Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Sucha Singh wrote:
> Hi Andreas,
>
> Reviewing the above settings I added the following line to the ipsec.conf:
>
>   ike=3des-sha1-md5-modp1024
>
> I then get the following errors:
>
>   002 "test" #1: initiating Main Mode
>   003 "test" #1: no IKE algorithms for this connection (check ike algorithm string)
>   003 "test" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)
>
> Was I right to add the above setting

That setting looks wrong to me. You probably want:

  ike=3des-sha1-modp1024

or

  ike=3des-md5-modp1024

or both

  ike=3des-sha1-modp1024,3des-md5-modp1024

Dimitris Siganos

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
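As an added example (not from this thread and not strongSwan's own code), the following Python does what Dimitris does by eye: it parses an ike= value as a comma-separated list of enc-integ-dhgroup proposals, compares each proposal with the algorithm set the CheckPoint gateway is reported to enable earlier in the thread (3DES/AES-256/DES, MD5/SHA1, DH group 2), and points out proposals that only succeed because DES or MD5 is still switched on. The keyword tables, the GatewayPolicy class and the validate() helper are assumptions made for illustration.

```python
# Added example: validate a strongSwan IKEv1 "ike=" proposal list against a
# gateway's enabled algorithms.  Not taken from strongSwan; the grammar
# (enc-integ-dhgroup, comma-separated) follows the ipsec.conf ike= syntax.
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# ipsec.conf keywords (assumed subset) and the DH group number each modp name
# stands for.
ENCRYPTION = {"des", "3des", "aes128", "aes192", "aes256"}
INTEGRITY = {"md5", "sha1", "sha256"}
DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14}

# Algorithms a defender should not rely on; flagged, not rejected, because a
# legacy gateway may leave no other choice.
WEAK = {"des", "md5"}


@dataclass(frozen=True)
class Proposal:
    enc: str
    integ: str
    group: str

    def __str__(self) -> str:
        return f"{self.enc}-{self.integ}-{self.group}"


@dataclass(frozen=True)
class GatewayPolicy:
    enc: FrozenSet[str]
    integ: FrozenSet[str]
    dh_groups: FrozenSet[int]


# Constructed from the CheckPoint IKE properties quoted in the thread.
CHECKPOINT = GatewayPolicy(
    enc=frozenset({"3des", "aes256", "des"}),
    integ=frozenset({"md5", "sha1"}),
    dh_groups=frozenset({2}),
)


def parse_proposals(ike: str) -> List[Proposal]:
    """Split an ike= value into proposals; raise ValueError with the reason."""
    proposals = []
    for item in ike.split(","):
        item = item.strip().lower()
        parts = item.split("-")
        if len(parts) != 3:
            raise ValueError(f"{item!r}: expected enc-integ-dhgroup, got {len(parts)} tokens")
        enc, integ, group = parts
        for value, table, what in ((enc, ENCRYPTION, "encryption"),
                                   (integ, INTEGRITY, "integrity"),
                                   (group, DH_GROUPS, "DH group")):
            if value not in table:
                raise ValueError(f"{item!r}: unknown {what} keyword {value!r}")
        proposals.append(Proposal(enc, integ, group))
    return proposals


def acceptable(proposals: List[Proposal], gw: GatewayPolicy) -> List[Proposal]:
    """Proposals whose three components the gateway has enabled."""
    return [p for p in proposals
            if p.enc in gw.enc and p.integ in gw.integ
            and DH_GROUPS[p.group] in gw.dh_groups]


def weak_algorithms(p: Proposal) -> Set[str]:
    return {p.enc, p.integ} & WEAK


def validate(ike: str, gw: GatewayPolicy = CHECKPOINT) -> Tuple[bool, str]:
    """(ok, explanation) for an ike= value against the gateway policy."""
    try:
        proposals = parse_proposals(ike)
    except ValueError as exc:
        return False, f"unparseable ike= string: {exc}"
    ok = acceptable(proposals, gw)
    if not ok:
        return False, "no proposal matches the gateway's enabled algorithms"
    notes = [f"{p}: uses weak {', '.join(sorted(weak_algorithms(p)))}"
             for p in ok if weak_algorithms(p)]
    return True, "; ".join([f"acceptable: {', '.join(map(str, ok))}"] + notes)


if __name__ == "__main__":
    for candidate in ("3des-sha1-md5-modp1024",
                      "3des-sha1-modp1024,3des-md5-modp1024"):
        print(candidate, "->", validate(candidate))
```

Run against the line from the thread, validate() reports the four-token string as unparseable (which is what pluto's "check ike algorithm string" message is hinting at), while the two-proposal list Dimitris suggests is accepted with a note that the second proposal relies on MD5.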
Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Hi Andreas,

Thanks again, the below was the response from our network administrator to your question:

"I don’t think we do any certificate based authentication. There certainly isn’t any client side certificate."

Here are some more settings from our VPN:

IKE Properties:
  Support key exchange encryption with:
    3DES - enabled
    AES-256 - enabled
    DES - enabled
  Support data integrity with:
    MD5 - enabled
    SHA1 - enabled
  Support authentication methods:
    Pre-Shared Secret - disabled
    Public Key Signatures - disabled

Advanced IKE Properties:
  Support Diffie–Hellman groups for IKE (phase 1) Security associations:
    Group 2 (1024 bit) - enabled

Reviewing the above settings I added the following line to the ipsec.conf:

  ike=3des-sha1-md5-modp1024

I then get the following errors:

  002 "test" #1: initiating Main Mode
  003 "test" #1: no IKE algorithms for this connection (check ike algorithm string)
  003 "test" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)

Was I right to add the above setting?

Just to reiterate the point again, I am using a challenge-response security token that generates an OTP (One Time Password). Just to clarify, I do the following in Windows to connect to the VPN:

1) Click connect on the CheckPoint Client
2) It will prompt me for Username and Password credentials
3) I input my Username (Numeric) into the security token; upon entering the correct Username it will generate a Password
4) I then input my Username and the Password generated by the security token; it then gives a message of authenticating against a RADIUS server, then successfully connects

I've never been given any certificate to install on my client.

I'm optimistic that with the help of all you kind individuals I am getting closer to connecting :-)

Thanks Again,
Jana

--- On Thu, 4/3/10, Andreas Steffen wrote:

From: Andreas Steffen
Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
To: "Sucha Singh"
Cc: "Martin Willi", users@lists.strongswan.org
Date: Thursday, 4 March, 2010, 6:05

Hello Jana,

the log entry:

  ignoring informational payload, type NO_PROPOSAL_CHOSEN

means that the CheckPoint box does not like your proposal. Is it really configured to do XAUTH with certificate-based mutual authentication?

Regards
Andreas

Sucha Singh wrote:
> Hi All,
>
> Thanks Martin, I've made some more progress, I am now getting the following error when I run "ipsec up test":
>
>   002 "test" #2: initiating Main Mode
>   104 "test" #2: STATE_MAIN_I1: initiate
>   003 "test" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN
>   010 "test" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
>   010 "test" #2: STATE_MAIN_I1: retransmission; will wait 40s for response
>   031 "test" #2: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
>
> My ipsec.conf now looks like this:
>
>   # ipsec.conf - strongSwan IPsec configuration file
>
>   # basic configuration
>
>   config setup
>           plutostart=yes
>           nat_traversal=yes
>           plutodebug=all
>
>   # Add connections here.
>
>   conn test
>           auto=add
>           authby=xauthrsasig
>           forceencaps=yes
>           keyexchange=ikev1
>           keyingtries=1
>           type=tunnel
>           xauth=client
>           right=
>           left=
>
>   # include /var/lib/strongswan/ipsec.conf.inc
>
> From what sense I can make from the error, I assume it means that my client request has reached the VPN gateway, but the authentication/encryption protocols don't match?
>
> I sincerely appreciate the help you guys are providing.
>
> Regards,
>
> Jana
>
> --- On Wed, 3/3/10, Martin Willi wrote:
>
> From: Martin Willi
> Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
> To: "Sucha Singh"
> Cc: "Daniel Mentz", users@lists.strongswan.org
> Date: Wednesday, 3 March, 2010, 7:32
>
> Hi,
>
>> conn test
>>         authby=xauthrsasig
>>         forceencaps=yes
>>         keyexchange=ikev1
>>         keyingtries=1
>>         type=tunnel
>>         xauth=client
>>         right=
>>         leftsourceip=%modeconfig
>
>> ipsec up test
>> 021 no connection named "test"
>
> You additionally need the "auto" parameter. auto=add loads the configuration to the IKE daemon. auto=start additionally starts the connection automatically. man ipsec.conf for details.
>
> Regards
> Martin
Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Hello Jana,

the log entry:

  ignoring informational payload, type NO_PROPOSAL_CHOSEN

means that the CheckPoint box does not like your proposal. Is it really configured to do XAUTH with certificate-based mutual authentication?

Regards
Andreas

Sucha Singh wrote:
> Hi All,
>
> Thanks Martin, I've made some more progress, I am now getting the following error when I run "ipsec up test":
>
>   002 "test" #2: initiating Main Mode
>   104 "test" #2: STATE_MAIN_I1: initiate
>   003 "test" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN
>   010 "test" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
>   010 "test" #2: STATE_MAIN_I1: retransmission; will wait 40s for response
>   031 "test" #2: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
>
> My ipsec.conf now looks like this:
>
>   # ipsec.conf - strongSwan IPsec configuration file
>
>   # basic configuration
>
>   config setup
>           plutostart=yes
>           nat_traversal=yes
>           plutodebug=all
>
>   # Add connections here.
>
>   conn test
>           auto=add
>           authby=xauthrsasig
>           forceencaps=yes
>           keyexchange=ikev1
>           keyingtries=1
>           type=tunnel
>           xauth=client
>           right=
>           left=
>
>   # include /var/lib/strongswan/ipsec.conf.inc
>
> From what sense I can make from the error, I assume it means that my client request has reached the VPN gateway, but the authentication/encryption protocols don't match?
>
> I sincerely appreciate the help you guys are providing.
>
> Regards,
>
> Jana
>
> --- On Wed, 3/3/10, Martin Willi wrote:
>
> From: Martin Willi
> Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
> To: "Sucha Singh"
> Cc: "Daniel Mentz", users@lists.strongswan.org
> Date: Wednesday, 3 March, 2010, 7:32
>
> Hi,
>
>> conn test
>>         authby=xauthrsasig
>>         forceencaps=yes
>>         keyexchange=ikev1
>>         keyingtries=1
>>         type=tunnel
>>         xauth=client
>>         right=
>>         leftsourceip=%modeconfig
>
>> ipsec up test
>> 021 no connection named "test"
>
> You additionally need the "auto" parameter. auto=add loads the configuration to the IKE daemon. auto=start additionally starts the connection automatically. man ipsec.conf for details.
>
> Regards
> Martin

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
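The thread works through three distinct pluto failures in turn: "no connection named" (the conn was never loaded because auto= was missing), "NO_PROPOSAL_CHOSEN" followed by retransmissions (the gateway rejected the Phase 1 proposal), and "no IKE algorithms for this connection" (the ike= string itself could not be parsed). As an added example, not from the thread and not part of strongSwan, the Python below parses the status lines quoted in these messages and maps each to the diagnosis the list members gave. The line-format regex, the rule table and the SAMPLE log (assembled from lines quoted in the thread) are assumptions for illustration, not a documented pluto log grammar.

```python
# Added example: triage the pluto (strongSwan IKEv1) status lines quoted in
# this thread.  Not from strongSwan; the regex and rule table are assumptions
# derived from the lines the thread shows.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Observed shape: 3-digit code, optional '"conn" #n:' prefix, then the message.
LINE_RE = re.compile(
    r'^(?P<code>\d{3})\s+(?:"(?P<conn>[^"]+)"\s+#(?P<sa>\d+):\s+)?(?P<msg>.*)$'
)


@dataclass
class Event:
    code: int
    conn: Optional[str]
    sa: Optional[int]
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one status line; None for lines that do not match the shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(int(m["code"]), m["conn"],
                 int(m["sa"]) if m["sa"] else None, m["msg"])


# (pattern, tag, hint) in priority order.  The hints restate the advice the
# thread gives for each symptom.
RULES: List[Tuple["re.Pattern[str]", str, str]] = [
    (re.compile(r"^no connection named"), "config-not-loaded",
     "the conn section lacks auto=add (or auto=start), so pluto never loaded it"),
    (re.compile(r"no IKE algorithms for this connection|empty ISAKMP SA proposal"),
     "bad-ike-string",
     "ike= is not a list of enc-integ-dhgroup proposals, e.g. 3des-sha1-modp1024,3des-md5-modp1024"),
    (re.compile(r"NO_PROPOSAL_CHOSEN"), "peer-rejected-proposal",
     "the gateway rejected the Phase 1 proposal; compare ike=/authby= with its IKE properties"),
    (re.compile(r"max number of retransmissions"), "no-response",
     "no acceptable reply to the first IKE message; look at any preceding NO_PROPOSAL_CHOSEN"),
    (re.compile(r"^STATE_MAIN_I1: retransmission"), "retransmitting",
     "still waiting for the gateway's Main Mode reply"),
]


def diagnose(event: Event) -> Optional[Tuple[str, str]]:
    for pattern, tag, hint in RULES:
        if pattern.search(event.msg):
            return tag, hint
    return None


def triage(log: str) -> List[Dict[str, object]]:
    """One finding per recognised line, in log order."""
    findings = []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        d = diagnose(ev)
        if d:
            findings.append({"conn": ev.conn, "sa": ev.sa, "tag": d[0], "hint": d[1]})
    return findings


def root_cause(log: str) -> Optional[str]:
    """First definitive tag; retransmissions alone are a symptom, not a cause."""
    for f in triage(log):
        if f["tag"] != "retransmitting":
            return str(f["tag"])
    return None


# Constructed sample: the "ipsec up test" output quoted in the thread.
SAMPLE = """\
002 "test" #2: initiating Main Mode
104 "test" #2: STATE_MAIN_I1: initiate
003 "test" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN
010 "test" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "test" #2: STATE_MAIN_I1: retransmission; will wait 40s for response
031 "test" #2: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["tag"], "-", finding["hint"])
    print("root cause:", root_cause(SAMPLE))
```

On the sample, root_cause() returns "peer-rejected-proposal" because the NO_PROPOSAL_CHOSEN notification precedes the retransmission timeout; the later "no IKE algorithms" lines from the thread map to "bad-ike-string", and the earliest "021 no connection named" line to "config-not-loaded".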
Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Hi All,

Thanks Martin, I've made some more progress, I am now getting the following error when I run "ipsec up test":

  002 "test" #2: initiating Main Mode
  104 "test" #2: STATE_MAIN_I1: initiate
  003 "test" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN
  010 "test" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
  010 "test" #2: STATE_MAIN_I1: retransmission; will wait 40s for response
  031 "test" #2: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message

My ipsec.conf now looks like this:

  # ipsec.conf - strongSwan IPsec configuration file

  # basic configuration

  config setup
          plutostart=yes
          nat_traversal=yes
          plutodebug=all

  # Add connections here.

  conn test
          auto=add
          authby=xauthrsasig
          forceencaps=yes
          keyexchange=ikev1
          keyingtries=1
          type=tunnel
          xauth=client
          right=
          left=

  # include /var/lib/strongswan/ipsec.conf.inc

From what sense I can make from the error, I assume it means that my client request has reached the VPN gateway, but the authentication/encryption protocols don't match?

I sincerely appreciate the help you guys are providing.

Regards,
Jana

--- On Wed, 3/3/10, Martin Willi wrote:

From: Martin Willi
Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
To: "Sucha Singh"
Cc: "Daniel Mentz", users@lists.strongswan.org
Date: Wednesday, 3 March, 2010, 7:32

Hi,

> conn test
>         authby=xauthrsasig
>         forceencaps=yes
>         keyexchange=ikev1
>         keyingtries=1
>         type=tunnel
>         xauth=client
>         right=
>         leftsourceip=%modeconfig

> ipsec up test
> 021 no connection named "test"

You additionally need the "auto" parameter. auto=add loads the configuration to the IKE daemon. auto=start additionally starts the connection automatically. man ipsec.conf for details.

Regards
Martin
Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Hi,

> conn test
>         authby=xauthrsasig
>         forceencaps=yes
>         keyexchange=ikev1
>         keyingtries=1
>         type=tunnel
>         xauth=client
>         right=
>         leftsourceip=%modeconfig

> ipsec up test
> 021 no connection named "test"

You additionally need the "auto" parameter. auto=add loads the configuration to the IKE daemon. auto=start additionally starts the connection automatically. man ipsec.conf for details.

Regards
Martin
Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Thanks Daniel, I've made some progress, please could you take a look at my ipsec.conf:

  # ipsec.conf - strongSwan IPsec configuration file

  # basic configuration

  config setup
          plutostart=yes
          nat_traversal=yes
          plutodebug=all

  # Add connections here.

  conn test
          authby=xauthrsasig
          forceencaps=yes
          keyexchange=ikev1
          keyingtries=1
          type=tunnel
          xauth=client
          right=
          leftsourceip=%modeconfig

When I attempt to test the configuration I get the following:

  ipsec up test
  021 no connection named "test"

I have restarted my laptop, still the same error? Is there anything specific I have to do to ensure the ipsec command can read the new connection?

Any help would be appreciated.

Thanks,
Jana

--- On Mon, 1/3/10, Daniel Mentz wrote:

From: Daniel Mentz
Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
To: "Sucha Singh"
Cc: users@lists.strongswan.org
Date: Monday, 1 March, 2010, 19:48

Hi Jana,

please go to http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples for IKEv1 Configuration Examples. "PSK with XAUTH authentication and virtual IP addresses" or "RSA with XAUTH authentication and virtual IP addresses" is probably the right one for you.

Please refer to http://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf for definitions of the individual parameters.

-Daniel

Sucha Singh wrote:
> Hi Andreas,
>
> Thank you for your prompt response, I appreciate it. I can confirm that we are indeed using IKEv1 Main Mode.
>
> I have the pluto daemon installed, however I have no idea how to configure the ipsec.conf file. I have opened it in a text editor and I am struggling to make sense of most of the parameters. I can't appear to find anything in the online documentation to define what the parameters mean.
>
> Could you possibly construct the file for me based on the information I have already supplied? I will fill in the blanks like site IP address etc.
>
> Thanks again for your time and support.
>
> Jana
>
> --- On Sun, 28/2/10, Andreas Steffen wrote:
>
> From: Andreas Steffen
> Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
> To: "Sucha Singh"
> Cc: users@lists.strongswan.org
> Date: Sunday, 28 February, 2010, 12:12
>
> Hi,
>
> as far as I know, the CheckPoint VPN gateway does not support the IKEv2 protocol. Therefore you can't use the strongSwan NetworkManager plugin to set up a connection.
>
> The CheckPoint VPN gateway most probably will use IKEv1 and XAUTH. The first thing to find out is whether IKEv1 Main Mode is used by the CheckPoint box since strongSwan does not support the potentially insecure IKEv1 Aggressive Mode. If Main Mode is possible then you can configure strongSwan's IKEv1 pluto daemon via /etc/ipsec.conf.
>
> Best regards
>
> Andreas
>
> Sucha Singh wrote:
>> Hi,
>>
>> I'm looking to use strongSwan to connect to my company CheckPoint VPN; as I am new to Linux and networking I am really struggling to get anything working. I have an ActivIdentity token that generates a password that authenticates against a RADIUS server. Below is a list of facts I know from my CheckPoint config from Windows:
>>
>> I have an IP address for company site
>> Authentication - Challenge Response
>> NAT-T protocol - enabled
>> Office Mode - enabled
>> Use NAT traversal tunneling - enabled
>> IKE over TCP - enabled
>> Force UDP encapsulation - enabled
>>
>> I have attempted to use the Network Manager GUI to connect but it fails with "VPN service failed to start"; the syslog file contains a host of errors. The settings I attempted were:
>>
>> Gateway:
>>   Address - IP address of my company site
>>   Certificate - None
>>
>> Client:
>>   Authentication - EAP
>>   Username - My id I use for my token to generate password
>>
>> Options:
>>   Request an inner IP address - unchecked
>>   Enforce UDP encapsulation - checked
>>   Use IP compression - unchecked
>>
>> My questions would be:
>>
>> 1) Does strongSwan support the protocols/authentication methods I describe for CheckPoint VPN
>> 2) If yes, then does my setup through Network Manager look correct
>> 3) If yes, then is it a case of posting the sys.log errors for someone to kindly look at
>>
>> I appreciate anyone's help and time with this.
>>
>> Regards,
>>
>> Jana
Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Hi Jana,

please go to http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples for IKEv1 Configuration Examples. "PSK with XAUTH authentication and virtual IP addresses" or "RSA with XAUTH authentication and virtual IP addresses" is probably the right one for you.

Please refer to http://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf for definitions of the individual parameters.

-Daniel

Sucha Singh wrote:
> Hi Andreas,
>
> Thank you for your prompt response, I appreciate it. I can confirm that we are indeed using IKEv1 Main Mode.
>
> I have the pluto daemon installed, however I have no idea how to configure the ipsec.conf file. I have opened it in a text editor and I am struggling to make sense of most of the parameters. I can't appear to find anything in the online documentation to define what the parameters mean.
>
> Could you possibly construct the file for me based on the information I have already supplied? I will fill in the blanks like site IP address etc.
>
> Thanks again for your time and support.
>
> Jana
>
> --- On Sun, 28/2/10, Andreas Steffen wrote:
>
> From: Andreas Steffen
> Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
> To: "Sucha Singh"
> Cc: users@lists.strongswan.org
> Date: Sunday, 28 February, 2010, 12:12
>
> Hi,
>
> as far as I know, the CheckPoint VPN gateway does not support the IKEv2 protocol. Therefore you can't use the strongSwan NetworkManager plugin to set up a connection.
>
> The CheckPoint VPN gateway most probably will use IKEv1 and XAUTH. The first thing to find out is whether IKEv1 Main Mode is used by the CheckPoint box since strongSwan does not support the potentially insecure IKEv1 Aggressive Mode. If Main Mode is possible then you can configure strongSwan's IKEv1 pluto daemon via /etc/ipsec.conf.
>
> Best regards
>
> Andreas
>
> Sucha Singh wrote:
>> Hi,
>>
>> I'm looking to use strongSwan to connect to my company CheckPoint VPN; as I am new to Linux and networking I am really struggling to get anything working. I have an ActivIdentity token that generates a password that authenticates against a RADIUS server. Below is a list of facts I know from my CheckPoint config from Windows:
>>
>> I have an IP address for company site
>> Authentication - Challenge Response
>> NAT-T protocol - enabled
>> Office Mode - enabled
>> Use NAT traversal tunneling - enabled
>> IKE over TCP - enabled
>> Force UDP encapsulation - enabled
>>
>> I have attempted to use the Network Manager GUI to connect but it fails with "VPN service failed to start"; the syslog file contains a host of errors. The settings I attempted were:
>>
>> Gateway:
>>   Address - IP address of my company site
>>   Certificate - None
>>
>> Client:
>>   Authentication - EAP
>>   Username - My id I use for my token to generate password
>>
>> Options:
>>   Request an inner IP address - unchecked
>>   Enforce UDP encapsulation - checked
>>   Use IP compression - unchecked
>>
>> My questions would be:
>>
>> 1) Does strongSwan support the protocols/authentication methods I describe for CheckPoint VPN
>> 2) If yes, then does my setup through Network Manager look correct
>> 3) If yes, then is it a case of posting the sys.log errors for someone to kindly look at
>>
>> I appreciate anyone's help and time with this.
>>
>> Regards,
>>
>> Jana
Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Hi Andreas,

Thank you for your prompt response, I appreciate it. I can confirm that we are indeed using IKEv1 Main Mode.

I have the pluto daemon installed, however I have no idea how to configure the ipsec.conf file. I have opened it in a text editor and I am struggling to make sense of most of the parameters. I can't appear to find anything in the online documentation to define what the parameters mean.

Could you possibly construct the file for me based on the information I have already supplied? I will fill in the blanks like site IP address etc.

Thanks again for your time and support.

Jana

--- On Sun, 28/2/10, Andreas Steffen wrote:

From: Andreas Steffen
Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
To: "Sucha Singh"
Cc: users@lists.strongswan.org
Date: Sunday, 28 February, 2010, 12:12

Hi,

as far as I know, the CheckPoint VPN gateway does not support the IKEv2 protocol. Therefore you can't use the strongSwan NetworkManager plugin to set up a connection.

The CheckPoint VPN gateway most probably will use IKEv1 and XAUTH. The first thing to find out is whether IKEv1 Main Mode is used by the CheckPoint box since strongSwan does not support the potentially insecure IKEv1 Aggressive Mode. If Main Mode is possible then you can configure strongSwan's IKEv1 pluto daemon via /etc/ipsec.conf.

Best regards

Andreas

Sucha Singh wrote:
> Hi,
>
> I'm looking to use strongSwan to connect to my company CheckPoint VPN; as I am new to Linux and networking I am really struggling to get anything working. I have an ActivIdentity token that generates a password that authenticates against a RADIUS server. Below is a list of facts I know from my CheckPoint config from Windows:
>
> I have an IP address for company site
> Authentication - Challenge Response
> NAT-T protocol - enabled
> Office Mode - enabled
> Use NAT traversal tunneling - enabled
> IKE over TCP - enabled
> Force UDP encapsulation - enabled
>
> I have attempted to use the Network Manager GUI to connect but it fails with "VPN service failed to start"; the syslog file contains a host of errors. The settings I attempted were:
>
> Gateway:
>   Address - IP address of my company site
>   Certificate - None
>
> Client:
>   Authentication - EAP
>   Username - My id I use for my token to generate password
>
> Options:
>   Request an inner IP address - unchecked
>   Enforce UDP encapsulation - checked
>   Use IP compression - unchecked
>
> My questions would be:
>
> 1) Does strongSwan support the protocols/authentication methods I describe for CheckPoint VPN
> 2) If yes, then does my setup through Network Manager look correct
> 3) If yes, then is it a case of posting the sys.log errors for someone to kindly look at
>
> I appreciate anyone's help and time with this.
>
> Regards,
>
> Jana
Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Hi,

as far as I know, the CheckPoint VPN gateway does not support the IKEv2 protocol. Therefore you can't use the strongSwan NetworkManager plugin to set up a connection.

The CheckPoint VPN gateway most probably will use IKEv1 and XAUTH. The first thing to find out is whether IKEv1 Main Mode is used by the CheckPoint box since strongSwan does not support the potentially insecure IKEv1 Aggressive Mode. If Main Mode is possible then you can configure strongSwan's IKEv1 pluto daemon via /etc/ipsec.conf.

Best regards

Andreas

Sucha Singh wrote:
> Hi,
>
> I'm looking to use strongSwan to connect to my company CheckPoint VPN; as I am new to Linux and networking I am really struggling to get anything working. I have an ActivIdentity token that generates a password that authenticates against a RADIUS server. Below is a list of facts I know from my CheckPoint config from Windows:
>
> I have an IP address for company site
> Authentication - Challenge Response
> NAT-T protocol - enabled
> Office Mode - enabled
> Use NAT traversal tunneling - enabled
> IKE over TCP - enabled
> Force UDP encapsulation - enabled
>
> I have attempted to use the Network Manager GUI to connect but it fails with "VPN service failed to start"; the syslog file contains a host of errors. The settings I attempted were:
>
> Gateway:
>   Address - IP address of my company site
>   Certificate - None
>
> Client:
>   Authentication - EAP
>   Username - My id I use for my token to generate password
>
> Options:
>   Request an inner IP address - unchecked
>   Enforce UDP encapsulation - checked
>   Use IP compression - unchecked
>
> My questions would be:
>
> 1) Does strongSwan support the protocols/authentication methods I describe for CheckPoint VPN
> 2) If yes, then does my setup through Network Manager look correct
> 3) If yes, then is it a case of posting the sys.log errors for someone to kindly look at
>
> I appreciate anyone's help and time with this.
>
> Regards,
>
> Jana
[strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
Hi,

I'm looking to use strongSwan to connect to my company CheckPoint VPN; as I am new to Linux and networking I am really struggling to get anything working. I have an ActivIdentity token that generates a password that authenticates against a RADIUS server. Below is a list of facts I know from my CheckPoint config from Windows:

I have an IP address for company site
Authentication - Challenge Response
NAT-T protocol - enabled
Office Mode - enabled
Use NAT traversal tunneling - enabled
IKE over TCP - enabled
Force UDP encapsulation - enabled

I have attempted to use the Network Manager GUI to connect but it fails with "VPN service failed to start"; the syslog file contains a host of errors. The settings I attempted were:

Gateway:
  Address - IP address of my company site
  Certificate - None

Client:
  Authentication - EAP
  Username - My id I use for my token to generate password

Options:
  Request an inner IP address - unchecked
  Enforce UDP encapsulation - checked
  Use IP compression - unchecked

My questions would be:

1) Does strongSwan support the protocols/authentication methods I describe for CheckPoint VPN
2) If yes, then does my setup through Network Manager look correct
3) If yes, then is it a case of posting the sys.log errors for someone to kindly look at

I appreciate anyone's help and time with this.

Regards,

Jana