
Re: [Users] FreeSwan <---> Watchguard Firebox

From: Cristian Marin <cristian.marin(at)urbisinternational.ro>
Date: Wed Oct 01 2003 - 10:20:22 EDT

Hello Sascha,
Thanks for your answer.

Here is what I've tried:

Manual keying

On the Firebox
Key negotiation type: manual
Remote ID type: IP address
Gateway IP: a.b.c.d

Use ESP
SPI 257
Encryption 3DES-CBC
Key - 432a2..... generated
Authentication SHA1-HMAC
Auth key - 2a524.... generated

on FreeSwan
config setup
interface="ipsec0=eth1"
rp_filter=0


conn test
    left=myip
    leftsubnet=mysubnet
    leftnexthop=mygate
    right=fireboxip
    rightsubnet=the other subnet
    rightnexthop=hisgate
    auto=add
    spi=0x101
    esp=3des-md5-96
    espenckey=0xthe key generated on the firebox
    espauthkey=0xthe key generated on the firebox
    pfs=no

If I try to start the connection from the linux box with "ipsec manual --up test", I'm getting the error:
/usr/local/libexec/ipsec/spi --label test: Trouble building kay_a extension, error=-22
If I try to start with "ipsec auto --up test" it stops at STATE_MAIN_I3: sent MI3, expecting MR3 with the message: ignoring informational payload, type INVALID_COOKIE
Also, if I use AH instead of ESP, the result is the same.

Auto keying

On Firebox
Key Negotiation type: isakmp (dynamic)
remote ID type: IP address
Gate IP address: the IP
Shared key: whatever

Local ID type: IP address
Authentication: md5-hmac
Encryption: 3des-cbc
Diffie-Hellman Group: 2
epf=disable
aggressive mode=disable

Phase2
SAP type: esp
authentication: md5-hmac
encryption: 3des-cbc

On FreeSwan
config setup
interface="ipsec0=eth1"
rp_filter=0

conn test
    left=myip
    leftsubnet=mysubnet
    leftnexthop=mygate
    right=fireboxip
    rightsubnet=the other subnet
    rightnexthop=hisgate
    auto=add
    authby=secret
    esp=3des-md5-96
    ah=hmac-md5
    pfs=no

ipsec.secrets
myip hisip: PSK "whatever"

With this configuration it never passed STATE_MAIN_I1.


If you want, I can send you the logs with debug=all or the barf file.

Sorry if my other message was so short, but I wanted to know first if someone faced the same problem.

Thank you again
Regards
Cristian

-------Original Message-------  

From: Sascha Runschke
Date: 01 October 2003 14:19:17
To: 'users@mj2.freeswan.org'
Cc: 'Cristian Marin'
Subject: RE: [Users] FreeSwan <---> Watchguard Firebox  

> I'm trying to make a VPN between a Linux RH 7.3 with FreeSwan
> 2.02 and a Firebox III v 6.3 from Watchguard. The linux box installation
> is OK, because I made a tunnel with another system, running RH 9.0 and
> FreeSwan 2.02.

A vague assumption in my opinion ;)  

> I tried all the configurations a have found on the net,
> manual and auto keying, but still not working!

What exactly did you try? What exactly is the error message? I'm truly sorry, but I borrowed away my crystal ball yesterday ;-)  

> Does anyone have this pair working?
 

Yes.
Only tips I can give you without any further info:  

Firebox Systems don't use PFS, so don't forget to disable it for the connection.
Set keylife=8h - that's the default that a Firebox expects, it will refuse to build up a tunnel with another setting somehow.  

regards
  sash  

--
Sascha Runschke
Abteilung IT-Services
phinware AG
D-40237 Düsseldorf, Grafenberger Allee 125  

phinfon: +49 (0)211 16686-514
phinmail: sascha.runschke@phinware.de
phinfax: +49 (0)211 16686-666
phinweb: http://www.phinware.de
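Sascha's two tips (no PFS, keylife=8h) and the conn sections posted above, as an added example that is not part of the original thread and is not FreeS/WAN's or WatchGuard's code: a small Python checker that parses an ipsec.conf-style conn section and reports settings that do not line up with the Firebox phase 2 proposal described in the first message. The functions parse_conf and check_conn, the keyword list, the ESP_NAME table and the documentation-range addresses in SAMPLE_CONF are all constructed for this example; the one FreeS/WAN default it relies on (pfs=yes unless set) is taken from the FreeS/WAN ipsec.conf documentation.

```python
# Added example (not FreeS/WAN or WatchGuard code): sanity-check a FreeS/WAN
# ipsec.conf 'conn' section against the Firebox constraints named in this thread.
import re

# Constructed sample mirroring the auto-keying conn posted above; the addresses
# are documentation ranges, not real hosts.
SAMPLE_CONF = """\
config setup
    interface="ipsec0=eth1"
    rp_filter=0

conn test
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    leftnexthop=192.0.2.1
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    rightnexthop=198.51.100.1
    auto=add
    authby=secret
    esp=3des-md5-96
    ah=hmac-md5
    pfs=no
"""

# Phase 2 proposal as entered in the Firebox GUI earlier in the thread.
FIREBOX_PHASE2 = {"sa_type": "esp", "encryption": "3des-cbc", "authentication": "md5-hmac"}

# Firebox (cipher, hash) names -> the FreeS/WAN esp= spelling of the same proposal.
ESP_NAME = {
    ("3des-cbc", "md5-hmac"): "3des-md5-96",
    ("3des-cbc", "sha1-hmac"): "3des-sha1-96",
}

# Keywords used in this thread; anything else is most likely a typo (e.g. 'rigt').
KNOWN_CONN_KEYS = {
    "left", "leftsubnet", "leftnexthop", "right", "rightsubnet", "rightnexthop",
    "auto", "authby", "esp", "ah", "pfs", "keylife", "ikelifetime",
    "spi", "espenckey", "espauthkey",
}


def parse_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}} from ipsec.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue                             # key outside any section: ignore
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def check_conn(conn, firebox=FIREBOX_PHASE2):
    """Return a list of problems for an auto-keying conn; [] means it is consistent."""
    problems = []
    for key in sorted(conn):
        if key not in KNOWN_CONN_KEYS:
            problems.append(f"unknown keyword '{key}' (typo?); FreeS/WAN will reject the conn")
    for side in ("left", "right"):
        if side not in conn:
            problems.append(f"{side}= is missing")
    # FreeS/WAN defaults to pfs=yes, but the Firebox does not do PFS (Sascha's first tip).
    if conn.get("pfs", "yes") != "no":
        problems.append("pfs must be 'no': the Firebox does not use PFS")
    # Sascha's second tip: the Firebox expects an 8h lifetime, so state it explicitly.
    if conn.get("keylife") != "8h":
        problems.append("set keylife=8h explicitly to match what the Firebox expects")
    expected = ESP_NAME.get((firebox["encryption"], firebox["authentication"]))
    if firebox["sa_type"] == "esp":
        if conn.get("esp") != expected:
            problems.append(f"esp= should be {expected} to match the Firebox phase 2 proposal")
        if "ah" in conn:
            # ah= next to esp= asks for an AH+ESP bundle; an ESP-only peer will not agree.
            problems.append("remove ah=: the Firebox phase 2 is ESP only, AH+ESP will not match")
    for key in ("spi", "espenckey", "espauthkey"):
        if key in conn:
            problems.append(f"{key}= belongs to manual keying; drop it from an auto-keying conn")
    return problems


if __name__ == "__main__":
    for problem in check_conn(parse_conf(SAMPLE_CONF)["conn test"]):
        print("conn test:", problem)
```

Run against the posted auto-keying conn, the checker reports two things: no explicit keylife=8h, and the ah=hmac-md5 line next to esp=, which turns the proposal into an AH+ESP bundle that the Firebox's ESP-only phase 2 cannot agree to. Neither explains a phase 1 stall at STATE_MAIN_I1, but both would surface as phase 2 mismatches as soon as phase 1 completes. The same table lookup also makes the manual-keying pair above worth a second look: the Firebox side was set to SHA1-HMAC while the FreeS/WAN conn asks for 3des-md5-96, so passing the manual-keying Firebox settings as the firebox argument flags that esp= line too.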

Received on Wed Oct 1 09:29:03 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:39 EDT

