Hey guys, I'm struggling to get isakmpd to talk to a Checkpoint firewall.

I need the following parameters:

  General IKE Properties        = AES-256 with SHA1
  IKE Phase 1 SA                = Group2 (1024 bit)
  IKE Phase 1 SA renegotiation  = 1440
  IKE Phase 2 SA renegotiation  = 3600

The network layout looks as follows:

  OurNet              OurFirewall      Internet    TheirFW          TheirNet
  195.24.xxx.xxx/25 - 195.24.xxx.yyy ----------- 62.232.xxx.xxx - 62.232.xxx.yyy

I currently have the following in my isakmpd.policy:

  Keynote-version: 2
  Authorizer: "POLICY"
  Conditions: app_domain == "IPsec policy" &&
              esp_present == "yes" &&
              esp_enc_alg != "null" -> "true";

And my isakmpd.conf is at the end. Any pointers guys?

[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 195.24.xxx.yyy
# isakmpd lifetimes are in seconds, as "proposed,min:max"
Default-phase-1-lifetime= 1440,60:86400
Default-phase-2-lifetime= 3600,60:86400

[Phase 1]
62.232.xxx.xxx= local-remote

[local-remote]
Phase= 1
Transport= udp
Local-address= 195.24.xxx.yyy
Address= 62.232.xxx.xxx
Configuration= Default-main-mode
Authentication= makemeagoatorsomething

[Phase 2]
Connections= VPN-local-remote-62.232.xx.yy/255.255.255.224

[VPN-local-remote-62.232.xx.yy/255.255.255.224]
Phase= 2
ISAKMP-peer= local-remote
Configuration= Default-quick-mode
Local-ID= network-195.24.xxx.xxx/255.255.255.128
Remote-ID= network-62.232.xxx.yyy/255.255.255.224

[network-195.24.xxx.xxx/255.255.255.128]
ID-type= IPV4_ADDR_SUBNET
Network= 195.24.xxx.xx
Netmask= 255.255.255.128

# Section name and netmask changed to match the Remote-ID above: the posted
# config defined this section as .../255.255.255.0 with Netmask 255.255.255.0,
# which nothing referenced. The /27 is assumed from Remote-ID and Connections.
[network-62.232.xxx.yyy/255.255.255.224]
ID-type= IPV4_ADDR_SUBNET
Network= 62.232.xxx.yyy
Netmask= 255.255.255.224

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Life= ANY
Transforms= AES-256-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-256-SHA-SUITE

[AES-256-SHA]
ENCRYPTION_ALGORITHM= AES_CBC
KEY_LENGTH= 256,256:256
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_MAIN_MODE

[QM-ESP-AES-256-SHA-SUITE]
Protocols= QM-ESP-AES-256-SHA

# Added: the protocol and transform sections the suite refers to were missing
# from the posted config. The values are assumed, modelled on the stock
# QM-ESP-AES-SHA example in isakmpd.conf(5) with a 256-bit key; no PFS group
# (GROUP_DESCRIPTION) is set because the post does not ask for PFS.
[QM-ESP-AES-256-SHA]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-AES-256-SHA-XF

[QM-ESP-AES-256-SHA-XF]
TRANSFORM_ID= AES
KEY_LENGTH= 256,256:256
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= LIFE_QUICK_MODE

-- 
joe.
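A quick consistency check for an isakmpd.conf like the one above, added here as an example and not part of joe's post: it parses the section/tag layout and reports every Configuration, ISAKMP-peer, Local-ID, Remote-ID, Transforms, Suites, Protocols, Life and Connections value that names a section the file never defines (the kind of slip where Remote-ID points at a .../255.255.255.224 section while only a .../255.255.255.0 one exists, or a suite names a protocol section that was never written). The section names in SAMPLE are constructed, and treating Default-main-mode, Default-quick-mode and the LIFE_* sections as isakmpd's compiled-in defaults is an assumption.

```python
# Tags whose values name other isakmpd.conf sections (comma-separated lists ok).
REF_TAGS = {"Configuration", "ISAKMP-peer", "Local-ID", "Remote-ID",
            "Transforms", "Suites", "Protocols", "Life", "Connections"}
# Assumed: sections isakmpd supplies from its compiled-in defaults.
BUILTIN = {"LIFE_MAIN_MODE", "LIFE_QUICK_MODE",
           "Default-main-mode", "Default-quick-mode"}

def parse_conf(text):
    """Return {section: [(tag, value), ...]} in file order; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            tag, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((tag, value))
    return sections

def dangling_refs(text):
    """List (section, tag, target) triples whose target section is undefined."""
    sections, missing = parse_conf(text), []
    for name, pairs in sections.items():
        for tag, value in pairs:
            if name != "Phase 1" and tag not in REF_TAGS:
                continue                 # [Phase 1] lines are "<peer-ip>= <section>"
            targets = [v.strip() for v in value.split(",")]
            missing += [(name, tag, t) for t in targets
                        if t not in sections and t not in BUILTIN]
    return missing

# Constructed excerpt with two gaps: Remote-ID names a /27 section while only
# a /24 one is defined, and the QM suite names a protocol section that is absent.
SAMPLE = """\
[Phase 2]
Connections= VPN-local-remote
[VPN-local-remote]
ISAKMP-peer= local-remote
Configuration= Default-quick-mode
Remote-ID= net-62.232.0.0/255.255.255.224
[local-remote]
[net-62.232.0.0/255.255.255.0]
ID-type= IPV4_ADDR_SUBNET
[QM-ESP-AES-256-SHA-SUITE]
Protocols= QM-ESP-AES-256-SHA
"""
for sec, tag, target in dangling_refs(SAMPLE):
    print(f"[{sec}] {tag}= {target}: no such section")
```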
I need the following parameters General IKE Properties = AES-256 with SHA1 IKE Phase 1 SA = Group2 (1024 bit) IKE Phase 1 SA renegotiation = 1440 IKE Phase 2 SA renegotiation = 3600 The network layout looks as follows: OurNet OurFirewall Internet TheirFW TheirNet 195.24.xxx.xxx/25 - 195.24.xxx.yyy ----- 62.232.xxx.xxx 62.232.xxx.yyy I currently have the following in my isakpmd.policy Keynote-version: 2 Authorizer: "POLICY" Conditions: app_domain == "IPsec policy" && esp_present == "yes" && esp_enc_alg != "null" -> "true"; And my isakmpd.conf is at the end. Any pointers guys? [General] Retransmits= 5 Exchange-max-time= 120 Listen-on= 195.24.xxx.yyy Default-phase-1-lifetime= 1440,60:86400 Default-phase-2-lifetime= 3600,60:86400 [Phase 1] 62.232.xxx.xxx= local-remote [local-remote] Phase= 1 Transport= udp Local-address= 195.24.xxx.yyy Address= 62.232.xxx.xxx Configuration= Default-main-mode Authentication= makemeagoatorsomething [Phase 2] Connections= VPN-local-remote-62.232.xx.yy/255.255.255.224 [VPN-local-remote-62.232.xx.yy/255.255.255.224] Phase= 2 ISAKMP-peer= local-remote Configuration= Default-quick-mode Local-ID= network-195.24.xxx.xxx/255.255.255.128 Remote-ID= network-62.232.xxx.yyy/255.255.255.224 [network-195.24.xxx.xxx/255.255.255.128] ID-type= IPV4_ADDR_SUBNET Network= 195.24.xxx.xx Netmask= 255.255.255.128 [network-62.232.xxx.yyy/255.255.255.0] ID-type= IPV4_ADDR_SUBNET Network= 62.232.xxx.yyy Netmask= 255.255.255.0 [Default-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Life= ANY Transforms= AES-256-SHA [Default-quick-mode] DOI= IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-AES-256-SHA-SUITE [AES-256-SHA] ENCRYPTION_ALGORITHM= AES_CBC KEY_LENGTH= 256,256:256 HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRE_SHARED GROUP_DESCRIPTION= MODP_1024 Life= LIFE_MAIN_MODE [QM-ESP-AES-256-SHA-SUITE] Protocols= QM-ESP-AES-256-SHA -- joe.