You don't have to change ipsec.conf
Instead change ipsec.secrets
Where you have a line that says...
aaa.bbb.ccc.ddd www.xxx.yyy.zzz : PSK "Rumpelstielzchen"
I am assuming that aaa.bbb.ccc.ddd is the external (internet) IP address of the Checkpoint box and www.xxx.yyy.zzz is the external (internet) IP address of your Freeswan gateway?
I can't see what you have in your ipsec.conf for the leftid value because you have written
leftid=@....
...that's fine - no point in telling mailing list private details! Just use whatever you have there in your ipsec.secrets file instead of the external (internet) IP address of your Freeswan gateway. Make sure to include the @ symbol as well!!
So your ipsec.secrets file will look something like...
# Must be same on both; generate on one and copy to the other.
aaa.bbb.ccc.ddd @.... : PSK "Rumpelstielzchen"
And that should be all that you need!
Because you have not changed ipsec.conf you will not need to restart ipsec but you will need to use this command...
ipsec auto --rereadsecrets
...so that the pluto daemon will re-read the secrets file.
Then try to bring up the connection again and tell us what happens!
Good luck,
Carl
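The lookup behaviour Carl describes (pluto keys the secret on leftid when it is set, and only falls back to the left address when it is not), modelled in Python as an added example that is not part of the thread or of FreeS/WAN. The TEST-NET addresses, the @fw.example.org id and the %any wildcard handling are constructed assumptions for the illustration.

```python
"""Simplified model of how pluto selects a PSK from ipsec.secrets.

Added example for this thread, not code from FreeS/WAN or from the posters.
Assumes the entry syntax shown in the thread, `selector selector : PSK "secret"`,
and that the lookup key on each side is leftid/rightid when set, else left/right.
"""
import re

ENTRY_RE = re.compile(r'^(?P<sel>[^:]*):\s*PSK\s+"(?P<psk>[^"]*)"\s*$')

# Constructed ipsec.secrets contents: TEST-NET addresses and a made-up @id.
# 192.0.2.1 stands in for the Checkpoint box, 198.51.100.7 for the FreeS/WAN gateway.
SECRETS_BY_IP = '''
# Must be same on both; generate on one and copy to the other.
192.0.2.1 198.51.100.7 : PSK "Rumpelstielzchen"
'''
SECRETS_BY_ID = '''
192.0.2.1 @fw.example.org : PSK "Rumpelstielzchen"
'''

# Constructed connection, as ipsec.conf would define it (left = FreeS/WAN side).
CONN = {'left': '198.51.100.7', 'leftid': '@fw.example.org', 'right': '192.0.2.1'}

def parse_secrets(text):
    """Return [(selectors, psk)] for each PSK entry; comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError('unparsable ipsec.secrets line: %r' % line)
        entries.append((m.group('sel').split(), m.group('psk')))
    return entries

def lookup_psk(entries, conn):
    """Return the PSK pluto would pick for conn, or None if no entry covers both IDs.

    An unset leftid/rightid falls back to the IP in left/right, so once
    leftid=@... is set, an entry keyed on the gateway's IP no longer matches.
    """
    local = conn.get('leftid') or conn['left']
    remote = conn.get('rightid') or conn['right']
    for selectors, psk in entries:
        # Assumption: an empty selector list or %any acts as a wildcard.
        if not selectors or all(i in selectors or '%any' in selectors for i in (local, remote)):
            return psk
    return None
```

With leftid set, the entry keyed on the gateway's IP yields no secret, which is the failure mode the thread is about; the same connection without leftid matches it.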
From: "Thorsten Marquardt" <thom@kaupp.chemie.uni-oldenburg.de>
To: c_peto@hotmail.com (J J)
Subject: Re: [suse-security] FreeSwan <-> CheckPoint
Date: Tue, 4 Nov 2003 19:36:48 +0000 (MEST)
Hi,
Yes.
The lookup of PSKs in ipsec.secrets uses "leftid" not "left" if it can.
It's confusing because if you don't set "leftid" then it will default to the same value as "left"!
I'm not sure that I understand you right. So would you advise me to delete leftid from ipsec.conf or build an ipsec.secrets like:
[...]
# Must be same on both; generate on one and copy to the other.
@the.left.id @the.right.id : PSK "Rumpelstielzchen"
thank you so far.
Thom
--
------------------------------------------------------------------- bye bye (c) by Thom | Thorsten Marquardt | EMail: THOM@kaupp.chemie.uni-oldenburg.de | Member of the pzt project. | http://kaupp.chemie.uni-oldenburg.de/pzt -------------------------------------------------------------------
Dear Carl,
You don't have to change ipsec.conf
Instead change ipsec.secrets
Where you have a line that says...
aaa.bbb.ccc.ddd www.xxx.yyy.zzz : PSK "Rumpelstielzchen"
I am assuming that aaa.bbb.ccc.ddd is the external (internet) IP address of the Checkpoint box and www.xxx.yyy.zzz is the external (internet) IP address of your Freeswan gateway?
yes you're right.
I can't see what you have in your ipsec.conf for the leftid value because you have written
leftid=@....
...that's fine - no point in telling mailing list private details! Just use whatever you have there in your ipsec.secrets file instead of the external (internet) IP address of your Freeswan gateway. Make sure to include the @ symbol as well!!
So your ipsec.secrets file will look something like...
# Must be same on both; generate on one and copy to the other.
aaa.bbb.ccc.ddd @.... : PSK "Rumpelstielzchen"
I did so, but we have to wait. My counterpart is out of office till tomorrow :-(
Then try to bring up the connection again and tell us what happens!
I'll do so. Thanks
Thom
Hi, Carl wrote:
You don't have to change ipsec.conf
Instead change ipsec.secrets
Where you have a line that says...
aaa.bbb.ccc.ddd www.xxx.yyy.zzz : PSK "Rumpelstielzchen"
[...]
I can't see what you have in your ipsec.conf for the leftid value because you have written
leftid=@....
...that's fine - no point in telling mailing list private details! Just use whatever you have there in your ipsec.secrets file instead of the external (internet) IP address of your Freeswan gateway. Make sure to include the @ symbol as well!!
So your ipsec.secrets file will look something like...
# Must be same on both; generate on one and copy to the other.
aaa.bbb.ccc.ddd @.... : PSK "Rumpelstielzchen"
And that should be all that you need!
no that did not help. But maybe my problem is caused by some other FreeSwan tunnels which use key authentication. I will disable this tunnel and try again later. Thanks so far.
Thom