[strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

Sucha Singh soorma_j4tt at yahoo.co.uk
Thu Mar 4 20:45:09 CET 2010 

Hi Andreas,

Thanks again, the below was the response from our network administrator to your question:

"I don’t think we do any certificate based authentication.  There certainly isn’t any client side certificate."

Here are some more settings from our VPN:-

IKE Properties:-

Support key exchange encryption with:

3DES - enabled
AES-256 - enabled
DES - enabled

Support data integrity with:

MD5 - enabled
SHA1 - enabled

Support authentication methods:

Pre-Shared Secret - disabled
Public Key Signatures - disabled

Advanced IKE Properties:-

Support Diffie–Hellman groups for IKE (phase 1) Security associations:

Group 2 (1024 bit) - enabled

Reviewing the above settings I added the following line to the ipsec.conf:

ike=3des-sha1-md5-modp1024

I then get the following errors:

002 "test" #1: initiating Main Mode
003 "test" #1: no IKE algorithms for this connection (check ike algorithm string)
003 "test" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)

Was I right to add the above setting?

Just to reiterate the point again, I am using a challenge-response security token that generates a OTP (One Time Password).  Just to clarify I do the following in Windows to connect to the VPN:

1) Click connect on the CheckPoint Client
2) It will prompt me for Username and Password credentials
3) I input my Username (Numeric) into the security token, upon entering the correct Username it will generate a Password
4) I then input my Username and the Password generated by the security token, it then gives a message of authenticating against a RADIUS server, then successfully connects

I've never been given any certificate to install on my client.

I'm optimistic that with the help of all you kind individuals that I am getting closer to connecting :-)

Thanks Again,

Jana

--- On Thu, 4/3/10, Andreas Steffen <andreas.steffen at strongswan.org> wrote:

From: Andreas Steffen <andreas.steffen at strongswan.org>
Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
To: "Sucha Singh" <soorma_j4tt at yahoo.co.uk>
Cc: "Martin Willi" <martin at strongswan.org>, users at lists.strongswan.org
Date: Thursday, 4 March, 2010, 6:05

Hello Jana,

the log entry:

ignoring informational payload, type NO_PROPOSAL_CHOSEN

means that the CheckPoint box does not like your proposal.
Is it really configuredd to do XAUTH with certificate-based
mutual authentication?

Regards

Andreas

Sucha Singh wrote:
> Hi All,
> 
> Thanks Martin, I've made some more progress, I am now getting the following error when I run "ipsec up test":
> 
> 002 "test" #2: initiating Main Mode
> 104 "test" #2: STATE_MAIN_I1: initiate
> 003 "test" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> 010 "test" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
> 010 "test" #2: STATE_MAIN_I1: retransmission; will wait 40s for response
> 031 "test" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> 
> My ipsec.conf now looks like this:
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
>     plutostart=yes
>     nat_traversal=yes
>     plutodebug=all
> 
> # Add connections here.
> 
> conn test
>        auto=add
>        authby=xauthrsasig
>        forceencaps=yes
>        keyexchange=ikev1
>        keyingtries=1
>        type=tunnel
>        xauth=client
>        right=<IP address of CheckPoint VPN>
>        left=<IP address of my laptop>
> 
> # include /var/lib/strongswan/ipsec.conf.inc
> 
>>From what sense I can make from the error, I assume it means that my client request has reached the VPN gateway, but the authentication/encryption protocols don't match?
> 
> I sincerely appreciate the help you guys are providing.
> 
> Regards,
> 
> Jana
> 
> --- On Wed, 3/3/10, Martin Willi <martin at strongswan.org> wrote:
> 
> From: Martin Willi <martin at strongswan.org>
> Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
> To: "Sucha Singh" <soorma_j4tt at yahoo.co.uk>
> Cc: "Daniel Mentz" <danielml+mailinglists.strongswan at sent.com>, users at lists.strongswan.org
> Date: Wednesday, 3 March, 2010, 7:32
> 
> Hi,
> 
>> conn test
>>         authby=xauthrsasig
>>         forceencaps=yes
>>         keyexchange=ikev1
>>         keyingtries=1
>>         type=tunnel
>>         xauth=client
>>         right=<CheckPoint VPN Firewall IP Address>
>>         leftsourceip=%modeconfig
> 
>> ipsec up test
>> 021 no connection named "test"
> 
> You additionally need the "auto" parameter. auto=add loads the
> configuration to the IKE daemon. auto=start additionally starts the
> connection automatically. man ipsec.conf for details.
> 
> Regards
> Martin

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list