
(racoon 919) Problems talking with Checkpoint-NG



Hi all.

I'm trying to get an IPsec tunnel working between a Linux box (Gentoo, amd64) and
a Checkpoint-NG firewall (Nokia platform).

Currently I've got it to the point where it looks like phase I is almost completing,
and the Linux box thinks phase II should start, but for some reason
the two ends don't seem to agree on what should be happening.

When running racoon in the foreground I get

damned racoon # racoon -F -f /etc/racoon/racoon.conf
Foreground mode.
2005-03-30 10:12:05: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
2005-03-30 10:12:05: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2005-03-30 10:12:05: INFO: 192.168.254.254[4500] used as isakmp port (fd=6)
2005-03-30 10:12:05: INFO: 192.168.254.254[4500] used for NAT-T
2005-03-30 10:12:05: INFO: 192.168.254.254[500] used as isakmp port (fd=7)
2005-03-30 10:12:10: INFO: IPsec-SA request for 1.2.3.105 queued due to no phase1 found.
2005-03-30 10:12:10: INFO: initiate new phase 1 negotiation: 192.168.254.254[500]<=>1.2.3.105[500]
2005-03-30 10:12:10: INFO: begin Identity Protection mode.
2005-03-30 10:12:11: INFO: ISAKMP-SA established 192.168.254.254[500]-1.2.3.105[500] spi:d981f3f2645fb250:303863887dab4af4
2005-03-30 10:12:12: INFO: initiate new phase 2 negotiation: 192.168.254.254[0]<=>1.2.3.105[0]
2005-03-30 10:12:12: INFO: respond new phase 1 negotiation: 192.168.254.254[500]<=>1.2.3.105[500]
2005-03-30 10:12:12: INFO: begin Identity Protection mode.
2005-03-30 10:12:27: ERROR: 1.2.3.105 give up to get IPsec-SA due to time up to wait.
2005-03-30 10:12:32: ERROR: ignore information because the message has no hash payload.
2005-03-30 10:12:42: INFO: IPsec-SA expired: ESP/Tunnel 1.2.3.105->192.168.254.254 spi=247774983(0xec4bf07)
2005-03-30 10:12:52: ERROR: ignore information because the message has no hash payload.
2005-03-30 10:13:11: INFO: ISAKMP-SA expired 192.168.254.254[500]-1.2.3.105[500] spi:d981f3f2645fb250:303863887dab4af4
2005-03-30 10:13:12: INFO: ISAKMP-SA deleted 192.168.254.254[500]-1.2.3.105[500] spi:d981f3f2645fb250:303863887dab4af4
2005-03-30 10:13:12: ERROR: ignore information because the message has no hash payload.
2005-03-30 10:13:32: ERROR: ignore information because the message has no hash payload.
2005-03-30 10:13:52: ERROR: ignore information because the message has no hash payload.
2005-03-30 10:14:12: ERROR: phase1 negotiation failed due to time up. e4f184cd918a430d:c1d141e4d15d2ede

And that's as far as I get... Running with debug or debug2 yielded little more info (for me at least, little that I could
follow).

The only hits I find on Google for "ERROR: ignore information because the message has no hash payload." were for
SonicWall, not Checkpoint, and said that

"Enable Perfect Forward Secrecy" option in the advanced settings of the Group VPN configuration page seems to be the 
problem. Make sure it's unchecked.

Well, Checkpoint does have a similar setting, but it was already unchecked...

The homepage for kame.net says that racoon works for talking to Checkpoint... Has anyone got any info they could share
on getting this working?

The racoon.conf file is

#########################################################
path include "/etc/racoon";

path pre_shared_key "/etc/racoon/psk.txt";

path certificate "/etc/cert";

log notify;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        isakmp 192.168.254.254 [500];
        isakmp_natt 192.168.254.254 [4500];
}

timer
{
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote 1.2.3.105
{
        exchange_mode main,aggressive;
        doi ipsec_doi;

        nat_traversal on;

        lifetime time 1 min;    # sec,min,hour

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
         pfs_group 2;
         lifetime time 1440 min;
         encryption_algorithm 3des;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
}
#########################################################

Anyone got any ideas?


TIA

Hamish Marson
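As an added example (not part of the original post), the following Python script parses the racoon log lines quoted in the post together with the timing-related settings of the posted racoon.conf, and checks the two against each other: the ISAKMP-SA expiry at 10:13:11 comes exactly 60 s after the SA was established, matching `lifetime time 1 min;` in the `remote` block, and the "give up to get IPsec-SA" error comes 15 s after phase 2 was initiated, matching `phase2 15 sec;` in the `timer` block. The sample log and the config excerpt are copied from the post; the function names and the regular expressions are the example's own assumptions about racoon's log format, not racoon code.

```python
"""Timeline check for racoon log output (added example, not from the post).

Parses racoon's "YYYY-MM-DD HH:MM:SS: LEVEL: message" lines, pairs each
ISAKMP-SA "established" with its "expired" by cookie pair, and compares
the observed intervals with the durations configured in racoon.conf.
"""
import re
from datetime import datetime

# Sample input: the log lines copied from the post above.
SAMPLE_LOG = """\
2005-03-30 10:12:10: INFO: IPsec-SA request for 1.2.3.105 queued due to no phase1 found.
2005-03-30 10:12:10: INFO: initiate new phase 1 negotiation: 192.168.254.254[500]<=>1.2.3.105[500]
2005-03-30 10:12:10: INFO: begin Identity Protection mode.
2005-03-30 10:12:11: INFO: ISAKMP-SA established 192.168.254.254[500]-1.2.3.105[500] spi:d981f3f2645fb250:303863887dab4af4
2005-03-30 10:12:12: INFO: initiate new phase 2 negotiation: 192.168.254.254[0]<=>1.2.3.105[0]
2005-03-30 10:12:12: INFO: respond new phase 1 negotiation: 192.168.254.254[500]<=>1.2.3.105[500]
2005-03-30 10:12:12: INFO: begin Identity Protection mode.
2005-03-30 10:12:27: ERROR: 1.2.3.105 give up to get IPsec-SA due to time up to wait.
2005-03-30 10:12:32: ERROR: ignore information because the message has no hash payload.
2005-03-30 10:12:42: INFO: IPsec-SA expired: ESP/Tunnel 1.2.3.105->192.168.254.254 spi=247774983(0xec4bf07)
2005-03-30 10:12:52: ERROR: ignore information because the message has no hash payload.
2005-03-30 10:13:11: INFO: ISAKMP-SA expired 192.168.254.254[500]-1.2.3.105[500] spi:d981f3f2645fb250:303863887dab4af4
2005-03-30 10:13:12: INFO: ISAKMP-SA deleted 192.168.254.254[500]-1.2.3.105[500] spi:d981f3f2645fb250:303863887dab4af4
2005-03-30 10:13:12: ERROR: ignore information because the message has no hash payload.
2005-03-30 10:13:32: ERROR: ignore information because the message has no hash payload.
2005-03-30 10:13:52: ERROR: ignore information because the message has no hash payload.
2005-03-30 10:14:12: ERROR: phase1 negotiation failed due to time up. e4f184cd918a430d:c1d141e4d15d2ede
"""

# Sample input: the timing-related parts of the racoon.conf from the post.
SAMPLE_CONF = """\
timer
{
        phase1 30 sec;
        phase2 15 sec;
}

remote 1.2.3.105
{
        lifetime time 1 min;    # sec,min,hour
        proposal {
                encryption_algorithm 3des;
        }
}

sainfo anonymous
{
         lifetime time 1440 min;
}
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (\w+): (.*)$")
SA_RE = re.compile(r"ISAKMP-SA (established|expired|deleted) .* spi:([0-9a-f]+:[0-9a-f]+)")
UNITS = {"sec": 1, "min": 60, "hour": 3600}


def parse_log(text):
    """Return a list of (timestamp, level, message) for every racoon log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def isakmp_sa_lifetimes(events):
    """Map each ISAKMP-SA cookie pair to the seconds from 'established' to 'expired'."""
    established, lifetimes = {}, {}
    for ts, _level, msg in events:
        m = SA_RE.search(msg)
        if not m:
            continue
        state, spi = m.groups()
        if state == "established":
            established[spi] = ts
        elif state == "expired" and spi in established:
            lifetimes[spi] = (ts - established[spi]).total_seconds()
    return lifetimes


def phase2_wait_seconds(events):
    """Seconds from the first phase 2 initiation to racoon giving up on the IPsec-SA."""
    start = next(ts for ts, _, m in events if m.startswith("initiate new phase 2"))
    end = next(ts for ts, _, m in events if "give up to get IPsec-SA" in m)
    return (end - start).total_seconds()


def count_unhashed_informational(events):
    """Informational exchanges racoon dropped because they carried no HASH payload."""
    return sum(1 for _, _, msg in events if "no hash payload" in msg)


def _duration(conf, keyword):
    """Parse '<keyword> N sec|min|hour;' into seconds (first match only)."""
    m = re.search(keyword + r"\s+(\d+)\s+(sec|min|hour)\s*;", conf)
    return int(m.group(1)) * UNITS[m.group(2)]


def configured_phase1_lifetime(conf):
    # Assumption: the first 'lifetime time' after the remote block opens is the
    # phase 1 lifetime, which is the layout of the posted racoon.conf.
    return _duration(conf[conf.index("remote "):], r"lifetime\s+time")


def configured_phase2_timer(conf):
    return _duration(conf, r"\bphase2")


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for spi, secs in isakmp_sa_lifetimes(ev).items():
        print(f"ISAKMP-SA {spi} lived {secs:.0f}s; configured phase 1 lifetime "
              f"{configured_phase1_lifetime(SAMPLE_CONF)}s")
    print(f"phase 2 gave up after {phase2_wait_seconds(ev):.0f}s; configured timer "
          f"{configured_phase2_timer(SAMPLE_CONF)}s")
    print(f"{count_unhashed_informational(ev)} informational messages dropped (no hash payload)")
```

Run as-is it reports that the one ISAKMP-SA lived 60 s against a configured phase 1 lifetime of 60 s, and that phase 2 was abandoned after 15 s against a configured `phase2 15 sec;`, so both expiries in the log are racoon's own timers firing rather than anything the peer sent. Pointing `parse_log` at the output of `racoon -F` on another host works the same way as long as the log format is unchanged.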