[Openswan Users] Help with Checkpoint VPN configuration

victorjabur at gmail.com victorjabur at gmail.com
Thu Jul 28 11:21:51 EDT 2011


More warnings follow:

000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!


Thanks.
Victor Jabur


2011/7/28 victorjabur at gmail.com <victorjabur at gmail.com>

> Paul,
>
> I corrected the command leftxauthuser to leftxauthusername and it works.
>
> This is the current log; can you tell me why the connection isn't working?
>
> I typed the up command, but it does not respond:
>
> 000 using kernel interface: mast
> 000 interface mast0/vmnet1 192.168.201.1
> 000 interface mast0/vmnet1 192.168.201.1
> 000 interface mast0/vmnet8 192.168.38.1
> 000 interface mast0/vmnet8 192.168.38.1
> 000 interface mast0/ppp0 XXX.XXX.XXX.XXX
> 000 interface mast0/ppp0 XXX.XXX.XXX.XXX
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
> 000 - disallowed 0 subnets:
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> 000          private address space in internal use, it should be excluded!
> 000
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128,
> keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64,
> keysizemin=96, keysizemax=448
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000
> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
> keydeflen=128
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "company":
> XXX.XXX.XXX.XXX<XXX.XXX.XXX.XXX>[+XC+S=C]...AAA.AAA.AAA.AAA<AAA.AAA.AAA.AAA>[+XS+S=C];
> unrouted; eroute owner: #0
> 000 "company":     myip=unset; hisip=unset;
> 000 "company":     xauth info: myxauthuser=myuser;
> 000 "company":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "company":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD;
> prio: 32,32; interface: ppp0;
> 000 "company":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #2: "company":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
> EVENT_RETRANSMIT in 22s; nodpd; idle; import:admin initiate
> 000 #2: pending Phase 2 for "company" replacing #0
> 000
>
>
> Obs.: XXX.XXX.XXX.XXX = myIP and AAA.AAA.AAA.AAA is my CompanyVPN IP;
> I replaced myuser too.
>
> What's wrong?
>
> 2011/7/28 victorjabur at gmail.com <victorjabur at gmail.com>
>
>> Hi Paul,
>>
>> Thank you very much for your help:
>>
>> I made all the changes that you suggested; now another error is happening:
>>
>> >>sudo ipsec setup --start
>> openswan failed to exec the requested action - the following error
>> occured:
>> can not load config '/etc/ipsec.conf': /etc/ipsec.conf:66: syntax error,
>> unexpected STRING [leftxauthuser]
>>
>> This is my new ipsec.conf:
>>
>>
>>
>> config setup
>>     interfaces="%defaultroute"
>>     protostack=.
>>     klipsdebug=none
>>     plutodebug=none
>>     manualstart=
>>     plutoload=
>>
>> conn company
>>     authby=secret
>>     pfs=yes
>>     keyexchange=ike
>>     left=myIP
>>     leftxauthclient=yes
>>     leftxauthuser=
>>     right=MyCompanyIP
>>     auto=start
>>
>>
>> ------------------------------------------------------------------------------
>>
>> This is my new ipsec.secrets:
>>
>> @myuser : XAUTH "mypass"
>>
>>
>> Obs.: I deleted this previous line:   @groupcompany    999.999.999.999 :
>> PSK "ab927263cc4654645f334"
>> And no, this is not my real secret; it's updated.
>>
>> My question: should the above secret line exist, or should I remove it?
>>
>> Thanks;
>> Victor Jabur.
>>
>>
>> 2011/7/28 Paul Wouters <paul at xelerance.com>
>>
>>> On Thu, 28 Jul 2011, victorjabur at gmail.com wrote:
>>>
>>>> I'm trying to configure openswan on my Linux Ubuntu 11.04 x64
>>>> machine to access the Windows Checkpoint VPN.
>>>>
>>>> I already installed openswan and the question is how to configure
>>>> it correctly.
>>>>
>>>> 1) This is my /etc/ipsec.conf
>>>>
>>>> config setup
>>>>     interfaces="ipsec0=ppp0"
>>>>     klipsdebug=none
>>>>     plutodebug=none
>>>>     manualstart=
>>>>     plutoload=
>>>>
>>>
>>> Specify interfaces="%defaultroute" and protostack=. The ipsec0 interface
>>> is only available with protostack=klips, not with protostack=netkey
>>> (the default kernel only supports netkey)
>>>
>>>
>>>> conn company
>>>>     type=tunnel
>>>>         left=%defaultroute
>>>>     leftid=@groupcompany
>>>>     leftxauthclient=yes
>>>>     right=999.999.999.999
>>>>     rightxauthserver=yes
>>>>     keyexchange=ike
>>>>     auth=esp
>>>>     pfs=no
>>>>
>>>>
>>>> conn company_1
>>>>          left=%defaultroute
>>>>          leftid=@groupcompany
>>>>          leftxauthclient=yes
>>>>          right=999.999.999.999                  # IP of VPN Server
>>>>          rightxauthserver=yes
>>>>          authby=secret
>>>>          auto=add
>>>>
>>>>
>>>> 2) This is my /etc/ipsec.secrets
>>>>
>>>>   @groupcompany    999.999.999.999 : PSK "ab927263cc4654645f334"
>>>>
>>>
>>> If that is your production secret, please change it as you just posted it
>>> to everyone!!
>>>
>>>
>>>> The only information that I have to connect to the VPN Server is:
>>>> IP: 999.999.999.999
>>>> Username: myuser
>>>> Password: MyPass
>>>>
>>>
>>> Try using leftxauthuser= and add the passwd in ipsec.secrets:
>>>
>>> @myuser : XAUTH "MyPass"
>>>
>>>
>>>> Is there any way to detect the problem? Would you help me to make the
>>>> correct configurations?
>>>>
>>>
>>> Check /var/log/secure or /var/log/auth*
>>>
>>> Paul
>>>
>>
>>
>>
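A small lint pass, added here as an illustration (it is not openswan code and not from anyone in the thread), that parses an ipsec.conf and flags the three problems raised above: interfaces="ipsec0=..." without protostack=klips, the leftxauthuser keyword that pluto rejects (the option is leftxauthusername), and vhost:%priv without a virtual_private= that excludes internal subnets. The sample config and the peer address are constructed.

```python
import re

# Constructed sample modelled on the thread's config (not the poster's real file).
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=ppp0"
    protostack=netkey
conn company
    leftxauthclient=yes
    leftxauthuser=myuser
    leftsubnet=vhost:%priv
    right=203.0.113.10      # documentation address, not a real peer
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")

def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for each 'config'/'conn' section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        m = SECTION_RE.match(line)              # section headers start in column 0
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"syntax error: {raw!r}")
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections

def lint(sections):
    """Flag the misconfigurations discussed in the thread; returns a list of findings."""
    findings = []
    setup = sections.get(("config", "setup"), {})
    if "ipsec0" in setup.get("interfaces", "") and setup.get("protostack") != "klips":
        findings.append("setup: ipsec0=... interfaces only exist with protostack=klips")
    vp = setup.get("virtual_private", "")
    for (kind, name), conn in sections.items():
        if kind != "conn":
            continue
        if "leftxauthuser" in conn:   # pluto rejects this keyword as an unexpected STRING
            findings.append(f"{name}: unknown keyword leftxauthuser (use leftxauthusername)")
        # vhost:%priv needs virtual_private= and an exclusion (%v4:!...) for internal space
        if any(v == "vhost:%priv" for v in conn.values()) and "!" not in vp:
            findings.append(f"{name}: vhost:%priv needs virtual_private= with %v4:!<subnet> exclusions")
    return findings
```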