[Openswan Users] Openswan - checkpoint not working in both directions

Mike.Peters at opengi.co.uk Mike.Peters at opengi.co.uk
Fri Nov 10 05:54:35 EST 2006


Hi,

I'm trying to set up a Gateway-to-Gateway connection between Checkpoint
and Openswan, using
http://www.fw-1.de/aerasec/ng/vpn-freeswan/CP-FW1-NG+Linux-FreeSWAN-Gateway.html
as a reference. The connection works fine from the Openswan
(172.16.2.0/24) end to the checkpoint end (192.168.0.0/24) but I can't
get from the checkpoint end to the Openswan end:

The logs show:

Nov 10 10:33:06 mfsvpn pluto[28049]: "opengi-checkpoint" #1: initiating Main Mode
Nov 10 10:33:06 mfsvpn ipsec__plutorun: 104 "opengi-checkpoint" #1: STATE_MAIN_I1: initiate
Nov 10 10:33:06 mfsvpn ipsec__plutorun: ...could not start conn "opengi-checkpoint"
Nov 10 10:33:06 mfsvpn pluto[28049]: "opengi-checkpoint" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 10 10:33:06 mfsvpn pluto[28049]: "opengi-checkpoint" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 10 10:33:07 mfsvpn pluto[28049]: "opengi-checkpoint" #1: I did not send a certificate because I do not have one.
Nov 10 10:33:07 mfsvpn pluto[28049]: "opengi-checkpoint" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 10 10:33:07 mfsvpn pluto[28049]: "opengi-checkpoint" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 10 10:33:07 mfsvpn pluto[28049]: "opengi-checkpoint" #1: Main mode peer ID is ID_IPV4_ADDR: 'aaa.bbb.ccc.42'
Nov 10 10:33:07 mfsvpn pluto[28049]: "opengi-checkpoint" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 10 10:33:07 mfsvpn pluto[28049]: "opengi-checkpoint" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Nov 10 10:33:07 mfsvpn pluto[28049]: "checkpoint-opengi" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Nov 10 10:33:07 mfsvpn pluto[28049]: "opengi-checkpoint" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Nov 10 10:33:07 mfsvpn pluto[28049]: "checkpoint-opengi" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 10 10:33:07 mfsvpn pluto[28049]: "checkpoint-opengi" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xe0e7d1fa <0x77332173 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Nov 10 10:33:07 mfsvpn pluto[28049]: "opengi-checkpoint" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 10 10:33:07 mfsvpn pluto[28049]: "opengi-checkpoint" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0d061c6a <0xb145aac9 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

Nov 10 10:38:21 mfsvpn pluto[28049]: "opengi-checkpoint" #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===xxx.yyy.zzz.235...aaa.bbb.ccc.42===0.0.0.0/0
Nov 10 10:38:21 mfsvpn pluto[28049]: "opengi-checkpoint" #1: sending encrypted notification INVALID_ID_INFORMATION to aaa.bbb.ccc.42:500
Nov 10 10:38:24 mfsvpn pluto[28049]: "opengi-checkpoint" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x35f89b0d (perhaps this is a duplicated packet)
Nov 10 10:38:24 mfsvpn pluto[28049]: "opengi-checkpoint" #1: sending encrypted notification INVALID_MESSAGE_ID to aaa.bbb.ccc.42:500
Nov 10 10:38:26 mfsvpn pluto[28049]: "opengi-checkpoint" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x35f89b0d (perhaps this is a duplicated packet)

ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.16.13-4-smp (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'curl' command for CRL fetching                    [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]

My ipsec.conf is as follows:
config setup
  # Debug-logging controls:  "none" for (almost) none, "all" for lots.
  #klipsdebug=all
  #plutodebug="control parsing"
  #plutodebug=all
  # Certificate Revocation List handling
  #overridemtu=1358
  crlcheckinterval=600
  strictcrlpolicy=no
  # Change rp_filter setting, default = 0 (switch off)
  #rp_filter=%unchanged
  # Switch on NAT-Traversal (if patch is installed)
  interfaces=%defaultroute
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:172.16.2.0/24,%v4:192.168.0.0/16

# default settings for connections
conn %default
  # Default: %forever (try forever)
  keyingtries=3
  compress=no
  disablearrivalcheck=no
  authby=rsasig
  # Sig keys (default: %dnsondemand)
  leftrsasigkey=%cert
  rightrsasigkey=%cert
  # Lifetimes, defaults are 1h/8hrs
  ikelifetime=20m
  keylife=1h

## Gateway-to-gateway: Check Point <-> OpenS/WAN
conn checkpoint-opengi
  type=tunnel
  forceencaps=yes
  # Left side is Checkpoint
  left=aaa.bbb.ccc.42
  leftsubnet=192.168.0.0/24
  # Right side is OpenS/WAN
  right=xxx.yyy.zzz.235
  rightsubnet=172.16.2.0/24
  keyexchange=ike
  auth=esp
  ike=3des-md5,3des-sha1
  pfs=no
  auto=start
  authby=secret

conn opengi-checkpoint
  type=tunnel
  left=aaa.bbb.ccc.42
  right=xxx.yyy.zzz.235
  keyexchange=ike
  auth=esp
  pfs=no
  auto=start
  authby=secret

Any help would be greatly appreciated.

Mike Peters
Linux System and Website Administrator
Open G I Limited
www.opengi.co.uk
This message is intended for the named recipient only and may be
privileged and/or confidential.  If you are not the intended or named
recipient or have received this email in error then you should not copy
forward or disclose it to any other persons.  If you have received this
email in error you should destroy it and contact the sender so that we
may take appropriate action.   The views and opinions expressed in this
email may not represent the views and opinions of Open International
Limited or any of its subsidiaries and are made without prejudice and
subject to contract.  The Company Reserves the right to intercept and
review all email communications.
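The refusal in the log above says what the peer proposed: a Quick Mode exchange with 0.0.0.0/0 as the traffic selector on both ends, for which no conn exists (checkpoint-opengi carries 192.168.0.0/24<->172.16.2.0/24, and opengi-checkpoint, having no leftsubnet/rightsubnet, is host-to-host between the two gateway addresses). The script below, added here as an example and not part of Openswan or of the post, parses the conn sections of an ipsec.conf, extracts the proposed selectors from pluto's "no connection is known for" lines, and reports which configured conns between the same gateway pair do or do not match. The conf and log excerpts are constructed from the post, with the masked gateway addresses replaced by RFC 5737 documentation addresses (aaa.bbb.ccc.42 -> 198.51.100.42, xxx.yyy.zzz.235 -> 203.0.113.235); the function and variable names are the example's own.

```python
"""Match pluto 'no connection is known for' refusals against ipsec.conf.

Added example, not Openswan code. Conf and log excerpts are constructed from
the post, with masked gateway addresses replaced by RFC 5737 documentation
addresses (aaa.bbb.ccc.42 -> 198.51.100.42, xxx.yyy.zzz.235 -> 203.0.113.235).
"""
import ipaddress
import re

# Constructed: the conn sections from the post, comments dropped.
IPSEC_CONF = """\
conn %default
  keyingtries=3
  authby=rsasig

conn checkpoint-opengi
  type=tunnel
  left=198.51.100.42
  leftsubnet=192.168.0.0/24
  right=203.0.113.235
  rightsubnet=172.16.2.0/24
  authby=secret

conn opengi-checkpoint
  type=tunnel
  left=198.51.100.42
  right=203.0.113.235
  authby=secret
"""

# Constructed: the two refusal lines from the post, unwrapped, same substitution.
PLUTO_LOG = """\
Nov 10 10:38:21 mfsvpn pluto[28049]: "opengi-checkpoint" #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===203.0.113.235...198.51.100.42===0.0.0.0/0
Nov 10 10:38:21 mfsvpn pluto[28049]: "opengi-checkpoint" #1: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.42:500
"""

# pluto prints the proposal from the responder's view: local_subnet===local_gw...peer_gw===peer_subnet
NO_CONN_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: cannot respond to IPsec SA request because no '
    r'connection is known for (?P<lsub>[^\s=]+)===(?P<lgw>[^\s=]+?)\.\.\.'
    r'(?P<rgw>[^\s=]+)===(?P<rsub>[^\s=]+)'
)


def parse_ipsec_conf(text):
    """Return {conn name: {key: value}}, with 'conn %default' merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[:1].isspace():               # section header at column 0
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None  # ignore 'config setup'
            if current is not None:
                sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}


def conn_selectors(conn):
    """(left gw, left selector, right gw, right selector); a missing *subnet means the gateway's own /32."""
    left, right = conn["left"], conn["right"]
    return (ipaddress.ip_address(left),
            ipaddress.ip_network(conn.get("leftsubnet", left + "/32"), strict=False),
            ipaddress.ip_address(right),
            ipaddress.ip_network(conn.get("rightsubnet", right + "/32"), strict=False))


def parse_refusals(log_text):
    """Pull the peer's proposed selectors out of each refusal line."""
    refusals = []
    for line in log_text.splitlines():
        m = NO_CONN_RE.search(line)
        if m:
            refusals.append({
                "conn": m["conn"],
                "local_gw": ipaddress.ip_address(m["lgw"]),
                "local_subnet": ipaddress.ip_network(m["lsub"], strict=False),
                "peer_gw": ipaddress.ip_address(m["rgw"]),
                "peer_subnet": ipaddress.ip_network(m["rsub"], strict=False),
            })
    return refusals


def explain_refusal(refusal, conns):
    """For every conn between the same gateway pair, say whether its selectors match the proposal."""
    proposed = (refusal["local_subnet"], refusal["peer_subnet"])
    pair = (refusal["local_gw"], refusal["peer_gw"])
    findings = []
    for name, conn in conns.items():
        lgw, lsub, rgw, rsub = conn_selectors(conn)
        if (lgw, rgw) == pair:
            configured = (lsub, rsub)
        elif (rgw, lgw) == pair:            # conn written with the peer as 'left'
            configured = (rsub, lsub)
        else:
            continue                        # conn is for some other gateway pair
        if configured == proposed:
            findings.append((name, "matches"))
        else:
            findings.append((name, "configured %s<->%s, peer proposed %s<->%s"
                             % (configured[0], configured[1], proposed[0], proposed[1])))
    if any(net.prefixlen == 0 for net in proposed):
        findings.append(("*", "peer proposed a 0.0.0.0/0 selector; an SA with that selector "
                              "would claim every packet, so refusing it is the safe outcome"))
    return findings


def check_log(conf_text, log_text):
    """End-to-end: {conn named in the refusal line: findings}."""
    conns = parse_ipsec_conf(conf_text)
    return {r["conn"]: explain_refusal(r, conns) for r in parse_refusals(log_text)}


if __name__ == "__main__":
    for conn, findings in check_log(IPSEC_CONF, PLUTO_LOG).items():
        print(conn)
        for name, verdict in findings:
            print("  %-20s %s" % (name, verdict))
```

Run against the constructed input it reports both conns as mismatching and flags the catch-all selector, which is the same conclusion pluto reached when it sent INVALID_ID_INFORMATION: the fix belongs on whichever side is proposing 0.0.0.0/0, not in loosening what Openswan accepts. The parser only handles the conn sections and the left/right/leftsubnet/rightsubnet keywords that matter for this check; the rest of the ipsec.conf grammar is ignored.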