[Openswan Users] Connect to checkpoint vpn

Peter McGill petermcgill at goco.net
Thu Nov 1 10:20:26 EDT 2007

I haven't set a checkpoint interop myself but I do know a few general interop rules.
A couple of things your conn should look something like this.
I don't think the comments will effect your config but go ahead and take them out...

conn checkpoint # Note the conn name doesn't really matter it's just a local identifier
	keyexchange=ike # default and only choice, you can leave this line out
	aggrmode=no # default and most secure setting
	auth=esp # default and most secure setting, you can leave this line out
	ike=3des-md5 # this is acceptable by default amoung others, but set exactly to match you remote end as shown here
	esp=3des-md5 # ditto...
	pfs=no # pfs yes is more secure and default but your remote end has told you not to use it
	compress=no # yes and no are valid you may need to change this, no is most interoperable
	rekey=yes # default, you can leave this line out, unless you change it in conn %default
	keyingtries=%forever # ditto...
	left= # your local internet ip goes here, use %defaultroute if you have dynamic ip
	leftsubnet= # your local lan network goes here
	leftsourceip= # your local lan ip goes here, this is a local setting the other end doesn't care
	leftnexthop=%defaultroute # your internet default gateway goes here, don't set this if you have dynamic ip
	right= # your remote checkpoint internet ip goes here
	rightsubnet= # your remote checkpoint lan network goes here, it must be different from your local lan
	authby=secret # this selects pre shared secret key method, not the best option but it works and checkpoint wants
	auto=add # this adds but does not start the connection, use auto=start to automatically start it when ipsec starts
	# leftid= # leave this out unless you need it, must match remote side, defaults to left ip.
	# rightid= # ditto...
	# dpddelay=30 # uncomment this if you need DPD (Dead Peer Detection) to destroy dead tunnels, both sides must set
	# dpdtimeout=120 # ditto...
	# dpdaction=clear # ditto... clear destroys the tunnel, restart restarts it.
	# ikelifetime=1.0h # this is default you may need to set this if checkpoint has a different timeout, phase 1
	# keylife=8.0h # ditto... for esp, phase 2
	# ike=3des-md5-modp1024 # this is a more specific version of above line you may need it, but you'll
	#	need to set it to match the remote end, which may have a different dh group, 1024 is group 2, 1536 group 5,
	#	some other devices default to group 1, 768 openswan will not allow this because it's insecure,
	#	make sure the checkpoint isn't using group 1, 768 bits. This is a very common interop problem.

In /etc/ipsec.secrets which should be only readable by root and/or the user your ipsec daemon runs as. : PSK "secretkeyhere" # note change the ips and key to your real left, right and key values

You'll need to tell the checkpoint admin your left and leftsubnet values so he can match them on his end.
Unless your not using the subnet and he's letting you connect from any or a dynamic ip.
Without the subnet only your linux box can use the tunnel your lan pcs cannot.

Peter McGill

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Michael Magua
> Sent: November 1, 2007 6:26 AM
> To: users at openswan.org
> Subject: [Openswan Users] Connect to checkpoint vpn
> Hi guys,
> I've been struggling for 2 days now trying to connect to my works
> Checkpoint VPN but no luck. I've tried various configs that I've
> managed to find on the net as well as going through what is mentioned
> at http://www.fw-1.de/aerasec/*.
> The details from my administrator at work are as follows:
> IP: x.x.x.x
> Encryption algorithm: 3des
> Hashing algorithm: md5
> PFS off
> Pre-shared key: secretkeyhere
> I'm using Fedora Linux if that means anything. Please could someone
> help me get this working?
> Thank you
> Michael
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> 7?n=283155

More information about the Users mailing list