[Openswan Users] OpenSwan x Checkpoint
William Ferraz
william.ferraz at inmetrics.com.br
Mon Jul 6 09:42:10 EDT 2009
Hi people!
I need some help connecting my firewall, running Gentoo Linux and Openswan, to a Check Point NGX R62.
firewall ~ # ipsec version
Linux Openswan U2.6.21/K2.6.29-gentoo-r1 (netkey)
firewall ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.21/K2.6.29-gentoo-r1 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
firewall ~ # ipsec look
firewall Mon Jul 6 10:29:14 BRT 2009
IPSEC TABLE
iptables: No chain/target/match by that name.
ROUTING TABLE
200.XXX.XXX.232/29 dev eth0 proto kernel scope link src 200.XXX.XXX.234
default via 200.XXX.XXX.233 dev eth0
My /etc/ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006-10-19 03:49:46 paul Exp $
# This file: /usr/share/doc/openswan-2.4.14/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces="%defaultroute"
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    #
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg: plutodebug="control parsing"
    #
    klipsdebug="all"
    plutodebug="all"
    # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=no
    # virtual_private=%v4:10.10.11.0/24,%v4:5.16.8.0/24,%v4:201.XXX.XXX.XXX/XX,%v4:200.XXX.XXX.XXX/XX
    #
    # enable this if you see "failed to find any available worker"
    # nhelpers=0
# Add connections here
conn inm-net
    keyexchange=ike
    ike=aes256-sha1-modp1024
    aggrmode=no
    type=tunnel
    pfs=no
    ikelifetime=1440s
    keylife=3600s
    left=200.XXX.XXX.234
    leftnexthop=200.XXX.XXX.233
    leftsubnet=10.10.11.0/24
    leftupdown=/usr/lib/ipsec/_updown
    right=201.XXX.XXX.20
    rightnexthop=201.XXX.XXX.1
    rightsubnet=5.16.8.0/24
    auth=esp
    authby=secret
    esp=aes128-sha1
    auto=start
conn inm-net2
    keyexchange=ike
    ike=aes256-sha1-modp1024
    aggrmode=no
    type=tunnel
    pfs=no
    ikelifetime=1440s
    keylife=3600s
    left=200.XXX.XXX.234
    leftnexthop=200.XXX.XXX.233
    leftsubnet=10.10.11.0/24
    leftupdown=/usr/lib/ipsec/_updown
    right=201.XXX.XXX.20
    rightnexthop=201.XXX.XXX.1
    rightsubnet=5.8.8.0/24
    auth=esp
    authby=secret
    esp=aes128-sha1
    auto=start
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
My /etc/ipsec.secrets
200.XXX.XXX.234 201.XXX.XXX.20 : PSK "<my secret are oculted>"
Log:
Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 6 10:30:20 firewall pluto[11204]: | deleting event for #3
Jul 6 10:30:20 firewall pluto[11204]: | sending reply packet to 201.XXX.XXX.20:500 (from port 500)
Jul 6 10:30:20 firewall pluto[11204]: | sending 60 bytes for STATE_QUICK_I1 through eth0:500 to 201.XXX.XXX.20:500 (using #3)
Jul 6 10:30:20 firewall pluto[11204]: | ed 72 75 18 6a 9e fe 70 70 b3 3a 30 a2 94 be 26
Jul 6 10:30:20 firewall pluto[11204]: | 08 10 20 01 9d 07 bd 62 00 00 00 3c 3d 95 1a 89
Jul 6 10:30:20 firewall pluto[11204]: | 49 1f 6c a5 77 e6 b2 86 16 61 98 d4 16 c2 aa df
Jul 6 10:30:20 firewall pluto[11204]: | 50 4f 2b 14 40 c7 e8 c0 df 50 53 78
Jul 6 10:30:20 firewall pluto[11204]: | inserting event EVENT_SA_REPLACE, timeout in 2664 seconds for #3
Jul 6 10:30:20 firewall pluto[11204]: | event added after event EVENT_SA_REPLACE for #1
Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x42b8a16c <0x5bfeed6b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jul 6 10:30:20 firewall pluto[11204]: | modecfg pull: noquirk policy:push not-client
Jul 6 10:30:20 firewall pluto[11204]: | phase 1 is done, looking for phase 2 to unpend
Jul 6 10:30:20 firewall pluto[11204]: | * processed 0 messages from cryptographic helpers
Jul 6 10:30:20 firewall pluto[11204]: | next event EVENT_PENDING_PHASE2 in 109 seconds
Jul 6 10:30:20 firewall pluto[11204]: | next event EVENT_PENDING_PHASE2 in 109 seconds
My interface ipsec0 doesn't start and I can't connect to any service on the other network.
Can somebody help me?
William Ferraz
williamferraz at inmetrics.com.br
+55-11-3555-6825
+55-11-9493-3475
http://www.inmetrics.com.br
Avenida Guido Caloi, 1000 - bloco 4
- 4 andar
Condomínio Panamérica Park
05802-140 São Paulo SP Brasil
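The pluto log above says more than the poster reads from it: the "IPsec SA established" line records that the inm-net tunnel did come up with its SPIs and transform, the second conn (inm-net2) never appears, and every "|" line is plutodebug=all output (including raw packet bytes) that the sample config itself says to leave off outside development. The parser below, added here as an example and not part of the post or of Openswan, extracts that per-connection state from syslog lines in the format seen in the post; the sample log is constructed from those lines.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the pluto lines quoted in the post above.
SAMPLE_LOG = """\
Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 6 10:30:20 firewall pluto[11204]: | deleting event for #3
Jul 6 10:30:20 firewall pluto[11204]: | ed 72 75 18 6a 9e fe 70 70 b3 3a 30 a2 94 be 26
Jul 6 10:30:20 firewall pluto[11204]: | inserting event EVENT_SA_REPLACE, timeout in 2664 seconds for #3
Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x42b8a16c <0x5bfeed6b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jul 6 10:30:20 firewall pluto[11204]: | next event EVENT_PENDING_PHASE2 in 109 seconds
"""

# Lines attributed to a connection: pluto[PID]: "conn" #SA: message
CONN_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
ESTABLISHED_RE = re.compile(
    r'IPsec SA established (?P<mode>\w+) mode '
    r'\{ESP=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+) '
    r'xfrm=(?P<xfrm>\S+) NATOA=(?P<natoa>\S+) NATD=(?P<natd>\S+) DPD=(?P<dpd>\S+)\}')
# Lines starting with "| " only exist when plutodebug is enabled.
DEBUG_RE = re.compile(r'pluto\[\d+\]: \| ')


def parse_pluto_log(text):
    """Return ({conn: {"states": [...], "ipsec_sa": {...}|None}}, debug_line_count)."""
    conns = defaultdict(lambda: {"states": [], "ipsec_sa": None})
    debug_lines = 0
    for line in text.splitlines():
        if DEBUG_RE.search(line):
            debug_lines += 1
            continue
        m = CONN_RE.search(line)
        if not m:
            continue
        entry = conns[m.group("conn")]
        t = TRANSITION_RE.search(m.group("msg"))
        if t:
            entry["states"].append(t.group(2))
        e = ESTABLISHED_RE.search(m.group("msg"))
        if e:  # phase 2 done: record SA number, SPIs and negotiated transform
            entry["ipsec_sa"] = {"sa": int(m.group("sa")), **e.groupdict()}
    return dict(conns), debug_lines


def tunnel_report(text, expected_conns):
    """For each conn named in ipsec.conf, say whether the log shows an IPsec SA."""
    conns, debug_lines = parse_pluto_log(text)
    report = {name: ("established" if conns.get(name, {}).get("ipsec_sa") else "no IPsec SA in log")
              for name in expected_conns}
    return report, debug_lines
```

Running it against the full log with both conn names from the config would show which of the two tunnels the peer actually negotiated, and a non-zero debug count is the reminder to drop plutodebug/klipsdebug back to "none" once the problem is found.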