Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] FreeSwan <-> CheckPoint
  • From: "J J" <c_peto@xxxxxxxxxxx>
  • Date: Tue, 04 Nov 2003 18:04:09 +0000
  • Message-id: <Sea2-F56Vilvg8UUxRt00045d13@xxxxxxxxxxx>
Yes.

The lookup of PSKs in ipsec.secrets uses "leftid" not "left" if it can.

It's confusing because if you don't set "leftid" then it will default to the same value as "left"!

Your rightupdown will probably not do anything and doesn't need to be there; it probably just adds confusion to people reading the ipsec.conf file! Possibly rightid doesn't carry over to Checkpoint too...


Carl

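To make the point above concrete, here is a small Python model of the PSK lookup (an added example, not FreeS/WAN's own code): the IDs used for the lookup are leftid/rightid, falling back to left/right only when no id is set, and an ipsec.secrets entry matches only if its selector list covers both IDs (an empty list or %any acts as a wildcard). The addresses and @ids below are constructed stand-ins for the values elided in the post, and the model handles IPv4 and @id selectors only.

```python
import re

# Added example, not FreeS/WAN code: simplified model of how Pluto selects a
# PSK from ipsec.secrets for a connection. Real Pluto also handles RSA
# secrets, IPv6 selectors and "best match" ranking; this keeps only the part
# that explains "Can't authenticate: no preshared key" in the thread.
SECRET_RE = re.compile(r'^(?P<sel>[^:]*):\s*PSK\s+"(?P<psk>[^"]*)"\s*$')

def effective_id(conn, side):
    """leftid/rightid win; without them the id defaults to the address."""
    return conn.get(side + "id") or conn[side]

def parse_secrets(text):
    """Return [(selectors, psk)] for PSK lines; RSA blocks and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SECRET_RE.match(line)
        if m:
            entries.append((m.group("sel").split(), m.group("psk")))
    return entries

def selector_matches(selectors, ident):
    """Empty selector list or %any matches any id; otherwise the id must be listed."""
    return not selectors or "%any" in selectors or ident in selectors

def find_psk(conn, secrets_text):
    """PSK whose selectors cover both IDs, or None (Pluto: 'no preshared key')."""
    ids = (effective_id(conn, "left"), effective_id(conn, "right"))
    for selectors, psk in parse_secrets(secrets_text):
        if all(selector_matches(selectors, i) for i in ids):
            return psk
    return None

# Constructed stand-ins for the addresses and @ids elided in the post.
LEFT, RIGHT = "192.0.2.10", "198.51.100.20"
CONN_WITH_IDS = {"left": LEFT, "right": RIGHT,
                 "leftid": "@gw.example.org", "rightid": "@cp.example.net"}
CONN_NO_IDS = {"left": LEFT, "right": RIGHT}

# Secrets keyed by address, as in the post: only matches when no ids are set.
SECRETS_BY_ADDR = f'# Must be same on both.\n{RIGHT} {LEFT} : PSK "Rumpelstielzchen"\n'
# Secrets keyed by the same ids the conn uses: matches with leftid/rightid set.
SECRETS_BY_ID = '@cp.example.net @gw.example.org : PSK "Rumpelstielzchen"\n'

if __name__ == "__main__":
    print(find_psk(CONN_WITH_IDS, SECRETS_BY_ADDR))  # None -> "no preshared key"
    print(find_psk(CONN_NO_IDS, SECRETS_BY_ADDR))    # Rumpelstielzchen
    print(find_psk(CONN_WITH_IDS, SECRETS_BY_ID))    # Rumpelstielzchen
```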

From: "Thorsten Marquardt" <thom@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
To: suse-security@xxxxxxxx
Subject: [suse-security] FreeSwan <-> CheckPoint
Date: Tue, 4 Nov 2003 16:24:42 +0000 (MEST)

Hi,

I need to build an ipsec tunnel between CheckPoint and FreeSwan.
The policy of my communication partner forces me to use preshared keys.

If we try to negotiate the connection the following messages show
up in /var/log/messages


Nov 4 15:56:08 mail Pluto[2450]: packet from aaa.bbb.ccc.ddd:500: ignoring Vendor ID payload
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: responding to Main Mode
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: Can't authenticate: no preshared key. Attri
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: no acceptable Oakley Transform

with /etc/ipsec.conf like:
# sample connection
conn here-there
    # Left security gateway, subnet behind it, next hop toward right.
    type=tunnel
    authby=secret
    keylife=1440
    ikelifetime=6h
    keyexchange=ike
    auth=esp
    pfs=no
    leftid=@....
    left=www.xxx.yyy.zzz
    leftnexthop=www.xxx.yyy.zzx
    leftsubnet=192.168.1.0/24
    leftupdown=/usr/lib/ipsec/_updown.cust
    # Right security gateway, subnet behind it, next hop toward left.
    right=aaa.bbb.ccc.ddd
    rightupdown=/usr/lib/ipsec/_updown.cust
    rightid=@----
    rightsubnet=10.1.0.0/16
    # To authorize this connection, but not actually start it, at startup,
    # uncomment this.
    auto=add
    keyingtries=1

and

/etc/ipsec.secrets like:

[...]
# Must be same on both; generate on one and copy to the other.
aaa.bbb.ccc.ddd www.xxx.yyy.zzz : PSK "Rumpelstielzchen"



# RSA private key for this host, authenticating it to any other host
# which knows the public part. Put ONLY the "pubkey" part into connection
# descriptions on the other host(s); it need not be kept secret.
: RSA {
[...]
}

What may go wrong? Any hints are welcome.

Yours sincerely

Thom



--

-------------------------------------------------------------------
bye bye (c) by Thom | Thorsten Marquardt
| EMail: THOM@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| Member of the pzt project.
| http://kaupp.chemie.uni-oldenburg.de/pzt
-------------------------------------------------------------------




