[vpn-help] Shrew (debian lenny) to Checkpoint NGX R65

Luca Arzeni l.arzeni at gmail.com
Mon May 3 06:44:07 CDT 2010


Thanks Carmelo,
it's nice to hear that someone was successful at this! I'm using lenny
(kernel 2.6.26-2-amd64), but I hope that this is not a net/kernel issue.

I've read your first mail (how to reverse the cert from userC.c), and I've
already reversed the cert.
I have a pkcs12 from the checkpoint administrator, I followed the
instructions from the debian guy and extracted ca.pem, my_key.pem and
my_crt.pem.

I can confirm that the ca.pem reversed from userc.c is the same as the one
obtained directly from the pkcs12.

I didn't spot your second mail until now, but I've realized the bug on
ikea, so I set the asn1dn directly in ~/.ike/ by hand and ran ikec -r
default.

I've set ike to 3DES/SHA1/1024 (the same parameters are used for phase 2). If
I don't set 3des (using AES, for example), I receive a "peer unknown
notification".

Using 3des, it seems that phase1 was ok, but it cannot go with phase2.

Am I missing something? I have no "firewall certificate" but only the CA
certificate. Aren't they the same thing?

I spotted a message: "K! : recv X_SPDDUMP message failure ( errno = 2 )".
Is it something important?

The error is on the line "ii : received peer PAYLOAD-MALFORMED
notification".
Do you have any hint?

Yours faithfully, Luca Arzeni

=== This is my site configuration ===

n:version:2
n:network-ike-port:500
n:network-mtu-size:1300
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:0
n:client-dns-used:0
n:phase1-dhgroup:2
n:phase1-keylen:192
n:phase1-life-secs:3600
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:1
n:phase2-keylen:192
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:0
s:client-ip-addr:192.168.144.4
s:client-ip-mask:255.255.255.255
s:network-host:x.y.z.t
s:client-auto-mode:pull
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:auth-server-cert:/home/larzeni/.ike/certs/checkpoint-internal-ca.pem
s:auth-client-cert:/home/larzeni/.ike/certs/larzeni-cert.pem
s:auth-client-key:/home/larzeni/.ike/certs/larzeni-key.pem
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:3des
s:phase2-hmac:sha1
s:ipcomp-transform:deflate
s:policy-list-include:192.168.255.0 / 255.255.255.0

=== and this is the output from the command "iked -F -d 6" ===

ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.1.5
## : Copyright 2009 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8g 19 Oct 2007
ii : opened '/var/log/iked.log'
ii : opened '/var/log/ike-encrypt.pcap'
ii : opened '/var/log/ike-decrypt.pcap'
ii : pfkey process thread begin ...
ii : network process thread begin ...
ii : ipc server process thread begin ...
K< : recv pfkey REGISTER AH message
K< : recv pfkey REGISTER ESP message
K< : recv pfkey REGISTER IPCOMP message
K! : recv X_SPDDUMP message failure ( errno = 2 )


ii : ipc client process thread begin ...
<A : peer config add message
DB : peer added ( obj count = 1 )
ii : local address 192.168.144.4 selected for peer
DB : tunnel added ( obj count = 1 )
<A : proposal config message
<A : proposal config message
<A : proposal config message
<A : client config message
<A : remote cert '/home/larzeni/.ike/certs/checkpoint-internal-ca.pem' message
ii : '/home/larzeni/.ike/certs/checkpoint-internal-ca.pem' loaded
<A : local cert '/home/larzeni/.ike/certs/larzeni-cert.pem' message
ii : '/home/larzeni/.ike/certs/larzeni-cert.pem' loaded
<A : local key '/home/larzeni/.ike/certs/larzeni-key.pem' message
!! : '/home/larzeni/.ike/certs/larzeni-key.pem' load failed, requesting password
<A : file password
<A : local key '/home/larzeni/.ike/certs/larzeni-key.pem' message
ii : '/home/larzeni/.ike/certs/larzeni-key.pem' loaded
<A : remote resource message
<A : peer tunnel enable message
ii : obtained x509 cert subject ( 73 bytes )
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is identity protect
DB : 192.168.144.4:500 <-> x.y.z.t:500
DB : d7bc5ca1ef159ea9:0000000000000000
DB : phase1 added ( obj count = 1 )
>> : security association payload
>> : - proposal #1 payload
>> : -- transform #1 payload
>> : vendor id payload
ii : local supports nat-t ( draft v00 )
>> : vendor id payload
ii : local supports nat-t ( draft v01 )
>> : vendor id payload
ii : local supports nat-t ( draft v02 )
>> : vendor id payload
ii : local supports nat-t ( draft v03 )
>> : vendor id payload
ii : local supports nat-t ( rfc )
>> : vendor id payload
ii : local supports FRAGMENTATION
>> : vendor id payload
ii : local supports DPDv1
>> : vendor id payload
ii : local is SHREW SOFT compatible
>> : vendor id payload
ii : local is NETSCREEN compatible
>> : vendor id payload
ii : local is SIDEWINDER compatible
>> : vendor id payload
ii : local is CISCO UNITY compatible
>> : vendor id payload
ii : local is CHECKPOINT compatible
>= : cookies d7bc5ca1ef159ea9:0000000000000000
>= : message 00000000
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 384 bytes )
DB : phase1 resend event scheduled ( ref count = 2 )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 148 bytes )
DB : phase1 found
ii : processing phase1 packet ( 148 bytes )
=< : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
=< : message 00000000
<< : security association payload
<< : - propsal #1 payload
<< : -- transform #1 payload
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = 3des
ii : - key length   = default
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = sig-rsa
ii : - life seconds = 3600
ii : - life kbytes  = 0
<< : vendor id payload
ii : peer supports nat-t ( draft v02 )
<< : vendor id payload
ii : peer is CHECKPOINT compatible
>> : key exchange payload
>> : nonce payload
>> : cert request payload
>> : nat discovery payload
>> : nat discovery payload
>= : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
>= : message 00000000
DB : phase1 resend event canceled ( ref count = 1 )
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 265 bytes )
DB : phase1 resend event scheduled ( ref count = 2 )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 40 bytes )
DB : phase1 found
ii : processing informational packet ( 40 bytes )
== : new informational iv ( 8 bytes )
=< : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
=< : message 776a44a4
<< : notification payload
ii : received peer PAYLOAD-MALFORMED notification
ii : - x.y.z.t:500 -> 192.168.144.4:500
ii : - isakmp spi = none
ii : - data size 0
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
ii : resend limit exceeded for phase1 exchange
ii : phase1 removal before expire time
DB : phase1 deleted ( obj count = 0 )
DB : policy not found
DB : policy not found
DB : tunnel stats event canceled ( ref count = 1 )
DB : removing tunnel config references
DB : removing tunnel phase2 references
DB : removing tunnel phase1 references
DB : tunnel deleted ( obj count = 0 )
DB : removing all peer tunnel refrences
DB : peer deleted ( obj count = 0 )
ii : ipc client process thread exit ...

=== thanks again, Luca ===

On Sun, May 2, 2010 at 9:08 PM, Carmelo Iannello <c.iannello at codices.com> wrote:

> Luca Arzeni ha scritto:
>
>  Hi there,
>> I'm trying to connect a client (debian lenny) with a checkpoint firewall
>> NGX R65.
>> I can connect with a securemote client from a window XP client to a
>> network behind the firewall.
>> The same connection fails under linux, using Shrew.
>>
>> I followed the instructions on the shrew site, with one difference: I'm
>> using a mutual RSA authentication (I have no password... anyway the
>> administrator of the firewall says that he cannot set any password on the
>> firewall, so this should be correct).
>> I use the DN of the certificates as id of the client and of the firewall.
>>
>> The connection fails after phase1, complaining that peer received a
>> MALFORMED-PAYLOAD.
>>
>> I must say that I have no firewall certificate, the admin says that he has
>> no knowledge of a FW certificate. In the securemote client, I extracted a
>> certificate from the cert(:xxx) string but it's the certificate of the CA,
>> and I'm using that one as certificate for the other endpoint.
>>
>
> Did you reverse the certificate string?
> If you have a pkcs12 client certificate you can extract a PEM version of
> the CA certificate from it, using openssl.
>
> Check out this post:
> http://lists.shrew.net/pipermail/vpn-help/2010-April/003254.html
> for how to reverse the :cert() string
> and this
> http://lists.shrew.net/pipermail/vpn-help/2010-April/003274.html
> for mutual RSA with Checkpoint
>
>
>  Is there anyone that has successfully connected from a linux client to a
>> check point NGX R65?
>>
>
> yes, from debian unstable to R65 and R55
>
>
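The trace above is long, and the useful facts in it are few: which proposal the gateway accepted, which main-mode message was on the wire when the PAYLOAD-MALFORMED notification came back, and whether the kernel-side message is a real fault. The following is an added triage script for this kind of `iked -F -d 6` output and the `n:key:value` / `s:key:value` site file; it is not part of the Shrew Soft client, and the function names (`parse_iked_log`, `parse_site_config`, `diagnose`, `check_site_config`) and the shortened log and site excerpts embedded in it are constructed for the example. It uses the IKEv1 main-mode ordering (initiator sends messages 1, 3 and 5; identities, certificates and signatures travel in message 5) to say which payloads the peer was looking at when it objected.

```python
"""Triage helper for Shrew Soft iked debug traces and site files (added example)."""
import re

# Constructed excerpt modelled on the trace in the post; not the full log.
SAMPLE_LOG = """\
K< : recv pfkey REGISTER ESP message
K! : recv X_SPDDUMP message failure ( errno = 2 )
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is identity protect
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 384 bytes )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 148 bytes )
ii : matched isakmp proposal #1 transform #1
ii : - cipher type  = 3des
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = sig-rsa
>> : key exchange payload
>> : cert request payload
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 265 bytes )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 40 bytes )
ii : received peer PAYLOAD-MALFORMED notification
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
ii : resend limit exceeded for phase1 exchange
"""

# Constructed subset of the site configuration from the post.
SAMPLE_SITE = """\
n:version:2
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:auth-server-cert:/home/larzeni/.ike/certs/checkpoint-internal-ca.pem
s:auth-client-cert:/home/larzeni/.ike/certs/larzeni-cert.pem
s:auth-client-key:/home/larzeni/.ike/certs/larzeni-key.pem
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
n:phase1-dhgroup:2
"""

PARAM_RE = re.compile(r"^ii : - (?P<name>[a-z ]+?)\s*= (?P<value>\S+)$")
SENT_RE = re.compile(r"^-> : send IKE packet .* \( (?P<size>\d+) bytes \)$")
NOTIFY_RE = re.compile(r"^ii : received peer (?P<type>[A-Z-]+) notification$")
KERNEL_ERR_RE = re.compile(r"^K! : (?P<msg>.+)$")

# What the initiator carries in each main-mode message it sends (IKEv1, RFC 2409).
MM_CONTENT = {1: "SA/vendor-id", 3: "KE/nonce/cert-request/NAT-D",
              5: "ID/cert/signature, encrypted"}

# Keys a mutual-rsa site file must carry for the daemon to authenticate at all.
MUTUAL_RSA_KEYS = ("auth-server-cert", "auth-client-cert", "auth-client-key")


def parse_iked_log(text):
    """Reduce an iked trace to the facts needed for phase 1 triage."""
    state = {"kernel_errors": [], "phase1_params": {}, "packets_sent": [],
             "notifications": [], "resends": 0, "resend_limit_exceeded": False}
    for line in text.splitlines():
        line = line.rstrip()
        if m := KERNEL_ERR_RE.match(line):
            state["kernel_errors"].append(m["msg"])
        elif m := PARAM_RE.match(line):
            state["phase1_params"][m["name"].strip()] = m["value"]
        elif m := SENT_RE.match(line):
            state["packets_sent"].append(int(m["size"]))
        elif m := NOTIFY_RE.match(line):
            # remember how many packets we had sent when the peer complained
            state["notifications"].append((m["type"], len(state["packets_sent"])))
        elif line.startswith("-> : resend "):
            state["resends"] += 1
        elif line == "ii : resend limit exceeded for phase1 exchange":
            state["resend_limit_exceeded"] = True
    return state


def parse_site_config(text):
    """Parse the n:/s: site file into a dict; n: values become ints."""
    cfg = {}
    for line in text.splitlines():
        kind, _, rest = line.partition(":")
        if kind not in ("n", "s") or not rest:
            continue
        key, _, value = rest.partition(":")
        cfg[key] = int(value) if kind == "n" else value
    return cfg


def check_site_config(cfg):
    """Return the cert/key entries a mutual-rsa site file is missing."""
    if cfg.get("auth-method") != "mutual-rsa":
        return []
    return [k for k in MUTUAL_RSA_KEYS if not cfg.get(k)]


def diagnose(log_state, cfg):
    """Turn the parsed trace and site file into short, ordered findings."""
    findings = []
    for msg in log_state["kernel_errors"]:
        # errno 2 is ENOENT: the SPD dump found no entries at startup
        findings.append(f"kernel: {msg}")
    p = log_state["phase1_params"]
    if p:
        proposal = f"{p.get('cipher type')}/{p.get('hash type')}/{p.get('dh group')}"
        findings.append(f"phase1: peer accepted {proposal} with {p.get('auth type')}")
        if p.get("cipher type") != cfg.get("phase1-cipher"):
            findings.append("phase1: negotiated cipher differs from site file")
    for ntype, after in log_state["notifications"]:
        mm = 2 * after - 1  # the initiator's n-th packet is main-mode message 2n-1
        findings.append(f"phase1: {ntype} received after main-mode message {mm} "
                        f"({MM_CONTENT.get(mm, 'unknown payloads')})")
    if log_state["resend_limit_exceeded"]:
        findings.append(f"phase1: gave up after {log_state['resends']} resends")
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_iked_log(SAMPLE_LOG), parse_site_config(SAMPLE_SITE)):
        print(f)
```

Run against the excerpt, it reports that the gateway accepted the 3des/sha1/modp-1024 proposal with RSA signatures and then objected right after main-mode message 3, i.e. before any identity or certificate payload had been sent, which narrows the next thing to inspect to the message 3 payloads (and the NAT-T / fragmentation options that shape them) rather than the certificates. Paste a real trace in place of `SAMPLE_LOG` to use it on a live capture.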