Discussion:
Please help - Using strongSwan to connect to CheckPoint VPN-1
Andreas Steffen
2010-02-28 12:12:09 UTC
Hi,

as far as I know, the CheckPoint VPN gateway does not support the IKEv2
protocol. Therefore you can't use the strongSwan NetworkManager plugin
to set up a connection.

The CheckPoint VPN gateway most probably will use IKEv1 and XAUTH.
The first thing to find out is whether IKEv1 Main Mode is used
by the CheckPoint box since strongSwan does not support the
potentially insecure IKEv1 Aggressive Mode. If Main Mode is
possible then you can configure strongSwan's IKEv1 pluto daemon
via /etc/ipsec.conf.

Best regards

Andreas
Hi,

I'm looking to use strongSwan to connect to my company CheckPoint
VPN; as I am new to Linux and networking I am really struggling to
get anything working. I have an ActivIdentity token that generates a
password that authenticates against a RADIUS server. Below is a list
of what I have:

I have an IP address for the company site
Authentication - Challenge Response
NAT-T protocol - enabled
Office Mode - enabled
Use NAT traversal tunneling - enabled
IKE over TCP - enabled
Force UDP encapsulation - enabled

I have attempted to use the Network Manager GUI to connect but it
fails with "VPN service failed to start", the syslog file contains a

Gateway:
Address - IP address of my company site
Certificate - None

Client:
Authentication - EAP
Username - My id I use for my token to generate password

Options:
Request an inner IP address - unchecked
Enforce UDP encapsulation - checked
Use IP compression - unchecked

1) Does strongSwan support the protocols/authentication methods I
describe for CheckPoint VPN?
2) If yes, then does my setup through Network Manager look correct?
3) If yes, then is it a case of posting the sys.log errors for someone
to kindly look at?

I appreciate anyone's help and time with this.

Regards,
Jana
======================================================================
Andreas Steffen andreas.steffen-***@public.gmane.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
Sucha Singh
2010-03-01 19:25:24 UTC
Hi Andreas,

Thank you for your prompt response, I appreciate it.  I can confirm that we are indeed using IKEv1 Main Mode.

I have the pluto daemon installed, however I have no idea how to configure the ipsec.conf file.  I have opened it in a text editor and I am struggling to make sense of most of the parameters.  I can't appear to find anything in the online documentation to define what the parameters mean.

Could you possibly construct the file for me based on the information I have already supplied?  I will fill the blanks like site IP address etc.

Thanks again for your time and support.

Jana
Daniel Mentz
2010-03-01 19:48:09 UTC
Hi Jana,

please go to

http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples

for IKEv1 Configuration Examples. "PSK with XAUTH authentication and
virtual IP addresses" or "RSA with XAUTH authentication and virtual IP
addresses" is probably the right one for you.

Please refer to

http://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf

for definitions of the individual parameters.

-Daniel
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
Sucha Singh
2010-03-02 19:49:22 UTC
Thanks Daniel, I've made some progress, please could you take a look at my ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    plutostart=yes
    nat_traversal=yes
    plutodebug=all

# Add connections here.

conn test
    authby=xauthrsasig
    forceencaps=yes
    keyexchange=ikev1
    keyingtries=1
    type=tunnel
    xauth=client
    right=<CheckPoint VPN Firewall IP Address>
    leftsourceip=%modeconfig

When I attempt to test the configuration I get the following:

ipsec up test
021 no connection named "test"

I have restarted my laptop but still get the same error.  Is there anything specific I have to do to ensure the ipsec command can read the new connection?  Any help would be appreciated.

Thanks,

Jana
Martin Willi
2010-03-03 07:32:42 UTC
Hi,
Post by Sucha Singh
conn test
authby=xauthrsasig
forceencaps=yes
keyexchange=ikev1
keyingtries=1
type=tunnel
xauth=client
right=<CheckPoint VPN Firewall IP Address>
leftsourceip=%modeconfig
ipsec up test
021 no connection named "test"
You additionally need the "auto" parameter. auto=add loads the
configuration to the IKE daemon. auto=start additionally starts the
connection automatically. man ipsec.conf for details.

Regards
Martin
Sucha Singh
2010-03-03 20:15:54 UTC
Hi All,

Thanks Martin, I've made some more progress, I am now getting the following error when I run "ipsec up test":

002 "test" #2: initiating Main Mode
104 "test" #2: STATE_MAIN_I1: initiate
003 "test" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN
010 "test" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "test" #2: STATE_MAIN_I1: retransmission; will wait 40s for response
031 "test" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

My ipsec.conf now looks like this:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    plutostart=yes
    nat_traversal=yes
    plutodebug=all

# Add connections here.

conn test
       auto=add
       authby=xauthrsasig
       forceencaps=yes
       keyexchange=ikev1
       keyingtries=1
       type=tunnel
       xauth=client
       right=<IP address of CheckPoint VPN>
       left=<IP address of my laptop>

# include /var/lib/strongswan/ipsec.conf.inc

From what sense I can make of the error, I assume it means that my client request has reached the VPN gateway, but the authentication/encryption protocols don't match?
I sincerely appreciate the help you guys are providing.

Regards,

Jana
Andreas Steffen
2010-03-04 06:05:54 UTC
Hello Jana,

the log entry:

ignoring informational payload, type NO_PROPOSAL_CHOSEN

means that the CheckPoint box does not like your proposal.
Is it really configured to do XAUTH with certificate-based
mutual authentication?

Regards

Andreas
Sucha Singh
2010-03-04 19:45:09 UTC
Hi Andreas,

Thanks again, the below was the response from our network administrator to your question:

"I don’t think we do any certificate based authentication.  There certainly isn’t any client side certificate."

Here are some more settings from our VPN:-

IKE Properties:-

Support key exchange encryption with:

3DES - enabled
AES-256 - enabled
DES - enabled

Support data integrity with:

MD5 - enabled
SHA1 - enabled

Support authentication methods:

Pre-Shared Secret - disabled
Public Key Signatures - disabled

Advanced IKE Properties:-

Support Diffie–Hellman groups for IKE (phase 1) Security associations:

Group 2 (1024 bit) - enabled

Reviewing the above settings I added the following line to the ipsec.conf:

ike=3des-sha1-md5-modp1024

I then get the following errors:

002 "test" #1: initiating Main Mode
003 "test" #1: no IKE algorithms for this connection (check ike algorithm string)
003 "test" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)

Was I right to add the above setting?

Just to reiterate the point again, I am using a challenge-response security token that generates an OTP (One Time Password).  Just to clarify, I do the following in Windows to connect to the VPN:

1) Click connect on the CheckPoint Client
2) It will prompt me for Username and Password credentials
3) I input my Username (Numeric) into the security token, upon entering the correct Username it will generate a Password
4) I then input my Username and the Password generated by the security token, it then gives a message of authenticating against a RADIUS server, then successfully connects

I've never been given any certificate to install on my client.

I'm optimistic that with the help of all you kind individuals that I am getting closer to connecting :-)

Thanks Again,

Jana
Dimitrios Siganos
2010-03-05 22:09:41 UTC
Post by Sucha Singh
Hi Andreas,
ike=3des-sha1-md5-modp1024
002 "test" #1: initiating Main Mode
003 "test" #1: no IKE algorithms for this connection (check ike algorithm string)
003 "test" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)
Was I right to add the above setting?
That setting looks wrong to me. You probably want:

ike=3des-sha1-modp1024
or
ike=3des-md5-modp1024
or both
ike=3des-sha1-modp1024,3des-md5-modp1024

Dimitris Siganos
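Both mistakes the thread walks through, Martin's missing auto= parameter and Dimitrios's malformed ike= string, can be caught before running ipsec up. The following linter is an added example, not strongSwan's own parser and not code from anyone in the thread; its algorithm-name tables are an assumed subset of pluto's, the conn in SAMPLE is constructed to mirror Jana's first attempt, and 192.0.2.1 is a documentation placeholder address.

```python
"""Lint a pluto-style ipsec.conf for the two mistakes in this thread: a conn
without auto= (so 'ipsec up' finds no connection) and a malformed ike= string.
Constructed example, not strongSwan's own parser; name tables are a subset."""
import re

ENC = {"des", "3des", "aes", "aes128", "aes192", "aes256"}
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH = {"modp768", "modp1024", "modp1536", "modp2048", "modp3072", "modp4096"}
AUTO_VALUES = {"ignore", "add", "route", "start"}


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        head = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if head:
            current = f"{head.group(1)} {head.group(2)}"
            sections[current] = {}
        elif current and line[0] in " \t" and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    return sections


def check_ike_string(ike):
    """Validate comma-separated 'enc-integ[-dh]' proposals; [] means OK.
    Two integrity algorithms in one proposal (3des-sha1-md5-modp1024) is
    what pluto reports as 'no IKE algorithms for this connection'."""
    problems = []
    for prop in ike.split(","):
        parts = prop.split("-")
        if len(parts) not in (2, 3):
            problems.append(f"{prop}: expected enc-integ[-dh], got {len(parts)} "
                            "parts; put each integrity algorithm in its own proposal")
            continue
        if parts[0] not in ENC:
            problems.append(f"{prop}: unknown encryption algorithm {parts[0]}")
        if parts[1] not in INTEG:
            problems.append(f"{prop}: unknown integrity algorithm {parts[1]}")
        if len(parts) == 3 and parts[2] not in DH:
            problems.append(f"{prop}: unknown DH group {parts[2]}")
    return problems


def lint(text):
    """Return [(section, message)] findings for every conn in the config."""
    findings = []
    for name, params in parse_ipsec_conf(text).items():
        if not name.startswith("conn "):
            continue
        if params.get("auto") not in AUTO_VALUES:
            findings.append((name, "missing or invalid auto=; use auto=add so the daemon loads it"))
        if "ike" in params:
            findings.extend((name, p) for p in check_ike_string(params["ike"]))
    return findings


# Constructed sample: the thread's first conn (no auto=) plus its later
# four-part ike= string; 192.0.2.1 is a documentation placeholder address.
SAMPLE = """\
conn test
    authby=xauthrsasig
    keyexchange=ikev1
    xauth=client
    right=192.0.2.1
    ike=3des-sha1-md5-modp1024
"""
```

Running lint(SAMPLE) reports the missing auto= and the four-part ike= proposal; Dimitrios's comma-separated form passes check_ike_string cleanly.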