[Openswan Users] Connect to checkpoint vpn

Michael Magua m.magua at gmail.com
Fri Nov 2 01:05:47 EDT 2007

Hi Peter,

Thanks for explaining things in detail however I still can't get this
working. My config looks as follows:

version 2.0
config setup
conn checkpoint
left=my ip
right=checkpoint ip

myip checkpointip: PSK "secretkey"

When I start the service I keep getting these messages:

[root at rizon ~]# /etc/init.d/ipsec: (/etc/ipsec.conf, line 7) section
header "auth=esp" has wrong number of fields (1) -- `start
abortedWARNING: initlog is deprecated and will be removed in a future

I then comment the line out and restart the service and get:

[root at rizon ~]# /etc/init.d/ipsec: (/etc/ipsec.conf, line 6) section
header "aggrmode=no" has wrong number of fields (1) -- `start
abortedWARNING: initlog is deprecated and will be removed in a future

And so on..


On 11/1/07, Peter McGill <petermcgill at goco.net> wrote:
> I haven't set a checkpoint interop myself but I do know a few general interop rules.
> A couple of things your conn should look something like this.
> I don't think the comments will effect your config but go ahead and take them out...
> /etc/ipsec.conf:
> conn checkpoint # Note the conn name doesn't really matter it's just a local identifier
>         keyexchange=ike # default and only choice, you can leave this line out
>         aggrmode=no # default and most secure setting
>         auth=esp # default and most secure setting, you can leave this line out
>         ike=3des-md5 # this is acceptable by default amoung others, but set exactly to match you remote end as shown here
>         esp=3des-md5 # ditto...
>         pfs=no # pfs yes is more secure and default but your remote end has told you not to use it
>         compress=no # yes and no are valid you may need to change this, no is most interoperable
>         rekey=yes # default, you can leave this line out, unless you change it in conn %default
>         keyingtries=%forever # ditto...
>         left= # your local internet ip goes here, use %defaultroute if you have dynamic ip
>         leftsubnet= # your local lan network goes here
>         leftsourceip= # your local lan ip goes here, this is a local setting the other end doesn't care
>         leftnexthop=%defaultroute # your internet default gateway goes here, don't set this if you have dynamic ip
>         right= # your remote checkpoint internet ip goes here
>         rightsubnet= # your remote checkpoint lan network goes here, it must be different from your local lan
>         authby=secret # this selects pre shared secret key method, not the best option but it works and checkpoint wants
>         auto=add # this adds but does not start the connection, use auto=start to automatically start it when ipsec starts
>         # leftid= # leave this out unless you need it, must match remote side, defaults to left ip.
>         # rightid= # ditto...
>         # dpddelay=30 # uncomment this if you need DPD (Dead Peer Detection) to destroy dead tunnels, both sides must set
>         # dpdtimeout=120 # ditto...
>         # dpdaction=clear # ditto... clear destroys the tunnel, restart restarts it.
>         # ikelifetime=1.0h # this is default you may need to set this if checkpoint has a different timeout, phase 1
>         # keylife=8.0h # ditto... for esp, phase 2
>         # ike=3des-md5-modp1024 # this is a more specific version of above line you may need it, but you'll
>         #       need to set it to match the remote end, which may have a different dh group, 1024 is group 2, 1536 group 5,
>         #       some other devices default to group 1, 768 openswan will not allow this because it's insecure,
>         #       make sure the checkpoint isn't using group 1, 768 bits. This is a very common interop problem.
> In /etc/ipsec.secrets which should be only readable by root and/or the user your ipsec daemon runs as.
> : PSK "secretkeyhere" # note change the ips and key to your real left, right and key values
> You'll need to tell the checkpoint admin your left and leftsubnet values so he can match them on his end.
> Unless your not using the subnet and he's letting you connect from any or a dynamic ip.
> Without the subnet only your linux box can use the tunnel your lan pcs cannot.
> Peter McGill
> > -----Original Message-----
> > From: users-bounces at openswan.org
> > [mailto:users-bounces at openswan.org] On Behalf Of Michael Magua
> > Sent: November 1, 2007 6:26 AM
> > To: users at openswan.org
> > Subject: [Openswan Users] Connect to checkpoint vpn
> >
> > Hi guys,
> >
> > I've been struggling for 2 days now trying to connect to my works
> > Checkpoint VPN but no luck. I've tried various configs that I've
> > managed to find on the net as well as going through what is mentioned
> > at http://www.fw-1.de/aerasec/*.
> >
> > The details from my administrator at work are as follows:
> >
> > IP: x.x.x.x
> > Encryption algorithm: 3des
> > Hashing algorithm: md5
> > PFS off
> > Pre-shared key: secretkeyhere
> >
> > I'm using Fedora Linux if that means anything. Please could someone
> > help me get this working?
> >
> > Thank you
> > Michael
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> > 7?n=283155

More information about the Users mailing list