From: Palli
To: "'freebsd-questions@FreeBSD.ORG'"
Subject: Creating ipsec tunnel against Checkpoint Firewall-1
Date: Mon, 28 May 2001 13:58:18 -0000

Hello all,

I am trying to set up an IPSec tunnel from a freshly installed FreeBSD 4.3 to a Checkpoint Firewall. I followed instructions from:

http://www.securityreports.com/article.pl?sid=01/05/11/1711225&mode=thread&threshold=

and read through an IPSec mini-HOWTO at:

http://www.x-itec.de/projects/tuts/ipsec-howto.txt

When I start racoon with

# racoon -f /etc/racoon.conf -l /var/log/racoon.log

I get:

2001-05-28 12:53:50: INFO: main.c:146:main(): @(#)racoon 20001216 sakane@ydc.co.jp
2001-05-28 12:53:50: INFO: main.c:147:main(): @(#)This product linked software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
2001-05-28 12:53:50: WARNING: cftoken.l:498:yywarn(): /etc/racoon.conf:47: "MB" the lifetime of bytes in phase 1 will be ignored at the moment.
2001-05-28 12:53:50: WARNING: pfkey.c:1949:pk_checkalg(): compression algorithm can not be checked.

This seems OK, except "compression algorithm can not be checked" scares me a bit.

But when I try to contact Checkpoint's localnet I get this in /var/log/messages and on the console:

key_acquire2: invalid sequence number is passed.

I simply can't get my hands on enough racoon or IPsec documentation to find out what I'm really doing wrong.

When I run racoon with "racoon -F -v -f /etc/racoon.conf" I get output which ends like:

2001-05-28 13:19:02: DEBUG: isakmp.c:1088:isakmp_parsewoh(): succeed.
2001-05-28 13:19:02: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
2001-05-28 13:19:02: DEBUG: isakmp_inf.c:797:isakmp_info_recv_n(): notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=1 spi=(size=0).
2001-05-28 13:19:10: DEBUG: pfkey.c:191:pfkey_handler(): get pfkey ACQUIRE message
2001-05-28 13:19:10: DEBUG: pfkey.c:1497:pk_recvacquire(): ignore the acquire becuase ph2 found

etc. etc. etc.

What I see as bad here is INVALID-ID-INFORMATION, and I don't really know what it is telling me. Can anyone tell me where I can seek help with this?

PS. At the end I have posted my kame.sh and /etc/racoon.conf.

kame.sh
--------------------------
# gifconfig gif0 5.6.7.8 1.2.3.4
# ifconfig gif0 inet 192.168.20.45 192.168.200.3 netmask 255.255.255.0

# Flush the existing policies and SAs before loading the new policy.
setkey -FP
setkey -F

# Configure the Policy. The inbound entry must be the exact mirror of the
# outbound one (src/dst and tunnel endpoints swapped, same prefix lengths).
setkey -c << END
spdadd 5.6.7.8/32 192.168.200.0/24 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 192.168.200.0/24 5.6.7.8/32 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
END
# (the inbound line read 5.6.7.8/24 as posted; /32 matches the outbound line)
------------------------------

/etc/racoon.conf
----------------
# racoon.conf for use with Checkpoint VPN-1/Firewall-1
#
#
# Pre-shared key set on the VPN-1 server.
#
# WARNING: psk.txt must have mode 600 permission.
path pre_shared_key "/etc/psk.txt" ;

# log debug;

# "padding" defines some parameters of padding. You should not touch these.
padding {
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomized length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# Specification of the default timers.
timer {
	# These values can be changed per remote node.
	counter 5;		# maximum number of attempts to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote anonymous {
	exchange_mode aggressive,main;	# For Firewall-1 Aggressive mode
	#my_identifier address;
	#my_identifier user_fqdn "";
	#my_identifier address "";
	#peers_identifier address "";
	#certificate_type x509 "" "";
	nonce_size 16;
	lifetime time 10 min;	# sec,min,hour
	lifetime byte 5 MB;	# B,KB,GB
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 2 ;
	}
}

sainfo anonymous {
	pfs_group 1;
	lifetime time 10 min;
	lifetime byte 50000 KB;
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate ;
}
-----------

Grtz,
Palli
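INVALID-ID-INFORMATION (ISAKMP notify type 18) is the peer's way of saying it rejected the identities proposed in quick mode, and racoon builds those phase 2 identities from the src/dst of the SPD entry that triggered the ACQUIRE. One common cause is an inbound spdadd line that is not the exact mirror of the outbound one, as in the two lines originally posted (5.6.7.8/24 inbound versus 5.6.7.8/32 outbound). The following Python script is an added example, not part of the original post or of racoon/setkey: it parses spdadd lines of the simple esp/tunnel form used in kame.sh and reports every inbound policy that fails to mirror its outbound counterpart, using a constructed copy of the two posted lines as input.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the two spdadd lines from kame.sh as originally
# posted. Note the inbound line says 5.6.7.8/24 while the outbound says /32.
SAMPLE_SPD = """
spdadd 5.6.7.8/32 192.168.200.0/24 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 192.168.200.0/24 5.6.7.8/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
"""

# Matches only the simple form used above: one esp/tunnel/src-dst/level policy.
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/tunnel/([\d.]+)-([\d.]+)/(\w+)\s*;"
)


def parse_spd(text):
    """Parse spdadd lines into dicts. Prefixes are normalised the way the
    kernel sees them, so 5.6.7.8/24 becomes the network 5.6.7.0/24."""
    policies = []
    for m in SPD_RE.finditer(text):
        src, dst, _proto, direction, _ipsec_proto, tsrc, tdst, level = m.groups()
        policies.append({
            "src": ip_network(src, strict=False),
            "dst": ip_network(dst, strict=False),
            "dir": direction,
            "tunnel": (tsrc, tdst),
            "level": level,
        })
    return policies


def check_mirror(policies):
    """Return a list of problems, one per asymmetry between an outbound policy
    and the inbound policy for the reversed tunnel endpoints. Quick-mode IDs
    are derived from src/dst, so any asymmetry here reaches the peer as a
    mismatched ID pair."""
    problems = []
    inbound = [p for p in policies if p["dir"] == "in"]
    for out in (p for p in policies if p["dir"] == "out"):
        mirrors = [p for p in inbound if p["tunnel"] == out["tunnel"][::-1]]
        if not mirrors:
            problems.append("no inbound policy mirrors tunnel %s-%s" % out["tunnel"])
            continue
        inn = mirrors[0]
        if inn["src"] != out["dst"]:
            problems.append("in src %s != out dst %s" % (inn["src"], out["dst"]))
        if inn["dst"] != out["src"]:
            problems.append("in dst %s != out src %s" % (inn["dst"], out["src"]))
        if inn["level"] != out["level"]:
            problems.append("in level %s != out level %s" % (inn["level"], out["level"]))
    return problems


if __name__ == "__main__":
    for line in check_mirror(parse_spd(SAMPLE_SPD)) or ["SPD is symmetric"]:
        print(line)
```

Run it against the output of `setkey -DP` (or the heredoc in kame.sh) before starting racoon; the peer's encryption domain must still match the selectors on its own side, which this script cannot see.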