Menu
▾
▴
[Ipsec-tools-users] Subnet via tunnel between ipsec-tools and Checkpoint Firewall 1
|
From: Hanne M. <hm...@it...> - 2005-06-03 11:59:01
|
Hello ipsec-tools-users list.
I have a Linux ipsec-tools machine talking to someone elses checkpoint
firewall 1, tunneling some connections between the networks behind.
I have a couple of host-to-host connections which works fine through the
ipsec tunnel.
Now I try to connect a subnet behind my ipsec machine to a specific
machine behind the other person's firewall 1.
This goes fine if I put my test machine's specific IP address into the
spdadd policy, but if I use the subnet address, it doesn't work.
Phase 1 completes but phase 2 fails with:
Jun 3 11:28:04 fedtmule racoon: ERROR: unknown notify message, no phase2 handle found.
Jun 3 11:28:04 fedtmule racoon: DEBUG: notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=04472
I have googled and read man pages without much luck, and have reached
the point where I need some help.
My net
192.168.100.0/23
| |
|___|\ My firewall Firewall 1 Dest host
___ \ ___ ___ ___
| | \ | | | | | |
|___|--- |___|---------------------|___|--------|___|
___ / (ipsec-tools Linux) 192.168.400.47
| |/ 192.168.200.1 192.168.300.1
|___|
My host
192.168.100.40
In reality all the ip adresses are real and there is no NATing involved.
I have just replaced them with private IP addresses in this mail.
My policies:
#!/usr/local/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.100.0/23 192.168.400.47 any -P out ipsec
esp/tunnel/192.168.200.1-192.168.300.1/require;
spdadd 192.168.400.47 192.168.100.0/23 any -P in ipsec
esp/tunnel/192.168.300.1-192.168.200.1/require;
My racoon.conf (with all commented out lines removed to make it shorter):
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp 192.168.200.1;
}
timer
{
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
phase1 30 sec;
phase2 15 sec;
}
# Anonymous
remote anonymous
{
exchange_mode main;
nonce_size 16;
lifetime time 1440 min; # sec,min,hour
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
# Anonymous
sainfo anonymous
{
pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
log debug2;
The policy that works:
spdadd 192.168.100.40 192.168.400.47 any -P out ipsec
esp/tunnel/192.168.200.1-192.168.300.1/require;
spdadd 192.168.400.47 192.168.100.40 any -P in ipsec
esp/tunnel/192.168.300.1-192.168.200.1/require;
kernel version: 2.6.8-1.521 (fedora)
ipsec-tools version: 0.5.2
The firewall 1 administrator says he has enabled the "Support Key
Exchange for subnets" setting and he has a rule for my 192.168.100.0/23
network.
In fact my 192.168.100.0/23 net is split up in smaller /27 subnets. So
I really come from the subnet 192.168.100.32/27.
Can this be the problem? The racoon man page says something about the
sainfo address or idtype field not being a filter rule and having to
match exactly, but I have not specified network addresses in sainfo in
raccon.conf at all.
I have tried changing my policies to match only the 192.168.100.32/27
network, and that didn't help (same error), but off course, the other
end still has 192.168.100.0/23. I just wonder that my 192.168.100.40
goes right through if that is the problem?
Are there any specific settings I should set for subnets?
What does the error message mean?
In theory, shouldn't a "larger subnet mask" work for the lesser
subnets?
Best regards,
--
Hanne Munkholm IT University of Copenhagen
Email: hm...@it...
Phone: +45 72 18 51 19
Address: Rued Langgaards Vej 7, 2300 Copenhagen S
I love deadlines. I especially like the whooshing sound they make as
they go flying by. -- Douglas Adams
|