[Openswan Users] Fwd: INVALID_ID_INFORMATION between OpenSwan and Checkpoint
Daniel Cave
dan.cave at me.com
Fri Jul 24 06:04:20 EDT 2015
Begin forwarded message:
From: Daniel Cave <dan.cave at me.com>
Date: July 24, 2015 10:36:07 AM
To: Daniel Carraro <daniel at blinkmobile.com.au>
Subject: Re: [Openswan Users] INVALID_ID_INFORMATION between OpenSwan and Checkpoint
Daniel,
See in-line
On Jul 24, 2015, at 07:52 AM, Daniel Carraro <daniel at blinkmobile.com.au> wrote:
Hi All,
I'm running OpenSwan on an Amazon Linux EC2 Instance (inside a VPC) and am trying to connect to a Checkpoint 4800 Series appliance (running R75.45).
Phase 1 passes successfully, however I'm having issues with Phase 2. Specifically, INVALID_ID_INFORMATION gets sent from my EC2 instance back to the Client.
Does the config on the right hand side support aes256-sha1 for phase 2?
I'll give a quick summary of the networks:
- Our VPC is 10.200.0.0/16; the OpenSwan instance is 54.66.155.156 (10.200.0.171)
- Their Network is 192.168.187.0/24; Their Public Endpoint is 203.39.70.3 (192.168.187.253)
What's odd as well is that I'm able to ping/telnet servers inside their network (192.168.187.0/24), but they're unable to ping/ssh into my network (10.200.0.0/16).
Have you got iptables enabled on your Linux OpenSwan host? (We've turned iptables off on our OpenSwan box.)
Have you allowed communication for the remote end 192.168.187.0/24 in the security policy for your Linux OpenSwan host?
We have almost the exact configuration - an Ubuntu 14.04 with Openswan connecting to a third-party Cisco ASA 5520 using 3des-md5 for phase 1 & 2.
Do your Phase 1 and Phase 2 key lifetimes match up exactly?
Does the right hand side support DPD? In fact it's probably worth speaking to the admin of the Cisco at the other end to agree everything.
Hope that helps.
D.c.
I've included relevant config/log files below, trying to condense when possible:
/etc/ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    # custom config options
    force_keepalive=yes
    keep_alive=10

# You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
/etc/ipsec.d/wc-vpn.conf:
conn wc-vpn
    type=tunnel
    auth=esp
    authby=secret
    left=10.200.0.171
    leftid=54.66.155.156
    leftnexthop=%defaultroute
    leftsubnet=10.200.0.0/16
    leftprotoport=0/0
    right=203.39.70.3
    rightid=203.39.70.3/32
    rightsubnet=192.168.187.0/24
    rightnexthop=192.168.187.253
    rightprotoport=0/0
    keyexchange=ike
    ike=aes256-sha1;modp1024!
    ikelifetime=28800s
    phase2alg=aes256-sha1
    keylife=3600s
    dpddelay=3
    dpdtimeout=10
    dpdaction=clear
    pfs=no
    auto=start
    forceencaps=yes
    compress=no
/etc/ipsec.d/wc-vpn.secrets (with actual PSK changed):
54.66.155.156 203.39.70.3: PSK "1234567890"
Finally, a snippet from /var/log/secure:
Jul 19 23:10:28 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: sending encrypted notification INVALID_ID_INFORMATION to 203.39.70.3:500
Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: the peer proposed: 10.200.0.0/16:0/0 -> 203.39.70.3/32:0/0
Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: cannot respond to IPsec SA request because no connection is known for 10.200.0.0/16===10.200.0.171<10.200.0.171>[54.66.155.156,+S=C]...203.39.70.3<203.39.70.3>[+S=C]
Any help would be greatly appreciated.
Thanks,
Daniel
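As an added illustration that is not part of the thread: a small Python checker that pulls the selectors out of pluto's "the peer proposed" line and compares them with the conn's leftsubnet/rightsubnet, which is what the "no connection is known for" message is complaining about. The conn values and log lines below are copied from the posted wc-vpn.conf and /var/log/secure snippet; the exact-match rule is an assumption reflecting Openswan's IKEv1 behaviour of needing a conn whose subnets match the proposed selectors.

```python
import ipaddress
import re

# Constructed sample input: the pluto lines quoted in the thread, verbatim.
SAMPLE_LOG = """\
Jul 19 23:10:28 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: sending encrypted notification INVALID_ID_INFORMATION to 203.39.70.3:500
Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: the peer proposed: 10.200.0.0/16:0/0 -> 203.39.70.3/32:0/0
"""

# Subnets from the posted wc-vpn.conf.
CONN = {"leftsubnet": "10.200.0.0/16", "rightsubnet": "192.168.187.0/24"}

# On the responder, pluto logs the proposal as <our client> -> <peer client>,
# each followed by its protoport (e.g. 0/0).
PROPOSED_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: the peer proposed: '
    r'(?P<local>[\d./]+):(?P<lpp>\d+/\d+) -> (?P<remote>[\d./]+):(?P<rpp>\d+/\d+)'
)


def parse_proposals(log_text):
    """Return (conn, local_net, remote_net) for every 'the peer proposed' line."""
    found = []
    for line in log_text.splitlines():
        m = PROPOSED_RE.search(line)
        if m:
            found.append((m["conn"],
                          ipaddress.ip_network(m["local"]),
                          ipaddress.ip_network(m["remote"])))
    return found


def check_selectors(conn_cfg, local_net, remote_net):
    """List the mismatches between the proposed selectors and our conn's subnets.

    Assumption: IKEv1 pluto does not narrow selectors, so a Phase 2 proposal only
    succeeds when some conn's leftsubnet/rightsubnet equal the proposed pair.
    """
    left = ipaddress.ip_network(conn_cfg["leftsubnet"])
    right = ipaddress.ip_network(conn_cfg["rightsubnet"])
    problems = []
    if local_net != left:
        problems.append(f"local selector {local_net} != leftsubnet {left}")
    if remote_net != right:
        problems.append(f"remote selector {remote_net} != rightsubnet {right}")
    return problems


if __name__ == "__main__":
    for conn, local_net, remote_net in parse_proposals(SAMPLE_LOG):
        for p in check_selectors(CONN, local_net, remote_net):
            print(f"{conn}: {p}")
```

Run against the quoted log it reports that the peer proposed its own host address 203.39.70.3/32 rather than 192.168.187.0/24, so no conn matches and pluto answers with INVALID_ID_INFORMATION.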
_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users