[vpn-help] Shrew (debian lenny) to Checkpoint NGX R65

Carmelo Iannello c.iannello at codices.com
Thu May 6 03:17:28 CDT 2010 

Luca Arzeni ha scritto:
> I didn't spotted your second mail until now, but I've realized the bug 
> on ikea, so I set the asn1dn directly on the ~/.ike/ by hand and run 
> ikec -r default.

Well, the bug is not in saving the conf, but in loading it, so you can 
still use ikea, just remember that anytime you save the configuration 
you have to reset the client identity part to ASN.1

> I've set ike to 3DES/SHA1/1024 (the same parameters are used for phase 
> 2. If I' don't set 3des (using AES, for example), I receive a "peer 
> unknown notification"

This is probably due to the server specific configuration: I have 
everything set to "auto", except for DH Exchange=group 2  in Phase1, PFS 
Exchange and Compression Algorithm in Phase 2, both set to disabled.
Oh, and, of course "Enable Checkpoint Compatible...", but that' s quite 
obvious :)

> Using 3des, it seems that phase1 was ok, but it cannot go with phase2.
> Am I missing something?I'have no "firewall certificate" but only the 
> ca certificate. Aren't they the same thing?

in this case, yes.

> I spotted a message: "K! : recv X_SPDDUMP message failure ( errno = 2 
> )"  it's something important?

As a vpn-stuff user (as opposed to developer), I can't really tell.
I could guess that maybe not, 'cause it's just a dump operation (i.e. print)
You could investigate what errno = 2 is.

In http://www.shrew.net/software/todo
"Long Term Goals:
 Write a setkey replacement based on libpfk"

So, "man setkey" should still be a good starting point, at least for 
knowing what we are talking about (I actually don't. well, not a lot :) ).

> The error is on the line "ii : received peer PAYLOAD-MALFORMED 
> notification".
> Do you have any hint?

I could make a guess that the client is sending something that the 
server consider to be wrong.
I have to say that I tried to use srfw.exe to sniff traffic when using 
the windows proprietary client and, looking at the log file with 
wireshark, there  were malformed packets *when the connection succeded*.
Either I'm missing something, or CP client and server are really sending 
each other some weird proprietary stuff.

If you haven't tried yet and you want to make a comparison between the 
logs (ike/linux vs CP/windows) , take a look a that page I mentioned:
http://www.aelita.org/racoon/racoon-securemote-doc

when it says: "2) The SecureClient has a powerfull debugging feature 
that you can activate..."

Use wireshark to display the log file, check for "ISAKMP: Informational" 
messages, click on "Follow the UDP stream" and check the info in the 
lower frame.
Bye

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carmelo Iannello  
Codices s.r.l.
Via G. Malasoma 24
56121 Pisa, loc. Ospedaletto
Tel: +39 050-3163667 (diretto)
Tel: +39 050-3160136
Fax: +39 050-9655150
http://www.codices.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More information about the vpn-help mailing list