[Openswan Users] Connect to checkpoint vpn

Michael Magua m.magua at gmail.com
Fri Nov 2 02:42:07 EDT 2007


Hi again,

I found the problem. By doing:

version 2.0
config setup
conn checkpoint
[tab] ....
[tab] ...

Things are working (at least I think), however I lose my default route
when this happens. I wrote a simple script:

#!/bin/bash

/etc/init.d/ipsec start
sleep 60
/etc/init.d/ipsec stop

--end--

When the service starts I'm locked out of my home machine. Is my default
route being replaced? How can I stop this from happening?

Thanks
Michael
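An added example, not from the thread or from Openswan: a small Python checker for the ipsec.conf layout rule behind the quoted "section header ... has wrong number of fields" errors and the tab fix above. It is a simplified model of that rule (any unindented non-comment line is taken as a section header), not Openswan's own parser, and it lists every offending line where Openswan stops at the first; the sample config is constructed from the quoted one with RFC 5737 documentation addresses in place of "my ip" and "checkpoint ip".

```python
# Constructed sample modelled on the quoted broken config; the IPs are RFC 5737
# documentation addresses standing in for "my ip" and "checkpoint ip".
BROKEN_CONF = """\
#/etc/ipsec.conf
version 2.0
config setup
conn checkpoint
keyexchange=ike
aggrmode=no
auth=esp
ike=3des-md5
esp=3des-md5
pfs=no
compress=no
left=192.0.2.10
right=198.51.100.20
authby=secret
auto=start
"""

def find_unindented_keys(conf_text):
    """Return (line_no, text) for every parameter line that starts in column 1:
    ipsec.conf reads such a line as a section header, so 'auth=esp' is rejected."""
    problems = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                    # blank line or comment
        if raw[0] in " \t":
            continue                    # indented: parameter of the current section
        fields = stripped.split()
        if fields[0] in ("config", "conn") and len(fields) == 2:
            continue                    # a proper 'config setup' / 'conn NAME' header
        if fields[0] in ("version", "include"):
            continue                    # other lines allowed in column 1
        problems.append((line_no, stripped))
    return problems

def report(conf_text, path="/etc/ipsec.conf"):
    """Messages in the same form as the errors quoted in the thread."""
    return ['(%s, line %d) section header "%s" has wrong number of fields (%d)'
            % (path, n, text, len(text.split()))
            for n, text in find_unindented_keys(conf_text)]

def indent_section_keys(conf_text):
    """Apply the fix from the thread: tab every offending line under its header."""
    bad = {n for n, _ in find_unindented_keys(conf_text)}
    return "\n".join("\t" + line.strip() if n in bad else line
                     for n, line in enumerate(conf_text.splitlines(), start=1)) + "\n"
```

Running `report(BROKEN_CONF)` lists lines 5 through 15, and `find_unindented_keys(indent_section_keys(BROKEN_CONF))` is empty.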

On 11/2/07, Michael Magua <m.magua at gmail.com> wrote:
> Hi Peter,
>
> Thanks for explaining things in detail however I still can't get this
> working. My config looks as follows:
>
> #/etc/ipsec.conf
> version 2.0
> config setup
> conn checkpoint
> keyexchange=ike
> aggrmode=no
> auth=esp
> ike=3des-md5
> esp=3des-md5
> pfs=no
> compress=no
> left=my ip
> right=checkpoint ip
> authby=secret
> auto=start
>
> #/etc/ipsec.secrets
> myip checkpointip: PSK "secretkey"
>
> When I start the service I keep getting these messages:
>
> [root at rizon ~]# /etc/init.d/ipsec: (/etc/ipsec.conf, line 7) section
> header "auth=esp" has wrong number of fields (1) -- `start
> abortedWARNING: initlog is deprecated and will be removed in a future
> release
>                                                            [FAILED]
>
> I then comment the line out and restart the service and get:
>
> [root at rizon ~]# /etc/init.d/ipsec: (/etc/ipsec.conf, line 6) section
> header "aggrmode=no" has wrong number of fields (1) -- `start
> abortedWARNING: initlog is deprecated and will be removed in a future
> release
>                                                            [FAILED]
>
> And so on..
>
> Cheers
> Michael
>
> On 11/1/07, Peter McGill <petermcgill at goco.net> wrote:
> > I haven't set a checkpoint interop myself but I do know a few general interop rules.
> > A couple of things your conn should look something like this.
> > I don't think the comments will affect your config but go ahead and take them out...
> >
> > /etc/ipsec.conf:
> > conn checkpoint # Note the conn name doesn't really matter it's just a local identifier
> >         keyexchange=ike # default and only choice, you can leave this line out
> >         aggrmode=no # default and most secure setting
> >         auth=esp # default and most secure setting, you can leave this line out
> >         ike=3des-md5 # this is acceptable by default among others, but set exactly to match your remote end as shown here
> >         esp=3des-md5 # ditto...
> >         pfs=no # pfs yes is more secure and default but your remote end has told you not to use it
> >         compress=no # yes and no are valid you may need to change this, no is most interoperable
> >         rekey=yes # default, you can leave this line out, unless you change it in conn %default
> >         keyingtries=%forever # ditto...
> >         left=66.23.21.39 # your local internet ip goes here, use %defaultroute if you have dynamic ip
> >         leftsubnet=192.168.1.0/24 # your local lan network goes here
> >         leftsourceip=192.168.1.1 # your local lan ip goes here, this is a local setting the other end doesn't care
> >         leftnexthop=%defaultroute # your internet default gateway goes here, don't set this if you have dynamic ip
> >         right=188.232.99.199 # your remote checkpoint internet ip goes here
> >         rightsubnet=10.0.0.0/8 # your remote checkpoint lan network goes here, it must be different from your local lan
> >         authby=secret # this selects pre shared secret key method, not the best option but it works and checkpoint wants
> >         auto=add # this adds but does not start the connection, use auto=start to automatically start it when ipsec starts
> >         # leftid= # leave this out unless you need it, must match remote side, defaults to left ip.
> >         # rightid= # ditto...
> >         # dpddelay=30 # uncomment this if you need DPD (Dead Peer Detection) to destroy dead tunnels, both sides must set
> >         # dpdtimeout=120 # ditto...
> >         # dpdaction=clear # ditto... clear destroys the tunnel, restart restarts it.
> >         # ikelifetime=1.0h # this is default you may need to set this if checkpoint has a different timeout, phase 1
> >         # keylife=8.0h # ditto... for esp, phase 2
> >         # ike=3des-md5-modp1024 # this is a more specific version of above line you may need it, but you'll
> >         #       need to set it to match the remote end, which may have a different dh group, 1024 is group 2, 1536 group 5,
> >         #       some other devices default to group 1, 768 openswan will not allow this because it's insecure,
> >         #       make sure the checkpoint isn't using group 1, 768 bits. This is a very common interop problem.
> >
> > In /etc/ipsec.secrets, which should be only readable by root and/or the user your ipsec daemon runs as:
> > 66.23.21.39 188.232.99.199 : PSK "secretkeyhere" # note change the ips and key to your real left, right and key values
> >
> > You'll need to tell the checkpoint admin your left and leftsubnet values so he can match them on his end.
> > Unless you're not using the subnet and he's letting you connect from any or a dynamic ip.
> > Without the subnet only your linux box can use the tunnel; your lan pcs cannot.
> >
> > Peter McGill
> >
> >
> > > -----Original Message-----
> > > From: users-bounces at openswan.org
> > > [mailto:users-bounces at openswan.org] On Behalf Of Michael Magua
> > > Sent: November 1, 2007 6:26 AM
> > > To: users at openswan.org
> > > Subject: [Openswan Users] Connect to checkpoint vpn
> > >
> > > Hi guys,
> > >
> > > I've been struggling for 2 days now trying to connect to my work's
> > > Checkpoint VPN but no luck. I've tried various configs that I've
> > > managed to find on the net as well as going through what is mentioned
> > > at http://www.fw-1.de/aerasec/*.
> > >
> > > The details from my administrator at work are as follows:
> > >
> > > IP: x.x.x.x
> > > Encryption algorithm: 3des
> > > Hashing algorithm: md5
> > > PFS off
> > > Pre-shared key: secretkeyhere
> > >
> > > I'm using Fedora Linux if that means anything. Please could someone
> > > help me get this working?
> > >
> > > Thank you
> > > Michael
> > > _______________________________________________
> > > Users at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/users
> > > Building and Integrating Virtual Private Networks with Openswan:
> > > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
> >
>

