[strongSwan] VPN to CheckPoint with NAT

Thomas Liesner t.liesner at vignold.de
Mon Dec 2 14:47:09 CET 2013


Hi all,

I am trying to accomplish a VPN connection via strongSwan 4.6.1 to a 
bigger CheckPoint gateway. strongSwan is built into a Gateprotect 
security appliance.

Left side must be NATed, because the right side is using all of the 
networks of RFC 1918... But anyway, I can't even get close to that...

The connection is defined as:

> conn "checkpoint"
>     keyexchange=ikev2
>     mobike=yes
>     dpdaction=restart
>     closeaction=restart
>     auto=start
>     ikelifetime=86400
>     lifetime=3600
>     ike=3des-sha1-modp1024
>     esp=3des-md5-modp1024
>     left=213.61.219.162
>     leftsubnet=192.168.60.0/24
>     right=164.61.192.1
>     rightsubnet=194.120.220.0/22
>     authby=psk
>     compress=no

When starting the connection all i see is:

> root at GPX-1000:~ # ipsec up Metro_72
> initiating IKE_SA Metro_72[3] to 164.61.192.1
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 213.61.219.162[500] to 164.61.192.1[500]
> received packet: from 164.61.192.1[500] to 213.61.219.162[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
> authentication of '213.61.219.162' (myself) with pre-shared key
> establishing CHILD_SA Metro_72
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
> sending packet: from 213.61.219.162[4500] to 164.61.192.1[4500]
> received packet: from 164.61.192.1[4500] to 213.61.219.162[4500]
> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) N(TS_UNACCEPT) ]
> IDr payload missing
> root at GPX-1000:~ # 

The right side is giving me:

> Ike Ids::
> Ike Notification::
> Ike::                  Auth exchange: Sending notification to peer: Traffic selectors unacceptable

Unfortunately I cannot turn on any debugging options because of 
restrictions of the way ipsec is built into the appliance :(

Is there anything you can read from that, which could help me work on this?

Thanks and kind regards,
Thomas
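As an added troubleshooting helper (not part of the original post, and not strongSwan's own code), the script below parses the conn block and the `ipsec up` output quoted above, extracts the notify payloads the CheckPoint side returned in the IKE_AUTH response, and relates the TS_UNACCEPT to the traffic selectors strongSwan proposed from leftsubnet/rightsubnet. The embedded conn and log text are a constructed excerpt of the post.

```python
import ipaddress
import re

# Constructed excerpt of the conn block and `ipsec up` output from the post.
CONN = """
conn "checkpoint"
    keyexchange=ikev2
    left=213.61.219.162
    leftsubnet=192.168.60.0/24
    right=164.61.192.1
    rightsubnet=194.120.220.0/22
    authby=psk
"""
LOG = """
initiating IKE_SA Metro_72[3] to 164.61.192.1
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
establishing CHILD_SA Metro_72
parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) N(TS_UNACCEPT) ]
IDr payload missing
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conn(text):
    """Return the key=value options of the conn block as a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.strip().lstrip("> ")
        if "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    return opts

def auth_notifies(log):
    """Notify payload names the peer sent in parsed IKE_AUTH responses."""
    names = []
    for line in log.splitlines():
        line = line.strip().lstrip("> ")
        if line.startswith("parsed IKE_AUTH response"):
            names += re.findall(r"N\(([A-Z0-9_]+)\)", line)
    return names

def diagnose(conn_text, log_text):
    """Explain a TS_UNACCEPT reply in terms of the configured traffic selectors."""
    conn, notifies = parse_conn(conn_text), auth_notifies(log_text)
    left = ipaddress.ip_network(conn["leftsubnet"])
    left_rfc1918 = any(left.overlaps(n) for n in RFC1918)  # private range toward a peer that owns all of RFC 1918
    findings = []
    if "TS_UNACCEPT" in notifies:
        findings.append(f"peer rejected TSi={conn['leftsubnet']} TSr={conn['rightsubnet']}; "
                        "compare both against the peer's configured encryption domain")
        if left_rfc1918:
            findings.append("leftsubnet is RFC 1918: if the left side is NATed toward the peer, "
                            "TSi must carry the translated range the peer expects (assumption)")
    return {"notifies": notifies, "left_is_rfc1918": left_rfc1918, "findings": findings}
```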


