[Openswan Users] Problems with Checkpoint.
Ronaldo Santos (terra)
rosuport at terra.com.br
Thu Nov 4 08:14:24 EDT 2010
Randy,
We have the same impression that the connection is established, but we cannot pass data through the tunnel.
Do you have any idea what's happening?
Regards,
Ronaldo
----- Original Message -----
From: Randy Wyatt
To: Ronaldo Santos (terra) ; users at openswan.org
Sent: Wednesday, November 03, 2010 6:03 PM
Subject: RE: [Openswan Users] Problems with Checkipoint
What is the specific problem you are having?
From the logfile, the tunnel is getting established.
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd25bf62c <0
Regards,
Randy
-----Original Message-----
From: Ronaldo Santos (terra) [mailto:rosuport at terra.com.br]
Sent: Wed 11/3/2010 1:01 PM
To: Randy Wyatt; users at openswan.org
Subject: Re: [Openswan Users] Problems with Checkipoint
Log:
Nov 3 16:52:56 fwrj ipsec__plutorun: Starting Pluto subsystem...
Nov 3 16:52:56 fwrj pluto[16284]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:16284
Nov 3 16:52:56 fwrj pluto[16284]: SAref support [disabled]: Protocol not available
Nov 3 16:52:56 fwrj pluto[16284]: SAbind support [disabled]: Protocol not available
Nov 3 16:52:56 fwrj pluto[16284]: Setting NAT-Traversal port-4500 floating to on
Nov 3 16:52:56 fwrj pluto[16284]: port floating activation criteria nat_t=1/port_float=1
Nov 3 16:52:56 fwrj pluto[16284]: NAT-Traversal support [enabled]
Nov 3 16:52:56 fwrj pluto[16284]: using /dev/urandom as source of random entropy
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Nov 3 16:52:56 fwrj pluto[16284]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Nov 3 16:52:56 fwrj pluto[16284]: starting up 1 cryptographic helpers
Nov 3 16:52:56 fwrj pluto[16289]: using /dev/urandom as source of random entropy
Nov 3 16:52:56 fwrj pluto[16284]: started helper pid=16289 (fd:7)
Nov 3 16:52:56 fwrj pluto[16284]: Kernel interface auto-pick
Nov 3 16:52:56 fwrj pluto[16284]: No Kernel NETKEY interface detected
Nov 3 16:52:56 fwrj pluto[16284]: Using KLIPSng (mast) IPsec interface code on 2.6.27.7-smp
Nov 3 16:52:56 fwrj pluto[16284]: Changed path to directory '/etc/ipsec.d/cacerts'
Nov 3 16:52:56 fwrj pluto[16284]: Changed path to directory '/etc/ipsec.d/aacerts'
Nov 3 16:52:56 fwrj pluto[16284]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Nov 3 16:52:56 fwrj pluto[16284]: Changing to directory '/etc/ipsec.d/crls'
Nov 3 16:52:56 fwrj pluto[16284]: Warning: empty directory
Nov 3 16:52:56 fwrj pluto[16284]: added connection description "site1"
Nov 3 16:52:56 fwrj pluto[16284]: listening for IKE messages
Nov 3 16:52:56 fwrj pluto[16284]: found mast0 device already present
Nov 3 16:52:56 fwrj pluto[16284]: device mast0 already in use
Nov 3 16:52:56 fwrj pluto[16284]: | useful mast device 0
Nov 3 16:52:56 fwrj pluto[16284]: NAT-Traversal: Trying new style NAT-T
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun0 192.168.254.100:500 (fd=12)
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun0 192.168.254.100:4500 (fd=13)
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun1 10.8.0.1:500 (fd=14)
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/tun1 10.8.0.1:4500 (fd=15)
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth0 192.168.0.187:500 (fd=16)
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth0 192.168.0.187:4500 (fd=17)
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth1 xxx.xxx.xxx.xxx:500 (fd=18)
Nov 3 16:52:56 fwrj pluto[16284]: adding interface mast0/eth1 xxx.xxx.xxx.xxx:4500 (fd=19)
Nov 3 16:52:56 fwrj pluto[16284]: | useful mast device 0
Nov 3 16:52:56 fwrj pluto[16284]: | useful mast device 0
Nov 3 16:52:56 fwrj pluto[16284]: loading secrets from "/etc/ipsec.secrets"
Nov 3 16:52:56 fwrj pluto[16284]: | mast_shunt_eroute called
Nov 3 16:52:56 fwrj pluto[16284]: "site1" #1: initiating Main Mode
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: Main mode peer ID is ID_IPV4_ADDR: '200.185.113.68'
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:d9b63858 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: spddel-client output: /usr/local/lib/ipsec/_updown.mast: doroute `iptables -t mangle -D NEW_IPSEC_CONN --src 10.138.66.0/255.255.255.0 --dst 10.97.64.0/255.255.255.0 -j MARK --set-mark 0x83090000' failed (iptables: No chain/target/match by that name)
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: spddel-client command exited with status 1
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd25bf62c <0
Thanks,
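The log above shows both the ISAKMP SA and the IPsec SA coming up while an _updown.mast invocation fails, which is exactly the "tunnel established but no traffic" pattern discussed in this thread. As an added example (not code from the thread, from Openswan, or from the posters), the following Python script summarises a pluto log per connection and turns it into the next thing to check. The sample lines are copied from the posted log; the message patterns are those of Openswan 2.6 pluto as they appear there, and the function names and the wording of the diagnoses are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the pluto log posted in this thread (lines that the archive
# had wrapped are joined; the truncated "<0" at the end is left as posted).
SAMPLE_LOG = """\
Nov 3 16:52:56 fwrj pluto[16284]: "site1" #1: initiating Main Mode
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: Main mode peer ID is ID_IPV4_ADDR: '200.185.113.68'
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:d9b63858 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: spddel-client output: /usr/local/lib/ipsec/_updown.mast: doroute `iptables -t mangle -D NEW_IPSEC_CONN --src 10.138.66.0/255.255.255.0 --dst 10.97.64.0/255.255.255.0 -j MARK --set-mark 0x83090000' failed (iptables: No chain/target/match by that name)
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: spddel-client command exited with status 1
Nov 3 16:52:58 fwrj pluto[16284]: "site1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd25bf62c <0
"""

# Message shapes are those of Openswan 2.6 pluto as seen in the log above.
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
UPDOWN_FAIL_RE = re.compile(
    r'(?P<verb>spdadd|spddel|up|down)-(?:client|host) command exited with status (?P<status>\d+)')
IPTABLES_RE = re.compile(r'iptables -t (?P<table>\w+) -[ADI] (?P<chain>\S+)')
MISSING = 'No chain/target/match by that name'


def new_entry():
    return {"isakmp_sa": False, "ipsec_sa": False, "peer_id": None,
            "updown_failures": [], "missing_chains": set()}


def analyze_pluto_log(text):
    """Per-connection summary: which SAs came up and whether any updown hook failed."""
    report = defaultdict(new_entry)
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue
        entry, msg = report[m.group("conn")], m.group("msg")
        if "ISAKMP SA established" in msg:          # phase 1 (Main Mode) done
            entry["isakmp_sa"] = True
        elif "IPsec SA established" in msg:         # phase 2 (Quick Mode) done
            entry["ipsec_sa"] = True
        elif "peer ID is" in msg:
            entry["peer_id"] = msg.split("peer ID is", 1)[1].strip()
        fail = UPDOWN_FAIL_RE.search(msg)
        if fail:
            entry["updown_failures"].append((fail.group("verb"), int(fail.group("status"))))
        if MISSING in msg:
            ipt = IPTABLES_RE.search(msg)
            if ipt:
                entry["missing_chains"].add((ipt.group("table"), ipt.group("chain")))
    return dict(report)


def diagnose(entry):
    """Turn a summary into the next thing to check, in handshake order."""
    if not entry["isakmp_sa"]:
        return "phase 1 never completed: check the IKE proposal, DH group, PSK and peer ID"
    if not entry["ipsec_sa"]:
        return "phase 1 OK, phase 2 never completed: check ESP proposal, PFS and the subnet pair"
    if entry["updown_failures"]:
        chains = ", ".join(f"{t}/{c}" for t, c in sorted(entry["missing_chains"])) or "none reported"
        verbs = ", ".join(v for v, _ in entry["updown_failures"])
        return (f"both SAs established, but updown hook(s) {verbs} exited non-zero; "
                f"missing iptables chain(s): {chains}. The hook installs the routing and "
                f"marking rules, so an up-but-silent tunnel is consistent with this failure")
    return "both SAs established and updown hooks succeeded; look at routing and firewall policy next"


if __name__ == "__main__":
    for conn, entry in analyze_pluto_log(SAMPLE_LOG).items():
        print(f"{conn} (peer {entry['peer_id']}): {diagnose(entry)}")
```

Run against the posted log this reports that both SAs are up and that the spddel hook failed because the mangle/NEW_IPSEC_CONN chain does not exist, which is the first thing to verify on the Openswan host before revisiting the proposals in ipsec.conf.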
----- Original Message -----
From: Randy Wyatt
To: Ronaldo Santos (terra) ; users at openswan.org
Sent: Wednesday, November 03, 2010 5:39 PM
Subject: RE: [Openswan Users] Problems with Checkipoint
You need to post logfiles in order to receive help.
On my systems, all messages are logged into /var/log/secure.
Regards,
Randy
-----Original Message-----
From: users-bounces at openswan.org on behalf of Ronaldo Santos (terra)
Sent: Wed 11/3/2010 11:50 AM
To: users at openswan.org
Subject: [Openswan Users] Problems with Checkipoint
Good Afternoon,
I'm having a problem configuring Openswan with Checkpoint FW-1 (Nokia IP290).
I think some parameters are missing from my ipsec.conf.
Can someone help me?
The Openswan subnet: 10.138.66.0/24
ipsec.conf
config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    uniqueids=yes
    nat_traversal=yes

conn site1
    keylife=1h
    ikelifetime=24h
    aggrmode=no
    type=tunnel
    left=yyy.yyy.yyy.yyy
    leftsubnet=10.138.66.0/24
    right=xxx.xxx.xxx.xxx
    rightsubnet=10.97.64.0/24
    keyexchange=ike
    auth=esp
    auto=start
    authby=secret
    ike=3des-sha1;modp1024
    esp=3des-md5
    pfs=no
The Checkpoint subnet: 10.97.64.0/24
Praxair
VPN gateway device: Nokia IP290
VPN gateway software: Checkpoint FW-1
IP address tunnel endpoint: xxx.xxx.xxx.xxx
Encryption domain: tbd
Phase 1
Encryption scheme: IKE
Key exchange method: 3DES
Data integrity: SHA1
Pre-shared key: tbd
Diffie-Hellman group: Group 2
IKE session key is changed: 86400 seconds
Support aggressive mode: NO
Support key exchange for subnets: YES
Phase 2
Encryption scheme: IKE
Data integrity + encryption: ESP
Encryption algorithm: 3DES
Data integrity: MD5
Compression method: No compression
Use Perfect Forward Secrecy: NO
IPsec session key is changed: 3600 seconds
Ronaldo.
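The ipsec.conf and the Checkpoint parameter sheet above describe the same tunnel from each side, and the usual first step is to check that they agree keyword by keyword. As an added example (not code from the thread, from Openswan, or from the posters), the Python script below parses the posted ipsec.conf, maps the sheet's rows onto the corresponding keywords and reports every disagreement. The sheet field names, the DH-group table, and the defaults assumed for keywords absent from a conn (Openswan's ikelifetime=1h, keylife=8h, pfs=yes) are this example's assumptions, as is the warning about debug options.

```python
import re

# ipsec.conf as posted in this thread, with the indentation ipsec.conf requires;
# yyy/xxx are the placeholders the poster used for the public addresses.
IPSEC_CONF = """\
config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    uniqueids=yes
    nat_traversal=yes

conn site1
    keylife=1h
    ikelifetime=24h
    aggrmode=no
    type=tunnel
    left=yyy.yyy.yyy.yyy
    leftsubnet=10.138.66.0/24
    right=xxx.xxx.xxx.xxx
    rightsubnet=10.97.64.0/24
    keyexchange=ike
    auth=esp
    auto=start
    authby=secret
    ike=3des-sha1;modp1024
    esp=3des-md5
    pfs=no
"""

# The Checkpoint side's sheet from this thread, reduced to the rows that map onto
# ipsec.conf keywords (the field names are this example's own).
CHECKPOINT_SHEET = {
    "p1_encryption": "3DES", "p1_integrity": "SHA1", "p1_dh_group": "Group 2",
    "p1_lifetime_s": 86400, "aggressive_mode": "NO",
    "p2_protocol": "ESP", "p2_encryption": "3DES", "p2_integrity": "MD5",
    "pfs": "NO", "p2_lifetime_s": 3600, "peer_subnet": "10.97.64.0/24",
}

DH_GROUPS = {"Group 1": "modp768", "Group 2": "modp1024", "Group 5": "modp1536",
             "Group 14": "modp2048"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_ipsec_conf(text):
    """Sections keyed by name ('setup' for config setup, the conn name otherwise)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                          # unindented: section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip() if kind == "conn" else "setup", {})
        elif current is not None and "=" in line:         # indented: key=value
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def duration_seconds(value):
    """ipsec.conf time value ('1h', '24h', '30m', '3600') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def compare_conn_to_sheet(conn, sheet):
    """List the fields on which the conn and the peer's sheet disagree (case-insensitive)."""
    p1, _, p1_group = conn.get("ike", "").partition(";")
    p1_enc, _, p1_hash = p1.partition("-")
    p2_enc, _, p2_hash = conn.get("esp", "").partition("-")
    checks = [  # (label, our value, peer value); absent keywords use assumed Openswan defaults
        ("ike cipher", p1_enc, sheet["p1_encryption"]),
        ("ike hash", p1_hash, sheet["p1_integrity"]),
        ("ike DH group", p1_group, DH_GROUPS.get(sheet["p1_dh_group"], "?")),
        ("ikelifetime", duration_seconds(conn.get("ikelifetime", "1h")), sheet["p1_lifetime_s"]),
        ("aggrmode", conn.get("aggrmode", "no"), sheet["aggressive_mode"]),
        ("auth", conn.get("auth", "esp"), sheet["p2_protocol"]),
        ("esp cipher", p2_enc, sheet["p2_encryption"]),
        ("esp hash", p2_hash, sheet["p2_integrity"]),
        ("pfs", conn.get("pfs", "yes"), sheet["pfs"]),
        ("keylife", duration_seconds(conn.get("keylife", "8h")), sheet["p2_lifetime_s"]),
        ("rightsubnet", conn.get("rightsubnet", ""), sheet["peer_subnet"]),
    ]
    return [f"{label}: ours={ours} peer={theirs}"
            for label, ours, theirs in checks
            if str(ours).lower() != str(theirs).lower()]


def setup_warnings(setup):
    """Flag config setup options that help troubleshooting but should not stay on afterwards."""
    return [f"{k}={v}: very verbose debug logging, turn it off once the tunnel works"
            for k, v in setup.items() if k.endswith("debug") and v == "all"]


if __name__ == "__main__":
    sections = parse_ipsec_conf(IPSEC_CONF)
    print(compare_conn_to_sheet(sections["site1"], CHECKPOINT_SHEET) or "proposals agree")
    print(setup_warnings(sections["setup"]))
```

For the values posted here the comparison comes back empty, which matches the log's "ISAKMP SA established" and "IPsec SA established" messages: the two sides already agree on proposals and lifetimes, so the remaining gap is in what happens after the SAs exist (the _updown.mast hook, routing and firewall rules) rather than in the IKE parameters.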