Yes. The lookup of PSKs in ipsec.secrets uses "leftid" not "left" if it can. It's confusing because if you don't set "leftid" then it will default to the same value as "left"! Your rightupdown will probably not do anything and doesn't need to be there, probably just adds confusion to people reading the ipsec.conf file! Possibly rightid doesn't carry over to Checkpoint too... Carl
From: "Thorsten Marquardt"
To: suse-security@suse.com
Subject: [suse-security] FreeSwan <-> CheckPoint
Date: Tue, 4 Nov 2003 16:24:42 +0000 (MEST)

Hi,
I need to build an ipsec tunnel between CheckPoint and FreeSwan. The policy of my communication partner forces me to use preshared keys.
If we try to negotiate the connection the following messages show up in /var/log/messages
Nov 4 15:56:08 mail Pluto[2450]: packet from aaa.bbb.ccc.ddd:500: ignoring Vendor ID payload
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: responding to Main Mode
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: Can't authenticate: no preshared key. Attri
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: no acceptable Oakley Transform

with /etc/ipsec.conf like:

# sample connection
conn here-there
	# Left security gateway, subnet behind it, next hop toward right.
	type=tunnel
	authby=secret
	keylife=1440
	ikelifetime=6h
	keyexchange=ike
	auth=esp
	pfs=no
	leftid=@....
	left=www.xxx.yyy.zzz
	leftnexthop=www.xxx.yyy.zzx
	leftsubnet=192.168.1.0/24
	leftupdown=/usr/lib/ipsec/_updown.cust
	# Right security gateway, subnet behind it, next hop toward left.
	right=aaa.bbb.ccc.ddd
	rightupdown=/usr/lib/ipsec/_updown.cust
	rightid=@----
	rightsubnet=10.1.0.0/16
	# To authorize this connection, but not actually start it, at startup,
	# uncomment this.
	auto=add
	keyingtries=1
and
/etc/ipsec.secrets like:
[...]
# Must be same on both; generate on one and copy to the other.
aaa.bbb.ccc.ddd www.xxx.yyy.zzz : PSK "Rumpelstielzchen"

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Put ONLY the "pubkey" part into connection
# descriptions on the other host(s); it need not be kept secret.
: RSA {
	[...]
	}
What may go wrong? Any hints are welcome.
Yours sincerely
Thom
--
-------------------------------------------------------------------
bye bye (c) by Thom | Thorsten Marquardt
| EMail: THOM@kaupp.chemie.uni-oldenburg.de
| Member of the pzt project.
| http://kaupp.chemie.uni-oldenburg.de/pzt
-------------------------------------------------------------------
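Carl's point above, that pluto looks the PSK up under the IDs the peers present (leftid/rightid) rather than under the addresses in left/right, can be seen with a small model of the ipsec.secrets selector matching. The code below is an added illustration for this archive page, not pluto's own code and not from either poster; it models only PSK entries, treats "%any" and an empty selector list as wildcards, and uses constructed placeholder addresses (RFC 5737 ranges) and hypothetical IDs "@left.example" / "@right.example" in place of the elided ones in the thread.

```python
import shlex
from typing import List, Optional, Tuple

# Constructed ipsec.secrets content modelled on the one posted in the thread
# (placeholder addresses, not real hosts).
SECRETS_AS_POSTED = '''
# Must be same on both; generate on one and copy to the other.
198.51.100.1 192.0.2.1 : PSK "Rumpelstielzchen"
'''

# The same secret keyed by the IDs that leftid/rightid make the peers present
# (hypothetical IDs standing in for the "@...." / "@----" in the thread).
SECRETS_KEYED_BY_ID = '''
@left.example @right.example : PSK "Rumpelstielzchen"
'''

Entry = Tuple[List[str], str]  # (selectors, secret)


def parse_secrets(text: str) -> List[Entry]:
    """Parse lines of the form `sel1 sel2 ... : PSK "secret"`.

    Comment text after '#' and blank lines are ignored.  Lines whose body
    does not start with PSK (e.g. the `: RSA { ... }` block) are skipped,
    since only the preshared-key lookup is modelled here."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or ':' not in line:
            continue
        selectors_part, _, body = line.partition(':')
        tokens = shlex.split(body)      # handles the quoted secret
        if len(tokens) < 2 or tokens[0] != 'PSK':
            continue
        entries.append((selectors_part.split(), tokens[1]))
    return entries


def selector_matches(selector: str, ident: str) -> bool:
    """'%any' matches every ID; otherwise the ID must equal the selector
    (IDs of the @fqdn form are compared case-insensitively)."""
    return selector == '%any' or selector.lower() == ident.lower()


def lookup_psk(entries: List[Entry], local_id: str, remote_id: str) -> Optional[str]:
    """Return the PSK for the (local_id, remote_id) pair, or None.

    An entry matches when each of the two IDs matches one of its selectors.
    An entry with no selectors is a catch-all.  The most specific match wins:
    exact selectors score above '%any', which scores above a catch-all."""
    best: Optional[str] = None
    best_score = -1
    for selectors, secret in entries:
        if not selectors:
            score = 0
        else:
            if not all(any(selector_matches(s, i) for s in selectors)
                       for i in (local_id, remote_id)):
                continue
            score = 1 + sum(1 for s in selectors if s != '%any')
        if score > best_score:
            best, best_score = secret, score
    return best


def demonstrate() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Reproduce the failure from the thread and the fix Carl describes."""
    posted = parse_secrets(SECRETS_AS_POSTED)
    # With leftid/rightid unset the IDs default to the addresses: lookup works.
    by_address = lookup_psk(posted, '192.0.2.1', '198.51.100.1')
    # With leftid=@left.example and rightid=@right.example pluto looks the
    # IDs up, so the address-keyed line no longer matches: "no preshared key".
    by_id_old = lookup_psk(posted, '@left.example', '@right.example')
    # Keying the secret by the IDs makes the lookup succeed again.
    fixed = parse_secrets(SECRETS_KEYED_BY_ID)
    by_id_new = lookup_psk(fixed, '@left.example', '@right.example')
    return by_address, by_id_old, by_id_new


if __name__ == '__main__':
    for label, result in zip(('by address', 'by ID, old file', 'by ID, fixed file'),
                             demonstrate()):
        print(f'{label:>18}: {result!r}')
```

The model deliberately keeps the lookup keyed on the pair of IDs, which is why either setting leftid/rightid to match the selectors already in ipsec.secrets, or rewriting the selectors to the IDs as done in SECRETS_KEYED_BY_ID, resolves the "Can't authenticate: no preshared key" line quoted above.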