[Openswan Users] OpenSwan x Checkpoint
Paul Wouters
paul at xelerance.com
Mon Jul 6 11:38:13 EDT 2009
On Mon, 6 Jul 2009, William Ferraz wrote:
> I need some help to connect my firewall with gentoo-linux and openswan to
> Check Point NGX R62.
> firewall ~ # ipsec look
Note ipsec look does not work when using netkey.
> # basic configuration
> config setup
> interfaces="%defaultroute"
>
> # plutodebug / klipsdebug = "all", "none" or a combination from below:
> #
> # "raw crypt parsing emitting control klips pfkey natt x509 private"
> # eg: plutodebug="control parsing"
> #
>
> klipsdebug="all"
> plutodebug="all"
> # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
I guess I should have said "openswan developer" :P
> conn inm-net
> keyexchange=ike
> ike=aes256-sha1-modp1024
> aggrmode=no
> type=tunnel
> pfs=no
> ikelifetime=1440s
> keylife=3600s
Any reason why to change these lifetimes from the default?
> left=200.XXX.XXX.234
> leftnexthop=200.XXX.XXX.233
> leftsubnet=10.10.11.0/24
> leftupdown=/usr/lib/ipsec/_updown
Leave out leftupdown= if you are using the default updown script.
> right=201.XXX.XXX.20
> rightnexthop=201.XXX.XXX.1
> rightsubnet=5.16.8.0/24
> auth=esp
> authby=secret
> esp=aes128-sha1
> auto=start
> 200.XXX.XXX.234 201.XXX.XXX.20 : PSK "<my secret are oculted>"
> Log:
> Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: transition from
> state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul 6 10:30:20 firewall pluto[11204]: | deleting event for #3
> Jul 6 10:30:20 firewall pluto[11204]: | sending reply packet to
> 201.XXX.XXX.20:500 (from port 500)
> Jul 6 10:30:20 firewall pluto[11204]: | sending 60 bytes for
> STATE_QUICK_I1 through eth0:500 to 201.XXX.XXX.20:500 (using #3)
> Jul 6 10:30:20 firewall pluto[11204]: | ed 72 75 18 6a 9e fe 70 70
> b3 3a 30 a2 94 be 26
> Jul 6 10:30:20 firewall pluto[11204]: | 08 10 20 01 9d 07 bd 62 00
> 00 00 3c 3d 95 1a 89
This is why you should not enable all debug. Please show a log without
specifying plutodebug=
> Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: STATE_QUICK_I2: sent
> QI2, IPsec SA established tunnel mode {ESP=>0x42b8a16c <0x5bfeed6b
> xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Seems that connection came up fine.
> My interface ipsec0 doesn't start and I cannot connect to any service on the
> other network.
You are using netkey? Then there are no ipsecX interfaces.
Paul
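The points raised in this reply (plutodebug/klipsdebug set to "all", a leftupdown= that just names the default script, lifetimes changed from the defaults, and no ipsecX interfaces or working `ipsec look` on the netkey stack) can be checked mechanically before posting a config. The following is an added example, not code from this thread or from openswan: a small Python linter for ipsec.conf run against a constructed copy of the posted configuration with documentation addresses substituted for the redacted ones. The defaults it compares against (ikelifetime 1h, keylife 8h, the _updown path) and the treatment of an unset protostack as netkey are assumptions made for the example.

```python
"""Lint an openswan ipsec.conf for the issues discussed in this thread.
Added example; the defaults below are assumptions for illustration."""
import re
from collections import OrderedDict

# Assumed openswan defaults (not taken from the thread).
DEFAULT_UPDOWN = "/usr/lib/ipsec/_updown"
DEFAULT_LIFETIMES = {"ikelifetime": 3600, "keylife": 8 * 3600}  # seconds
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(value):
    """Convert an ipsec.conf time value ('1440s', '1h', '3600') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * UNIT_SECONDS.get(m.group(2), 1)


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' and 'conn <name>'.
    Section headers start in column 0; parameters are indented; '#' comments
    and blank lines are ignored."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(config\s+setup|conn\s+\S+)$", line.strip())
        if header and not raw[0].isspace():
            current = " ".join(header.group(1).split())
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def lint(sections):
    """Return a list of (section, message) findings; empty means clean."""
    findings = []
    setup = sections.get("config setup", {})
    for key in ("plutodebug", "klipsdebug"):
        if setup.get(key) == "all":
            findings.append(("config setup",
                key + "=all floods the log with packet hex dumps; use a narrow "
                "class such as 'control' or leave it unset"))
    # Assumption: an unset protostack behaves as netkey on a 2.6 kernel.
    if setup.get("protostack", "netkey") == "netkey":
        findings.append(("config setup",
            "netkey stack: there are no ipsecX interfaces and 'ipsec look' "
            "does not apply; inspect SAs with 'ip xfrm state' / 'ip xfrm policy'"))
    for name, conn in sections.items():
        if not name.startswith("conn "):
            continue
        for side in ("leftupdown", "rightupdown"):
            if conn.get(side) == DEFAULT_UPDOWN:
                findings.append((name, side + "= names the default updown "
                                 "script; leave it out"))
        for key, default in DEFAULT_LIFETIMES.items():
            if key in conn and to_seconds(conn[key]) != default:
                findings.append((name, "%s=%s differs from the assumed default "
                                 "of %ds; confirm the peer needs it"
                                 % (key, conn[key], default)))
    return findings


# Constructed sample mirroring the posted config; addresses are
# RFC 5737 documentation ranges standing in for the redacted ones.
SAMPLE_CONF = """\
config setup
    interfaces="%defaultroute"
    klipsdebug="all"
    plutodebug="all"

conn inm-net
    keyexchange=ike
    ike=aes256-sha1-modp1024
    aggrmode=no
    type=tunnel
    pfs=no
    ikelifetime=1440s
    keylife=3600s
    left=192.0.2.234
    leftnexthop=192.0.2.233
    leftsubnet=10.10.11.0/24
    leftupdown=/usr/lib/ipsec/_updown
    right=198.51.100.20
    rightnexthop=198.51.100.1
    rightsubnet=5.16.8.0/24
    auth=esp
    authby=secret
    esp=aes128-sha1
    auto=start
"""

if __name__ == "__main__":
    for section, message in lint(parse_ipsec_conf(SAMPLE_CONF)):
        print("%s: %s" % (section, message))
```

Running it on the sample prints one line per finding: both debug knobs, the netkey note, the redundant leftupdown=, and the two non-default lifetimes. A config that sets protostack=klips and plutodebug=control produces no findings.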