Re: [VF][Users] Checkpoint FW1 and FreeSwan 1.99

From: jsa62_at_tid.es
Date: Thu Dec 26 2002 - 22:50:38 CET


Hello Shyamal,

Let me see if I have understood well.

You don't really have that IP 192.168.168.168, so you have created an IP
alias on the interface, isn't it? I do IP aliases on interfaces by doing
ifconfig eth0:1 12.12.12.12 netmask 255.255.255.252 up, for example.

It also seems, looking at the ipsec verify output, that you have locally
closed UDP port number 500, because it puts BLOCKED. Maybe you have
iptables rules for denying, or rather not accepting, UDP traffic on that
port, which is needed for the IKE exchange.

I don't really know if FreeS/WAN accepts interface aliases, but the output
when you try to enable the connection seems to be a problem of that kind;
it seems to be a problem with the left or right directives.

Hope it helps.

Cheers
-------------
Julio Saura Alejandre
Servicios Ip de Banda Ancha
Telefónica I+D (913374993)

----- Original Message -----
From: Shyamal Thatte <sthatte_at_madasafish.com>
Date: Thursday, December 26, 2002 4:38 pm
Subject: [VF][Users] Checkpoint FW1 and FreeSwan 1.99

> Hello,
>
> I am trying to create a tunnel between my home machine and the office
> network, which has a Checkpoint firewall. All other users use Windows
> laptops, which seem to work fine with the SecuRemote client. I am the
> only one with a Linux machine :(
>
> I have Redhat 7.2, have upgraded the kernel to 2.4.18-18.7.x and
> installed both
> freeswan-1.99_2.4.18_18.7.x-0
> freeswan-module-1.99_2.4.18_18.7.x-0
>
> My problem is the security administrator has asked me to use a static IP
> address, which my ISP says they cannot allocate.
>
> I was trawling through the net for any information about a workaround,
> found some information on the freeswan list about iptables and NAT, and
> also there is an article about using iproute2 to use an alias, but that
> too fails.
>
> ipsec verify (after ipsec start) shows the following:
>
> Checking your system to see if IPsec got installed and started correctly
> Version check and ipsec on-path [OK]
> Checking for KLIPS support in kernel [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Checking if IPchains has port 500 hole (all) [BLOCKED]
> Checking if IPchains has port 500 hole (default) [BLOCKED]
> Checking if IPchains has port 500 hole (ipsec0) [BLOCKED]
> Checking if IPchains has port 500 hole (lo) [BLOCKED]
> Checking if IPchains has port 500 hole (ppp0) [BLOCKED]
> DNS checks.
> Looking for forward key for localhost.localdomain [OK]
> Looking for KEY in reverse map: 215.31.1.213.in-addr.arpa [FAILED]
> Does the machine have at least one non-private address [OK]
>
>
> my ipsec.conf is
>
> config setup
> # THIS SETTING MUST BE CORRECT or almost nothing will work;
> # %defaultroute is okay for most simple cases.
> #interfaces=%defaultroute
> interfaces="ipsec0=ppp0"
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> klipsdebug=none
> plutodebug=none
> # Use auto= parameters in conn descriptions to control startup actions.
> plutoload=%search
> plutostart=%search
> # Close down old connection when new one using same ID shows up.
> uniqueids=yes
>
>
>
> # defaults for subsequent connection descriptions
> # (these defaults will soon go away)
> conn %default
> disablearrivalcheck=no
> keyingtries=2
> keylife=120m
> ikelifetime=120m
> rekeymargin=1m
> rekeyfuzz=50%
> # keyingtries=1
> # authby=rsasig
> # leftrsasigkey=%dnsondemand
> # rightrsasigkey=%dnsondemand
>
>
> conn me-to-office-net
> type=tunnel
> left=194.75.37.251 -- my office gateway
> leftsubnet=172.24.0.0/16 -- the internal network
> right=192.168.168.168 -- this is the ip which I have aliased using ip addr add
> keyexchange=ike
> authby=secret
> auth=esp
> pfs=no
> auto=add
>
> Nothing seems to work, as when I try
> ipsec auto --up me-to-office-net
>
> 022 "me-to-office-net": we have no ipsecN interface for either end of
> this connection
>
> How do I alias my machine to have a static IP for the office connection?
> The shared secret on the firewall has been set for 192.168.168.168
>
> I can ping my office gateway machine but a traceroute fails ... would
> that be a reason?
>
> If I can get this working I can standardize a build for all Road
> Warriors who want to use Linux from their laptops.
>
> Regards
> Shyamal
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
> _______________________________________________
> Ipsec-users mailing list
> Ipsec-users_at_tossell.net
> http://lists.tossell.net/lists/listinfo/ipsec-users
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
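The two problems raised in this thread, a left=/right= address that only exists as an alias on an interface not bound to ipsecN (the "we have no ipsecN interface for either end" error in Shyamal's post) and UDP/500 or ESP dropped by local packet-filter rules (the BLOCKED lines in ipsec verify that Julio points at), worked through as an added example. This is not code from the thread or from FreeS/WAN; it is a small pre-flight check that parses a constructed ipsec.conf and constructed `iptables -L INPUT -n` output. The config, address table and chain listings are constructed for the example (the ppp0 address is the one implied by the reverse-map line in the quoted ipsec verify output; the eth0 addresses are invented), and the function names `parse_ipsec_conf`, `physical_ifaces`, `local_end`, `parse_chain`, `verdict` and `preflight` are this example's own.

```python
"""Added example (not from the thread): a pre-flight check for the two failure
modes discussed above. All inputs are constructed; the parsers cover only the
subset of ipsec.conf and `iptables -L -n` syntax used here."""
import re

# Constructed ipsec.conf modelled on the quoted one: right= is an alias on
# eth0, but only ppp0 is bound to ipsec0 (the cause of "no ipsecN interface").
CONF_ALIAS = """\
config setup
    interfaces="ipsec0=ppp0"

conn me-to-office-net
    type=tunnel
    left=194.75.37.251
    leftsubnet=172.24.0.0/16
    right=192.168.168.168
    authby=secret
    auto=add
"""
# Same connection with right= set to the address that is actually on ppp0.
CONF_PPP0 = CONF_ALIAS.replace("right=192.168.168.168", "right=213.1.31.215")

# Constructed address table (interface -> addresses); ppp0 address taken from
# the reverse-map line of the quoted `ipsec verify`, eth0 addresses invented.
LOCAL_ADDRS = {"ppp0": ["213.1.31.215"],
               "eth0": ["192.168.1.10", "192.168.168.168"]}

# Constructed `iptables -L INPUT -n` output: a DROP for UDP/500 shadows the
# later ACCEPT, and nothing accepts ESP before the chain's DROP policy.
INPUT_BLOCKED = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
"""
# The same chain with IKE and ESP accepted, as `ipsec verify` wants to see.
INPUT_OPEN = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
"""

def parse_ipsec_conf(text):
    """{"config setup": {...}, "conn <name>": {...}} from the indented layout."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                     # section header
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def physical_ifaces(sections):
    """Physical interfaces from interfaces="ipsecN=phys ..."; empty for the
    %defaultroute form, which would need the routing table to resolve."""
    spec = sections.get("config setup", {}).get("interfaces", "%defaultroute")
    return {pair.split("=", 1)[1] for pair in spec.split() if "=" in pair}

def local_end(conn, physical, local_addrs):
    """'left' or 'right' if that address sits on an ipsec-bound interface,
    else None, which is the condition behind pluto's error message."""
    usable = {a for ifc in physical for a in local_addrs.get(ifc, [])}
    return next((e for e in ("left", "right") if conn.get(e) in usable), None)

def parse_chain(text):
    """(policy, [(target, proto, dport or None), ...]) from `iptables -L -n`."""
    lines = text.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\w+)\)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                            # skip the two header rows
        fields, dpt = line.split(), re.search(r"dpt:(\d+)", line)
        rules.append((fields[0], fields[1], int(dpt.group(1)) if dpt else None))
    return policy, rules

def verdict(chain, proto, dport=None):
    """First matching rule decides; otherwise the chain policy applies."""
    policy, rules = chain
    for target, rproto, rport in rules:
        if rproto in ("all", proto) and rport in (None, dport):
            return target
    return policy

def preflight(conf_text, local_addrs, input_chain_text):
    """List of (code, message) findings; empty when nothing checked here
    would stop the connection from coming up."""
    sections, findings = parse_ipsec_conf(conf_text), []
    physical = physical_ifaces(sections)
    for name, conn in sections.items():
        if name.startswith("conn ") and name != "conn %default" \
                and local_end(conn, physical, local_addrs) is None:
            findings.append(("no-ipsec-iface", f"{name}: neither {conn.get('left')} "
                             f"nor {conn.get('right')} is on {sorted(physical)}"))
    chain = parse_chain(input_chain_text)
    if verdict(chain, "udp", 500) != "ACCEPT":
        findings.append(("ike-blocked", "UDP/500 (IKE) is not accepted in INPUT"))
    if verdict(chain, "esp") != "ACCEPT":
        findings.append(("esp-blocked", "ESP (IP proto 50) is not accepted in INPUT"))
    return findings
```

Running `preflight(CONF_ALIAS, LOCAL_ADDRS, INPUT_BLOCKED)` yields all three findings, while `preflight(CONF_PPP0, LOCAL_ADDRS, INPUT_OPEN)` yields none: the only change on the FreeS/WAN side is using the address that is really on ppp0 (or, as Julio suggests, binding the alias's interface to an ipsecN), and on the firewall side the rule order matters, since the first matching rule wins and the DROP for port 500 hides the ACCEPT placed after it.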



This archive was generated by hypermail 2.1.5 : Sun Dec 29 2002 - 05:21:18 CET