Hi all,

 Sorry for this topic, but I can't do this and it is very urgent for me. I am
trying to configure a racoon roadwarrior client to establish a VPN tunnel with a
Check Point FireWall-1 NGX R65 under RHEL 3. I am using X.509 certs to accomplish
this.

My racoon.conf:

# directory searched for the files named in certificate_type, ca_type and peers_certfile
path certificate "/etc/racoon/certs";

listen
{
        # control socket used by racoonctl
        adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
}

# phase 1 (IKE SA) settings for the Check Point gateway
remote 172.17.35.6
{
        exchange_mode main;                               # IKEv1 main mode (Identity Protection)
        certificate_type x509 "carlos.pem" "carlos.key";  # client certificate and private key
        verify_cert on;                                   # verify the gateway certificate against the CA below
        ca_type x509 "sauronfw-ca.pem";                   # CA that issued the gateway certificate
        my_identifier asn1dn;                             # send the subject DN of carlos.pem as our IKE ID
        peers_certfile x509 "sauronfw.pem";               # use this local copy of the gateway certificate
        proposal_check obey;                              # lifetime/PFS check level when racoon is the responder
        nat_traversal on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;             # RSA signatures with the certificates above
                dh_group 2;                               # 1024-bit MODP group
        }
}

# phase 2 (IPsec SA) settings, applied to any selector
sainfo anonymous
{
        lifetime time 24 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

And my setkey:

# drop all existing SAs and policies before installing the roadwarrior policy
flush;
spdflush;
# everything leaving 172.17.35.3 must go through the ESP tunnel to the gateway 172.17.35.6
spdadd 172.17.35.3/32 0.0.0.0/0 any -P out ipsec esp/tunnel/172.17.35.3-172.17.35.6/require;
# everything arriving for 172.17.35.3 must have come through the tunnel from the gateway
spdadd 0.0.0.0/0 172.17.35.3/32 any -P in ipsec esp/tunnel/172.17.35.6-172.17.35.3/require;

 SmartView Tracker shows me that authentication is successful, but I cannot
connect to the internal network. The racoon logs show me:

2007-05-25 15:46:40: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
2007-05-25 15:46:40: INFO: @(#)This product linked OpenSSL 0.9.8b 04 May 2006 (http://www.openssl.org/)
2007-05-25 15:46:40: NOTIFY: NAT-T is enabled, autoconfiguring ports
2007-05-25 15:46:40: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
2007-05-25 15:46:40: INFO: 127.0.0.1[500] used for NAT-T
2007-05-25 15:46:40: INFO: 127.0.0.1[4500] used as isakmp port (fd=9)
2007-05-25 15:46:40: INFO: 127.0.0.1[4500] used for NAT-T
2007-05-25 15:46:40: INFO: 172.17.35.3[500] used as isakmp port (fd=10)
2007-05-25 15:46:40: INFO: 172.17.35.3[500] used for NAT-T
2007-05-25 15:46:40: INFO: 172.17.35.3[4500] used as isakmp port (fd=11)
2007-05-25 15:46:40: INFO: 172.17.35.3[4500] used for NAT-T
2007-05-25 15:46:42: INFO: IPsec-SA request for 172.17.35.6 queued due to no phase1 found.
2007-05-25 15:46:42: INFO: initiate new phase 1 negotiation: 172.17.35.3[500]<=>172.17.35.6[500]
2007-05-25 15:46:42: INFO: begin Identity Protection mode.
2007-05-25 15:46:42: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-05-25 15:46:42: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2007-05-25 15:46:42: INFO: Hashing 172.17.35.6[500] with algo #2
2007-05-25 15:46:42: INFO: Hashing 172.17.35.3[500] with algo #2
2007-05-25 15:46:42: INFO: Adding remote and local NAT-D payloads.
2007-05-25 15:46:42: INFO: Hashing 172.17.35.3[500] with algo #2
2007-05-25 15:46:42: INFO: NAT-D payload #0 verified
2007-05-25 15:46:42: INFO: Hashing 172.17.35.6[500] with algo #2
2007-05-25 15:46:42: INFO: NAT-D payload #1 verified
2007-05-25 15:46:42: INFO: NAT not detected
2007-05-25 15:46:42: ERROR: ID mismatched with subjectAltName.
2007-05-25 15:46:42: ERROR: ID mismatched with subjectAltName.
2007-05-25 15:46:42: ERROR: ID mismatched with subjectAltName.
2007-05-25 15:46:42: ERROR: ID mismatched with subjectAltName.
2007-05-25 15:46:42: ERROR: ID mismatched with subjectAltName.
2007-05-25 15:46:42: ERROR: ID mismatched with subjectAltName.
2007-05-25 15:47:13: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 172.17.35.6[500]->172.17.35.3[500]
2007-05-25 15:47:13: INFO: delete phase 2 handler.

 And it is right: phase 1 is never completed... I suspect that the problem is with the
X.509 certs generated on the Check Point SmartCenter server, but I am not sure...

 I have used this howto to do my config:
http://www.fw-1.de/aerasec/ng/vpn-racoon/CP-VPN1-NG-Linux-racoon-roadwarrior.html.

 Does somebody know how I can resolve this?

 Many thanks.



--
CL Martinez
carlopmart {at} gmail {d0t} com
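The message that stops phase 1 in the log above, "ID mismatched with subjectAltName", comes from the check racoon runs on the gateway's IKE identity once it has verified the gateway's certificate and signature: the ID payload the peer sent must be backed by that certificate. For an IPv4/IPv6 address, FQDN or user-FQDN ID, racoon looks for a subjectAltName entry of the corresponding kind (iPAddress, dNSName, rfc822Name) and compares the bytes; for an asn1dn ID it compares against the DER subject name. The Python below is an added model of that comparison, written for this page; it is not ipsec-tools code and is not part of the original post. The ID payload values, the subjectAltName lists, the name `sauronfw.example`, the two-byte placeholder subject DER and the function names `check_certid` and `ids_backed_by` are all constructed here to exercise the three outcomes a practitioner meets: a match, a certificate with no SAN of the required kind, and a SAN of the right kind carrying a different value.

```python
"""Model of the check racoon makes between a peer's IKEv1 ID payload and the
peer's X.509 certificate before accepting an RSA-signature authentication.
Added illustration only: this is not ipsec-tools code, and all sample data
below is constructed."""
import ipaddress
from typing import List, Tuple, Union

# Identification types of the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9

# subjectAltName GeneralName kind that can back each ID type
SAN_KIND_FOR_ID = {
    ID_IPV4_ADDR: "ip",
    ID_IPV6_ADDR: "ip",
    ID_FQDN: "dns",
    ID_USER_FQDN: "email",
}

# A certificate reduced to the two things the check needs: the DER-encoded
# subject Name and its subjectAltName entries as (kind, value) pairs.
CertNames = Tuple[bytes, List[Tuple[str, Union[str, bytes]]]]


def _comparable(kind: str, value: Union[str, bytes]):
    """Bring an ID value or a SAN entry into one comparable form.

    ID payloads carry raw 4- or 16-byte addresses while SAN lists are often
    already text, so both are mapped to ipaddress objects.  Names stay as
    they are: racoon compares the bytes, so a case difference in an FQDN is
    a mismatch, not a match."""
    if kind == "ip":
        return ipaddress.ip_address(value)
    return value.decode("ascii") if isinstance(value, bytes) else value


def check_certid(id_type: int, id_data: bytes, cert: CertNames):
    """Return (accepted, reason) for a peer ID checked against the peer cert."""
    subject_der, alt_names = cert
    if id_type == ID_DER_ASN1_DN:
        # an asn1dn ID carries the DER subject Name and must equal it exactly
        if id_data == subject_der:
            return True, "ID matches certificate subject DN"
        return False, "ID mismatched with certificate subject DN"

    kind = SAN_KIND_FOR_ID.get(id_type)
    if kind is None:
        return False, "unsupported ID type %d" % id_type
    wanted = _comparable(kind, id_data)
    candidates = [_comparable(k, v) for k, v in alt_names if k == kind]
    if not candidates:
        # e.g. the peer identified itself by IP address but its certificate
        # only carries DNS names: nothing in the certificate can vouch for it
        return False, "no proper subjectAltName"
    if wanted in candidates:
        return True, "ID matches subjectAltName"
    return False, "ID mismatched with subjectAltName"


def ids_backed_by(cert: CertNames):
    """Every (id_type, value) a peer holding this certificate could send and
    pass the check with; compare it with what the gateway actually sends."""
    subject_der, alt_names = cert
    out = [(ID_DER_ASN1_DN, subject_der)]
    for kind, value in alt_names:
        if kind == "ip":
            addr = ipaddress.ip_address(value)
            out.append((ID_IPV4_ADDR if addr.version == 4 else ID_IPV6_ADDR, str(addr)))
        elif kind == "dns":
            out.append((ID_FQDN, _comparable(kind, value)))
        elif kind == "email":
            out.append((ID_USER_FQDN, _comparable(kind, value)))
    return out


# --- constructed sample data; not taken from any real certificate ---
PLACEHOLDER_SUBJECT_DER = b"\x30\x00"        # empty DER Name, stands in for the real DN
GATEWAY_IP_ID = bytes([172, 17, 35, 6])      # what an IPv4 ID for the gateway carries
CERT_WITH_IP_SAN = (PLACEHOLDER_SUBJECT_DER,
                    [("dns", "sauronfw.example"), ("ip", "172.17.35.6")])
CERT_DNS_ONLY = (PLACEHOLDER_SUBJECT_DER, [("dns", "sauronfw.example")])
CERT_OTHER_IP = (PLACEHOLDER_SUBJECT_DER, [("ip", "172.17.35.7")])

if __name__ == "__main__":
    cases = [
        ("IPv4 ID, cert has matching IP SAN", ID_IPV4_ADDR, GATEWAY_IP_ID, CERT_WITH_IP_SAN),
        ("IPv4 ID, cert has DNS SAN only", ID_IPV4_ADDR, GATEWAY_IP_ID, CERT_DNS_ONLY),
        ("IPv4 ID, cert has a different IP SAN", ID_IPV4_ADDR, GATEWAY_IP_ID, CERT_OTHER_IP),
        ("FQDN ID in different case", ID_FQDN, b"SAURONFW.example", CERT_DNS_ONLY),
        ("asn1dn ID equal to subject", ID_DER_ASN1_DN, PLACEHOLDER_SUBJECT_DER, CERT_DNS_ONLY),
    ]
    for label, id_type, id_data, cert in cases:
        print("%-40s -> %s" % (label, check_certid(id_type, id_data, cert)))
    print("IDs the gateway could send with CERT_WITH_IP_SAN:", ids_backed_by(CERT_WITH_IP_SAN))
```

To apply this to a real setup, read the subject and the subjectAltName entries out of the gateway certificate (`openssl x509 -in sauronfw.pem -noout -text` prints both), feed them to `ids_backed_by`, and compare the result with the ID type and value the gateway puts in its ID payload; the check passes only when the gateway's chosen ID is one of those entries. Note that `my_identifier asn1dn` only decides what the client sends as its own ID, not what the gateway sends.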
