[Openswan Users] INVALID_ID_INFORMATION between OpenSwan and Checkpoint
dan.cave at me.com
Fri Jul 24 05:41:44 EDT 2015
As a follow-up: I noticed that the LHS & RHS parameters are different to what we're using, which is the following
The IKE lifetime is 84600s, keylife for phase 2 is 28800s
_ this I know works for us _
leftid & rightid = %defaultroute <<<<<
left = public IP, right = public IP. <<< I think this is related to your 'INVALID_ID_INFORMATION' errors
leftsourceip = 10.x IP, rightsourceip = 192.168.x
left/rightsubnets = obv. the same.
No DPD (cos our third party turned it off) and no PFS.
On Jul 24, 2015, at 07:52 AM, Daniel Carraro <daniel at blinkmobile.com.au> wrote:
I'm running OpenSwan on an Amazon Linux EC2 Instance (inside a VPC) and am trying to connect to a Checkpoint 4800 Series appliance (running R75.45).
Phase 1 passes successfully, however I'm having issues with Phase 2. Specifically, INVALID_ID_INFORMATION gets sent from my EC2 instance back to the Client.
I'll give a quick summary of the networks:
- Our VPC is 10.200.0.0/16; the OpenSwan instance is 184.108.40.206 (10.200.0.171)
- Their Network is 192.168.187.0/24; Their Public Endpoint is 220.127.116.11 (192.168.187.253)
What's odd as well: I'm able to ping/telnet to servers inside their network (192.168.187.0/24), but they're unable to ping/ssh inside my network (10.200.0.0/16).
I've included relevant config/log files below, trying to condense when possible:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
# Enable this if you see "failed to find any available worker"
# custom config options
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
/etc/ipsec.d/wc-vpn.secrets (with actual PSK changed):
18.104.22.168 22.214.171.124: PSK "1234567890"
Finally, a snippet from /var/log/secure:
Jul 19 23:10:28 ip-10-200-0-171 pluto: "wc-vpn" #616: sending encrypted notification INVALID_ID_INFORMATION to 126.96.36.199:500
Jul 19 23:10:32 ip-10-200-0-171 pluto: "wc-vpn" #616: the peer proposed: 10.200.0.0/16:0/0 -> 188.8.131.52/32:0/0
Jul 19 23:10:32 ip-10-200-0-171 pluto: "wc-vpn" #616: cannot respond to IPsec SA request because no connection is known for 10.200.0.0/16===10.200.0.171<10.200.0.171>[184.108.40.206,+S=C]...220.127.116.11<18.104.22.168>[+S=C]
Any help would be greatly appreciated.
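Added example, not from either poster: a small Python checker that parses the "the peer proposed" pluto line quoted above and compares the Quick Mode selectors the Checkpoint offered against a conn's leftsubnet/rightsubnet, so it is clear which side of the proposal Openswan could not match when it answered INVALID_ID_INFORMATION. The conn values are assumed from the subnets the poster lists; the real ipsec.conf body is not in the post.

```python
import ipaddress
import re

# Constructed sample input: the pluto line quoted in the thread, with the
# addresses exactly as they appear in the archived message.
LOG_LINES = [
    'Jul 19 23:10:32 ip-10-200-0-171 pluto: "wc-vpn" #616: the peer proposed: '
    '10.200.0.0/16:0/0 -> 188.8.131.52/32:0/0',
]

# Assumed conn selectors for the example (taken from the subnets the poster lists).
# In Openswan a missing *subnet option means the gateway's own address as a /32.
CONNS = {
    "wc-vpn": {"left": "10.200.0.0/16", "right": "192.168.187.0/24"},
}

# pluto logs the proposal as "<our client> -> <their client>", each as net:proto/port.
PROPOSAL_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: the peer proposed: '
    r"(?P<us>\S+?):\d+/\d+ -> (?P<them>\S+?):\d+/\d+"
)


def parse_proposal(line):
    """Return (conn, our_selector, their_selector) from a 'peer proposed' line, else None."""
    m = PROPOSAL_RE.search(line)
    if not m:
        return None
    return (m["conn"],
            ipaddress.ip_network(m["us"], strict=False),
            ipaddress.ip_network(m["them"], strict=False))


def diagnose(line, conns=CONNS):
    """Compare the proposed selectors with every configured conn.

    Returns a list of findings; an empty list means some conn matches exactly,
    so the INVALID_ID_INFORMATION must have another cause.
    """
    parsed = parse_proposal(line)
    if parsed is None:
        return ["line is not a 'peer proposed' message"]
    _, us, them = parsed
    findings = []
    for name, sel in conns.items():
        left = ipaddress.ip_network(sel["left"], strict=False)
        right = ipaddress.ip_network(sel["right"], strict=False)
        if us == left and them == right:
            return []
        if us != left:
            findings.append(f"{name}: peer sees our side as {us}, leftsubnet is {left}")
        if them != right:
            findings.append(f"{name}: peer offers its side as {them}, rightsubnet is {right}")
    return findings
```

Run against the quoted line, the checker reports that only the remote selector differs: the peer is proposing a single /32 while the conn expects the 192.168.187.0/24 subnet, which is exactly the "no connection is known" case pluto logs next.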