[Openswan Users] Connect to checkpoint vpn

Peter McGill petermcgill at goco.net
Fri Nov 2 09:39:39 EDT 2007


Yes, you must indent all lines with a tab except version, include, config and conn.
Show a route -n before, between and after ipsec start and stop.
Openswan should not remove any routes except those which it adds.
Those being routes for the tunnels.
Ping from your linux to the checkpoint ip to test the conn when ipsec is running; if ping works, you're good.
Note you haven't added any subnets to your conn, so all you can encrypt/tunnel is traffic
between your linux and the remote checkpoint; nothing else on your lan or the remote lan can use the tunnel.

Peter McGill
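The two checks in the reply above (indent everything except version, include, config and conn; compare route -n before, between and after ipsec start/stop) as an added example that is not part of this thread and not Openswan's own code: a POSIX sh script with an indentation checker for ipsec.conf and a routing-table diff. The snapshots and the two conf files it builds are constructed samples, not output from Michael's host; the IPs are the placeholders from Peter's earlier mail plus a made-up gateway 192.168.1.254. ipsec_route_check calls the real init script and must be run as root.

```sh
#!/bin/sh
# Added example (not from this thread): helpers for the two checks in the
# reply above, an ipsec.conf indentation check and a routing-table diff
# taken before, between and after "ipsec start" / "ipsec stop".

# Print "line N: text" for every ipsec.conf line that must be indented but
# is not. Only version, config, conn and include may start in column 0;
# an unindented "auth=esp" is what produced the "section header ... has
# wrong number of fields" error quoted below. Exit 1 if any were found.
check_conf_indent() {
    awk '
        /^[[:space:]]*$/  { next }   # blank line
        /^[[:space:]]*#/  { next }   # comment
        /^[[:space:]]/    { next }   # indented parameter line: fine
        /^(version|config|conn|include)[[:space:]]/ { next }   # section headers
        { printf "line %d: %s\n", NR, $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Print every route in snapshot $1 that is missing from snapshot $2.
# Accepts "route -n" output (its two header lines are skipped) or "ip route".
routes_removed() {
    _b=$(mktemp); _a=$(mktemp)
    grep -v -e '^Kernel IP routing table' -e '^Destination' "$1" | sort > "$_b"
    grep -v -e '^Kernel IP routing table' -e '^Destination' "$2" | sort > "$_a"
    comm -23 "$_b" "$_a"
    rm -f "$_b" "$_a"
}

# Exit 0 if snapshot $1 still has a default route ("0.0.0.0" in route -n,
# "default" in ip route), 1 otherwise.
has_default_route() {
    grep -Eq '^(0\.0\.0\.0|default)[[:space:]]' "$1"
}

# Snapshot the kernel routing table into file $1 with whichever tool exists.
snapshot_routes() {
    if command -v route >/dev/null 2>&1; then route -n > "$1"; else ip route > "$1"; fi
}

# The procedure from the reply: route table before, between and after, plus
# a ping to the checkpoint while the tunnel is up. Run as root, from a
# console login rather than over the network, since the symptom is losing
# the default route. $1 is the checkpoint's IP (optional).
ipsec_route_check() {
    _d=$(mktemp -d)
    snapshot_routes "$_d/before"
    /etc/init.d/ipsec start
    sleep 30                       # give phase 1/2 time to complete
    snapshot_routes "$_d/between"
    [ -n "$1" ] && ping -c 3 "$1"
    /etc/init.d/ipsec stop
    snapshot_routes "$_d/after"
    echo "== routes missing while ipsec was running =="
    routes_removed "$_d/before" "$_d/between"
    echo "== routes still missing after ipsec stop =="
    routes_removed "$_d/before" "$_d/after"
    has_default_route "$_d/between" || echo "WARNING: default route was gone while ipsec was running"
}

# Constructed sample data (not captured from Michael's host) reproducing the
# symptom in the thread: the default route vanishes while ipsec runs and
# comes back after stop. IPs are the placeholders from Peter's example plus
# a made-up gateway. Also writes Michael's unindented conn (bad.conf) beside
# the tab-indented form (good.conf).
make_samples() {
    cat > "$1/before" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
EOF
    cat > "$1/between" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
188.232.99.199  192.168.1.254   255.255.255.255 UGH   0      0        0 eth0
EOF
    cp "$1/before" "$1/after"
    printf 'version 2.0\nconfig setup\nconn checkpoint\nauth=esp\nleft=66.23.21.39\n' > "$1/bad.conf"
    printf 'version 2.0\nconfig setup\nconn checkpoint\n\tauth=esp\n\tleft=66.23.21.39\n' > "$1/good.conf"
}
```

On the sample data, routes_removed before/between reports only the 0.0.0.0 line and before/after reports nothing, which is what Peter's rule (openswan removes only the routes it added) should look like when it holds; check_conf_indent bad.conf lists the two parameter lines that sit in column 0. Source the script and run ipsec_route_check 188.232.99.199 (your checkpoint's ip) as root on the VPN host.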
 

> -----Original Message-----
> From: Michael Magua [mailto:m.magua at gmail.com] 
> Sent: November 2, 2007 2:42 AM
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Connect to checkpoint vpn
> 
> Hi again,
> 
> I found the problem. By doing:
> 
> version 2.0
> config setup
> conn checkpoint
> [tab] ....
> [tab] ...
> 
> Things are working (at least I think) however I lose my default route
> when this happens. I wrote a simple script:
> 
> #!/bin/bash
> 
> /etc/init.d/ipsec start
> sleep 60
> /etc/init.d/ipsec stop
> 
> --end--
> 
> When the service starts I'm locked out of my home machine. Is my default
> route being replaced? How can I stop this from happening?
> 
> Thanks
> Michael
> 
> On 11/2/07, Michael Magua <m.magua at gmail.com> wrote:
> > Hi Peter,
> >
> > Thanks for explaining things in detail, however I still can't get this
> > working. My config looks as follows:
> >
> > #/etc/ipsec.conf
> > version 2.0
> > config setup
> > conn checkpoint
> > keyexchange=ike
> > aggrmode=no
> > auth=esp
> > ike=3des-md5
> > esp=3des-md5
> > pfs=no
> > compress=no
> > left=my ip
> > right=checkpoint ip
> > authby=secret
> > auto=start
> >
> > #/etc/ipsec.secrets
> > myip checkpointip: PSK "secretkey"
> >
> > When I start the service I keep getting these messages:
> >
> > [root at rizon ~]# /etc/init.d/ipsec: (/etc/ipsec.conf, line 7) section
> > header "auth=esp" has wrong number of fields (1) -- `start
> > abortedWARNING: initlog is deprecated and will be removed in a future
> > release
> >                                                            [FAILED]
> >
> > I then comment the line out and restart the service and get:
> >
> > [root at rizon ~]# /etc/init.d/ipsec: (/etc/ipsec.conf, line 6) section
> > header "aggrmode=no" has wrong number of fields (1) -- `start
> > abortedWARNING: initlog is deprecated and will be removed in a future
> > release
> >                                                            [FAILED]
> >
> > And so on..
> >
> > Cheers
> > Michael
> >
> > On 11/1/07, Peter McGill <petermcgill at goco.net> wrote:
> > > I haven't set up a checkpoint interop myself but I do know a few general interop rules.
> > > A couple of things: your conn should look something like this.
> > > I don't think the comments will affect your config but go ahead and take them out...
> > >
> > > /etc/ipsec.conf:
> > > conn checkpoint # Note the conn name doesn't really matter, it's just a local identifier
> > >         keyexchange=ike # default and only choice, you can leave this line out
> > >         aggrmode=no # default and most secure setting
> > >         auth=esp # default and most secure setting, you can leave this line out
> > >         ike=3des-md5 # this is acceptable by default among others, but set exactly to match your remote end as shown here
> > >         esp=3des-md5 # ditto...
> > >         pfs=no # pfs yes is more secure and default but your remote end has told you not to use it
> > >         compress=no # yes and no are valid, you may need to change this, no is most interoperable
> > >         rekey=yes # default, you can leave this line out, unless you change it in conn %default
> > >         keyingtries=%forever # ditto...
> > >         left=66.23.21.39 # your local internet ip goes here, use %defaultroute if you have a dynamic ip
> > >         leftsubnet=192.168.1.0/24 # your local lan network goes here
> > >         leftsourceip=192.168.1.1 # your local lan ip goes here, this is a local setting, the other end doesn't care
> > >         leftnexthop=%defaultroute # your internet default gateway goes here, don't set this if you have a dynamic ip
> > >         right=188.232.99.199 # your remote checkpoint internet ip goes here
> > >         rightsubnet=10.0.0.0/8 # your remote checkpoint lan network goes here, it must be different from your local lan
> > >         authby=secret # this selects the pre-shared secret key method, not the best option but it works and checkpoint wants it
> > >         auto=add # this adds but does not start the connection, use auto=start to automatically start it when ipsec starts
> > >         # leftid= # leave this out unless you need it, must match remote side, defaults to left ip.
> > >         # rightid= # ditto...
> > >         # dpddelay=30 # uncomment this if you need DPD (Dead Peer Detection) to destroy dead tunnels, both sides must set it
> > >         # dpdtimeout=120 # ditto...
> > >         # dpdaction=clear # ditto... clear destroys the tunnel, restart restarts it.
> > >         # ikelifetime=1.0h # this is the default, you may need to set this if checkpoint has a different timeout, phase 1
> > >         # keylife=8.0h # ditto... for esp, phase 2
> > >         # ike=3des-md5-modp1024 # this is a more specific version of the above line, you may need it, but you'll
> > >         #       need to set it to match the remote end, which may have a different dh group, 1024 is group 2, 1536 group 5,
> > >         #       some other devices default to group 1, 768 bits; openswan will not allow this because it's insecure,
> > >         #       make sure the checkpoint isn't using group 1, 768 bits. This is a very common interop problem.
> > >
> > > In /etc/ipsec.secrets, which should be only readable by root and/or the user your ipsec daemon runs as:
> > > 66.23.21.39 188.232.99.199 : PSK "secretkeyhere" # note: change the ips and key to your real left, right and key values
> > >
> > > You'll need to tell the checkpoint admin your left and leftsubnet values so he can match them on his end.
> > > Unless you're not using the subnet and he's letting you connect from any or a dynamic ip.
> > > Without the subnet only your linux box can use the tunnel, your lan pcs cannot.
> > >
> > > Peter McGill
> > >
> > >
> > > > -----Original Message-----
> > > > From: users-bounces at openswan.org
> > > > [mailto:users-bounces at openswan.org] On Behalf Of Michael Magua
> > > > Sent: November 1, 2007 6:26 AM
> > > > To: users at openswan.org
> > > > Subject: [Openswan Users] Connect to checkpoint vpn
> > > >
> > > > Hi guys,
> > > >
> > > > I've been struggling for 2 days now trying to connect to my work's
> > > > Checkpoint VPN but no luck. I've tried various configs that I've
> > > > managed to find on the net as well as going through what is mentioned
> > > > at http://www.fw-1.de/aerasec/*.
> > > >
> > > > The details from my administrator at work are as follows:
> > > >
> > > > IP: x.x.x.x
> > > > Encryption algorithm: 3des
> > > > Hashing algorithm: md5
> > > > PFS off
> > > > Pre-shared key: secretkeyhere
> > > >
> > > > I'm using Fedora Linux if that means anything. Please could someone
> > > > help me get this working?
> > > >
> > > > Thank you
> > > > Michael
> > > > _______________________________________________
> > > > Users at openswan.org
> > > > http://lists.openswan.org/mailman/listinfo/users
> > > > Building and Integrating Virtual Private Networks with Openswan:
> > > > http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> > > > 7?n=283155
> > >
> > >
> >
