[Openswan Users] switch off strict peer ID checking
Hillel
hbilman at ecommunicate.co.za
Wed Nov 25 00:10:13 EST 2009
Hi,
We are connecting to a Check Point Firewall that has an external IP address
and a temporary, different virtual IP address.
Our provider says they can't remove it until all their clients have moved to
the new external IP, and we need to switch off strict peer ID checking.
We are getting from the logs:
Nov 25 06:54:33 messaging pluto[17605]: "net-openswan-net-checkpoint" #1: Main mode peer ID is ID_IPV4_ADDR: 129.7.66.129'
Nov 25 06:54:33 messaging pluto[17605]: "net-openswan-net-checkpoint" #1: we require peer to have ID 'aa.156.1.6', but peer declares '196.7.66.129'
Nov 25 06:54:33 messaging pluto[17605]: | complete state transition with (null)
Nov 25 06:54:33 messaging pluto[17605]: "net-openswan-net-checkpoint" #1: sending encrypted notification INVALID_ID_INFORMATION to aa.156.1.6:500
Nov 25 06:54:33 messaging pluto[17605]: | **emit ISAKMP Message:
Nov 25 06:54:33 messaging pluto[17605]: | initiator cookie:
Nov 25 06:54:33 messaging pluto[17605]: | a3 19 c2 b3 c3 63 38 bd
Nov 25 06:54:33 messaging pluto[17605]: | responder cookie:
Nov 25 06:54:33 messaging pluto[17605]: | b2 db 6f 97 3b 12 36 93
Nov 25 06:54:33 messaging pluto[17605]: | next payload type: ISAKMP_NEXT_HASH
Nov 25 06:54:33 messaging pluto[17605]: | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
Nov 25 06:54:33 messaging pluto[17605]: | exchange type: ISAKMP_XCHG_INFO
Nov 25 06:54:33 messaging pluto[17605]: | flags: ISAKMP_FLAG_ENCRYPTION
Nov 25 06:54:33 messaging pluto[17605]: | message ID: 30 0b d1 14
Nov 25 06:54:33 messaging pluto[17605]: | ***emit ISAKMP Hash Payload:
Nov 25 06:54:33 messaging pluto[17605]: | next payload type: ISAKMP_NEXT_N
Nov 25 06:54:33 messaging pluto[17605]: | emitting 16 zero bytes of HASH(1) into ISAKMP Hash Payload
Nov 25 06:54:33 messaging pluto[17605]: | emitting length of ISAKMP Hash Payload: 20
Nov 25 06:54:33 messaging pluto[17605]: | ***emit ISAKMP Notification Payload:
Nov 25 06:54:33 messaging pluto[17605]: | next payload type: ISAKMP_NEXT_NONE
Nov 25 06:54:33 messaging pluto[17605]: | DOI: ISAKMP_DOI_IPSEC
Nov 25 06:54:33 messaging pluto[17605]: | protocol ID: 1
Nov 25 06:54:33 messaging pluto[17605]: | SPI size: 0
Nov 25 06:54:33 messaging pluto[17605]: | Notify Message Type: INVALID_ID_INFORMATION
If we use the temporary virtual IP address (right=196.7.66.129) we get:
Nov 25 06:53:26 messaging pluto[16971]: | concluding with best_match=0 best=(nil) (lineno=-1)
Nov 25 06:53:26 messaging pluto[16971]: "net-openswan-net-checkpoint" #1: Can't authenticate: no preshared key found for `xx.yy.zz.3' and `196.7.66.129'. Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 25 06:53:26 messaging pluto[16971]: "net-openswan-net-checkpoint" #1: no acceptable Oakley Transform
Nov 25 06:53:26 messaging pluto[16971]: | complete state transition with (null)
Nov 25 06:53:26 messaging pluto[16971]: "net-openswan-net-checkpoint" #1: sending notification NO_PROPOSAL_CHOSEN to 196.7.66.129:500
Code:
version 2

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug="none"
    #plutodebug="none"
    plutodebug="all"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey

conn net-openswan-net-checkpoint
    type=tunnel
    # Left side is Openswan Linux box with two IP
    left=xx.yy.zz.3
    leftsubnet=xx.yy.zz.4/32
    leftsourceip=xx.yy.zz.4
    leftnexthop=xx.yy.zz.1
    # Right is Check Point Firewall
    right=aa.156.1.6
    #right=196.7.66.129
    rightsubnet=aa.156.64.189/32
    rightsourceip=aa.156.64.189
    rightnexthop=aa.156.1.3
    auth=esp
    auto=start
    authby=secret
    aggrmode=no
    keyexchange=ike
    # Optional: specify encryption/hash methods for phase 1 & 2
    keyingtries=%forever
    ikelifetime=24h
    keylife=1h
    ike=3des-md5-modp1024
    esp=3des-md5
    # Disable Perfect Forward Secrecy, if not working proper
    pfs=no
    # Optional: enable compression (if working)
    compress=no
Our provider's spec for the Check Point Firewall is:
The VPN configurations will be as follows,
Encryption - 3des
Hashing - MD5
IKE SA - 1440 MIN/24 hours
IPSEC SA - 3600 SEC/1 hours
PFS - No PFS
DH-Group - Group2
Preshare-key xxxxxxx
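The two failures in the log above are an IKEv1 main-mode ID mismatch (the peer declares 196.7.66.129 while right=aa.156.1.6 makes pluto expect that address) and, once right= is switched, a PSK lookup that fails because ipsec.secrets is indexed by the (local, peer) pair. The following Python is an added example, not code from the post or from Openswan: it runs the detection over constructed sample lines modelled on the posted log (connection name and masked addresses taken from the post) and reports the ID the peer actually presented and the secrets index that was missing.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in the post (masked addresses kept as posted).
SAMPLE_LOG = """\
Nov 25 06:54:33 messaging pluto[17605]: "net-openswan-net-checkpoint" #1: Main mode peer ID is ID_IPV4_ADDR: '196.7.66.129'
Nov 25 06:54:33 messaging pluto[17605]: "net-openswan-net-checkpoint" #1: we require peer to have ID 'aa.156.1.6', but peer declares '196.7.66.129'
Nov 25 06:54:33 messaging pluto[17605]: | complete state transition with (null)
Nov 25 06:54:33 messaging pluto[17605]: "net-openswan-net-checkpoint" #1: sending encrypted notification INVALID_ID_INFORMATION to aa.156.1.6:500
Nov 25 06:53:26 messaging pluto[16971]: "net-openswan-net-checkpoint" #1: Can't authenticate: no preshared key found for `xx.yy.zz.3' and `196.7.66.129'. Attribute OAKLEY_AUTHENTICATION_METHOD
Nov 25 06:53:26 messaging pluto[16971]: "net-openswan-net-checkpoint" #1: no acceptable Oakley Transform
Nov 25 06:53:26 messaging pluto[16971]: "net-openswan-net-checkpoint" #1: sending notification NO_PROPOSAL_CHOSEN to 196.7.66.129:500
"""

# Only lines tagged with a connection name ("conn" #n:) are diagnostics; "| ..." lines are plutodebug noise.
CONN_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
ID_MISMATCH_RE = re.compile(r"we require peer to have ID '(?P<expected>[^']+)', but peer declares '(?P<declared>[^']+)'")
NO_PSK_RE = re.compile(r"no preshared key found for `(?P<local>[^']+)' and `(?P<peer>[^']+)'")
NOTIFY_RE = re.compile(r"sending (?:encrypted )?notification (?P<type>[A-Z_]+) to (?P<dest>\S+)")

def analyse_pluto_log(text):
    """Summarise IKEv1 main-mode identity and PSK lookup failures per connection."""
    findings = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, msg = m.group("conn"), m.group("msg")
        f = findings.setdefault(conn, {"id_mismatch": None, "missing_psk": None, "notifications": []})
        mm, mp, mn = ID_MISMATCH_RE.search(msg), NO_PSK_RE.search(msg), NOTIFY_RE.search(msg)
        if mm:      # peer presented an ID other than the one right= implies
            f["id_mismatch"] = (mm["expected"], mm["declared"])
        elif mp:    # ipsec.secrets has no PSK indexed by this (local, peer) pair
            f["missing_psk"] = (mp["local"], mp["peer"])
        elif mn:    # notification pluto sent back, with its destination
            f["notifications"].append((mn["type"], mn["dest"]))
    return findings

def recommended_rightid(findings, conn):
    """The ID the peer actually declared: the value to pin with rightid= instead of relaxing the check."""
    f = findings.get(conn)
    return f["id_mismatch"][1] if f and f["id_mismatch"] else None

def secrets_selector(findings, conn):
    """The 'local peer' index an ipsec.secrets PSK line must carry for the failed lookup to succeed."""
    f = findings.get(conn)
    return " ".join(f["missing_psk"]) if f and f["missing_psk"] else None
```

Running analyse_pluto_log(SAMPLE_LOG) gives the declared ID for rightid= and the index pair a PSK line in ipsec.secrets needs, so peer ID checking can stay on while the provider's virtual address is in use.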