Date:      Mon, 28 May 2001 13:58:18 -0000
From:      Palli <palli@deloitte.is>
To:        "'freebsd-questions@FreeBSD.ORG'" <freebsd-questions@FreeBSD.ORG>
Subject:   Creating ipsec tunnel against Checkpoint Firewall-1
Message-ID:  <18BADD4033C9D411A5E700A0C9EA2A001C6E30@DTRVK>

Hello all,

I am trying to set up an IPSec tunnel from a freshly installed FreeBSD 4.3
to a Checkpoint Firewall.

I followed instructions from:
http://www.securityreports.com/article.pl?sid=01/05/11/1711225&mode=thread&threshold=

And read through an IPSec-mini-howto at:

http://www.x-itec.de/projects/tuts/ipsec-howto.txt

When I start racoon with "racoon -f /etc/racoon.conf -l /var/log/racoon.log"
I get:


2001-05-28 12:53:50: INFO: main.c:146:main(): @(#)racoon 20001216 sakane@ydc.co.jp
2001-05-28 12:53:50: INFO: main.c:147:main(): @(#)This product linked software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
2001-05-28 12:53:50: WARNING: cftoken.l:498:yywarn(): /etc/racoon.conf:47: "MB" the lifetime of bytes in phase 1 will be ignored at the moment.
2001-05-28 12:53:50: WARNING: pfkey.c:1949:pk_checkalg(): compression algorithm can not be checked.


This seems OK, except that "compression algorithm can not be checked" scares
me a bit.

But when I try to contact the Checkpoint's local net I get this in
/var/log/messages and on the console:

	key_acquire2: invalid sequence number is passed.

I simply can't get my hands on enough racoon or IPsec documentation to find
out what I'm really doing wrong.

When I run racoon with "racoon -F -v -f /etc/racoon.conf" I get output
which ends like:

2001-05-28 13:19:02: DEBUG: isakmp.c:1088:isakmp_parsewoh(): succeed.
2001-05-28 13:19:02: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
2001-05-28 13:19:02: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=1 spi=(size=0).
2001-05-28 13:19:10: DEBUG: pfkey.c:191:pfkey_handler(): get pfkey ACQUIRE message
2001-05-28 13:19:10: DEBUG: pfkey.c:1497:pk_recvacquire(): ignore the acquire becuase ph2 found


etc. etc. etc. What I see as bad here is INVALID-ID-INFORMATION, and I don't
really know what it is telling me.

Can anyone tell me where I can seek help with this?

PS. At the end I have posted my kame.sh and /etc/racoon.conf.

kame.sh
--------------------------

#!/bin/sh
# kame.sh: flush the SPD/SAD and install the tunnel-mode policies.
# 5.6.7.8 is this host's public address, 1.2.3.4 is the Firewall-1
# gateway and 192.168.200.0/24 is the network behind it.
# gifconfig gif0 5.6.7.8 1.2.3.4
# ifconfig gif0 inet 192.168.20.45 192.168.200.3 netmask 255.255.255.0

setkey -FP      # flush the security policy database
setkey -F       # flush the security association database
# Configure the Policy.  The inbound policy is the mirror image of the
# outbound one: selectors and tunnel endpoints swapped, and the local
# host selector stays /32 in both directions.
setkey -c << END
spdadd 5.6.7.8/32 192.168.200.0/24 any -P out ipsec
	esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 192.168.200.0/24 5.6.7.8/32 any -P in ipsec
	esp/tunnel/1.2.3.4-5.6.7.8/require;
END

------------------------------


/etc/racoon.conf
----------------
# racoon.conf for use with Checkpoint VPN-1/Firewall-1
#
#
# Pre-shared key set on the VPN-1 server.
#
# WARNING: psk.txt must have mode 600 permission.

path pre_shared_key "/etc/psk.txt" ;

#
log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# Default timer values.
timer
{
        # These values can be changed per remote node.
        counter 5;              # maximum number of send attempts.
        interval 20 sec;        # maximum interval between resends.
        persend 1;              # the number of packets per send.

        # time allowed for each phase to complete.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode aggressive,main; # For Firewall-1 Aggressive mode

        #my_identifier address;
        #my_identifier user_fqdn "";
        #my_identifier address "";
        #peers_identifier address "";
        #certificate_type x509 "" "";

        nonce_size 16;
        lifetime time 10 min;    # sec,min,hour
        #lifetime byte 5 MB;    # B,KB,GB (racoon ignores a byte lifetime in phase 1 and warns about it)
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 10 min;
        lifetime byte 50000 KB;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        #compression_algorithm deflate;  # unused: the SPD policies request esp only, and the kernel cannot check it
}
-----------

Grtz, Palli
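An added example, not code from the original post or from the KAME/racoon project: a small Python checker that parses the spdadd statements of a kame.sh-style policy file and verifies that the inbound policy is the mirror image of the outbound one (traffic selectors and tunnel endpoints swapped, same prefix lengths, same protocol and level). Phase 2 selectors that differ between the two directions, or from what the peer expects, are a common reason for a peer to reject the quick mode identities, so this is the first thing worth checking when a log shows INVALID-ID-INFORMATION. The sample policy text is the poster's kame.sh policy embedded as constructed input; the function and variable names are the example's own.

```python
"""Check that a pair of setkey(8) tunnel-mode spdadd policies mirror each other.

Added example, not part of the original post.  SAMPLE_SPD is the policy
text from the poster's kame.sh, embedded here as constructed input.
"""
import ipaddress
import re
from typing import Dict, List

# One spdadd statement in the form used by kame.sh.  Statements may be
# wrapped over several lines, so the text is flattened before matching.
# Only tunnel-mode policies are recognised; transport-mode ones are skipped.
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<proto>esp|ah|ipcomp)/tunnel/(?P<tsrc>[0-9.]+)-(?P<tdst>[0-9.]+)"
    r"/(?P<level>require|use|default|unique)\s*;"
)

# Constructed input: the two policies from the post, as written there.
SAMPLE_SPD = """
spdadd 5.6.7.8/32 192.168.200.0/24 any -P out ipsec
esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 192.168.200.0/24 5.6.7.8/24 any -P in ipsec
esp/tunnel/1.2.3.4-5.6.7.8/require;
"""


def parse_spd(text: str) -> List[Dict[str, str]]:
    """Return one dict per spdadd statement found in text."""
    flat = " ".join(line.strip() for line in text.splitlines())
    return [m.groupdict() for m in SPDADD_RE.finditer(flat)]


def _cidr(selector: str) -> str:
    """A bare address selector means a single host (/32)."""
    return selector if "/" in selector else selector + "/32"


def check_policies(policies: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the policies pair up cleanly."""
    problems: List[str] = []
    for p in policies:
        for key in ("src", "dst"):
            try:
                # strict=True: a selector like 5.6.7.8/24 has host bits set,
                # which almost always means the prefix length is a typo.
                ipaddress.ip_network(_cidr(p[key]))
            except ValueError:
                problems.append(f"{p['dir']} {key} selector {p[key]} has host bits set under its mask")

    outs = [p for p in policies if p["dir"] == "out"]
    ins = [p for p in policies if p["dir"] == "in"]
    if len(outs) != len(ins):
        problems.append(f"{len(outs)} outbound policies but {len(ins)} inbound")

    for o in outs:
        # The mirror of an outbound policy swaps both the traffic selectors and
        # the tunnel endpoints.  Pair on the endpoints, then compare selectors.
        mirrors = [i for i in ins if i["tsrc"] == o["tdst"] and i["tdst"] == o["tsrc"]]
        if not mirrors:
            problems.append(f"no inbound policy for tunnel {o['tsrc']}-{o['tdst']}")
            continue
        i = mirrors[0]
        for in_key, out_key in (("src", "dst"), ("dst", "src")):
            a = ipaddress.ip_network(_cidr(i[in_key]), strict=False)
            b = ipaddress.ip_network(_cidr(o[out_key]), strict=False)
            if a != b:
                problems.append(f"inbound {in_key} {i[in_key]} does not mirror outbound {out_key} {o[out_key]}")
        for key in ("proto", "level", "upper"):
            if i[key] != o[key]:
                problems.append(f"inbound {key} {i[key]} differs from outbound {o[key]}")
    return problems


if __name__ == "__main__":
    for line in check_policies(parse_spd(SAMPLE_SPD)) or ["policies mirror each other"]:
        print(line)
```

Run against the policy as posted, the checker reports two problems, both about the inbound "5.6.7.8/24" selector: it has host bits set under a /24 mask, and it does not mirror the outbound "5.6.7.8/32". Changing it to /32 makes the report empty. The regex deliberately only understands the esp/ah/ipcomp tunnel form used in kame.sh; a transport-mode policy would be ignored rather than misreported.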



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?18BADD4033C9D411A5E700A0C9EA2A001C6E30>