[vpn-help] Shrew (debian lenny) to Checkpoint NGX R65
Carmelo Iannello
c.iannello at codices.com
Thu May 6 03:17:28 CDT 2010
Luca Arzeni wrote:
> I didn't spot your second mail until now, but I've realized the bug
> on ikea, so I set the asn1dn directly on the ~/.ike/ by hand and ran
> ikec -r default.
Well, the bug is not in saving the conf, but in loading it, so you can
still use ikea; just remember that any time you save the configuration
you have to reset the client identity part to ASN.1.
> I've set ike to 3DES/SHA1/1024 (the same parameters are used for phase
> 2). If I don't set 3des (using AES, for example), I receive a "peer
> unknown notification".
This is probably due to the server specific configuration: I have
everything set to "auto", except for DH Exchange=group 2 in Phase1, PFS
Exchange and Compression Algorithm in Phase 2, both set to disabled.
Oh, and, of course, "Enable Checkpoint Compatible...", but that's quite
obvious :)
> Using 3des, it seems that phase1 was ok, but it cannot go with phase2.
> Am I missing something? I have no "firewall certificate", only the
> ca certificate. Aren't they the same thing?
In this case, yes.
> I spotted a message: "K! : recv X_SPDDUMP message failure ( errno = 2
> )". Is it something important?
As a vpn-stuff user (as opposed to developer), I can't really tell.
I could guess that maybe not, 'cause it's just a dump operation (i.e. print).
You could investigate what errno = 2 is.
In http://www.shrew.net/software/todo:
"Long Term Goals:
Write a setkey replacement based on libpfk"
So, "man setkey" should still be a good starting point, at least for
knowing what we are talking about (I actually don't; well, not a lot :) ).
> The error is on the line "ii : received peer PAYLOAD-MALFORMED
> notification".
> Do you have any hint?
I could make a guess that the client is sending something that the
server considers to be wrong.
I have to say that I tried to use srfw.exe to sniff traffic when using
the windows proprietary client and, looking at the log file with
wireshark, there were malformed packets *when the connection succeeded*.
Either I'm missing something, or CP client and server are really sending
each other some weird proprietary stuff.
If you haven't tried yet and you want to make a comparison between the
logs (ike/linux vs CP/windows), take a look at that page I mentioned:
http://www.aelita.org/racoon/racoon-securemote-doc
where it says: "2) The SecureClient has a powerful debugging feature
that you can activate..."
Use wireshark to display the log file, check for "ISAKMP: Informational"
messages, click on "Follow the UDP stream" and check the info in the
lower frame.
Bye
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carmelo Iannello
Codices s.r.l.
Via G. Malasoma 24
56121 Pisa, loc. Ospedaletto
Tel: +39 050-3163667 (diretto)
Tel: +39 050-3160136
Fax: +39 050-9655150
http://www.codices.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
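Wireshark's "Follow the UDP stream" shows the raw bytes of those "ISAKMP: Informational" messages; the script below is an added example (not from this thread, Shrew Soft or Check Point) that decodes the RFC 2408 ISAKMP header and walks the payload chain of a plaintext IKEv1 message, listing the Notify payloads such as PAYLOAD-MALFORMED (type 16) or NO-PROPOSAL-CHOSEN (type 14). Informational messages sent after the ISAKMP SA is up carry the encryption flag and cannot be decoded without the session keys, so the parser reports those as encrypted instead of guessing. The SPIs, message ID and the sample message are constructed here for the demo, and the notify-type table is a hand-picked subset of RFC 2408; the same decoder can be run over the UDP/500 payloads of both the Shrew and SecureClient captures to compare what each side actually sent.

```python
"""Decode plaintext ISAKMP (IKEv1) messages and list the Notify payloads they carry.
Added example for reading "ISAKMP: Informational" messages; constructed sample data."""
import struct

ISAKMP_HEADER_LEN = 28      # RFC 2408 section 3.1: SPIs, next payload, version, exchange, flags, msg id, length
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 11
FLAG_ENCRYPTION = 0x01      # E bit: payloads after the header are encrypted

EXCHANGE_TYPES = {
    1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode",
}
# Subset of RFC 2408 section 3.14.1 notify message types that matter when a negotiation fails
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 7: "INVALID-EXCHANGE-TYPE", 9: "INVALID-MESSAGE-ID",
    11: "INVALID-SPI", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED",
}


def build_notify_message(notify_type: int, encrypted: bool = False) -> bytes:
    """Construct a sample Informational exchange carrying one Notify payload.
    The SPIs and message ID are made-up test values, not captured traffic."""
    # Notify body: DOI (IPsec = 1), protocol ID (ISAKMP = 1), SPI size 0, notify message type
    notify_body = struct.pack("!IBBH", 1, 1, 0, notify_type)
    # Generic payload header: next payload (none), reserved, total payload length
    notify = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(notify_body)) + notify_body
    flags = FLAG_ENCRYPTION if encrypted else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, PAYLOAD_NOTIFY,
                         0x10, 5, flags, 0x12345678, ISAKMP_HEADER_LEN + len(notify))
    return header + notify


def parse_isakmp(datagram: bytes) -> dict:
    """Decode the ISAKMP header and, for plaintext messages, walk the payload chain
    collecting Notify payloads. Messages with the E flag set are reported as encrypted
    with an empty notification list, since they cannot be read without the keys."""
    if len(datagram) < ISAKMP_HEADER_LEN:
        raise ValueError("datagram shorter than ISAKMP header")
    (i_spi, r_spi, next_payload, version, exch,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", datagram[:ISAKMP_HEADER_LEN])
    if length > len(datagram):
        raise ValueError(f"header length {length} exceeds datagram size {len(datagram)}")
    result = {
        "initiator_spi": i_spi.hex(), "responder_spi": r_spi.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": exch, "exchange_name": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "message_id": msg_id, "encrypted": bool(flags & FLAG_ENCRYPTION),
        "payloads": [], "notifications": [],
    }
    if result["encrypted"]:
        return result
    offset, ptype = ISAKMP_HEADER_LEN, next_payload
    while ptype != PAYLOAD_NONE:
        if offset + 4 > length:
            raise ValueError("payload chain runs past message length")
        nxt, _reserved, plen = struct.unpack("!BBH", datagram[offset:offset + 4])
        if plen < 4 or offset + plen > length:
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        body = datagram[offset + 4:offset + plen]
        result["payloads"].append(ptype)
        if ptype == PAYLOAD_NOTIFY:
            if len(body) < 8:
                raise ValueError("truncated Notify payload")
            doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
            if len(body) < 8 + spi_size:
                raise ValueError("Notify SPI runs past payload")
            result["notifications"].append({
                "doi": doi, "protocol_id": proto, "spi": body[8:8 + spi_size].hex(),
                "type": ntype, "name": NOTIFY_TYPES.get(ntype, f"unknown({ntype})"),
                "data": body[8 + spi_size:],
            })
        offset, ptype = offset + plen, nxt
    return result


if __name__ == "__main__":
    sample = build_notify_message(16)   # constructed PAYLOAD-MALFORMED notification
    decoded = parse_isakmp(sample)
    print(decoded["exchange_name"], [n["name"] for n in decoded["notifications"]])
```

To use it on a real capture, export the UDP payload of each port 500 datagram from Wireshark (or read it with a pcap library) and pass the bytes to parse_isakmp(); the Main Mode and Quick Mode messages that precede the failure decode the same way as long as they are not yet encrypted.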