From: Russ T. <rus...@ya...> - 2005-11-13 14:51:05
Hello Thomas,

I had been fighting a CheckPoint firewall for months until a friend stumbled across a VPN client (also based off racoon) for the Mac called "IPSecuritas". I was finally able to get it working after trying all kinds of things and even hacking ipsec-tools code to figure it out. This same friend was able to get it working, I believe, under Linux with the same config.

First, a few notes:

* It's *extremely* helpful if not essential to have access to the firewall config or have a firewall administrator run down the configuration for you.
* Our CheckPoint firewall was configured in "aggressive" exchange mode and the firewall admin also changed the user IDs of the form "myuser" to be more like email addresses "my...@my...", but basically having that "@" in them.
* The timeout times for the phase1 and phase2 negotiation were changed a little.
* The firewall is primarily used by "road-warriors" where they log in to it with a user name (in email format, "my...@my...") and a password. Note, this is NOT PSK and NOT cert.
* Shameless plug: The Linux community could learn *greatly* from a tool like IPSecuritas. It generated perfectly working config files from a nice GUI :-)

Ok, now, here's the racoon.conf we used:

# IPSecuritas V1.0 racoon.conf
path pre_shared_key "/tmp/psk.txt";
path certificate "/tmp/ipsecuritas_certs";

padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

# Specification of default various timers.
timer {
    # These values can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 30 sec;
}

remote 12.XXX.XXX.XXX {
    exchange_mode aggressive;
    doi ipsec_doi;
    situation identity_only;
    my_identifier user_fqdn "my...@my...";
    peers_identifier address;
    verify_identifier off;
    lifetime time 86400 seconds;
    initial_contact on;
    passive off;
    proposal_check claim;
    support_mip6 on;
    generate_policy on;
    nonce_size 16;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 192.168.3.101/32 any address 10.0.0.0/8 any {
    pfs_group modp1024;
    lifetime time 3600 seconds;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

listen {
    isakmp 192.168.3.101;
}

log notify;

Here's the setkey info:

flush;
spdflush;
spdadd 10.0.0.0/8 192.168.3.101/32 any -P in ipsec esp/tunnel/12.XXX.XXX.XXX-192.168.3.101/require;
spdadd 192.168.3.101/32 10.0.0.0/8 any -P out ipsec esp/tunnel/192.168.3.101-12.XXX.XXX.XXX/require;

Finally, here's the psk.txt file:

12.XXX.XXX.XXX mypassword

Hope any of that helps!

russ
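As an added example (not part of russ's post, and not ipsec-tools or IPSecuritas code): a small Python linter that parses the brace-and-semicolon syntax of a racoon.conf like the one above and flags the settings in such a configuration that a defender would want to review before deploying it: the pre-shared key file kept under /tmp, verify_identifier off, 3des in the phase 1 proposal, and aggressive exchange mode combined with pre-shared-key authentication. The embedded sample configuration is constructed with placeholder addresses, and parse_racoon, _stmts and lint are this example's own names.

```python
"""Lint a racoon.conf (ipsec-tools) road-warrior configuration.

Added example: parses racoon.conf's 'statement;' and 'head { ... }' syntax
and reports settings that weaken a PSK road-warrior setup. Not ipsec-tools
or IPSecuritas code; the sample below is constructed, not a real deployment.
"""
import re

# Constructed sample mirroring the shape of the posted config, with
# documentation-range placeholder addresses.
SAMPLE_CONF = """
# example racoon.conf (constructed)
path pre_shared_key "/tmp/psk.txt";
remote 192.0.2.1 {
    exchange_mode aggressive;
    my_identifier user_fqdn "user@example.invalid";
    peers_identifier address;
    verify_identifier off;   # peer ID is not checked
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
sainfo address 192.168.3.101/32 any address 10.0.0.0/8 any {
    pfs_group modp1024;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
}
"""


def parse_racoon(text):
    """Return a list of (head, body) pairs. body is None for a plain
    'statement;' and a nested list of pairs for a 'head { ... }' block."""
    text = re.sub(r"#[^\n]*", "", text)  # drop '#' comments to end of line

    def block(pos):
        items, buf = [], []
        while pos < len(text):
            ch = text[pos]
            if ch == ";":  # end of a plain statement
                head = " ".join("".join(buf).split())
                if head:
                    items.append((head, None))
                buf, pos = [], pos + 1
            elif ch == "{":  # start of a nested block
                head = " ".join("".join(buf).split())
                children, pos = block(pos + 1)
                items.append((head, children))
                buf = []
            elif ch == "}":  # end of the current block
                return items, pos + 1
            else:
                buf.append(ch)
                pos += 1
        return items, pos

    items, _ = block(0)
    return items


def _stmts(body):
    """Map first keyword -> remaining words for the plain statements of a block."""
    out = {}
    for head, child in body or []:
        if child is None:
            key, _, rest = head.partition(" ")
            out[key] = rest
    return out


def lint(items):
    """Return a list of human-readable findings for weak settings."""
    findings = []
    for head, body in items:
        if head.startswith("path pre_shared_key"):
            path = head.split('"')[1]
            if path.startswith("/tmp/"):
                findings.append(f"psk file {path} lives in world-writable /tmp; "
                                "keep it in a root-only directory with mode 0600")
        elif head.startswith("remote "):
            peer = head.split()[1]
            s = _stmts(body)
            if s.get("verify_identifier") == "off":
                findings.append(f"remote {peer}: verify_identifier off, "
                                "the peer's identity is never checked")
            auth = ""
            for h, child in body or []:
                if h == "proposal" and child is not None:
                    p = _stmts(child)
                    auth = p.get("authentication_method", "")
                    if p.get("encryption_algorithm") == "3des":
                        findings.append(f"remote {peer}: phase 1 uses 3des; prefer aes")
            if s.get("exchange_mode") == "aggressive" and auth == "pre_shared_key":
                findings.append(f"remote {peer}: aggressive mode with a pre-shared key "
                                "sends the identity unprotected and allows offline "
                                "guessing of the PSK; use main mode where the gateway "
                                "permits it, and a long random PSK otherwise")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_racoon(SAMPLE_CONF)):
        print("-", finding)
```

Some of the flagged choices (aggressive mode, the "@"-style identities) are imposed by the gateway and cannot be changed on the client; the linter reports them anyway so the reader knows what those gateway choices cost, while the psk file location and verify_identifier are fully under the client's control.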