Hi all,

I am trying to accomplish a VPN connection via strongSwan 4.6.1 to a bigger CheckPoint gateway. strongSwan is built into a Gateprotect security appliance.

Left side must be NATed, because the right side is using all of the networks of RFC 1918... But anyways, I can't even get close to that...

The connection is defined as:

conn "checkpoint"
    keyexchange=ikev2
    mobike=yes
    dpdaction=restart
    closeaction=restart
    auto=start
    ikelifetime=86400
    lifetime=3600
    ike=3des-sha1-modp1024
    esp=3des-md5-modp1024
    left=213.61.219.162
    leftsubnet=192.168.60.0/24
    right=164.61.192.1
    rightsubnet=194.120.220.0/22
    authby=psk
    compress=no

When starting the connection all I see is:

root@GPX-1000:~ # ipsec up Metro_72
initiating IKE_SA Metro_72[3] to 164.61.192.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 213.61.219.162[500] to 164.61.192.1[500]
received packet: from 164.61.192.1[500] to 213.61.219.162[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
authentication of '213.61.219.162' (myself) with pre-shared key
establishing CHILD_SA Metro_72
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 213.61.219.162[4500] to 164.61.192.1[4500]
received packet: from 164.61.192.1[4500] to 213.61.219.162[4500]
parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) N(TS_UNACCEPT) ]
IDr payload missing
root@GPX-1000:~ #

The right side is giving me:

> Ike Ids::
> Ike Notification::
> Ike:: Auth exchange: Sending notification to peer: Traffic selectors unacceptable

Unfortunately I cannot turn on any debugging options because of restrictions of the way ipsec is built into the appliance :(

Is there anything you can read from that, which could help me work on this?

Thanks and kind regards,
Thomas


