[Openswan Users] What is PLUTO_PEER_REF and how does OpenSwan define it?

Danilo Godec danilo.godec at agenda.si
Wed Nov 17 13:48:21 EST 2010

 On 17.11.2010 18:02, Paul Wouters wrote:
> On Wed, 17 Nov 2010, Danilo Godec wrote:
>> That's what I'd like to do, but I can't get KLIPS to work with
>> CheckPoint.
> Whether you use mast, klips or netkey should not matter. Its the
> userland, not
> the stack that does the interop part. Perhaps you should explain a bit
> more?
> Paul

Ok, first a bit of background...

We manage a group of servers dispersed throughout the country providing
WAN connectivity, local DNS and some other stuff. Most of these use some
sort of xDSL connection to a nation wide ISP using a private IP class.
Servers still use OpenSwan to create encrypted tunnels via a central
CheckPoint firewall / VPN 'thing'.

Current production servers are running 2.4 kernels and OpenSwan 1.0.7 -
obviously with KLIPS stack. Servers also take care of QoS, firewall, etc.

Now as this old hardware is pretty much obsolete and unserviceable, we
need to move on and use more up to date distribution using 2.6 kernels
and more recent OpenSwan. We chose OpenSuSE 11.2 and we created OpenSwan
packages for it (first we used 2.6.29, later upgraded to 2.6.31). Some
of these servers will run Xen virtualisation while others will not.

In our test environment we used another Linux router with 2.4 kernel and
OpenSwan 2.4.15 instead of CheckPoint and we were perfectly able to
establish IPSEC tunnels using KLIPS. There were a couple of other
differences to the production environment, though - firstly, we didn't
use a xDSL with a private IP class and the tested server was behind NAT
(relative to the Linux router).

Anyway, we  assumed that there is no reason why this wouldn't work with
CheckPoint so we rolled out our first 'production' server with OpenSuSE
11.2 and OpenSwan 2.6.29 (at that time), but we weren't able to
establish a VPN tunnel with CheckPoint, so we changed the setup to MAST
on the spot.

Now as to the problem with KLIPS - I now have a working configuration
for MAST. As far as I understand, the only thing I really need to change
is 'protostack'. When I do that and start 'ipsec', it 'hangs' there:

000 #1: "mercator-all":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "mercator-all" replacing #0

I guess some 'debug' options would help, but which?


More information about the Users mailing list