[Openswan Users] NETKEY issue with RoadWarrior connection to Checkpoint R65
Ondrej Valousek
webserv at s3group.cz
Thu Dec 17 07:28:17 EST 2009
And the answer is:
.....
I did not configure the policy properly on the firewall. Now it works
fine (always glad when I can answer myself :-)
Funny thing is that the *protoport option is completely ignored
(everything that belongs to the 192.168.60.x subnet is being tunneled to
the other side).
Ondrej
On 17.12.2009 10:13, Ondrej Valousek wrote:
> Hi All,
>
> I am running Centos5 (kernel 2.6.18, openswan-2.6.21) as a VPN client
> connecting to my Checkpoint firewall authenticating using user
> certificates.
>
> My setup:
> conn "Prague"
> left=%defaultroute
> leftcert=ondrejv-unix
> leftrsasigkey=%cert
> leftprotoport=tcp/http
>
> right=193.85.188.83
> # rightsubnet=192.168.60.0/24
> rightcert=openswan-cert
> rightrsasigkey=%cert
> rightprotoport=tcp/http
>
> I am able to establish the tunnel:
>
> [root at ondar ipsec.d]# ipsec auto --up Prague
> 104 "Prague" #3: STATE_MAIN_I1: initiate
> 003 "Prague" #3: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> 106 "Prague" #3: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "Prague" #3: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> 108 "Prague" #3: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "Prague" #3: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1536}
> 117 "Prague" #4: STATE_QUICK_I1: initiate
> 003 "Prague" #4: ignoring informational payload, type
> IPSEC_RESPONDER_LIFETIME msgid=f23e7198
> 004 "Prague" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
> mode {ESP=>0x1ae242ff <0xcf504538 xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=none}
>
> But now there is some magic, as I cannot send any packet through the
> tunnel. I want to connect to a machine on the network (192.168.60.0)
> behind the firewall:
>
> 1) When I keep the 'rightsubnet' option uncommented and try to
> connect, the firewall blocks the traffic as it does not go via the ESP tunnel.
> 2) If I comment the 'rightsubnet' option out and try the same, the
> firewall says: "encryption failure: Clear text packet should be
> encrypted"
>
> Is there any help from someone please?
> Is there any way to debug the NETKEY issues (I guess it is related to
> NETKEY)?
>
> Many thanks,
> Ondrej
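Added example, not code from the thread or from the Openswan project: a small Python script that reads the conn block quoted above, works out which traffic selector the *protoport and rightsubnet options should produce, and compares it with the selectors the kernel actually has installed, as printed by `ip xfrm policy show` on a NETKEY host. This is the check that answers the "how do I debug NETKEY" question and shows the symptom described in the reply: if the outbound policy for 192.168.60.0/24 carries no `proto tcp sport 80 dport 80`, the whole subnet is being tunneled regardless of protoport. The `ip xfrm policy show` output embedded here is constructed, as is the local address 10.1.2.3; the conn name, peer address and subnet are the ones from the thread.

```python
"""Compare the traffic selectors an ipsec.conf conn asks for with the
selectors installed in the kernel SPD (output of `ip xfrm policy show`)."""

# Constructed sample: the conn from the thread, with rightsubnet active.
IPSEC_CONF = """
conn Prague
    left=%defaultroute
    leftcert=ondrejv-unix
    leftrsasigkey=%cert
    leftprotoport=tcp/http
    right=193.85.188.83
    rightsubnet=192.168.60.0/24
    rightcert=openswan-cert
    rightrsasigkey=%cert
    rightprotoport=tcp/http
"""

# Constructed `ip xfrm policy show` output: the kernel tunnels the whole
# subnet with no protocol/port restriction (the behaviour reported above).
# 10.1.2.3 is a made-up local address.
XFRM_POLICY_NO_PORTS = """\
src 10.1.2.3/32 dst 192.168.60.0/24
\tdir out priority 2344 ptype main
\ttmpl src 10.1.2.3 dst 193.85.188.83
\t\tproto esp reqid 16385 mode tunnel
src 192.168.60.0/24 dst 10.1.2.3/32
\tdir in priority 2344 ptype main
\ttmpl src 193.85.188.83 dst 10.1.2.3
\t\tproto esp reqid 16385 mode tunnel
"""

# Constructed output for the case where protoport did reach the kernel.
XFRM_POLICY_WITH_PORTS = """\
src 10.1.2.3/32 dst 192.168.60.0/24 proto tcp sport 80 dport 80
\tdir out priority 2344 ptype main
\ttmpl src 10.1.2.3 dst 193.85.188.83
\t\tproto esp reqid 16385 mode tunnel
"""

SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22}  # stand-in for /etc/services


def parse_conn(text, name):
    """Return the key=value settings of one conn block (comments skipped)."""
    settings, inside = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("conn "):
            inside = s.split(None, 1)[1].strip('"') == name
            continue
        if inside and "=" in s and not s.startswith("#"):
            key, value = s.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def parse_protoport(value):
    """'tcp/http' -> ('tcp', 80); 'tcp/0', 'tcp/%any' or missing -> (proto, None)."""
    if not value:
        return None, None
    proto, _, port = value.partition("/")
    if port in ("", "0", "%any"):
        return proto, None
    return proto, SERVICE_PORTS.get(port, int(port) if port.isdigit() else None)


def expected_selector(conn):
    """Selector the conn should install for traffic leaving towards the peer."""
    lproto, lport = parse_protoport(conn.get("leftprotoport"))
    rproto, rport = parse_protoport(conn.get("rightprotoport"))
    dst = conn.get("rightsubnet") or (conn["right"] + "/32")
    return {"dst": dst, "proto": rproto or lproto, "sport": lport, "dport": rport}


def parse_xfrm_policies(output):
    """Parse the selector and direction lines of `ip xfrm policy show`."""
    policies = []
    for line in output.splitlines():
        if line.startswith("src "):
            toks = line.split()
            pol = {"src": toks[1], "dst": toks[3], "proto": None,
                   "sport": None, "dport": None, "dir": None}
            for i in range(4, len(toks) - 1, 2):  # optional proto/sport/dport pairs
                key, val = toks[i], toks[i + 1]
                if key == "proto":
                    pol["proto"] = val
                elif key in ("sport", "dport"):
                    pol[key] = int(val)
            policies.append(pol)
        elif line.strip().startswith("dir ") and policies:
            policies[-1]["dir"] = line.split()[1]
    return policies


def check_outbound(conn, policies):
    """Return a list of mismatches between the conn and the outbound SPD entry;
    an empty list means the kernel enforces exactly what the conn asked for."""
    want = expected_selector(conn)
    for pol in policies:
        if pol["dir"] != "out" or pol["dst"] != want["dst"]:
            continue
        return [f"{key}: conn wants {want[key]}, kernel has {pol[key]}"
                for key in ("proto", "sport", "dport")
                if want[key] is not None and pol[key] != want[key]]
    return [f"no outbound policy for {want['dst']}"]


if __name__ == "__main__":
    conn = parse_conn(IPSEC_CONF, "Prague")
    for label, sample in (("no ports", XFRM_POLICY_NO_PORTS),
                          ("with ports", XFRM_POLICY_WITH_PORTS)):
        print(label, check_outbound(conn, parse_xfrm_policies(sample)) or "OK")
```

On a live host, replace the embedded sample with the real output (`subprocess.run(["ip", "xfrm", "policy", "show"], capture_output=True, text=True).stdout`) after `ipsec auto --up`; a policy whose selector lacks the protocol and ports is the kernel-side confirmation that far more than tcp/http is being sent down the tunnel.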