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Feb 23 16:30:56 sms pluto[6227]: adding interface lo/lo ::1
Feb 23 16:30:56 sms pluto[6227]: loading secrets from "/etc/ipsec.secrets"
Feb 23 16:30:56 sms pluto[6227]: | loaded private key for keyid: PPK_RSA:AQN8mdvaJ
Feb 23 16:30:56 sms pluto[6227]: | next event EVENT_REINIT_SECRET in 3599 seconds
Feb 23 16:30:56 sms pluto[6227]: |
Feb 23 16:30:56 sms pluto[6227]: | *received whack message
Feb 23 16:30:56 sms pluto[6227]: | route owner of "partner197" unrouted: NULL; eroute owner: NULL
Feb 23 16:30:56 sms pluto[6227]: | could_route called for partner197 (kind=CK_PERMANENT)
Feb 23 16:30:56 sms pluto[6227]: | route owner of "partner197" unrouted: NULL; eroute owner: NULL
Feb 23 16:30:56 sms pluto[6227]: | add eroute 192.100.86.0/24:0 --0-> 210.19.126.7/32:0 => %trap (raw_eroute)
Feb 23 16:30:56 sms pluto[6227]: | eroute_connection add eroute 210.19.126.7/32:0 --0-> 192.100.86.0/24:0 => %trap (raw_eroute)
Feb 23 16:30:56 sms pluto[6227]: | route_and_eroute: firewall_notified: true
Feb 23 16:30:56 sms pluto[6227]: | executing prepare-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-host' PLUTO_CONNECTION='partner197' PLUTO_NEXT_HOP='203.92.128.197' PLUTO_INTERFACE='eth0' PLUTO_ME='210.19.126.7' PLUTO_MY_ID='210.19.126.7' PLUTO_MY_CLIENT='210.19.126.7/32' PLUTO_MY_CLIENT_NET='210.19.126.7' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='203.92.128.197' PLUTO_PEER_ID='203.92.128.197' PLUTO_PEER_CLIENT='192.100.86.0/24' PLUTO_PEER_CLIENT_NET='192.100.86.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL' ipsec _updown
Feb 23 16:30:56 sms pluto[6227]: | executing route-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-host' PLUTO_CONNECTION='partner197' PLUTO_NEXT_HOP='203.92.128.197' PLUTO_INTERFACE='eth0' PLUTO_ME='210.19.126.7' PLUTO_MY_ID='210.19.126.7' PLUTO_MY_CLIENT='210.19.126.7/32' PLUTO_MY_CLIENT_NET='210.19.126.7' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='203.92.128.197' PLUTO_PEER_ID='203.92.128.197' PLUTO_PEER_CLIENT='192.100.86.0/24' PLUTO_PEER_CLIENT_NET='192.100.86.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL' ipsec _updown
Feb 23 16:30:56 sms pluto[6227]: "partner197": route-host output: /usr/lib/ipsec/_updown: doroute `ip route add 192.100.86.0/24 via 203.92.128.197 dev eth0 ' failed (RTNETLINK answers: Network is unreachable)
Feb 23 16:30:56 sms pluto[6227]: | next event EVENT_REINIT_SECRET in 3599 seconds
---------------------------------------------------
This is the whack status:
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 210.19.126.7
000 interface eth0/eth0 210.19.126.7
000 interface eth0:1/eth0:1 172.16.2.95
000 interface eth0:1/eth0:1 172.16.2.95
000 interface eth0:2/eth0:2 192.168.17.225
000 interface eth0:2/eth0:2 192.168.17.225
000 %myid = (none)
000 debug control
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "partner197": 210.15.122.7...203.92.128.197===192.100.86.0/24; prospective erouted; eroute owner: #0
000 "partner197": srcip=unset; dstip=unset
000 "partner197": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "partner197": policy: PSK+ENCRYPT+TUNNEL; prio: 32,24; interface: eth0;
000 "partner197": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "partner197": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, flags=-strict
000 "partner197": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2,
000 "partner197": ESP algorithms wanted: 3_000-1, flags=-strict
000 "partner197": ESP algorithms loaded: 3_000-1, flags=-strict
Would anybody care to help?
Thanks in advance.
Best Regards.
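Editor's added example (not part of the post above, and not Openswan's own code): a small Python checker that parses the conn block from the post, compares it with the parameters the partner listed, and scans the two decisive pluto lines for the _updown failure. The conn text, the partner table and the two log lines are copied from the post (re-joined onto single lines; the log excerpts are shortened); the mapping of the partner's wording onto ipsec.conf keys, the function names and the finding texts are this example's own assumptions. Run as written it reports that right/rightid (203.92.128.197) differ from the partner's stated public IP (203.92.128.195), that PLUTO_ME (210.19.126.7) differs from left= (210.15.122.7), that the nexthop equals the peer address, and that the kernel refused the route with "Network is unreachable".

```python
"""Cross-check an Openswan conn block against a partner's stated
parameters and against pluto's _updown debug output.  Example code;
all constants below are copied from the mailing-list post."""
import re

# Constructed copy of the conn block from the post (ipsec.conf syntax).
IPSEC_CONF = """\
conn partner197
    auto=route
    authby=secret
    keyexchange=ike
    auth=esp
    esp=3des-md5
    ike=3des-md5
    pfs=no
    type=tunnel
    left=210.15.122.7
    right=203.92.128.197
    rightsubnet=192.100.86.0/24
    leftid=210.15.122.7
    rightid=203.92.128.197
"""

# The partner's requirements as listed in the post, mapped onto the
# ipsec.conf keys they constrain (the mapping is this example's own).
PARTNER_WANTS = {
    "right": "203.92.128.195",
    "rightid": "203.92.128.195",
    "rightsubnet": "192.100.86.0/24",
    "esp": "3des-md5",
    "ike": "3des-md5",
    "authby": "secret",
}

# Two pluto lines from the post, re-joined and shortened to the relevant vars.
PLUTO_LOG = [
    "Feb 23 16:30:56 sms pluto[6227]: | executing route-host: 2>&1 "
    "PLUTO_VERSION='1.1' PLUTO_VERB='route-host' PLUTO_CONNECTION='partner197' "
    "PLUTO_NEXT_HOP='203.92.128.197' PLUTO_INTERFACE='eth0' PLUTO_ME='210.19.126.7' "
    "PLUTO_PEER='203.92.128.197' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL' ipsec _updown",
    "Feb 23 16:30:56 sms pluto[6227]: \"partner197\": route-host output: "
    "/usr/lib/ipsec/_updown: doroute `ip route add 192.100.86.0/24 via "
    "203.92.128.197 dev eth0 ' failed (RTNETLINK answers: Network is unreachable)",
]


def parse_conns(text):
    """Parse ipsec.conf text into {conn_name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[:1].isspace() and line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def check_against_partner(conn, wants):
    """Return one finding per key whose configured value differs."""
    return [f"{key}={conn.get(key)!r} but partner states {want!r}"
            for key, want in wants.items() if conn.get(key) != want]


def parse_updown_env(line):
    """Extract the PLUTO_* variables pluto hands to the _updown script."""
    return dict(re.findall(r"(PLUTO_[A-Z_]+)='([^']*)'", line))


UPDOWN_FAIL = re.compile(r"`(ip route [^`']*)' failed \(RTNETLINK answers: ([^)]*)\)")


def check_log(lines, conn):
    """Flag _updown route failures and PLUTO_ME/left disagreements."""
    findings = []
    for line in lines:
        env = parse_updown_env(line)
        if env and env.get("PLUTO_ME") != conn.get("left"):
            findings.append(f"PLUTO_ME={env['PLUTO_ME']} but left={conn.get('left')}")
        if env and env.get("PLUTO_NEXT_HOP") == env.get("PLUTO_PEER"):
            findings.append("nexthop equals the peer address "
                            f"{env['PLUTO_NEXT_HOP']}; set leftnexthop if the peer is not on-link")
        m = UPDOWN_FAIL.search(line)
        if m:
            findings.append(f"_updown: '{m.group(1).strip()}' failed: {m.group(2)}")
    return findings


if __name__ == "__main__":
    conn = parse_conns(IPSEC_CONF)["partner197"]
    for f in check_against_partner(conn, PARTNER_WANTS) + check_log(PLUTO_LOG, conn):
        print("FINDING:", f)
```

The routing finding is the one to read first: `ip route add ... via 203.92.128.197 dev eth0` is refused with "Network is unreachable" when the kernel has no on-link route to that gateway through eth0, and no IKE traffic is ever sent, which is consistent with the status showing no ISAKMP SA. With no leftnexthop in the conn, Openswan uses the peer itself as the next hop; a leftnexthop pointing at the real upstream gateway (or %defaultroute) is what lets _updown install the route. The address mismatches (right/rightid versus the partner's stated 203.92.128.195, and left versus the PLUTO_ME the daemon actually bound) are worth confirming against the live hosts before the tunnel is retried.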