[strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Mon Mar 1 20:48:09 CET 2010

Hi Jana,

please go to


for IKEv1 Configuration Examples. "PSK with XAUTH authentication and 
virtual IP addresses" or "RSA with XAUTH authentication and virtual IP 
addresse" is probably the right one for you.

Please refer to


for definitions of the individual parameters.


Sucha Singh wrote:
> Hi Andreas,
> Thank you for your prompt response, I appreciate it.  I can confirm that we are indeed using IKEv1 Main Mode.
> I have the pluto daemon installed, however I have no idea how to configure the ipsec.conf file.  I have opened it in a text editor and I am struggling to make sense of most of the parameters.  I can't appear to find anything in the online documentation to define what the parameters mean.
> Could you possibly construct the file for me based on the information I have already supplied?  I will fill the blanks like site IP address etc.
> Thanks again for your time and support.
> Jana
> --- On Sun, 28/2/10, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> From: Andreas Steffen <andreas.steffen at strongswan.org>
> Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
> To: "Sucha Singh" <soorma_j4tt at yahoo.co.uk>
> Cc: users at lists.strongswan.org
> Date: Sunday, 28 February, 2010, 12:12
> Hi,
> as far as I know, the CheckPoint VPN gateway does not support the IKEv2
> protocol. Therefore you can't use the strongSwan NetworkManager plugin
> to set up a connection.
> The CheckPoint VPN gateway most probably will use IKEv1 and XAUTH.
> The first thing to find out is whether IKEv1 Main Mode is used
> by the CheckPoint box since strongSwan does not support the
> potentially insecure IKEv1 Aggressive Mode. If Main Mode is
> possible then you can configure strongSwan's IKEv1 pluto daemon
> via /etc/ipsec.conf.
> Best regards
> Andreas
> Sucha Singh wrote:
>> Hi,
>> I'm looking to use strongSwan to connect to my company CheckPoint
>> VPN, as I am new to Linux and networking I am really struggling to
>> get anything working.  I have a Actividentity token that generates a
>> password that authenticates against a RADIUS server, below is a list
>> of facts I know from my CheckPoint config from Windows:
>> I have an IP address for company site Authentication - Challenge
>> Response NAT-T protocol - enabled Office Mode - enabled Use NAT
>> traversal tunneling - enabled IKE over TCP - enabled Force UDP
>> encapsulation - enabled
>> I have attempted to use the Network Manager GUI to connect but it
>> fails with "VPN service failed to start", the syslog file contains a
>> host of errors.  The settings I attempted were:
>> Gateway: Address - IP address of my company site Certificate - None
>> Client: Authentication - EAP Username - My id I use for my token to
>> generate password
>> Options - Request an inner IP address - unchecked Enforce UDP
>> encapsulation - checked Use IP compression - unchecked
>> My questions would be:
>> 1) Does strongSwan support the protocols/authentication methods I
>> describe for CheckPoint VPN 2) If yes, then does my setup through
>> Network Manager look correct 3) If yes, then is it a case of posting
>> the sys.log errors for someone to kindly look at
>> I appreciate anyone's help and time with this.
>> Regards,
>> Jana
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list