[strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

Sucha Singh soorma_j4tt at yahoo.co.uk
Tue Mar 2 20:49:22 CET 2010


Thanks Daniel, I've made some progress, please could you take a look at my ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        plutostart=yes
        nat_traversal=yes
        plutodebug=all

# Add connections here.

conn test
        authby=xauthrsasig
        forceencaps=yes
        keyexchange=ikev1
        keyingtries=1
        type=tunnel
        xauth=client
        # our side: the interface the default route uses
        left=%defaultroute
        leftsourceip=%modeconfig
        # placeholder, fill in the real gateway address
        right=<CheckPoint VPN Firewall IP Address>
        # without auto=add pluto keeps the default auto=ignore and never loads
        # the conn, which is exactly what "no connection named" means
        auto=add

When I attempt to test the configuration I get the following:

ipsec up test
021 no connection named "test"

I have restarted my laptop, but I still get the same error.  Is there anything specific I have to do to ensure the ipsec command can read the new connection?  Any help would be appreciated.

Thanks,

Jana
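An added checker, written for this thread and not taken from it or from the strongSwan project, that reads an ipsec.conf in the section/key=value layout shown above and explains why `ipsec up NAME` would report no such connection. It assumes pluto's documented default of auto=ignore (a conn without auto= is never loaded) and uses the posted configuration, embedded as a constructed sample, as its input; the `left=%defaultroute` hint is the usual client-side setting, not something the thread states.

```python
"""Lint a strongSwan ipsec.conf for the "no connection named X" pitfall.

Added example: parses ipsec.conf into sections and reports why
`ipsec up NAME` would fail (section absent, auto= left at its default of
ignore, an unfilled <placeholder> value, or no left= for our own side).
"""
import re

# Constructed sample: the configuration posted in the thread, as posted.
SAMPLE_CONF = """\
# ipsec.conf - strongSwan IPsec configuration file

config setup
    plutostart=yes
        nat_traversal=yes
        plutodebug=all

conn test
       authby=xauthrsasig
       forceencaps=yes
       keyexchange=ikev1
       keyingtries=1
       type=tunnel
       xauth=client
       right=<CheckPoint VPN Firewall IP Address>
       leftsourceip=%modeconfig
"""

# An unindented "config setup", "conn NAME" or "ca NAME" line opens a section.
SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {"conn test": {key: value, ...}, ...} from ipsec.conf text.

    Section headers start in column 0; parameters are indented key=value
    lines; '#' starts a comment; blank lines are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header and not raw[0].isspace():
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def check_conn(sections, name):
    """Explain why `ipsec up NAME` would fail; an empty list means loadable."""
    conn = sections.get(f"conn {name}")
    if conn is None:
        return [f'no "conn {name}" section in ipsec.conf']
    problems = []
    auto = conn.get("auto", "ignore")  # pluto's default when auto= is absent
    if auto == "ignore":
        problems.append('auto= is missing or "ignore", so pluto never loads '
                        'the conn; set auto=add so "ipsec up" can find it')
    for key, value in conn.items():
        if value.startswith("<") and value.endswith(">"):
            problems.append(f"{key}= still holds the placeholder {value}")
    if "left" not in conn:
        problems.append("left= is not set; client examples use left=%defaultroute")
    return problems


if __name__ == "__main__":
    for issue in check_conn(parse_ipsec_conf(SAMPLE_CONF), "test"):
        print("-", issue)
```

Run it against the real file with `check_conn(parse_ipsec_conf(open("/etc/ipsec.conf").read()), "test")`; once it returns an empty list, `ipsec rereadall` (or a restart of pluto) followed by `ipsec up test` should at least find the connection, and any remaining failure will be an IKE negotiation error rather than a loading one.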

--- On Mon, 1/3/10, Daniel Mentz <danielml+mailinglists.strongswan at sent.com> wrote:

From: Daniel Mentz <danielml+mailinglists.strongswan at sent.com>
Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
To: "Sucha Singh" <soorma_j4tt at yahoo.co.uk>
Cc: users at lists.strongswan.org
Date: Monday, 1 March, 2010, 19:48

Hi Jana,

please go to

http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples

for IKEv1 Configuration Examples. "PSK with XAUTH authentication and 
virtual IP addresses" or "RSA with XAUTH authentication and virtual IP 
addresses" is probably the right one for you.

Please refer to

http://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf

for definitions of the individual parameters.

-Daniel


Sucha Singh wrote:
> Hi Andreas,
> 
> Thank you for your prompt response, I appreciate it.  I can confirm that we are indeed using IKEv1 Main Mode.
> 
> I have the pluto daemon installed, however I have no idea how to configure the ipsec.conf file.  I have opened it in a text editor and I am struggling to make sense of most of the parameters.  I can't appear to find anything in the online documentation to define what the parameters mean.
> 
> Could you possibly construct the file for me based on the information I have already supplied?  I will fill the blanks like site IP address etc.
> 
> Thanks again for your time and support.
> 
> Jana
> 
> --- On Sun, 28/2/10, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> 
> From: Andreas Steffen <andreas.steffen at strongswan.org>
> Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
> To: "Sucha Singh" <soorma_j4tt at yahoo.co.uk>
> Cc: users at lists.strongswan.org
> Date: Sunday, 28 February, 2010, 12:12
> 
> Hi,
> 
> as far as I know, the CheckPoint VPN gateway does not support the IKEv2
> protocol. Therefore you can't use the strongSwan NetworkManager plugin
> to set up a connection.
> 
> The CheckPoint VPN gateway most probably will use IKEv1 and XAUTH.
> The first thing to find out is whether IKEv1 Main Mode is used
> by the CheckPoint box since strongSwan does not support the
> potentially insecure IKEv1 Aggressive Mode. If Main Mode is
> possible then you can configure strongSwan's IKEv1 pluto daemon
> via /etc/ipsec.conf.
> 
> Best regards
> 
> Andreas
> 
> Sucha Singh wrote:
>> Hi,
>>
>> I'm looking to use strongSwan to connect to my company CheckPoint
>> VPN; as I am new to Linux and networking I am really struggling to
>> get anything working.  I have an ActivIdentity token that generates a
>> password that authenticates against a RADIUS server; below is a list
>> of facts I know from my CheckPoint config from Windows:
>>
>> I have an IP address for the company site
>> Authentication - Challenge Response
>> NAT-T protocol - enabled
>> Office Mode - enabled
>> Use NAT traversal tunneling - enabled
>> IKE over TCP - enabled
>> Force UDP encapsulation - enabled
>>
>> I have attempted to use the Network Manager GUI to connect but it
>> fails with "VPN service failed to start", the syslog file contains a
>> host of errors.  The settings I attempted were:
>>
>> Gateway:
>>   Address - IP address of my company site
>>   Certificate - None
>>
>> Client:
>>   Authentication - EAP
>>   Username - My id I use for my token to generate password
>>
>> Options:
>>   Request an inner IP address - unchecked
>>   Enforce UDP encapsulation - checked
>>   Use IP compression - unchecked
>>
>> My questions would be:
>>
>> 1) Does strongSwan support the protocols/authentication methods I
>>    describe for CheckPoint VPN?
>> 2) If yes, then does my setup through Network Manager look correct?
>> 3) If yes, then is it a case of posting the sys.log errors for
>>    someone to kindly look at?
>>
>> I appreciate anyone's help and time with this.
>>
>> Regards,
>>
>> Jana
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 