Hi there community,
We've been trying for days to make the following configuration work:
Creating an IPsec VPN connection using certificates:
- RUTX50 with dynamic IP
- CheckPoint Firewall
Generated self-signed certificates (CA and server side) and imported them to the RUTX50 and the Check Point firewall (signed on both sides).
Now, when I start the VPN, the connection does not get established:
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 11[IKE] <CHKP-CHKP_c|424> initiating IKE_SA CHKP-CHKP_c[424] to xxx.xx.xx.xx
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 11[ENC] <CHKP-CHKP_c|424> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 11[NET] <CHKP-CHKP_c|424> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (884 bytes)
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[NET] <CHKP-CHKP_c|424> received packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (228 bytes)
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[ENC] <CHKP-CHKP_c|424> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[CFG] <CHKP-CHKP_c|424> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_256
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> sending cert request for "CN=daipvpn"
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> authentication of 'CN=rutx50_test1' (myself) with RSA signature successful
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> establishing CHILD_SA CHKP-CHKP_c{1271}
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[ENC] <CHKP-CHKP_c|424> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Thu Aug 22 08:39:10 2024 daemon.info ipsec: 01[NET] <CHKP-CHKP_c|424> sending packet: from xxx.xx.xx.xx[4500] to xxx.xx.xx.xx[4500] (672 bytes)
Thu Aug 22 08:39:14 2024 daemon.info ipsec: 14[IKE] <CHKP-CHKP_c|424> retransmit 1 of request with message ID 1
Thu Aug 22 08:39:14 2024 daemon.info ipsec: 14[NET] <CHKP-CHKP_c|424> sending packet: from xxx.xx.xx.xx[4500] to xxx.xx.xx.xx[4500] (672 bytes)
Thu Aug 22 08:39:22 2024 daemon.info ipsec: 08[IKE] <CHKP-CHKP_c|424> retransmit 2 of request with message ID 1
Thu Aug 22 08:39:22 2024 daemon.info ipsec: 08[NET] <CHKP-CHKP_c|424> sending packet: from xxx.xx.xx.xx[4500] to xxx.xx.xx.xx[4500] (672 bytes)
Thu Aug 22 08:39:34 2024 daemon.info ipsec: 05[IKE] <CHKP-CHKP_c|424> retransmit 3 of request with message ID 1
Thu Aug 22 08:39:34 2024 daemon.info ipsec: 05[NET] <CHKP-CHKP_c|424> sending packet: from xxx.xx.xx.xx[4500] to xxx.xx.xx.xx[4500] (672 bytes)
Thu Aug 22 08:39:58 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> giving up after 3 retransmits
Thu Aug 22 08:39:58 2024 daemon.info ipsec: 01[IKE] <CHKP-CHKP_c|424> peer not responding, trying again (3/3)
We could imagine that something is wrong on the Check Point firewall, but in its logs I can see the following:
[iked 29652 4071057408]@sw-fw002[22 Aug 9:01:42][ikev2] ikeAuthExchange_r::expectedPayloadTypesExist: Cannot authenticate peer: RSA sig is configured but no certificate has been sent.
When I look at the log of a strongSwan example, I see this:
Mar 19 11:28:53 moon charon-systemd: 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
Mar 19 11:28:53 moon charon-systemd: 09[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
Mar 19 11:28:53 moon charon-systemd: 09[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
Mar 19 11:28:53 moon charon-systemd: 09[IKE] authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Mar 19 11:28:53 moon charon-systemd: 09[IKE] sending end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
Mar 19 11:28:53 moon charon-systemd: 09[IKE] establishing CHILD_SA net-net{1}
Does anybody have good experience in such configuration?
I have to mention that when I configure the IPsec VPN with a shared secret, it works. But of course that is not usable in our case, as our IP is dynamic.
Help would be much appreciated.
Thanks in advance.
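Added diagnostic, not part of the original post and not Teltonika, strongSwan or Check Point code: the payload lists in the charon log above are the telling detail. The RUTX50's IKE_AUTH request carries IDi, CERTREQ, IDr, AUTH and the traffic selectors but no CERT payload, which is exactly what the Check Point message "RSA sig is configured but no certificate has been sent" complains about, and the Check Point IKE_SA_INIT response carried no CERTREQ either. With strongSwan's default send_cert = ifasked (leftsendcert=ifasked in ipsec.conf) the end-entity certificate is only included when the peer has requested one, so both logs are consistent with each other. The script below parses the payload lists out of charon ENC lines and reports which side is missing what. The two embedded logs are constructed samples, condensed from the post's log and from the strongSwan example (the healthy sample's CERTREQ-in-IKE_SA_INIT line and payload order are assumed); the function and variable names are this example's own.

```python
import re

# Constructed sample, condensed from the failing RUTX50 -> Check Point log in
# the post (addresses already masked there). Note: no CERT in IKE_AUTH, and no
# CERTREQ in the peer's IKE_SA_INIT response.
FAILING_LOG = """\
11[ENC] <CHKP-CHKP_c|424> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
01[ENC] <CHKP-CHKP_c|424> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
01[IKE] <CHKP-CHKP_c|424> sending cert request for "CN=daipvpn"
01[IKE] <CHKP-CHKP_c|424> authentication of 'CN=rutx50_test1' (myself) with RSA signature successful
01[ENC] <CHKP-CHKP_c|424> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]
14[IKE] <CHKP-CHKP_c|424> retransmit 1 of request with message ID 1
"""

# Constructed sample of a healthy certificate-authenticated exchange, modelled
# on the strongSwan example in the post: the responder asks for a certificate
# (CERTREQ in its IKE_SA_INIT response, assumed here) and the initiator sends
# its end-entity certificate (CERT payload in IKE_AUTH).
HEALTHY_LOG = """\
09[ENC] <net-net|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) ]
09[IKE] <net-net|1> received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
09[IKE] <net-net|1> sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
09[IKE] <net-net|1> authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
09[IKE] <net-net|1> sending end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
09[ENC] <net-net|1> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr ]
"""

# charon ENC lines look like:
#   "generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH ... ]"
#   "parsed IKE_SA_INIT response 0 [ SA KE No ... ]"
PAYLOAD_RE = re.compile(
    r"(?P<dir>generating|parsed) (?P<exch>IKE_SA_INIT|IKE_AUTH) "
    r"(?P<kind>request|response) (?P<msgid>\d+) \[ (?P<payloads>.*?) \]"
)
# charon IKE line reporting which method we used to authenticate ourselves.
AUTH_RE = re.compile(
    r"authentication of '(?P<id>[^']+)' \(myself\) with (?P<method>.+?) successful"
)


def parse_payloads(log_text):
    """Map (direction, exchange, request|response) -> list of payload tokens.

    Notify payloads keep their N(...) form; CERT and CERTREQ appear as bare
    tokens, which is what the diagnosis below keys on."""
    found = {}
    for line in log_text.splitlines():
        m = PAYLOAD_RE.search(line)
        if m:
            found[(m["dir"], m["exch"], m["kind"])] = m["payloads"].split()
    return found


def diagnose_cert_auth(log_text):
    """Did we send a CERT payload in IKE_AUTH, and did the peer ask for one?

    Returns a dict of booleans plus a one-line 'verdict' a practitioner can act on."""
    payloads = parse_payloads(log_text)
    peer_init = payloads.get(("parsed", "IKE_SA_INIT", "response"), [])
    our_auth = payloads.get(("generating", "IKE_AUTH", "request"), [])
    auth = AUTH_RE.search(log_text)
    result = {
        "auth_method": auth["method"] if auth else None,
        "peer_sent_certreq": "CERTREQ" in peer_init,
        "we_sent_certreq": "CERTREQ" in our_auth,
        "we_sent_cert": "CERT" in our_auth,
    }
    if not our_auth:
        result["verdict"] = "no IKE_AUTH request found in log"
    elif result["we_sent_cert"]:
        result["verdict"] = ("CERT payload sent; look elsewhere "
                             "(trust chain, identity match, responder policy)")
    elif result["peer_sent_certreq"]:
        result["verdict"] = ("peer asked for a cert but none was sent: check that the "
                             "end-entity cert and its private key are loaded for this connection")
    else:
        result["verdict"] = ("no CERT payload and the peer sent no CERTREQ: with strongSwan's "
                             "default send_cert=ifasked the certificate is withheld; set "
                             "send_cert=always (leftsendcert=always) or make the responder "
                             "send a CERTREQ")
    return result


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        print(name, diagnose_cert_auth(log))
```

Run it against a full charon log (strongSwan's own, or the RUTX50's `logread` output) to get the same verdict; only the ENC payload lines and the "authentication of ... (myself)" line are consulted. Whether the RUTX50 web UI exposes the send-certificate setting is not stated on this page; the option names quoted in the verdict are strongSwan's own (swanctl.conf `send_cert`, ipsec.conf `leftsendcert`).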