Re: [Ipsec-tools-devel] Check Point / Racoon Error: "Error: none message must be encrypted"

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hello Thomas, I had been fighting a CheckPoint firewall for months until 
a friend stumbled across a VPN client (also based off racoon) for the 
mac called "IPSecuritas".  I was finally able to get it working after 
trying all kinds of things and even hacking ipsec-tools code to figure 
it out.  This same friend was able to get it working, i believe, under 
linux with the same config.

First, a few notes:

* It's *extremely* helpful if not essential to have access to the 
firewall config or have a firewall administrator run-down the 
configuration for you.

* Our checkpoint firewall was configured in "aggressive" exchange mode 
and the firewall admin also changed the user id's of the form "myuser" 
to be more like email addresses "my...@my...", but basically 
having that "@" in them.

* the timeout times for the phase1 and phase2 negotiation were changed a 
little.

* The firewall is primarly used by "road-warriors" where the log in to 
it with a user name (in email format, "my...@my...") and a 
password.  Note, this is NOT psk and NOT cert.

* Shameless plug: The linux community could learn *greatly* from a tool 
like IPSecuritas.  It generated perfectly working config files from a 
nice GUI :-)

Ok, now, here's the racoon.conf we used:

# IPSecuritas V1.0 racoon.conf

path pre_shared_key "/tmp/psk.txt";
path certificate "/tmp/ipsecuritas_certs";

padding
{
     maximum_length 20;      # maximum padding length.
     randomize off;          # enable randomize length.
     strict_check off;       # enable strict check.
     exclusive_tail off;     # extract last one octet.
}

# Specification of default various timer.
timer
{
     # These value can be changed per remote node.
     counter 5;              # maximum trying count to send.
     interval 20 sec;        # maximum interval to resend.
     persend 1;              # the number of packets per a send.

     # timer for waiting to complete each phase.
     phase1 30 sec;
     phase2 30 sec;
}

remote 12.XXX.XXX.XXX {
   exchange_mode aggressive;
   doi ipsec_doi;
   situation identity_only;
   my_identifier user_fqdn "my...@my...";
   peers_identifier address;
   verify_identifier off;
   lifetime time 86400 seconds;
   initial_contact on;
   passive off;
   proposal_check claim;
   support_mip6 on;
   generate_policy on;
   nonce_size 16;
   proposal {
     encryption_algorithm 3des;
     hash_algorithm sha1;
     authentication_method pre_shared_key;
     dh_group modp1024;
   }
}

sainfo address 192.168.3.101/32 any address 10.0.0.0/8 any {
   pfs_group modp1024;
   lifetime time 3600 seconds;
   encryption_algorithm aes 256;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}

listen {
   isakmp 192.168.3.101;
}

log notify;

Here's the setkey info:

flush;
spdflush;
spdadd 10.0.0.0/8 192.168.3.101/32 any -P in ipsec 
esp/tunnel/12.XXX.XXX.XXX-192.168.3.101/require;
spdadd 192.168.3.101/32 10.0.0.0/8 any -P out ipsec 
esp/tunnel/192.168.3.101-12.XXX.XXX.XXX/require;

Finally, here's the psk.txt file:

12.XXX.XXX.XXX  mypassword

Hope any of that helps!
russ