[Openswan Users] NETKEY issue with RoadWarrior connection to Checkpoint R65

Ondrej Valousek webserv at s3group.cz
Thu Dec 17 04:13:09 EST 2009


Hi All,

I am running CentOS 5 (kernel 2.6.18, openswan-2.6.21) as a VPN client 
connecting to my Checkpoint firewall, authenticating using user certificates.

My setup:
conn "Prague"
         left=%defaultroute
         leftcert=ondrejv-unix
         leftrsasigkey=%cert
         leftprotoport=tcp/http

         right=193.85.188.83
#       rightsubnet=192.168.60.0/24
         rightcert=openswan-cert
         rightrsasigkey=%cert
         rightprotoport=tcp/http

I am able to establish the tunnel:

[root at ondar ipsec.d]# ipsec auto --up Prague
104 "Prague" #3: STATE_MAIN_I1: initiate
003 "Prague" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
106 "Prague" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "Prague" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "Prague" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "Prague" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "Prague" #4: STATE_QUICK_I1: initiate
003 "Prague" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=f23e7198
004 "Prague" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x1ae242ff <0xcf504538 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

But now there is some magic, as I cannot send any packet through the 
tunnel. I want to connect to a machine on the network (192.168.60.0) 
behind the firewall:

1) When I keep the 'rightsubnet' option uncommented and try to connect, 
the firewall blocks the traffic as it does not go via the ESP tunnel.
2) If I comment the 'rightsubnet' option out and try the same, the firewall 
says: "encryption failure: Clear text packet should be encrypted"

Is there any help from someone, please?
Is there any way to debug the NETKEY issues (I guess it is related to 
NETKEY)?

Many thanks,
Ondrej
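The post shows the conn definition but not the traffic selectors that end up in the kernel, which is what decides whether a packet is ESP-encapsulated or leaves the host in the clear. The following is an added example (my own code, not from the post and not part of Openswan) that models how Openswan derives each side's selector from left/rightsubnet and left/rightprotoport and reports, for a given packet, every selector condition it fails. Assumptions: the client's own address is taken as 10.0.0.5 in place of %defaultroute, the service and protocol tables are a tiny stand-in for /etc/services and /etc/protocols, the three packets are constructed, and the model ignores port ranges and %any subnets.

```python
# Added example: a small model of the traffic selectors an Openswan conn
# installs, used to check whether an outbound packet would be tunneled.
import ipaddress

# Assumption: minimal stand-ins for /etc/services and /etc/protocols.
SERVICES = {"http": 80, "https": 443, "ssh": 22}
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}

# The conn block exactly as posted in the thread (rightsubnet commented out).
POSTED_CONN = """\
conn "Prague"
         left=%defaultroute
         leftcert=ondrejv-unix
         leftrsasigkey=%cert
         leftprotoport=tcp/http

         right=193.85.188.83
#       rightsubnet=192.168.60.0/24
         rightcert=openswan-cert
         rightrsasigkey=%cert
         rightprotoport=tcp/http
"""


def parse_conn(text):
    """Parse the key=value lines of one conn block; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def parse_protoport(spec):
    """'tcp/http' -> (6, 80); 'tcp' -> (6, 0); '' -> (0, 0). 0 means 'any'."""
    if not spec:
        return (0, 0)
    proto, _, port = spec.partition("/")
    proto_num = PROTOCOLS.get(proto) or (int(proto) if proto.isdigit() else 0)
    if port in ("", "%any"):
        return (proto_num, 0)
    port_num = SERVICES.get(port) or (int(port) if port.isdigit() else 0)
    return (proto_num, port_num)


def selector(conf, side, host_addr):
    """(network, proto, port) for one side; without a *subnet it is the host itself."""
    subnet = conf.get(side + "subnet")
    net = ipaddress.ip_network(subnet if subnet else host_addr + "/32")
    proto, port = parse_protoport(conf.get(side + "protoport", ""))
    return net, proto, port


def why_not_tunneled(conf, left_addr, src, sport, dst, dport, proto):
    """List the selector mismatches for an outbound packet src:sport -> dst:dport
    over IP protocol `proto`; an empty list means the policy matches and the
    packet would be ESP-encapsulated."""
    reasons = []
    lnet, lproto, lport = selector(conf, "left", left_addr)
    rnet, rproto, rport = selector(conf, "right", conf["right"])
    if ipaddress.ip_address(src) not in lnet:
        reasons.append(f"source {src} outside left selector {lnet}")
    if ipaddress.ip_address(dst) not in rnet:
        reasons.append(f"destination {dst} outside right selector {rnet}")
    for name, want in (("leftprotoport", lproto), ("rightprotoport", rproto)):
        if want and want != proto:
            reasons.append(f"{name} requires IP protocol {want}, packet has {proto}")
    if lport and lport != sport:
        reasons.append(f"leftprotoport pins source port {lport}, packet uses {sport}")
    if rport and rport != dport:
        reasons.append(f"rightprotoport pins destination port {rport}, packet uses {dport}")
    return reasons


def check_posted_config(rightsubnet_enabled):
    """Run three constructed packets against the posted conn, optionally with the
    commented rightsubnet line re-enabled; returns {packet label: tunneled?}."""
    conf = parse_conn(POSTED_CONN)
    if rightsubnet_enabled:
        conf["rightsubnet"] = "192.168.60.0/24"  # the value on the commented line
    left = "10.0.0.5"  # assumption: what %defaultroute resolves to on this client
    packets = {  # (src, sport, dst, dport, proto), all constructed
        "ping 192.168.60.10": ("10.0.0.5", 0, "192.168.60.10", 0, 1),
        "http to 192.168.60.10 from ephemeral port": ("10.0.0.5", 40000, "192.168.60.10", 80, 6),
        "http to the firewall itself, sport 80": ("10.0.0.5", 80, "193.85.188.83", 80, 6),
    }
    return {label: not why_not_tunneled(conf, left, *pkt) for label, pkt in packets.items()}


if __name__ == "__main__":
    for enabled in (False, True):
        print("rightsubnet", "enabled" if enabled else "commented out")
        conf = parse_conn(POSTED_CONN)
        if enabled:
            conf["rightsubnet"] = "192.168.60.0/24"
        for label, ok in check_posted_config(enabled).items():
            print(f"  {'ESP' if ok else 'clear':>5}  {label}")
        for reason in why_not_tunneled(conf, "10.0.0.5", "10.0.0.5", 40000, "192.168.60.10", 80, 6):
            print("         -", reason)
```

On the live client the authoritative view of what NETKEY actually installed is `ip xfrm policy` (and `ip xfrm state` for the SAs); the model above only shows which packets such a policy can match. Two things it makes visible for the posted conn: without rightsubnet the right selector is the firewall's own address, so nothing addressed to 192.168.60.0/24 is eligible for ESP, and a protoport on both ends means a packet must match the port on both its source and its destination side before it is encapsulated at all.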

