On Wed, Nov 12 2008 at 18:13, Joe Warren-Meeks wrote:
> Hey guys,

Hi,

> I'm struggling to get isakmpd to talk to a checkpoint firewall
>
> I need the following parameters
>
> General IKE Properties = AES-256 with SHA1
> IKE Phase 1 SA = Group2 (1024 bit)
> IKE Phase 1 SA renegotiation = 1440
> IKE Phase 2 SA renegotiation = 3600
>
> The network layout looks as follows:
>
> OurNet              OurFirewall       Internet   TheirFW           TheirNet
>
> 195.24.xxx.xxx/25 - 195.24.xxx.yyy  -----  62.232.xxx.xxx    62.232.xxx.yyy
>
> I currently have the following in my isakmpd.policy
>
> Keynote-version: 2
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
>             esp_present == "yes" &&
>             esp_enc_alg != "null" -> "true";
>
> And my isakmpd.conf is at the end. Any pointers guys?
I don't know if your isakmpd.conf is good or not. The general part seems good. But I'm wondering why you are not using the new configuration file (/etc/ipsec.conf). It's much easier to use and to maintain over time. For your part, you'll have to keep the default lifetime in isakmpd.conf as it's not supported in ipsec.conf.

From experience I can assure you it works also with Check Point (R60 to R65); you just have to carefully ensure that all ipsec variables are the same (as always with ipsec). Please review the parameters with the other end. If you can, also ask them for their error message when establishing the tunnel. I found the CheckPoint messages more useful than the isakmpd ones.

> [General]
> Retransmits= 5
> Exchange-max-time= 120
> Listen-on= 195.24.xxx.yyy
> Default-phase-1-lifetime= 1440,60:86400
> Default-phase-2-lifetime= 3600,60:86400
>
> [Phase 1]
> 62.232.xxx.xxx= local-remote
>
> [local-remote]
> Phase= 1
> Transport= udp
> Local-address= 195.24.xxx.yyy
> Address= 62.232.xxx.xxx
> Configuration= Default-main-mode
> Authentication= makemeagoatorsomething
>
> [Phase 2]
> Connections= VPN-local-remote-62.232.xx.yy/255.255.255.224
>
> [VPN-local-remote-62.232.xx.yy/255.255.255.224]
> Phase= 2
> ISAKMP-peer= local-remote
> Configuration= Default-quick-mode
> Local-ID= network-195.24.xxx.xxx/255.255.255.128
> Remote-ID= network-62.232.xxx.yyy/255.255.255.224
>
> [network-195.24.xxx.xxx/255.255.255.128]
> ID-type= IPV4_ADDR_SUBNET
> Network= 195.24.xxx.xx
> Netmask= 255.255.255.128
>
> # Section name and netmask must match the Remote-ID above (/255.255.255.224),
> # otherwise isakmpd cannot resolve the Remote-ID reference.
> [network-62.232.xxx.yyy/255.255.255.224]
> ID-type= IPV4_ADDR_SUBNET
> Network= 62.232.xxx.yyy
> Netmask= 255.255.255.224
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Life= ANY
> Transforms= AES-256-SHA
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-AES-256-SHA-SUITE
>
> [AES-256-SHA]
> ENCRYPTION_ALGORITHM= AES_CBC
> KEY_LENGTH= 256,256:256
> HASH_ALGORITHM= SHA
> AUTHENTICATION_METHOD= PRE_SHARED
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_MAIN_MODE
>
> [QM-ESP-AES-256-SHA-SUITE]
> Protocols= QM-ESP-AES-256-SHA
>
> --
> joe.
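The reply above recommends /etc/ipsec.conf instead of a hand-written isakmpd.conf. The following is an added example (not from either poster, and not OpenBSD's own sample) showing the same tunnel, AES-256/SHA1, MODP group 2, pre-shared key, expressed in ipsec.conf(5) syntax for ipsecctl(8). It keeps the poster's masked addresses as macros, so the xxx/yyy octets are assumptions to be replaced, and it assumes the remote network is the /27 (255.255.255.224) named in the Remote-ID rather than the /24 of the stray section header.

```conf
# /etc/ipsec.conf -- added example, not the original poster's configuration.
# Macros carry the poster's masked addresses; replace xxx/yyy with real octets.
local_net  = "195.24.xxx.xxx/25"   # OurNet    (Local-ID,  mask 255.255.255.128)
local_gw   = "195.24.xxx.yyy"      # OurFirewall (Listen-on / Local-address)
remote_gw  = "62.232.xxx.xxx"      # TheirFW   (ISAKMP peer, Address=)
remote_net = "62.232.xxx.yyy/27"   # TheirNet  (Remote-ID,  mask 255.255.255.224)

# Phase 1: main mode, AES-256 + SHA1, DH group 2 (modp1024), pre-shared key.
# Phase 2: quick mode ESP, AES-256 + HMAC-SHA1, no PFS (add "group modp1024"
# after the quick algorithms only if the Check Point side has PFS enabled).
ike esp from $local_net to $remote_net \
        local $local_gw peer $remote_gw \
        main  auth hmac-sha1 enc aes-256 group modp1024 \
        quick auth hmac-sha1 enc aes-256 \
        psk "makemeagoatorsomething"
```

Check the file with `ipsecctl -n -f /etc/ipsec.conf` before loading it; then set `ipsec=YES` and `isakmpd_flags="-K"` in /etc/rc.conf.local (`-K` turns off KeyNote policy checking, so isakmpd.policy is no longer needed) and load the flows with `ipsecctl -f /etc/ipsec.conf`; `ipsecctl -sa` shows the resulting flows and SAs. As the reply notes, ipsec.conf has no lifetime keyword, so the `Default-phase-1-lifetime` and `Default-phase-2-lifetime` lines stay in the `[General]` section of /etc/isakmpd/isakmpd.conf. Those values are in seconds; Check Point displays its Phase 1 renegotiation interval in minutes and its Phase 2 interval in seconds, so the "1440" on the Check Point side corresponds to 86400 seconds in isakmpd.conf, while 3600 carries over unchanged. Mismatched lifetimes are a common reason a tunnel comes up and later drops, so confirm both numbers with the peer's administrator along with the algorithms.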