Mailinglist Archive: opensuse-security (220 mails)

RE: [suse-security] FreeSwan <-> CheckPoint
  • From: "Michael Ryan" <michael.ryan@xxxxxxxx>
  • Date: Tue, 4 Nov 2003 15:48:53 -0000
  • Message-id: <93FE26E03122AD418B8E02D7A7069A3827563C@xxxxxxxxxxxxxxxxxx>

Thom, have a look here:

http://www.fw-1.de/aerasec/ng/vpn-freeswan/CP-FW1-NG+Linux-FreeSWAN-Gateway.html

might be of some use ...

Michael


-----Original Message-----
From: Thorsten Marquardt [mailto:thom@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, November 04, 2003 4:25 PM
To: suse-security@xxxxxxxx
Subject: [suse-security] FreeSwan <-> CheckPoint


Hi,

I need to build an ipsec tunnel between CheckPoint and FreeSwan. The
policy of my communication partner forces me to use preshared keys.

If we try to negotiate the connection, the following messages show
up in /var/log/messages:


Nov 4 15:56:08 mail Pluto[2450]: packet from aaa.bbb.ccc.ddd:500: ignoring Vendor ID payload
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: responding to Main Mode
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: Can't authenticate: no preshared key. Attri
Nov 4 15:56:08 mail Pluto[2450]: "here-there" #8: no acceptable Oakley Transform

with /etc/ipsec.conf like:
# sample connection
conn here-there
    # Left security gateway, subnet behind it, next hop toward right.
    type=tunnel
    authby=secret
    keylife=1440
    ikelifetime=6h
    keyexchange=ike
    auth=esp
    pfs=no
    leftid=@....
    left=www.xxx.yyy.zzz
    leftnexthop=www.xxx.yyy.zzx
    leftsubnet=192.168.1.0/24
    leftupdown=/usr/lib/ipsec/_updown.cust
    # Right security gateway, subnet behind it, next hop toward left.
    right=aaa.bbb.ccc.ddd
    rightupdown=/usr/lib/ipsec/_updown.cust
    rightid=@----
    rightsubnet=10.1.0.0/16
    # To authorize this connection, but not actually start it, at startup,
    # uncomment this.
    auto=add
    keyingtries=1

and

/etc/ipsec.secrets like:

[...]
# Must be same on both; generate on one and copy to the other.
aaa.bbb.ccc.ddd www.xxx.yyy.zzz : PSK "Rumpelstielzchen"



# RSA private key for this host, authenticating it to any other host
# which knows the public part. Put ONLY the "pubkey" part into connection
# descriptions on the other host(s); it need not be kept secret.
: RSA {
[...]
}

What may go wrong? Any hints are welcome.

Yours sincerely

Thom



--

-------------------------------------------------------------------
bye bye (c) by Thom | Thorsten Marquardt
| EMail: THOM@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| Member of the pzt project.
| http://kaupp.chemie.uni-oldenburg.de/pzt
-------------------------------------------------------------------



--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
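The "Can't authenticate: no preshared key" message in the quoted post is Pluto reporting that it found no ipsec.secrets entry indexed by the identities the conn uses. As an added illustration (not code from the thread or from FreeS/WAN itself), the script below parses a conn section and the PSK lines of ipsec.secrets and checks whether the two agree. It assumes the rule documented for FreeS/WAN: a conn's effective identity is leftid/rightid when set, otherwise the left/right address, and a PSK line must be indexed by both identities (or by %any). The sample config and secrets lines are constructed with documentation addresses and placeholder names; they mirror the shape of the posted files, where the conn uses @-style IDs while the PSK line is indexed by IP addresses.

```python
import re

# Constructed sample in the shape of the posted conn (documentation addresses, not real hosts).
IPSEC_CONF = """\
# sample connection
conn here-there
    type=tunnel
    authby=secret
    leftid=@left.example
    left=192.0.2.10
    leftsubnet=192.168.1.0/24
    right=198.51.100.20
    rightid=@right.example
    rightsubnet=10.1.0.0/16
    auto=add
"""

# Constructed secrets: one indexed by addresses (as in the post), one by the @ IDs.
IPSEC_SECRETS_BY_IP = '192.0.2.10 198.51.100.20 : PSK "constructed-example-secret"\n'
IPSEC_SECRETS_BY_ID = '@left.example @right.example : PSK "constructed-example-secret"\n'


def parse_conns(conf_text):
    """Return {conn_name: {key: value}} for every conn section; comments and blanks skipped."""
    conns = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith('conn '):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            conns[current][key.strip()] = value.strip()
    return conns


def psk_indices(secrets_text):
    """Return one set of index tokens per PSK line (IPv4/ID indices only; IPv6 ':' not handled)."""
    entries = []
    for raw in secrets_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'^(.*?):\s*PSK\s+"', line)
        if m:
            entries.append(set(m.group(1).split()))
    return entries


def effective_ids(conn):
    """Identity used for the secret lookup: leftid/rightid if set, else the left/right address."""
    return (conn.get('leftid') or conn.get('left'),
            conn.get('rightid') or conn.get('right'))


def find_psk(conn, secrets_text):
    """True if some PSK line is indexed by both effective IDs (or %any); None if PSK not used."""
    if conn.get('authby', 'rsasig') != 'secret':
        return None
    lid, rid = effective_ids(conn)
    for idx in psk_indices(secrets_text):
        if all(ident in idx or '%any' in idx for ident in (lid, rid)):
            return True
    return False


def diagnose(conf_text, secrets_text):
    """Per-conn verdict, in the spirit of the Pluto log line the post quotes."""
    report = {}
    for name, conn in parse_conns(conf_text).items():
        found = find_psk(conn, secrets_text)
        if found is None:
            report[name] = 'authby is not secret; PSK lookup not applicable'
        elif found:
            report[name] = 'PSK found for %s <-> %s' % effective_ids(conn)
        else:
            report[name] = "no preshared key indexed by %s and %s" % effective_ids(conn)
    return report


if __name__ == '__main__':
    for label, secrets in (('indexed by IP', IPSEC_SECRETS_BY_IP),
                           ('indexed by ID', IPSEC_SECRETS_BY_ID)):
        print(label, diagnose(IPSEC_CONF, secrets))
```

Running it with the IP-indexed secrets reproduces the mismatch the post describes (no entry for the @-style IDs), while the ID-indexed line satisfies the lookup; the same check can be pointed at real files before bringing a tunnel up, since the secret lookup silently depends on which identity form the conn ends up using.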

