Ipcop


IPCop VPN issues

The other day I brought the new Checkpoint firewall to the new building and tried to get the VPN tunnels up between the satellite offices, and failed. At the satellite offices we use IPCop as our firewalls.

I had set up the policies on the IPCop boxes and the corresponding ones on the Checkpoint firewall. When I went to bring up the tunnels I got nothing: there was no traffic going out of the Checkpoint unit and I saw nothing on the IPCop boxes. I spent 3 hours on the phone with Checkpoint and got the box reconfigured; after that I started getting errors on the IPCop boxes, but still no tunnels. The Checkpoint tech was stumped, as was I. I went so far as to blame the new T-1 provider for mangling my packets so that they would not be accepted at the other offices.

So the error I was getting on the IPCop boxes was:

packet from X.X.X.X:500: initial Main Mode message received on X.X.X.X:500 but no connection has been authorized with policy=PSK

Now most of the information on the internet says this is a problem with the IPCop box getting a request from a peer that it isn’t expecting. Well, the policy was set up correctly on all the boxes. I even took out the Checkpoint firewall and replaced it with an IPCop box... same error. So after spending all day and most of the night on it, I headed home.

Around 3am I woke up and started thinking about the issue. In my mind I went over the list of all the VPNs I had set up up to that point, and it came to me.

I got up and headed back to the new office. When I got there I made sure that the problem was still happening.

I had named the VPN policy on the IPCop boxes 1200Lenox. The problem is... you can’t start the name of the policy with a number. The minute I changed the policy name to l1200lenox, the tunnels came right up.

So for all of you who are getting the same error: make sure the name of your policy starts with a letter and not a number. The "no connection has been authorized" message does not point at the name at all, so check this before you start blaming the peer or the line.
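As a pre-check for the mistake described above, here is an added example (not from the post or from the IPCop project) that scans an ipsec.conf-style file for "conn" sections whose names do not start with a letter. It assumes IPCop's VPN backend stores policies as "conn <name>" sections in that format; the configuration text, peer addresses and connection names below are constructed for the example, and the hypothetical lint() helper only reports, it does not rewrite the file.

```python
import re

# Constructed sample in the ipsec.conf style used by the FreeS/WAN and
# Openswan family that IPCop's VPN backend is built on (assumption).
# Addresses are documentation ranges; this is not the author's config.
SAMPLE_CONF = """\
version 2.0

config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0

conn 1200Lenox
    left=%defaultroute
    right=203.0.113.10
    authby=secret

conn l1200lenox
    left=%defaultroute
    right=203.0.113.10
    authby=secret

conn branch-office
    right=198.51.100.20
"""

# A "conn" line is the keyword, whitespace, then the policy name, alone on the line.
CONN_RE = re.compile(r"^conn\s+(\S+)\s*$", re.MULTILINE)


def conn_names(conf_text):
    """Return every connection name declared with a 'conn' line, in file order."""
    return CONN_RE.findall(conf_text)


def invalid_conn_names(conf_text):
    """Return connection names whose first character is not a letter.

    The built-in '%default' pseudo-connection is skipped because it is
    part of the file format, not a user policy.
    """
    return [name for name in conn_names(conf_text)
            if not name.startswith("%") and not name[0].isalpha()]


def lint(conf_text):
    """Print one line per bad policy name and return the list of offenders."""
    problems = invalid_conn_names(conf_text)
    for name in problems:
        # Suggest the same rename the post used: prefix a letter.
        print(f"conn {name!r}: policy name must start with a letter "
              f"(for example {'l' + name.lower()!r})")
    return problems


if __name__ == "__main__":
    lint(SAMPLE_CONF)
```

Run it against a copy of the VPN configuration before bringing tunnels up; a non-empty result means the "no connection has been authorized" error can be expected before any packet is exchanged with the peer.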