[Openswan Users] NETKEY issue with RoadWarrior connection to Checkpoint R65

Ondrej Valousek webserv at s3group.cz
Thu Dec 17 07:28:17 EST 2009


And the answer is:
.....
I did not configure the policy properly on the firewall. Now it works 
fine (always glad when I can answer myself :-)
Funny thing is that the *protoport option is completely ignored 
(everything that belongs to the 192.168.60.x subnet is being tunneled to 
the other side).

Ondrej

On 17.12.2009 10:13, Ondrej Valousek wrote:
> Hi All,
>
> I am running Centos5 (kernel 2.6.18, openswan-2.6.21) as a VPN client 
> connecting to my Checkpoint firewall authenticating using user 
> certificates.
>
> My setup:
> conn "Prague"
>         left=%defaultroute
>         leftcert=ondrejv-unix
>         leftrsasigkey=%cert
>         leftprotoport=tcp/http
>
>         right=193.85.188.83
> #       rightsubnet=192.168.60.0/24
>         rightcert=openswan-cert
>         rightrsasigkey=%cert
>         rightprotoport=tcp/http
>
> I am able to establish the tunnel:
>
> [root at ondar ipsec.d]# ipsec auto --up Prague
> 104 "Prague" #3: STATE_MAIN_I1: initiate
> 003 "Prague" #3: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> 106 "Prague" #3: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "Prague" #3: NAT-Traversal: Result using 
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> 108 "Prague" #3: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "Prague" #3: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha 
> group=modp1536}
> 117 "Prague" #4: STATE_QUICK_I1: initiate
> 003 "Prague" #4: ignoring informational payload, type 
> IPSEC_RESPONDER_LIFETIME msgid=f23e7198
> 004 "Prague" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel 
> mode {ESP=>0x1ae242ff <0xcf504538 xfrm=3DES_0-HMAC_SHA1 NATOA=none 
> NATD=none DPD=none}
>
> But now there is some magic, as I cannot send any packet through the 
> tunnel. I want to connect to a machine on the network (192.168.60.0) 
> behind the firewall:
>
> 1) When I keep the 'rightsubnet' option uncommented and try to 
> connect, the firewall blocks the traffic as it does not go via the ESP tunnel.
> 2) If I comment the option 'rightsubnet' out and try the same, the 
> firewall says: "encryption failure: Clear text packet should be 
> encrypted"
>
> Is there any help from someone, please?
> Is there any way to debug the NETKEY issues (I guess it is related to 
> NETKEY)?
>
> Many thanks,
> Ondrej
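The original post asks how to debug NETKEY issues. One check a practitioner would make is to look at the IPsec policies the kernel's XFRM stack actually installed, which shows whether the leftprotoport/rightprotoport selector narrowed the policy to tcp/80 or whether the whole rightsubnet is being tunneled, as the follow-up reports. The script below is an added example, not code from the thread or from Openswan; it is fed a constructed sample modelled on `ip xfrm policy` output (the 10.1.2.3 address, priorities and reqid values are made up).

```shell
#!/bin/sh
# Added example: summarise the IPsec policies NETKEY/XFRM installed, so a
# protoport restriction that did (or did not) reach the kernel selector is
# visible. On a live host run:  ip xfrm policy | summarize_xfrm_policies

summarize_xfrm_policies() {
    awk '
        # A line starting with "src" opens a new policy record; parse the
        # traffic selector and any proto/dport narrowing on it.
        /^src / {
            src = $2; dst = $4; proto = "any"; dport = "any"
            for (i = 5; i <= NF; i++) {
                if ($i == "proto") proto = $(i + 1)
                if ($i == "dport") dport = $(i + 1)
            }
        }
        /^[ \t]*dir / { dir = $2 }
        # The first template line closes the record: print one summary line.
        /^[ \t]*tmpl / {
            kind = (proto != "any" || dport != "any") ? "narrowed" : "whole-subnet"
            printf "%s %s->%s proto=%s dport=%s %s\n", dir, src, dst, proto, dport, kind
        }
    '
}

# Constructed sample (not real output): the outbound policy carries the
# tcp/80 selector, the inbound one covers the entire 192.168.60.0/24 subnet.
SAMPLE_XFRM_POLICY='src 10.1.2.3/32 dst 192.168.60.0/24 proto tcp dport 80
	dir out priority 2344 ptype main
	tmpl src 10.1.2.3 dst 193.85.188.83
		proto esp reqid 16385 mode tunnel
src 192.168.60.0/24 dst 10.1.2.3/32
	dir in priority 2344 ptype main
	tmpl src 193.85.188.83 dst 10.1.2.3
		proto esp reqid 16385 mode tunnel'

# Number of installed policies that are not restricted by proto/port.
count_whole_subnet_policies() {
    printf '%s\n' "$SAMPLE_XFRM_POLICY" | summarize_xfrm_policies | grep -c 'whole-subnet$'
}

printf '%s\n' "$SAMPLE_XFRM_POLICY" | summarize_xfrm_policies
```

If every policy prints as whole-subnet while the conn has protoport set, the restriction never reached the kernel; compare with `ipsec auto --status` to see what pluto negotiated.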
