[Openswan Users] Problems with Checkipoint

Randy Wyatt rwyatt at nvtl.com
Wed Nov 3 16:03:07 EDT 2010


What is the specific problem you are having?

From the logfile, the tunnel is getting established.

Nov  3 16:52:58 fwrj pluto[16284]: "site1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd25bf62c <0

Regards,
Randy

-----Original Message-----
From: Ronaldo Santos (terra) [mailto:rosuport at terra.com.br]
Sent: Wed 11/3/2010 1:01 PM
To: Randy Wyatt; users at openswan.org
Subject: Re: [Openswan Users] Problems with Checkipoint
 
Log:
Nov  3 16:52:56 fwrj ipsec__plutorun: Starting Pluto subsystem...
Nov  3 16:52:56 fwrj pluto[16284]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:16284
Nov  3 16:52:56 fwrj pluto[16284]: SAref support [disabled]: Protocol not available
Nov  3 16:52:56 fwrj pluto[16284]: SAbind support [disabled]: Protocol not available
Nov  3 16:52:56 fwrj pluto[16284]: Setting NAT-Traversal port-4500 floating to on
Nov  3 16:52:56 fwrj pluto[16284]:    port floating activation criteria nat_t=1/port_float=1
Nov  3 16:52:56 fwrj pluto[16284]:    NAT-Traversal support  [enabled]
Nov  3 16:52:56 fwrj pluto[16284]: using /dev/urandom as source of random entropy
Nov  3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Nov  3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Nov  3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Nov  3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov  3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Nov  3 16:52:56 fwrj pluto[16284]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Nov  3 16:52:56 fwrj pluto[16284]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Nov  3 16:52:56 fwrj pluto[16284]: starting up 1 cryptographic helpers
Nov  3 16:52:56 fwrj pluto[16289]: using /dev/urandom as source of random entropy
Nov  3 16:52:56 fwrj pluto[16284]: started helper pid=16289 (fd:7)
Nov  3 16:52:56 fwrj pluto[16284]: Kernel interface auto-pick
Nov  3 16:52:56 fwrj pluto[16284]: No Kernel NETKEY interface detected
Nov  3 16:52:56 fwrj pluto[16284]: Using KLIPSng (mast) IPsec interface code on 2.6.27.7-smp
Nov  3 16:52:56 fwrj pluto[16284]: Changed path to directory '/etc/ipsec.d/cacerts'
Nov  3 16:52:56 fwrj pluto[16284]: Changed path to directory '/etc/ipsec.d/aacerts'
Nov  3 16:52:56 fwrj pluto[16284]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Nov  3 16:52:56 fwrj pluto[16284]: Changing to directory '/etc/ipsec.d/crls'
Nov  3 16:52:56 fwrj pluto[16284]:   Warning: empty directory
Nov  3 16:52:56 fwrj pluto[16284]: added connection description "site1"
Nov  3 16:52:56 fwrj pluto[16284]: listening for IKE messages
Nov  3 16:52:56 fwrj pluto[16284]: found mast0 device already present
Nov  3 16:52:56 fwrj pluto[16284]: device mast0 already in use
Nov  3 16:52:56 fwrj pluto[16284]: | useful mast device 0
Nov  3 16:52:56 fwrj pluto[16284]: NAT-Traversal: Trying new style NAT-T
Nov  3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun0 192.168.254.100:500 (fd=12)
Nov  3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun0 192.168.254.100:4500 (fd=13)
Nov  3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun1 10.8.0.1:500 (fd=14)
Nov  3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun1 10.8.0.1:4500 (fd=15)
Nov  3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth0 192.168.0.187:500 (fd=16)
Nov  3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth0 192.168.0.187:4500 (fd=17)
Nov  3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth1 xxx.xxx.xxx.xxx:500 (fd=18)
Nov  3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth1 xxx.xxx.xxx.xxx:4500 (fd=19)
Nov  3 16:52:56 fwrj pluto[16284]: | useful mast device 0
Nov  3 16:52:56 fwrj pluto[16284]: | useful mast device 0
Nov  3 16:52:56 fwrj pluto[16284]: loading secrets from "/etc/ipsec.secrets"
Nov  3 16:52:56 fwrj pluto[16284]: | mast_shunt_eroute called
Nov  3 16:52:56 fwrj pluto[16284]: "site1" #1: initiating Main Mode
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #1: Main mode peer ID is ID_IPV4_ADDR: '200.185.113.68'
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:d9b63858 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #2: spddel-client output: /usr/local/lib/ipsec/_updown.mast: doroute `iptables -t mangle -D NEW_IPSEC_CONN --src 10.138.66.0/255.255.255.0 --dst 10.97.64.0/255.255.255.0 -j MARK --set-mark 0x83090000' failed (iptables: No chain/target/match by that name)
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #2: spddel-client command exited with status 1
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd25bf62c <0



Thanks
  ----- Original Message ----- 
  From: Randy Wyatt 
  To: Ronaldo Santos (terra) ; users at openswan.org 
  Sent: Wednesday, November 03, 2010 5:39 PM
  Subject: RE: [Openswan Users] Problems with Checkipoint




  You need to post logfiles in order to receive help.

  On my systems, all messages are logged into /var/log/secure.

  Regards,
  Randy

  -----Original Message-----
  From: users-bounces at openswan.org on behalf of Ronaldo Santos (terra)
  Sent: Wed 11/3/2010 11:50 AM
  To: users at openswan.org
  Subject: [Openswan Users] Problems with Checkipoint

  Good afternoon,

  I'm having a problem configuring Openswan with Checkpoint FW-1 (Nokia IP290).
  I think some parameters are missing from my ipsec.conf.
  Can someone help me?

  The Openswan subnet: 10.138.66.0/24

  ipsec.conf

  config setup
          interfaces=%defaultroute
          # debug=all on both is very noisy; turn it down once the tunnel works
          klipsdebug=all
          plutodebug=all
          uniqueids=yes
          nat_traversal=yes
  conn site1
          # Phase 2 (IPsec SA) lifetime: 1h = the Checkpoint's 3600 seconds
          keylife=1h
          # Phase 1 (IKE SA) lifetime: 24h = the Checkpoint's 86400 seconds
          ikelifetime=24h
          # main mode only; the Checkpoint side does not support aggressive mode
          aggrmode=no
          type=tunnel
          left=yyy.yyy.yyy.yyy
          leftsubnet=10.138.66.0/24
          right=xxx.xxx.xxx.xxx
          rightsubnet=10.97.64.0/24
          keyexchange=ike
          auth=esp
          auto=start
          # pre-shared key; the secret itself lives in /etc/ipsec.secrets
          authby=secret
          # Phase 1: 3DES, SHA1, Diffie-Hellman group 2 (modp1024)
          ike=3des-sha1;modp1024
          # Phase 2: ESP with 3DES encryption and MD5 integrity
          esp=3des-md5
          # the Checkpoint side has PFS off
          pfs=no



  The Checkpoint subnet: 10.97.64.0/24

        
  Praxair VPN gateway parameters (Checkpoint side):

    VPN gateway device                   Nokia IP290
    VPN gateway software                 Checkpoint FW-1
    IP address tunnel endpoint           xxx.xxx.xxx.xxx
    Encryption domain                    tbd

  Phase 1
    Encryption scheme                    IKE
    Key exchange method                  3DES
    Data integrity                       SHA1
    Pre-shared key                       tbd
    Diffie-Hellman group                 Group 2
    IKE session key is changed           86400 seconds
    Support aggressive mode              NO
    Support key exchange for subnets     YES

  Phase 2
    Encryption scheme                    IKE
    Data integrity + encryption          ESP
    Encryption algorithm                 3DES
    Data integrity                       MD5
    Compression method                   No compression
    Use perfect forward secrecy          NO
    IPsec session key is changed         3600 seconds



  Ronaldo.
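
The log Ronaldo posted answers his own question: pluto reached STATE_MAIN_I4 and STATE_QUICK_I2, and the attributes it printed (3DES, SHA1, modp1024, ESP 3DES/MD5, no PFS) are exactly what the Checkpoint parameter sheet asks for. The only thing that failed is the _updown.mast script deleting a mangle rule. The script below is an added example, not code from this thread or from Openswan: it parses pluto log lines of the kind shown above, extracts what was negotiated for each conn, compares that against the policy the posted ipsec.conf intends, and flags updown script failures, treating a failed `iptables -D` differently from a failed add. The EXPECTED values are my translation of `ike=3des-sha1;modp1024`, `esp=3des-md5`, `pfs=no` into the names pluto itself printed in the posted log; the sample log lines are copied from the thread with the archive's line wrapping undone.

```python
"""Compare what pluto negotiated with what ipsec.conf intended.

Added example for this thread; not code from the original post or from
Openswan. EXPECTED is derived from the posted conn "site1"
(ike=3des-sha1;modp1024, esp=3des-md5, pfs=no) in the vocabulary pluto
used in the posted log (oakley_3des_cbc_192, oakley_sha, no-pfs).
"""
import re

# Lines copied from the thread's log, with archive line-wrapping undone.
# The final line is truncated in the archive and is kept truncated here.
SAMPLE_LOG = """\
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:d9b63858 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #2: spddel-client output: /usr/local/lib/ipsec/_updown.mast: doroute `iptables -t mangle -D NEW_IPSEC_CONN --src 10.138.66.0/255.255.255.0 --dst 10.97.64.0/255.255.255.0 -j MARK --set-mark 0x83090000' failed (iptables: No chain/target/match by that name)
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #2: spddel-client command exited with status 1
Nov  3 16:52:58 fwrj pluto[16284]: "site1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd25bf62c <0
"""

# Policy the posted conn "site1" intends, in pluto's log vocabulary (assumed mapping).
EXPECTED = {
    "phase1": {"auth": "OAKLEY_PRESHARED_KEY", "cipher": "oakley_3des_cbc_192",
               "prf": "oakley_sha", "group": "modp1024"},
    "phase2": {"enc": "3DES", "integ": "MD5", "pfsgroup": "no-pfs", "mode": "tunnel"},
}

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
KV_RE = re.compile(r'(\w+)=(\S+)')
# pluto prints the ESP proposal as ENC(id)_keylen-INTEG(id)_hashlen
PROPOSAL_RE = re.compile(r'^(?P<enc>[A-Z0-9]+)\(\d+\)_\d+-(?P<integ>[A-Z0-9]+)\(\d+\)_\d+$')


def _attrs(msg):
    """key=value pairs inside the {...} of a pluto status line.
    The closing brace is optional because archived lines are often truncated."""
    m = re.search(r'\{([^}]*)', msg)
    return dict(KV_RE.findall(m.group(1))) if m else {}


def parse_pluto_log(text):
    """Per-conn summary: negotiated phase 1/2 attributes and updown failures."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn = conns.setdefault(m.group("conn"),
                                {"phase1": {}, "phase2": {}, "updown_errors": []})
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            conn["phase1"] = _attrs(msg)
        elif "initiating Quick Mode" in msg:
            # This is the initiator's proposal; with a single proposal the
            # responder can only accept it as-is or reject it.
            a = _attrs(msg)
            p = PROPOSAL_RE.match(a.get("proposal", ""))
            conn["phase2"]["enc"] = p.group("enc") if p else None
            conn["phase2"]["integ"] = p.group("integ") if p else None
            conn["phase2"]["pfsgroup"] = a.get("pfsgroup")
        elif "IPsec SA established" in msg:
            mode = re.search(r'IPsec SA established (\w+) mode', msg)
            conn["phase2"]["mode"] = mode.group(1) if mode else None
            conn["phase2"]["established"] = True
        elif "_updown" in msg and "failed" in msg:
            conn["updown_errors"].append("#%s: %s" % (m.group("sa"), msg))
    return conns


def check_policy(conns, expected):
    """Return (severity, message) findings; empty means everything negotiated
    matches policy and the updown script ran cleanly."""
    findings = []
    for name, c in conns.items():
        if not c["phase1"]:
            findings.append(("error", "%s: no ISAKMP SA established" % name))
        else:
            for k, want in expected["phase1"].items():
                got = c["phase1"].get(k)
                if got != want:
                    findings.append(("error", "%s: phase 1 %s=%s, policy wants %s"
                                     % (name, k, got, want)))
        if not c["phase2"].get("established"):
            findings.append(("error", "%s: no IPsec SA established" % name))
        else:
            for k, want in expected["phase2"].items():
                got = c["phase2"].get(k)
                if got != want:
                    findings.append(("error", "%s: phase 2 %s=%s, policy wants %s"
                                     % (name, k, got, want)))
        for err in c["updown_errors"]:
            # A failed `iptables -D` from spddel-client is usually just the
            # script deleting a rule that does not exist yet. A failed add
            # (-A/-I) means the mark rule the script manages is missing, so
            # the SA would be up but traffic would not be steered into it.
            sev = "info" if " -D " in err else "error"
            findings.append((sev, "%s: updown script: %s" % (name, err)))
    return findings


if __name__ == "__main__":
    for sev, msg in check_policy(parse_pluto_log(SAMPLE_LOG), EXPECTED):
        print(sev.upper(), msg)
```

Run against the posted lines it reports one INFO finding (the failed `-D`) and no policy mismatches, which matches Randy's reading that the tunnel is up. If the NEW_IPSEC_CONN chain itself were missing, the matching `-A` in spdadd-client would fail the same way, and that is the line to look for in /var/log/secure before concluding the tunnel is usable.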


