[Openswan Users] RES: VPN - ClarkConnect v5.0 (OpenSwan U2.6.14/K2.6.18-128.2.16.v5) x CheckPoint Firewall

Estevao Arndt earndt at br.lockton.com
Wed Aug 26 16:56:43 EDT 2009


I believe I've got it. I have put this information in ipsec.conf and allowed ICMP from their network.
 
rc.firewall.local
# ESP (Protocol 50)
iptables -A INPUT -i eth0 -d $MYNET -s $THEIRNET -p 50 -j ACCEPT
iptables -A OUTPUT -o eth0 -s $MYNET -d $THEIRNET -p 50 -j ACCEPT
# Company network
iptables -A INPUT -s $THEIRNET -p icmp -j ACCEPT
 
ipsec.conf
config setup
        protostack=netkey
        klipsdebug=none
        plutodebug=none

conn %default
        keyexchange=ike
        aggrmode=no
        type=tunnel
        pfs=no
        ikelifetime=24h
        keylife=1h
        authby=secret
        auth=esp
        auto=start

 
 
Estevão Arndt

Lockton  Brasil Corretora de Seguros Ltda

Tel: 5511.3371.9137 / 55.11.3528.9137

Mobile: 5511.8415.0925

 

________________________________

From: Nick Howitt [mailto:n1ck.h0w1tt at gmail.com]
Sent: Monday, 24 August 2009 18:00
To: Estevao Arndt
Cc: users at openswan.org
Subject: Re: [Openswan Users] VPN - ClarkConnect v5.0 (OpenSwan U2.6.14/K2.6.18-128.2.16.v5) x CheckPoint Firewall


This looks like you have gone for the standard ClarkConnect unmanaged VPN setup. Is that correct? If so, it will not work if it is behind a Checkpoint firewall, or is the CC box one gateway and the Checkpoint firewall the other VPN/gateway?

If you are asked to upgrade Openswan, see this thread from the CC forums (especially the second post): http://forums.clarkconnect.com/showthreaded.php?Cat=0&Number=98437&page=0. It tells you how to edit the makefile.inc. You will also need to do the following (as CC5 now uses yum and not apt):

yum groupinstall "Development Tools"
yum install xmlto

If you end up setting up openswan by hand, you will break the GUI interface, but it will work.

Nick

On 24/08/2009 20:55, Estevao Arndt wrote: 

	Hello,
	I am trying to do a VPN between our office and the HeadOffice, but I can not get connected.
	 
	I have this message:
	[root at locktonbrasil etc]# ipsec auto --up hqnetBrasil-satnetBrasil
	104 "hqnetBrasil-satnetBrasil" #10: STATE_MAIN_I1: initiate
	010 "hqnetBrasil-satnetBrasil" #10: STATE_MAIN_I1: retransmission; will wait 20s for response
	010 "hqnetBrasil-satnetBrasil" #10: STATE_MAIN_I1: retransmission; will wait 40s for response
	031 "hqnetBrasil-satnetBrasil" #10: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
	000 "hqnetBrasil-satnetBrasil" #10: starting keying attempt 2 of at most 3, but releasing whack
	
	See attached my ipsec.conf and ipsec.Brasil.conf. Can you help me on that?
	Regards.
	Estevão Arndt.

	
________________________________


	_______________________________________________
	Users at openswan.org
	http://lists.openswan.org/mailman/listinfo/users
	Building and Integrating Virtual Private Networks with Openswan: 
	http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
	  
