[Openswan Users] trying to use openswan with Check Point Firewall

Hillel hbilman at ecommunicate.co.za
Sun Nov 22 09:03:51 EST 2009


Hi,

We are trying to set up Openswan with a Check Point Firewall.

On Check Point, aa.bb.1.6 is the firewall and aa.bb.64.189 is the encryption
domain.

On the Linux Openswan box, xx.yy.zz.3 is the firewall (also eth0) and
xx.yy.zz.4 is the encryption domain (also eth0:2, on the same Ethernet card).

The company we are connecting to with the IPsec VPN tunnel says the encryption
is correct.

From the logs below we are getting: "address family inconsistency in this
connection=2 host=2/nexthop=0" ??

Any help appreciated.

 

version 2

conn net-checkpoint-net-openwan
        type=tunnel
        # Left side is Check Point
        left=aa.bb.1.6
        leftnexthop=%defaultroute
        leftsubnet=aa.bb.64.0/24
        leftsourceip=aa.bb.64.189
        # Right is Openswan Linux box with two IPs
        right=xx.yy.zz.3
        rightsubnet=xx.yy.zz.0/29
        rightsourceip=xx.yy.zz.4
        rightnexthop=xx.yy.zz.1
        auth=esp
        auto=start
        authby=secret
        aggrmode=no
        keyexchange=ike
        # Optionally specify encryption/hash methods for phase 1 & 2
        keyingtries=%forever
        ikelifetime=24m
        keylife=1h
        ike=3des-md5-modp1024
        esp=3des-md5
        # Disable Perfect Forward Secrecy if not working properly
        pfs=no
        # Optionally enable compression (if working)
        compress=no

tail /var/log/messages

Nov 22 15:47:20 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Nov 22 15:47:20 ipsec_setup: ...Openswan IPsec started
Nov 22 15:47:20 ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 22 15:47:20 last message repeated 2 times
Nov 22 15:47:20 ipsec__plutorun: 002 Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 22 15:47:20 ipsec__plutorun: 023 address family inconsistency in this connection=2 host=2/nexthop=0
Nov 22 15:47:20 ipsec__plutorun: 037 attempt to load incomplete connection
Nov 22 15:47:21 ipsec__plutorun: 021 no connection named "net-checkpoint-net-openwan"
Nov 22 15:47:21 ipsec__plutorun: 000 initiating all conns with alias='net-checkpoint-net-openwan'
Nov 22 15:47:21 ipsec__plutorun: 021 no connection named "net-checkpoint-net-openwan"

tail /var/log/secure

Nov 22 15:47:20 pluto[9926]: attempt to load incomplete connection
Nov 22 15:47:21 pluto[9926]: listening for IKE messages
Nov 22 15:47:21 pluto[9926]: adding interface eth0:2/eth0:2 xx.yy.zz.4:500
Nov 22 15:47:21 pluto[9926]: adding interface eth0/eth0 xx.yy.zz:3:500
Nov 22 15:47:21 pluto[9926]: adding interface lo/lo 127.0.0.1:500
Nov 22 15:47:21 pluto[9926]: adding interface lo/lo ::1:500
Nov 22 15:47:21 pluto[9926]: loading secrets from "/etc/ipsec.secrets"
Nov 22 15:47:21 pluto[9926]: initiating all conns with alias='net-checkpoint-net-openwan'

 

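As an added example (not code from the original post or from Openswan), a small pre-flight check that parses a conn block laid out like the posted ipsec.conf and reports the subnet/nexthop fields whose address family disagrees with the left/right host family. It assumes the numbers in the pluto message are socket address-family codes (2 = AF_INET, 0 = AF_UNSPEC, i.e. a value such as %defaultroute that addconn has not resolved), and uses RFC 5737 documentation addresses in place of the anonymised ones.

```python
import ipaddress
import re
import socket
# Constructed sample laid out like the posted conn block (RFC 5737 addresses).
SAMPLE_CONF = """\
conn net-checkpoint-net-openwan
        type=tunnel
        # Left side is Check Point
        left=198.51.100.6
        leftnexthop=%defaultroute
        leftsubnet=198.51.100.0/24
        right=203.0.113.3
        rightsubnet=203.0.113.0/29
        rightnexthop=203.0.113.1
"""

def parse_conn(text):
    """Return {conn_name: {key: value}}; '#' comments and blank lines are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return conns

def address_family(value):
    """AF_INET (2) / AF_INET6 for a literal address or CIDR; AF_UNSPEC (0) for a
    symbolic value such as %defaultroute (assumed to be the 'nexthop=0' case)."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return int(socket.AF_UNSPEC)
    return int(socket.AF_INET if net.version == 4 else socket.AF_INET6)

def check_families(conn):
    """List fields whose family differs from the left/right host family."""
    host_fams = {address_family(conn.get(k, "")) for k in ("left", "right")}
    if len(host_fams) != 1:
        return ["left and right are not in the same address family"]
    host = host_fams.pop()
    return [f"{key}={conn[key]}: family {address_family(conn[key])} vs host={host}"
            for key in ("leftsubnet", "rightsubnet", "leftnexthop", "rightnexthop")
            if key in conn and address_family(conn[key]) != host]
```

Running check_families on the sample flags only leftnexthop, which reproduces the shape of the "host=2/nexthop=0" complaint before pluto is ever started.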