[vpn-help] CheckPoint VPN server with mutual RSA

Carmelo Iannello c.iannello at codices.com
Mon Apr 26 12:37:13 CDT 2010


Hi everybody.
I have some problems configuring a connection to a CheckPoint VPN server.
It works perfectly for a user/password authentication scenario (Hybrid
RSA + Xauth), but when it comes to pkcs12 authentication something goes
wrong.

On Windows with the Checkpoint SecuRemote client I configured the
gateway, put in the p12 certificate and it just works.
On Linux with Shrew Soft ike + ikea I followed this HOWTO:

http://www.shrew.net/support/wiki/HowtoCheckpoint


setting:
- "Mutual RSA" as the Authentication Method
- Local identity: User FQDN with a blank string
- Remote identity: "IP Address" and "Use discovered remote host address"
(any other combination of local and remote identity gives: INVALID-ID-INFORMATION)
- Credentials: the CA cert, the client cert and the client key (created from the pkcs12 file using openssl)
- Phase 1 DH Exchange proposal: group 2

Everything else strictly follows the HOWTO.
I execute iked with the "-d 6 -F" options; the last things it prints when connecting are the following lines, then it gets stuck.
Any clue?
Thanks in advance.

Carm


DB : phase1 found
DB : phase1 ref increment ( ref count = 2, obj count = 1 )
ii : processing phase1 packet ( 228 bytes )
=< : cookies 76fe8c6e5343afc9:f2e2f75eedf3d48b
=< : message 00000000
<< : key exchange payload
<< : nonce payload
<< : cert request payload
<< : cert request payload
ii : nat-t is disabled locally
== : DH shared secret ( 128 bytes )
== : SETKEYID ( 16 bytes )
== : SETKEYID_d ( 16 bytes )
== : SETKEYID_a ( 16 bytes )
== : SETKEYID_e ( 16 bytes )
== : cipher key ( 32 bytes )
== : cipher iv ( 16 bytes )
>> : identification payload
>> : certificate payload
== : phase1 hash_i ( computed ) ( 16 bytes )
>> : signature payload
>= : cookies 76fe8c6e5343afc9:f2e2f75eedf3d48b
>= : message 00000000
>= : encrypt iv ( 16 bytes )
== : encrypt packet ( 909 bytes )
== : stored iv ( 16 bytes )
DB : phase1 resend event canceled ( ref count = 1 )
-> : send IKE packet 192.168.10.162:500 -> <server_ip>:500 ( 952 bytes )
DB : phase1 ref decrement ( ref count = 0, obj count = 1 )
<- : recv IKE packet <server_ip>:500 -> 192.168.10.162:500 ( 61 bytes )
DB : phase1 found
DB : phase1 ref increment ( ref count = 1, obj count = 1 )
ii : processing informational packet ( 61 bytes )
== : new informational iv ( 16 bytes )
=< : cookies 76fe8c6e5343afc9:f2e2f75eedf3d48b
=< : message 032d370f
<< : notification payload
ii : received peer unknown notification
ii : - <server_ip>:500 -> 192.168.10.162:500
ii : - isakmp spi = none
ii : - data size 21
DB : phase1 ref decrement ( ref count = 0, obj count = 1 )


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carmelo Iannello  
Codices s.r.l.
Via G. Malasoma 24
56121 Pisa, loc. Ospedaletto
Tel: +39 050-3163667 (diretto)
Tel: +39 050-3160136
Fax: +39 050-9655150
http://www.codices.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
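As an added example for this thread (not part of Carmelo's post and not Shrew Soft code): a small Python parser for the `iked -d 6` trace format shown above. It assumes only the line layout visible in the trace (a two-character tag, ` : `, then the message, with `<<` for received payloads, `>>` for sent payloads and `ii` for informational lines) and works out where Main Mode stopped: whether the peer ever answered our ID/CERT/SIG message, how many CERTREQ payloads it sent, and whether the only reply was a notification iked could not decode. The embedded sample trace is constructed from the post, with the server address replaced by a documentation IP.

```python
"""Summarise a Shrew Soft iked '-d 6' trace of an IKEv1 Main Mode exchange.

Added example for this thread, not Shrew Soft code. It assumes the line
format visible in the trace: a two-character tag, ' : ', then the message.
Tags used here: '<<' payload received, '>>' payload sent, 'ii' informational.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r'^(?P<tag>\S{2}) : (?P<msg>.*)$')

# Constructed sample, reduced from the trace in the post (server IP replaced).
SAMPLE_TRACE = """\
ii : processing phase1 packet ( 228 bytes )
<< : key exchange payload
<< : nonce payload
<< : cert request payload
<< : cert request payload
>> : identification payload
>> : certificate payload
>> : signature payload
-> : send IKE packet 192.168.10.162:500 -> 203.0.113.10:500 ( 952 bytes )
<- : recv IKE packet 203.0.113.10:500 -> 192.168.10.162:500 ( 61 bytes )
ii : processing informational packet ( 61 bytes )
<< : notification payload
ii : received peer unknown notification
ii : - data size 21
"""


@dataclass
class Phase1Summary:
    received: list = field(default_factory=list)  # payload names the peer sent
    sent: list = field(default_factory=list)      # payload names we sent
    cert_requests: int = 0                        # CERTREQ payloads from the peer
    unknown_notify: bool = False                  # peer sent a notification iked could not decode
    auth_answered: bool = False                   # peer sent its own ID/SIG after our auth message


def parse_trace(text):
    """Walk the trace line by line and record the payload sequence."""
    summary = Phase1Summary()
    sent_auth = False  # becomes True once we have sent our signature payload
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tag, msg = m.group('tag'), m.group('msg')
        if tag == '<<' and msg.endswith(' payload'):
            name = msg[:-len(' payload')]
            summary.received.append(name)
            if name == 'cert request':
                summary.cert_requests += 1
            # In Main Mode the peer's reply to our ID/CERT/SIG is its own ID/SIG.
            if sent_auth and name in ('identification', 'signature'):
                summary.auth_answered = True
        elif tag == '>>' and msg.endswith(' payload'):
            name = msg[:-len(' payload')]
            summary.sent.append(name)
            if name == 'signature':
                sent_auth = True
        elif tag == 'ii' and 'unknown notification' in msg:
            summary.unknown_notify = True
    return summary


def diagnose(summary):
    """Return a short list of findings about where phase 1 stopped."""
    findings = []
    if 'signature' in summary.sent and not summary.auth_answered:
        findings.append('peer never answered our ID/CERT/SIG message: '
                        'phase 1 stalled at certificate authentication')
    if summary.unknown_notify:
        findings.append('peer replied with a notification iked does not decode; '
                        'the gateway log is the place to read the rejection reason')
    if summary.cert_requests:
        findings.append(f'peer sent {summary.cert_requests} CERTREQ payload(s): it names '
                        'the CA(s) it trusts, so check the CA cert and client cert chain')
    return findings


if __name__ == '__main__':
    result = parse_trace(SAMPLE_TRACE)
    for finding in diagnose(result):
        print('-', finding)
```

Run it against a saved `iked -d 6 -F` trace by reading the file into `parse_trace` instead of `SAMPLE_TRACE`; the useful signal is the combination "we sent signature, peer sent nothing but a notification", which places the failure at the gateway's validation of the client identity or certificate rather than in the DH or proposal negotiation that completed just before.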