From: Mick <mic...@gm...> - 2013-06-21 14:42:36
On Friday 21 Jun 2013 15:02:45 you wrote:
> On 06/21/2013 03:43 PM, Mick wrote:
> > You don't seem to have configured 'peers_identifier address' or
> > 'my_identifier' etc. here. Is this intentional?
>
> i tried to run racoon with both these set and with verify_identifier set
> to off (and then set to on) - but it didn't help... didn't make a
> difference

Typically these would be configured so that the remote end can identify your
client and apply the corresponding policies and vice versa. In my (limited)
experience I had to always configure these, or the gateway would complain and
drop the connection. However, I have no experience with Checkpoint and limited
experience of main exchange_mode, so YMMV. Leave this for later and concentrate
on building a tunnel connection first - see below.

> >> proposal {
> >>
> >> encryption_algorithm 3des;
> >> hash_algorithm sha1;
> >> authentication_method pre_shared_key;
> >>
> >> dh_group 2;
> >> lifetime time 24 hour;
> >>
> >> }
> >>
> >> generate_policy off;
> >>
> >> }
> >>
> >> sainfo address 10.1.1.10 any address 10.252.5.4 any {
> >
> > [snip ...]
> >
> > You need to reconfigure these after you decided if you need tunnel or
> > not.
> >
> > Have a look here for ideas:
> >
> > http://www.fw-1.de/aerasec/ng/vpn-racoon/CP-VPN1-NG-Linux-racoon-roadwarrior.html
>
> Ok, but how do I configure the tunnel or transport mode? I was using
> this wiki as a guide: http://wiki.debian.org/IPsec

The wiki you used shows exactly how to create a tunnel in /etc/ipsec-tools.conf.
Read the 'alice' example and apply it in your case. For example:

spdadd <remote_LAN>/24 <Local_IP>/24 any -P in ipsec \
    esp/tunnel/<remote_public_IP>-<client's_public_IP>/require;
spdadd .... (inverse connections specified here)

> anyway - when i ping the checkpoint vpn gw (public IP) the tunnel seems
> to work:
>
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: DEBUG: get pfkey UPDATE message
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: DEBUG: pfkey UPDATE succeeded:
> ESP/Transport w.x.y.z[0]->a.b.c.d[0] spi=10934318(0xa6d82e)
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: INFO: IPsec-SA established:
> ESP/Transport w.x.y.z[0]->a.b.c.d[0] spi=10934318(0xa6d82e)
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: DEBUG: ===
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: DEBUG: pk_recv: retry[0] recv()
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: DEBUG: get pfkey ADD message
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: INFO: IPsec-SA established:
> ESP/Transport a.b.c.d[500]->w.x.y.z[500] spi=1949296936(0x742fe928)
  ^^^^^^^^^^^^^

Yes, it works, but it is a transport connection - not a tunnel connection.
You have created a client (your Debian) to end-point (Checkpoint VPN-1)
connection. You can now login into the Checkpoint host and e.g. administer
it - but you can go no further into the LAN behind it.

> only when i ping the host 10.252.5.4 (behind checkpoint vpn gw) - that I
> get the error..
>
> is there something missing in the ipsec-tools.conf config?

Yes, you need to define a tunnel rather than a transport ipsec connection in
the ipsec-tools.conf file.

-- 
Regards,
Mick
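The two points Mick makes, the mirrored in/out spdadd pair for a tunnel-mode policy and reading the negotiated mode out of racoon's log, as an added example that is not Mick's code or part of ipsec-tools. The gateway and client addresses (203.0.113.1, 198.51.100.7) and the /32 client prefix are constructed placeholders; the log lines are the ones quoted in the thread.

```python
import re
from ipaddress import ip_interface

# racoon reports the negotiated mode in its 'IPsec-SA established' lines.
SA_RE = re.compile(
    r"IPsec-SA established: ESP/(?P<mode>Tunnel|Transport) "
    r"(?P<src>\S+?)\[\d+\]->(?P<dst>\S+?)\[\d+\] spi=(?P<spi>\d+)"
)


def tunnel_spd(remote_lan, local_ip, remote_gw, client_ip):
    """Return the in/out spdadd pair for a tunnel-mode policy in setkey(8)
    syntax. The 'out' policy mirrors the 'in' one: both the selector
    addresses and the tunnel endpoints swap places."""
    remote = ip_interface(remote_lan).network   # normalises host bits away
    local = ip_interface(local_ip).network
    return [
        f"spdadd {remote} {local} any -P in ipsec "
        f"esp/tunnel/{remote_gw}-{client_ip}/require;",
        f"spdadd {local} {remote} any -P out ipsec "
        f"esp/tunnel/{client_ip}-{remote_gw}/require;",
    ]


def established_sas(log_lines):
    """Extract (mode, src, dst, spi) from racoon log lines."""
    found = []
    for line in log_lines:
        m = SA_RE.search(line)
        if m:
            found.append((m["mode"], m["src"], m["dst"], int(m["spi"])))
    return found


def transport_where_tunnel_expected(log_lines):
    """A tunnel to the LAN behind the gateway was intended, so any SA that
    came up in Transport mode means the tunnel policy was not applied."""
    return [(s, d) for mode, s, d, _ in established_sas(log_lines)
            if mode == "Transport"]


# The two SA lines quoted in the thread (placeholder addresses as posted).
RACOON_LOG = [
    "Jun 21 13:49:55 10157-1-c926d9-01 racoon: INFO: IPsec-SA established: "
    "ESP/Transport w.x.y.z[0]->a.b.c.d[0] spi=10934318(0xa6d82e)",
    "Jun 21 13:49:55 10157-1-c926d9-01 racoon: INFO: IPsec-SA established: "
    "ESP/Transport a.b.c.d[500]->w.x.y.z[500] spi=1949296936(0x742fe928)",
]
```

Running transport_where_tunnel_expected(RACOON_LOG) flags both SAs from the posted log, which is exactly the mismatch the reply points at.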