[Openswan Users] NETKEY issue with RoadWarrior connection to Checkpoint R65
Ondrej Valousek
webserv at s3group.cz
Thu Dec 17 04:13:09 EST 2009
Hi All,
I am running CentOS 5 (kernel 2.6.18, openswan-2.6.21) as a VPN client
connecting to my Checkpoint firewall, authenticating with user certificates.
My setup:
conn "Prague"
left=%defaultroute
leftcert=ondrejv-unix
leftrsasigkey=%cert
leftprotoport=tcp/http
right=193.85.188.83
# rightsubnet=192.168.60.0/24
rightcert=openswan-cert
rightrsasigkey=%cert
rightprotoport=tcp/http
I am able to establish the tunnel:
[root at ondar ipsec.d]# ipsec auto --up Prague
104 "Prague" #3: STATE_MAIN_I1: initiate
003 "Prague" #3: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
106 "Prague" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "Prague" #3: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "Prague" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "Prague" #3: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1536}
117 "Prague" #4: STATE_QUICK_I1: initiate
003 "Prague" #4: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME msgid=f23e7198
004 "Prague" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x1ae242ff <0xcf504538 xfrm=3DES_0-HMAC_SHA1 NATOA=none
NATD=none DPD=none}
But now there is some magic, as I cannot send any packet through the
tunnel. I want to connect to a machine on the network (192.168.60.0)
behind the firewall:
1) When I keep the 'rightsubnet' option uncommented and try to connect,
the firewall blocks the traffic, as it does not go via the ESP tunnel.
2) If I comment the 'rightsubnet' option out and try the same, the firewall
says: "encryption failure: Clear text packet should be encrypted"
Is there any help from someone, please?
Is there any way to debug the NETKEY issues (I guess it is related to
NETKEY)?
Many thanks,
Ondrej
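Added example, not part of the original post or of Openswan: with NETKEY the kernel encrypts a packet only when it matches the selectors of an outbound xfrm policy, and `ip xfrm policy` shows those selectors. A conn whose leftprotoport and rightprotoport are both tcp/http, with rightsubnet commented out, installs a host-to-host policy restricted to TCP port 80 on both ends, so a connection from an ephemeral client port, or to any host in 192.168.60.0/24, matches nothing and leaves in the clear. The script below parses constructed `ip xfrm policy` text modelled on that conn (the client address 10.0.0.5 is a placeholder, not the poster's real policy dump) and reports which selector fields a given flow fails.

```python
"""Check whether a flow would be caught by an installed NETKEY (xfrm) policy.

Added example, not code from the mailing-list post. The policy text below
is constructed to mirror the poster's conn: both protoports tcp/http, no
rightsubnet, right=193.85.188.83; 10.0.0.5 is a placeholder client address.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the text format printed by `ip xfrm policy`.
SAMPLE_POLICY_OUTPUT = """\
src 10.0.0.5/32 dst 193.85.188.83/32 proto tcp sport 80 dport 80
    dir out priority 2344 ptype main
    tmpl src 10.0.0.5 dst 193.85.188.83
        proto esp reqid 16385 mode tunnel
src 193.85.188.83/32 dst 10.0.0.5/32 proto tcp sport 80 dport 80
    dir in priority 2344 ptype main
    tmpl src 193.85.188.83 dst 10.0.0.5
        proto esp reqid 16385 mode tunnel
"""

PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}


def proto_number(name: Optional[str]) -> Optional[int]:
    """Map 'tcp'/'6'/None to an IP protocol number (None = any protocol)."""
    if name is None:
        return None
    return int(name) if name.isdigit() else PROTO_NAMES[name.lower()]


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]   # None means any protocol
    sport: Optional[int]   # None means any source port
    dport: Optional[int]   # None means any destination port
    direction: str         # "in", "out" or "fwd"


HEADER_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?"
)
DIR_RE = re.compile(r"^\s+dir (?P<dir>in|out|fwd)\b")


def parse_xfrm_policy(text: str) -> List[Policy]:
    """Parse `ip xfrm policy` output into Policy objects (selector + direction)."""
    policies: List[Policy] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = dict(
                src=ipaddress.ip_network(m["src"], strict=False),
                dst=ipaddress.ip_network(m["dst"], strict=False),
                proto=proto_number(m["proto"]),
                sport=int(m["sport"]) if m["sport"] else None,
                dport=int(m["dport"]) if m["dport"] else None,
            )
            continue
        d = DIR_RE.match(line)
        if d and current is not None:
            policies.append(Policy(direction=d["dir"], **current))
            current = None
    return policies


def mismatched_fields(pol: Policy, src_ip: str, dst_ip: str, proto: str,
                      sport: Optional[int], dport: Optional[int]) -> List[str]:
    """Selector fields of `pol` that the flow fails; empty list means it matches."""
    bad = []
    if ipaddress.ip_address(src_ip) not in pol.src:
        bad.append("src")
    if ipaddress.ip_address(dst_ip) not in pol.dst:
        bad.append("dst")
    if pol.proto is not None and pol.proto != proto_number(proto):
        bad.append("proto")
    if pol.sport is not None and pol.sport != sport:
        bad.append("sport")
    if pol.dport is not None and pol.dport != dport:
        bad.append("dport")
    return bad


def find_policy(policies: List[Policy], direction: str, src_ip: str, dst_ip: str,
                proto: str, sport: Optional[int] = None,
                dport: Optional[int] = None) -> Optional[Policy]:
    """First policy in `direction` whose selectors cover the flow, else None
    (None for an outbound flow means the packet would leave unencrypted)."""
    for pol in policies:
        if pol.direction == direction and not mismatched_fields(
                pol, src_ip, dst_ip, proto, sport, dport):
            return pol
    return None


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_POLICY_OUTPUT)
    # Three outbound flows: to the LAN host, to the gateway from an ephemeral
    # port, and the only shape the tcp/http-to-tcp/http selector accepts.
    for flow in [("10.0.0.5", "192.168.60.10", "tcp", 43210, 80),
                 ("10.0.0.5", "193.85.188.83", "tcp", 43210, 80),
                 ("10.0.0.5", "193.85.188.83", "tcp", 80, 80)]:
        hit = find_policy(pols, "out", *flow)
        print(flow, "-> ESP" if hit else
              "-> clear text, fails %s" % mismatched_fields(pols[0], *flow))
```

On a real client, feed it `ip xfrm policy` output from the box itself; `ip xfrm state` shows whether the corresponding SAs exist, and a packet that matches no outbound policy is exactly the "clear text packet should be encrypted" case the gateway complains about.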