Re: [Ipsec-tools-users] Can't connect to Checkpoint VPN

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Friday 21 Jun 2013 15:02:45 you wrote:
> On 06/21/2013 03:43 PM, Mick wrote:

> > You don't seem to have configured 'peers_identifier address' or
> > 'my_identifier' etc. here.  Is this intentional?
> 
> i tried to run racoon with both these set and with verify_identifier set
> to off (and then set to on) - but it didn't help... didn't make a
> difference

Typically these would be configured so that the remote end can identify your 
client and apply the corresponding policies and vice versa.  In my (limited) 
experience I had to always configure these, or the gateway would complain and 
drop the connection.

However, I have no experience with Checkpoint and limited experience of main 
exchange_mode, so YMMV.  Leave this for later and concentrate on building a 
tunnel connection first - see below.

> >>           proposal {
> >>           
> >>                   encryption_algorithm 3des;
> >>                   hash_algorithm sha1;
> >>                   authentication_method pre_shared_key;
> >> 		
> >> 		dh_group 2;
> >> 		lifetime time 24 hour;
> >> 		
> >>           }
> >> 	
> >> 	generate_policy off;
> >> 
> >> }
> >> 
> >> sainfo address 10.1.1.10 any address 10.252.5.4 any {
> > 
> > [snip ...]
> > 
> > You need to reconfigure these after you decided if you need tunnel or
> > not.
> > 
> > Have a look here for ideas:
> > 
> > http://www.fw-1.de/aerasec/ng/vpn-racoon/CP-VPN1-NG-Linux-racoon-roadwarr
> > ior.html
> 
> Ok, but how do I configure the tunnel or transport mode? I was using
> this wiki as a guide: http://wiki.debian.org/IPsec

The wiki you used shows exactly how to create a tunnel in /etc/ipsec-
tools.conf.  Read the 'alice' example and apply it in your case.

For example:

spdadd <remote_LAN>/24 <Local_IP>/24 any -P in ipsec \ 
esp/tunnel/<remote_public_IP>-<client's_public_IP>/require;

spdadd .... (inverse connections specified here)

> anyway - when i ping the checkpoint vpn gw (public IP) the tunnel seems
> to work:
> 
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: DEBUG: get pfkey UPDATE message
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: DEBUG: pfkey UPDATE succeeded:
> ESP/Transport w.x.y.z[0]->a.b.c.d[0] spi=10934318(0xa6d82e)
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: INFO: IPsec-SA established:
> ESP/Transport w.x.y.z[0]->a.b.c.d[0] spi=10934318(0xa6d82e)
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: DEBUG: ===
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: DEBUG: pk_recv: retry[0] recv()
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: DEBUG: get pfkey ADD message
> Jun 21 13:49:55 10157-1-c926d9-01 racoon: INFO: IPsec-SA established:
> ESP/Transport a.b.c.d[500]->w.x.y.z[500] spi=1949296936(0x742fe928)
      ^^^^^^^^^

Yes, it works, but it is a transport connection - not a tunnel connection.  
You have created a client (your Debian) to end-point (Checkpoint VPN-1) 
connection.  You can now login into the Checkpoint host and e.g. administer it 
- but you can go no further into the LAN behind it.

> only when i ping the host 10.252.5.4 (behind checkpoint vpn gw) - that I
> get the error..
> 
> is there something missing in the ipsec-tools.conf config?

Yes, you need to define a tunnel rather than a transport ipsec connection in 
the ipsec-tools.conf file.

-- 
Regards,
Mick