[Openswan Users] Help with Checkpoint VPN configuration

victorjabur at gmail.com victorjabur at gmail.com
Thu Jul 28 11:11:03 EDT 2011


Paul,

I corrected the command leftxauthuser to leftxauthusername and it works.

This is the current log; can you tell me why the connection isn't working?

I typed the up command, but it does not respond:

000 using kernel interface: mast
000 interface mast0/vmnet1 192.168.201.1
000 interface mast0/vmnet1 192.168.201.1
000 interface mast0/vmnet8 192.168.38.1
000 interface mast0/vmnet8 192.168.38.1
000 interface mast0/ppp0 XXX.XXX.XXX.XXX
000 interface mast0/ppp0 XXX.XXX.XXX.XXX
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "company": XXX.XXX.XXX.XXX<XXX.XXX.XXX.XXX>[+XC+S=C]...AAA.AAA.AAA.AAA<AAA.AAA.AAA.AAA>[+XS+S=C]; unrouted; eroute owner: #0
000 "company":     myip=unset; hisip=unset;
000 "company":     xauth info: myxauthuser=myuser;
000 "company":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "company":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: ppp0;
000 "company":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "company":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 22s; nodpd; idle; import:admin initiate
000 #2: pending Phase 2 for "company" replacing #0
000


Obs.: XXX.XXX.XXX.XXX = myIP and AAA.AAA.AAA.AAA is my CompanyVPN IP. I replaced the myuser too.

What's wrong?

2011/7/28 victorjabur at gmail.com <victorjabur at gmail.com>

> Hi Paul,
>
> Many thanks for your help:
>
> I made all the changes that you suggested; now another error is happening:
>
> >>sudo ipsec setup --start
> openswan failed to exec the requested action - the following error occured:
> can not load config '/etc/ipsec.conf': /etc/ipsec.conf:66: syntax error,
> unexpected STRING [leftxauthuser]
>
> This is my new ipsec.conf:
>
>
>
> config setup
>     interfaces="%defaultroute"
>     protostack=.
>     klipsdebug=none
>     plutodebug=none
>     manualstart=
>     plutoload=
>
> conn company
>     authby=secret
>     pfs=yes
>     keyexchange=ike
>     left=myIP
>     leftxauthclient=yes
>     leftxauthuser=
>     right=MyCompanyIP
>     auto=start
>
>
> ------------------------------------------------------------------------------
>
> This is my new ipsec.secrets:
>
> @myuser : XAUTH "mypass"
>
>
> Obs.: I deleted this previous line:   @groupcompany    999.999.999.999 :
> PSK "ab927263cc4654645f334"
> And no, this is not my real secret; it's updated.
>
> My question: should the above secret line exist, or should I remove it?
>
> Thanks;
> Victor Jabur.
>
>
> 2011/7/28 Paul Wouters <paul at xelerance.com>
>
>> On Thu, 28 Jul 2011, victorjabur at gmail.com wrote:
>>
>>> I'm trying to configure openswan on my Linux Ubuntu 11.04 x64 machine
>>> to access the Windows Checkpoint VPN.
>>>
>>> I already installed openswan and the question is how to configure it
>>> correctly.
>>>
>>> 1) This is my /etc/ipsec.conf
>>>
>>> config setup
>>>     interfaces="ipsec0=ppp0"
>>>     klipsdebug=none
>>>     plutodebug=none
>>>     manualstart=
>>>     plutoload=
>>>
>>
>> Specify interfaces="%defaultroute" and protostack=. The ipsec0 interface
>> is only available
>> with protostack=klips not with protostack=netkey (the default kernel only
>> supports netkey)
>>
>>
>>> conn company
>>>     type=tunnel
>>>         left=%defaultroute
>>>     leftid=@groupcompany
>>>     leftxauthclient=yes
>>>     right=999.999.999.999
>>>     rightxauthserver=yes
>>>     keyexchange=ike
>>>     auth=esp
>>>     pfs=no
>>>
>>>
>>> conn company_1
>>>          left=%defaultroute
>>>          leftid=@groupcompany
>>>          leftxauthclient=yes
>>>          right=999.999.999.999                  # IP of VPN Server
>>>          rightxauthserver=yes
>>>          authby=secret
>>>          auto=add
>>>
>>>
>>> 2) This is my /etc/ipsec.secrets
>>>
>>>   @groupcompany    999.999.999.999 : PSK "ab927263cc4654645f334"
>>>
>>
>> If that is your production secret, please change it as you just posted it
>> to everyone!!
>>
>>
>>> The only information that i have to connect on the VPN Server is:
>>> IP: 999.999.999.999
>>> Username: myuser
>>> Password: MyPass
>>>
>>
>> Try using leftxauthuser= and add the passwd in ipsec.secrets:
>>
>> @myuser : XAUTH "MyPass"
>>
>>
>>> Is there any way to detect the problem? Would you help me to make the
>>> correct configurations?
>>>
>>
>> Check /var/log/secure or /var/log/auth*
>>
>> Paul
>>
>
>
>
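An added diagnostic helper, written for this archive page rather than taken from the thread or from Openswan itself: it parses the per-connection and per-SA lines of `ipsec auto --status` output like the one Victor posted and reports where the negotiation is stuck. The sample input is constructed from the excerpt above, reusing its placeholder connection name and SA numbers.

```python
import re

# Constructed sample, modelled on the "ipsec auto --status" excerpt in the thread;
# the connection name and SA numbers are placeholders copied from that excerpt.
SAMPLE_STATUS = """\
000 "company":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #2: "company":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 22s; nodpd; idle; import:admin initiate
000 #2: pending Phase 2 for "company" replacing #0
"""

# Per-SA state line: #<sa>: "<conn>":<port> STATE_xxx (sent .., expecting ..); EVENT_xxx in Ns; ...
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":(?P<port>\d+) (?P<state>STATE_\w+) '
    r'\((?P<detail>[^)]*)\);(?: (?P<event>EVENT_\w+) in (?P<secs>\d+)s;)?')
# Per-connection summary of which SAs (if any) have been established.
NEWEST_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+newest ISAKMP SA: #(?P<isakmp>\d+); newest IPsec SA: #(?P<ipsec>\d+);')


def diagnose(status_text):
    """Map connection name -> list of findings derived from ipsec auto --status output."""
    findings = {}
    for line in status_text.splitlines():
        m = NEWEST_RE.match(line)
        if m:
            out = findings.setdefault(m['conn'], [])
            if int(m['isakmp']) == 0:
                out.append('no ISAKMP (phase 1) SA established yet')
            if int(m['ipsec']) == 0:
                out.append('no IPsec (phase 2) SA established yet')
            continue
        m = STATE_RE.match(line)
        if not m:
            continue
        out = findings.setdefault(m['conn'], [])
        expecting = re.search(r'expecting (\w+)', m['detail'])
        if m['event'] == 'EVENT_RETRANSMIT' and expecting:
            out.append(f"SA #{m['sa']} stuck in {m['state']}: retransmitting, "
                       f"{expecting.group(1)} never arrived from the peer")
            if m['state'] == 'STATE_MAIN_I1':
                # MI1 is the first Main Mode packet, so a missing MR1 means the peer never
                # replied at all: the negotiation has not reached proposal, PSK or XAUTH checks.
                out.append(f"no reply to MI1 on UDP/{m['port']}: verify right= is the gateway, "
                           'that UDP 500 (and 4500 for NAT-T) is not filtered, and read the '
                           'pluto log for a rejection notification')
    return findings
```

Run `diagnose()` over the real output of `ipsec auto --status` to get the same per-connection findings for a live host.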