# [VPN] - Ipsec, Racoon, Openswan with checkpoint firewall

## jacques_h

Hello, 

I am trying to establish my VPN connection from home to the office.

At the office we have a Checkpoint access.

At home I have my Gentoo box  :Wink:  with a lot of VPN tools and IPsec utilities.

Perhaps somebody has already set up a similar configuration.

First I tried using the Gnome NetworkManager (VPN) but had no success... it's too easy to work  :Wink: 

Next I tried vpnc and Openswan; I read a lot of documentation about this... but no result.

Below is some information about my configuration files and log file.

== my conf files ==

```
# cat /etc/ipsec/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
# This file:  /usr/share/doc/openswan-2.4.9/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none

conn checkpoint
        keyexchange=ike
        aggrmode=no
        auth=esp
        ike=3des-md5
        esp=3des-md5
        pfs=no
        compress=no
        left=192.168.0.1
        right=XXXXXXXX
        authby=secret
        auto=start

# Add connections here
# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

```
# cat /etc/ipsec/ipsec.secrets
192.168.0.1 XXX.XXX.XXX.XXX: PSK "mypassword"
```

```
/var/log/message

Dec 10 22:29:37 dali ipsec_setup: ...Openswan IPsec stopped
Dec 10 22:29:37 dali ipsec_setup: Starting Openswan IPsec U2.4.9/K2.6.23-gentoo-r3...
Dec 10 22:29:37 dali ipsec_setup: NETKEY on eth1 192.168.0.1/255.255.255.0 broadcast 192.168.0.255 
Dec 10 22:29:37 dali ipsec__plutorun: Unknown default RSA hostkey scheme, not generating a default hostkey
Dec 10 22:29:37 dali ipsec_setup: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Dec 10 22:29:37 dali ipsec__plutorun: Starting Pluto subsystem...
Dec 10 22:29:37 dali pluto[23039]: Starting Pluto (Openswan Version 2.4.9 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE_]{vKgCoOI)
Dec 10 22:29:37 dali pluto[23039]: Setting NAT-Traversal port-4500 floating to off
Dec 10 22:29:37 dali pluto[23039]:    port floating activation criteria nat_t=0/port_fload=1
Dec 10 22:29:37 dali pluto[23039]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec 10 22:29:37 dali pluto[23039]: starting up 1 cryptographic helpers
Dec 10 22:29:37 dali pluto[23039]: started helper pid=23040 (fd:6)
Dec 10 22:29:37 dali pluto[23039]: Using NETKEY IPsec interface code on 2.6.23-gentoo-r3
Dec 10 22:29:37 dali ipsec_setup: ...Openswan IPsec started
Dec 10 22:29:37 dali pluto[23039]: FATAL ERROR: Failed to bind bcast socket in init_netlink() - Perhaps kernel has no CONFIG_XFRM_USER support. Errno 2: No such file or directory
Dec 10 22:29:37 dali ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Dec 10 22:29:37 dali ipsec__plutorun: ...could not add conn "checkpoint"
Dec 10 22:29:37 dali ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Dec 10 22:29:37 dali ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Dec 10 22:29:37 dali ipsec__plutorun: ...could not route conn "checkpoint"
Dec 10 22:29:37 dali ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Dec 10 22:29:37 dali ipsec__plutorun: ...could not start conn "checkpoint"
Dec 10 22:29:47 dali rc-scripts: ERROR: wrong args ( _autorestart ) error status 1
Dec 10 22:29:47 dali rc-scripts: Usage: ipsec { start|stop|restart }
Dec 10 22:29:47 dali rc-scripts:        ipsec without arguments for full help
```

== part kernel config ==

```
# zcat /proc/config.gz | grep -i net | grep -v \#
CONFIG_NET=y
CONFIG_NET_KEY=y
CONFIG_INET=y
CONFIG_NET_IPIP=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=y
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_NETFILTER=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NET_SCH_FIFO=y
CONFIG_SCSI_NETLINK=y
CONFIG_NETDEVICES=y
CONFIG_NET_ETHERNET=y
CONFIG_NETDEV_1000=y
CONFIG_NETDEV_10000=y
CONFIG_NETXEN_NIC=m
CONFIG_USB_USBNET_MII=m
CONFIG_USB_USBNET=m
CONFIG_USB_NET_AX8817X=m
CONFIG_USB_NET_CDCETHER=m
CONFIG_USB_NET_GL620A=m
CONFIG_USB_NET_NET1080=m
CONFIG_USB_NET_PLUSB=m
CONFIG_USB_NET_ZAURUS=m
CONFIG_USB_SERIAL_OMNINET=m
CONFIG_USB_GADGET_NET2280=y
CONFIG_USB_NET2280=m
CONFIG_NET_DMA=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
```

THANKS for your help

----------

## Wormo

Probably you have figured this out by now, but you are missing a couple of kernel options:

```
CONFIG_XFRM
CONFIG_XFRM_USER
```

----------

## jacques_h

No, I've already set this option.

```
# zcat /proc/config.gz | grep CONFIG_XFRM
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
...
```

----------

## Wormo

I notice xfrm_user is a module; is it getting automatically loaded?

I remember having to modprobe some modules in an IPsec startup on one system (not Gentoo, but still...)

----------
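As an added check, not code from the thread or from Openswan: a small POSIX shell script that tells apart the three states the last reply is asking about (CONFIG_XFRM_USER built in, built as a module and loaded, or built as a module but not loaded), which is the distinction behind Pluto's "Perhaps kernel has no CONFIG_XFRM_USER support" fatal error. It assumes /proc/config.gz and /proc/modules are readable on the real system; the sample input below is constructed to mirror the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Openswan's NETKEY backend talks to
# the kernel over the XFRM netlink interface, which exists only when
# CONFIG_XFRM_USER is =y, or =m with the xfrm_user module actually loaded.
#
# Arguments are plain text so the check also runs offline on sample input:
#   $1  decompressed contents of /proc/config.gz
#   $2  contents of /proc/modules
# Prints one word; returns 0 (usable), 1 (module not loaded), 2 (absent).
check_xfrm_user() {
    config="$1"
    modules="$2"
    setting=$(printf '%s\n' "$config" | sed -n 's/^CONFIG_XFRM_USER=//p')
    case "$setting" in
        y)  echo "builtin"; return 0 ;;
        m)  if printf '%s\n' "$modules" | grep -q '^xfrm_user '; then
                echo "module-loaded"; return 0
            else
                echo "module-not-loaded"; return 1
            fi ;;
        *)  echo "missing"; return 2 ;;
    esac
}

# Constructed sample: XFRM_USER=m as in the thread, module not loaded.
SAMPLE_CONFIG='CONFIG_XFRM=y
CONFIG_XFRM_USER=m
# CONFIG_XFRM_SUB_POLICY is not set'
SAMPLE_MODULES='esp4 6912 0 - Live 0xf8a3c000
af_key 29440 0 - Live 0xf8a50000'

verdict=$(check_xfrm_user "$SAMPLE_CONFIG" "$SAMPLE_MODULES") || true
echo "sample system: $verdict"        # prints "module-not-loaded"

# Same check against the running kernel, when its config is exposed.
if [ -r /proc/config.gz ] && [ -r /proc/modules ]; then
    real=$(check_xfrm_user "$(zcat /proc/config.gz)" "$(cat /proc/modules)") || true
    case "$real" in
        module-not-loaded) echo "run 'modprobe xfrm_user' as root, then restart ipsec" ;;
        missing)           echo "rebuild the kernel with CONFIG_XFRM_USER=y (or =m)" ;;
        *)                 echo "running kernel: $real" ;;
    esac
fi
```

If the verdict is "module-not-loaded", adding xfrm_user to the modules loaded at boot keeps the problem from returning after a reboot.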

