[Openswan Users] Fwd: INVALID_ID_INFORMATION between OpenSwan and Checkpoint
dan.cave at me.com
Fri Jul 24 06:04:20 EDT 2015
Begin forwarded message:
From: Daniel Cave <dan.cave at me.com>
Date: July 24, 2015 10:36:07 AM
To: Daniel Carraro <daniel at blinkmobile.com.au>
Subject: Re: [Openswan Users] INVALID_ID_INFORMATION between OpenSwan and Checkpoint
On Jul 24, 2015, at 07:52 AM, Daniel Carraro <daniel at blinkmobile.com.au> wrote:
I'm running OpenSwan on an Amazon Linux EC2 Instance (inside a VPC) and am trying to connect to a Checkpoint 4800 Series appliance (running R75.45).
Phase 1 passes successfully, however I'm having issues with Phase 2. Specifically, INVALID_ID_INFORMATION gets sent from my EC2 instance back to the Client.
Does the config on the right had side support aes256-sha1 for phase2 in the config ?
I'll give a quick summary of the networks:
- Our VPC is 10.200.0.0/16; the OpenSwan instance is 220.127.116.11 (10.200.0.171)
- Their Network is 192.168.187.0/24; Their Public Endpoint is 18.104.22.168 (192.168.187.253)
What's odd as well, I'm able to ping/telnet servers inside their network (192.168.187.0/24), but they're unable to ping/ssh inside my network (10.200.0.0/16)
have you got iptables enabled on your linux OpenSwan host ? * we've turned iptables off on our OpenSwan box
have you allowed communication for the remote end 192.168.187.0/24 in security policy for your Linux OPenSwan host ?
We have almost the exact configuration - an Ubuntu 14.04 with Openswan connecting to a third party cisco ASA 5520 using 3des-md5 for phase 1 & 2.
Do your Phase 1 and phase 2 key lifetimes match up exactly ?
Does the right hand side support DPD ? - in fact its probably worth speaking to the admin of the Cisco at the other end to agree everything.
Hope that helps.
I've included relevant config/log files below, trying to condense when possible:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
# Enable this if you see "failed to find any available worker"
# custom config options
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
/etc/ipsec.d/wc-vpn.secrets (with actual PSK changed):
22.214.171.124 126.96.36.199: PSK "1234567890"
Finally, a snippet from /var/log/secure:
Jul 19 23:10:28 ip-10-200-0-171 pluto: "wc-vpn" #616: sending encrypted notification INVALID_ID_INFORMATION to 188.8.131.52:500
Jul 19 23:10:32 ip-10-200-0-171 pluto: "wc-vpn" #616: the peer proposed: 10.200.0.0/16:0/0 -> 184.108.40.206/32:0/0
Jul 19 23:10:32 ip-10-200-0-171 pluto: "wc-vpn" #616: cannot respond to IPsec SA request because no connection is known for 10.200.0.0/16===10.200.0.171<10.200.0.171>[220.127.116.11,+S=C]...18.104.22.168<22.214.171.124>[+S=C]
Any help would be greatly appreciated.
Users at lists.openswan.org
Building and Integrating Virtual Private Networks with Openswan:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users