Thanks Carmelo,<br>it's nice to hear that someone was successfull at this! I'm using lenny, (kernel 2.6.26-2-amd64), but I hope that this is not a nett/kernel issue. <br><br>I've read your first mail (how to reverse the cert from userC.c), and I've already reversed the cert. <br>
I have a pkcs12 from the checkpint administrator, I followed the instructions from the debian guy and extracted ca.pem, my_key.pem and my_crt.pem.<br><br>I can confirm that the ca.pem reversed from userc.c it's the same of the one obtained directly from the pkcs12.<br>
<br>I didn't spotted your second mail until now, but I've realized the bug on ikea, so I set the asn1dn directly on the ~/.ike/ by hand and run ikec -r default.<br><br>I've set ike to 3DES/SHA1/1024 (the same parameters are used for phase 2. If I' don't set 3des (using AES, for example), I receive a "peer unknown notification"<br>
<br>Using 3des, it seems that phase1 was ok, but it cannot go with phase2. <br><br>Am I missing something?I'have no "firewall certificate" but only the ca certificate. Aren't they the same thing? <br><br>
I spotted a message:
"K! : recv X_SPDDUMP message failure ( errno = 2 )" it's something important?<br><br>The error is on the line "ii : received peer PAYLOAD-MALFORMED notification".<br>Do you have any hint?<br><br>
Your faithfully, Luca Arzeni<br><br>=== This is my site configuration ===<br><br>n:version:2<br>n:network-ike-port:500<br>n:network-mtu-size:1300<br>n:client-addr-auto:0<br>n:network-natt-port:4500<br>n:network-natt-rate:15<br>
n:network-frag-size:540<br>n:network-dpd-enable:1<br>n:network-notify-enable:1<br>n:client-banner-enable:0<br>n:client-dns-used:0<br>n:phase1-dhgroup:2<br>n:phase1-keylen:192<br>n:phase1-life-secs:3600<br>n:phase1-life-kbytes:0<br>
n:vendor-chkpt-enable:1<br>n:phase2-keylen:192<br>n:phase2-pfsgroup:2<br>n:phase2-life-secs:3600<br>n:phase2-life-kbytes:0<br>n:policy-nailed:1<br>n:policy-list-auto:0<br>s:client-ip-addr:192.168.144.4<br>s:client-ip-mask:255.255.255.255<br>
s:network-host:x.y.z.t<br>s:client-auto-mode:pull<br>s:client-iface:direct<br>s:network-natt-mode:enable<br>s:network-frag-mode:enable<br>s:auth-method:mutual-rsa<br>s:ident-client-type:asn1dn<br>s:ident-server-type:asn1dn<br>
s:auth-server-cert:/home/larzeni/.ike/certs/checkpoint-internal-ca.pem<br>s:auth-client-cert:/home/larzeni/.ike/certs/larzeni-cert.pem<br>s:auth-client-key:/home/larzeni/.ike/certs/larzeni-key.pem<br>s:phase1-exchange:main<br>
s:phase1-cipher:3des<br>s:phase1-hash:sha1<br>s:phase2-transform:3des<br>s:phase2-hmac:sha1<br>s:ipcomp-transform:deflate<br>s:policy-list-include:192.168.255.0 / 255.255.255.0<br><br>=== and this is the output from the command "iked -F -d 6" ===<br>
<br>ii : created ike socket <a href="http://0.0.0.0:500" target="_blank">0.0.0.0:500</a><br>ii : created natt socket <a href="http://0.0.0.0:4500" target="_blank">0.0.0.0:4500</a><br>
## : IKE Daemon, ver 2.1.5<br>## : Copyright 2009 Shrew Soft Inc.<br>## : This product linked OpenSSL 0.9.8g 19 Oct 2007<br>ii : opened '/var/log/iked.log'<br>ii : opened '/var/log/ike-encrypt.pcap'<br>ii : opened '/var/log/ike-decrypt.pcap'<br>
ii : pfkey process thread begin ...<br>ii : network process thread begin ...<br>ii : ipc server process thread begin ...<br>K< : recv pfkey REGISTER AH message<br>K< : recv pfkey REGISTER ESP message<br>K< : recv pfkey REGISTER IPCOMP message<br>
K! : recv X_SPDDUMP message failure ( errno = 2 )<br><br><br>ii : ipc client process thread begin ...<br><A : peer config add message<br>DB : peer added ( obj count = 1 )<br>ii : local address 192.168.144.4 selected for peer<br>
DB : tunnel added ( obj count = 1 )<br><A : proposal config message<br><A : proposal config message<br><A : proposal config message<br><A : client config message<br><A : remote cert '/home/larzeni/.ike/certs/checkpoint-internal-ca.pem' message<br>
ii : '/home/larzeni/.ike/certs/checkpoint-internal-ca.pem' loaded<br><A : local cert '/home/larzeni/.ike/certs/larzeni-cert.pem' message<br>ii : '/home/larzeni/.ike/certs/larzeni-cert.pem' loaded<br>
<A : local key '/home/larzeni/.ike/certs/larzeni-key.pem' message<br>!! : '/home/larzeni/.ike/certs/larzeni-key.pem' load failed, requesting password<br><A : file password<br><A : local key '/home/larzeni/.ike/certs/larzeni-key.pem' message<br>
ii : '/home/larzeni/.ike/certs/larzeni-key.pem' loaded<br><A : remote resource message<br><A : peer tunnel enable message<br>ii : obtained x509 cert subject ( 73 bytes )<br>DB : new phase1 ( ISAKMP initiator )<br>
DB : exchange type is identity protect<br>DB : <a href="http://192.168.144.4:500">192.168.144.4:500</a> <-> x.y.z.t:500<br>DB : d7bc5ca1ef159ea9:0000000000000000<br>DB : phase1 added ( obj count = 1 )<br>>> : security association payload<br>
>> : - proposal #1 payload<br>>> : -- transform #1 payload<br>>> : vendor id payload<br>ii : local supports nat-t ( draft v00 )<br>>> : vendor id payload<br>ii : local supports nat-t ( draft v01 )<br>
>> : vendor id payload<br>ii : local supports nat-t ( draft v02 )<br>>> : vendor id payload<br>ii : local supports nat-t ( draft v03 )<br>>> : vendor id payload<br>ii : local supports nat-t ( rfc )<br>>> : vendor id payload<br>
ii : local supports FRAGMENTATION<br>>> : vendor id payload<br>ii : local supports DPDv1<br>>> : vendor id payload<br>ii : local is SHREW SOFT compatible<br>>> : vendor id payload<br>ii : local is NETSCREEN compatible<br>
>> : vendor id payload<br>ii : local is SIDEWINDER compatible<br>>> : vendor id payload<br>ii : local is CISCO UNITY compatible<br>>> : vendor id payload<br>ii : local is CHECKPOINT compatible<br>>= : cookies d7bc5ca1ef159ea9:0000000000000000<br>
>= : message 00000000<br>-> : send IKE packet <a href="http://192.168.144.4:500">192.168.144.4:500</a> -> x.y.z.t:500 ( 384 bytes )<br>DB : phase1 resend event scheduled ( ref count = 2 )<br><- : recv IKE packet x.y.z.t:500 -> <a href="http://192.168.144.4:500">192.168.144.4:500</a> ( 148 bytes )<br>
DB : phase1 found<br>ii : processing phase1 packet ( 148 bytes )<br>=< : cookies d7bc5ca1ef159ea9:d6f040907755cb6f<br>=< : message 00000000<br><< : security association payload<br><< : - propsal #1 payload<br>
<< : -- transform #1 payload<br>ii : matched isakmp proposal #1 transform #1<br>ii : - transform = ike<br>ii : - cipher type = 3des<br>ii : - key length = default<br>ii : - hash type = sha1<br>ii : - dh group = modp-1024<br>
ii : - auth type = sig-rsa<br>ii : - life seconds = 3600<br>ii : - life kbytes = 0<br><< : vendor id payload<br>ii : peer supports nat-t ( draft v02 )<br><< : vendor id payload<br>ii : peer is CHECKPOINT compatible<br>
>> : key exchange payload<br>>> : nonce payload<br>>> : cert request payload<br>>> : nat discovery payload<br>>> : nat discovery payload<br>>= : cookies d7bc5ca1ef159ea9:d6f040907755cb6f<br>
>= : message 00000000<br>DB : phase1 resend event canceled ( ref count = 1 )<br>-> : send IKE packet <a href="http://192.168.144.4:500">192.168.144.4:500</a> -> x.y.z.t:500 ( 265 bytes )<br>DB : phase1 resend event scheduled ( ref count = 2 )<br>
<- : recv IKE packet x.y.z.t:500 -> <a href="http://192.168.144.4:500">192.168.144.4:500</a> ( 40 bytes )<br>DB : phase1 found<br>ii : processing informational packet ( 40 bytes )<br>== : new informational iv ( 8 bytes )<br>
=< : cookies d7bc5ca1ef159ea9:d6f040907755cb6f<br>=< : message 776a44a4<br><< : notification payload<br>ii : received peer PAYLOAD-MALFORMED notification<br>ii : - x.y.z.t:500 -> <a href="http://192.168.144.4:500">192.168.144.4:500</a><br>
ii : - isakmp spi = none<br>ii : - data size 0<br>-> : resend 1 phase1 packet(s) <a href="http://192.168.144.4:500">192.168.144.4:500</a> -> x.y.z.t:500<br>-> : resend 1 phase1 packet(s) <a href="http://192.168.144.4:500">192.168.144.4:500</a> -> x.y.z.t:500<br>
-> : resend 1 phase1 packet(s) <a href="http://192.168.144.4:500">192.168.144.4:500</a> -> x.y.z.t:500<br>-> : resend 1 phase1 packet(s) <a href="http://192.168.144.4:500">192.168.144.4:500</a> -> x.y.z.t:500<br>
-> : resend 1 phase1 packet(s) <a href="http://192.168.144.4:500">192.168.144.4:500</a> -> x.y.z.t:500<br>
-> : resend 1 phase1 packet(s) <a href="http://192.168.144.4:500">192.168.144.4:500</a> -> x.y.z.t:500<br>
ii : resend limit exceeded for phase1 exchange<br>ii : phase1 removal before expire time<br>DB : phase1 deleted ( obj count = 0 )<br>DB : policy not found<br>DB : policy not found<br>DB : tunnel stats event canceled ( ref count = 1 )<br>
DB : removing tunnel config references<br>DB : removing tunnel phase2 references<br>DB : removing tunnel phase1 references<br>DB : tunnel deleted ( obj count = 0 )<br>DB : removing all peer tunnel refrences<br>DB : peer deleted ( obj count = 0 )<br>
ii : ipc client process thread exit ...<br><br>=== thaks again, Luca ===<br><br><div class="gmail_quote">On Sun, May 2, 2010 at 9:08 PM, Carmelo Iannello <span dir="ltr"><<a href="mailto:c.iannello@codices.com" target="_blank">c.iannello@codices.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Luca Arzeni ha scritto:<div><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi there,<br>
I'm trying to connect a client (debian lenny) with a checkpoint firewall NGX R65.<br>
I can connect with a securemote client from a window XP client to a network behind the firewall.<br>
The same connection fails under linux, using Shrew.<br>
<br>
I followed the instructions on the shred site, with one difference: I'm using a mutual RSA authentication (I have no password... anyway the administrator of the firewall says that he cannot set any password on the firewall, so this should be correct).<br>
I use the DN of the certificates as id of the client and of the firewall.<br>
<br>
The connection fails after phase1, complaining that peer received a MALFORMED-PAYLOAD.<br>
<br>
I must say that I have no firewall certificate, tha admin says that he has no knowledge of a FW certificate. In the securemote client, I extracted a certificate from the cert(:xxx) string but it's the certificate of the ca, and I'm using that one as certificate for the other endpoint.<br>
</blockquote>
<br></div>
Did you reversed the certificate string?<br>
If you have a pkcs12 client certificate you can extract a PEM version of the CA certificate from it, using openssl.<br>
<br>
Check out this post:<br>
<a href="http://lists.shrew.net/pipermail/vpn-help/2010-April/003254.html" target="_blank">http://lists.shrew.net/pipermail/vpn-help/2010-April/003254.html</a><br>
for how to reverse the :cert() string<br>
and this<br>
<a href="http://lists.shrew.net/pipermail/vpn-help/2010-April/003274.html" target="_blank">http://lists.shrew.net/pipermail/vpn-help/2010-April/003274.html</a><br>
for mutual RSA with Checkpoint<div><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Is there anyone that has successfully connected from a linux client to a check point NGX R65?<br>
</blockquote>
<br></div>
yes, from debian unstable to R65 and R55<br>
<br>
</blockquote></div><br><br>