[strongSwan] VPN to CheckPoint with NAT

Thomas Liesner t.liesner at vignold.de
Mon Dec 2 14:47:09 CET 2013

Hi all,

I am trying to accomplish a VPN connection via strongSwan 4.6.1 to a 
bigger CheckPoint gateway. strongSwan is built into a Gateprotect 
security appliance.

Left side must be NATed, because the right side is using all of the 
networks of RFC 1918... But anyways, I can't even get close to that...

The connection is defined as:

> conn "checkpoint"
>     keyexchange=ikev2
>     mobike=yes
>     dpdaction=restart
>     closeaction=restart
>     auto=start
>     ikelifetime=86400
>     lifetime=3600
>     ike=3des-sha1-modp1024
>     esp=3des-md5-modp1024
>     left=
>     leftsubnet=
>     right=
>     rightsubnet=
>     authby=psk
>     compress=no

When starting the connection all I see is:

> root at GPX-1000:~ # ipsec up Metro_72
> initiating IKE_SA Metro_72[3] to
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from[500] to[500]
> received packet: from[500] to[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
> authentication of '' (myself) with pre-shared key
> establishing CHILD_SA Metro_72
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi 
> sending packet: from[4500] to[4500]
> received packet: from[4500] to[4500]
> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) N(TS_UNACCEPT) ]
> IDr payload missing
> root at GPX-1000:~ # 

The right side is giving me:

 > Ike Ids::
 > Ike Notification::
 > Ike::                  Auth exchange: Sending notification to peer: Traffic selectors unacceptable

Unfortunately I cannot turn on any debugging options because of 
restrictions of the way ipsec is built into the appliance :(

Is there anything you can read from that, which could help me work on this?

Thanks and kind regards,
