Mailinglist Archive: opensuse-security (220 mails)

FreeSwan <-> CheckPoint
  • From: "Thorsten Marquardt" <thom@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 4 Nov 2003 16:24:42 +0000 (MEST)
  • Message-id: <200311041624.QAA29889@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Hi,

I need to build an ipsec tunnel between CheckPoint and FreeSwan.
The policy of my communication partner forces me to use preshared keys.

If we try to negotiate the connection, the following messages show
up in /var/log/messages:


Nov 4 15:56:08 mail Pluto[2450]: packet from aaa.bbb.ccc.ddd:500: ignoring Vendor ID payload
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: responding to Main Mode
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: Can't authenticate: no preshared key. Attri
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: no acceptable Oakley Transform

with /etc/ipsec.conf like:
# sample connection
conn here-there
    # Left security gateway, subnet behind it, next hop toward right.
    type=tunnel
    authby=secret
    keylife=1440
    ikelifetime=6h
    keyexchange=ike
    auth=esp
    pfs=no
    leftid=@....
    left=www.xxx.yyy.zzz
    leftnexthop=www.xxx.yyy.zzx
    leftsubnet=192.168.1.0/24
    leftupdown=/usr/lib/ipsec/_updown.cust
    # Right security gateway, subnet behind it, next hop toward left.
    right=aaa.bbb.ccc.ddd
    rightupdown=/usr/lib/ipsec/_updown.cust
    rightid=@----
    rightsubnet=10.1.0.0/16
    # To authorize this connection, but not actually start it, at startup,
    # uncomment this.
    auto=add
    keyingtries=1

and

/etc/ipsec.secrets like:

[...]
# Must be same on both; generate on one and copy to the other.
aaa.bbb.ccc.ddd www.xxx.yyy.zzz : PSK "Rumpelstielzchen"



# RSA private key for this host, authenticating it to any other host
# which knows the public part. Put ONLY the "pubkey" part into connection
# descriptions on the other host(s); it need not be kept secret.
: RSA {
[...]
}

What may go wrong? Any hints are welcome.

Yours sincerely

Thom



--

-------------------------------------------------------------------
bye bye (c) by Thom | Thorsten Marquardt
| EMail: THOM@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| Member of the pzt project.
| http://kaupp.chemie.uni-oldenburg.de/pzt
-------------------------------------------------------------------
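Added editor's example, not part of the mail above: Pluto selects a preshared secret by the identities of the two endpoints (leftid/rightid when set, the left/right addresses otherwise), so an ipsec.secrets entry indexed by IP address is not found for a conn that sets FQDN-style IDs. The script below is a simplified model of that lookup; the conn fragment, IDs, addresses and secret are constructed placeholders, not the poster's values.

```python
import re

# Constructed sample fragments (placeholders, not the poster's real values):
# the conn authenticates by IDs, the first secrets line is indexed by address.
SAMPLE_CONN = """conn here-there
    authby=secret
    left=192.0.2.1
    leftid=@here.example
    right=198.51.100.1
    rightid=@there.example
"""
SECRETS_BY_IP = '192.0.2.1 198.51.100.1 : PSK "constructed-secret"\n'
SECRETS_BY_ID = '@here.example @there.example : PSK "constructed-secret"\n'


def conn_ids(conn_text):
    """Return the (left, right) identities Pluto uses to look up a PSK:
    leftid/rightid when present, otherwise the left/right addresses."""
    kv = dict(re.findall(r"^\s*(\w+)=(\S+)", conn_text, re.M))
    return kv.get("leftid", kv.get("left")), kv.get("rightid", kv.get("right"))


def parse_psk_entries(secrets_text):
    """Yield (index_ids, secret) for each PSK line of an ipsec.secrets file."""
    for line in secrets_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment lines carry no index
        m = re.match(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"', line)
        if m:
            yield m.group(1).split(), m.group(2)


def find_psk(conn_text, secrets_text):
    """Simplified model of the secret selection: an entry matches when its
    index list is empty (applies to anyone) or names both endpoint IDs,
    with %any standing in for either side. Returns the secret or None."""
    want = conn_ids(conn_text)
    for ids, secret in parse_psk_entries(secrets_text):
        if not ids or all(i in ids or "%any" in ids for i in want):
            return secret
    return None


if __name__ == "__main__":
    print("IDs used for lookup:", conn_ids(SAMPLE_CONN))
    print("secret indexed by address:", find_psk(SAMPLE_CONN, SECRETS_BY_IP))
    print("secret indexed by ID:     ", find_psk(SAMPLE_CONN, SECRETS_BY_ID))
```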


