[vpn-help] Shrew (debian lenny) to Checkpoint NGX R65

Luca Arzeni l.arzeni at gmail.com
Thu May 13 12:58:05 CDT 2010


Alas Carmelo,
I followed all your tips, but I couldn't find any hint to help me.
I'm (sadly) stuck at my remote client... :-(
Thanks again, Luca

On Thu, May 6, 2010 at 10:17 AM, Carmelo Iannello
<c.iannello at codices.com> wrote:
> Luca Arzeni ha scritto:
>>
>> I didn't spot your second mail until now, but I've realized the bug in
>> ikea, so I set the asn1dn directly in ~/.ike/ by hand and ran ikec -r
>> default.
>
> Well, the bug is not in saving the conf, but in loading it, so you can still
> use ikea, just remember that anytime you save the configuration you have to
> reset the client identity part to ASN.1
>
>> I've set ike to 3DES/SHA1/1024 (the same parameters are used for phase 2).
>> If I don't set 3des (using AES, for example), I receive a "peer unknown
>> notification".
>
> This is probably due to the server-specific configuration: I have everything
> set to "auto", except for DH Exchange=group 2 in Phase1, PFS Exchange and
> Compression Algorithm in Phase 2, both set to disabled.
> Oh, and, of course, "Enable Checkpoint Compatible...", but that's quite
> obvious :)
>
>> Using 3des, it seems that phase1 was OK, but it cannot go on with phase2.
>> Am I missing something? I have no "firewall certificate" but only the CA
>> certificate. Aren't they the same thing?
>
> in this case, yes.
>
>> I spotted a message: "K! : recv X_SPDDUMP message failure ( errno = 2 )"
>> Is it something important?
>
> As a vpn-stuff user (as opposed to developer), I can't really tell.
> I could guess that maybe not, 'cause it's just a dump operation (i.e. print)
> You could investigate what errno = 2 is.
>
> In http://www.shrew.net/software/todo
> "Long Term Goals:
> Write a setkey replacement based on libpfk"
>
> So, "man setkey" should still be a good starting point, at least for knowing
> what we are talking about (I actually don't; well, not a lot :) ).
>
>> The error is on the line "ii : received peer PAYLOAD-MALFORMED
>> notification".
>> Do you have any hint?
>
> I could make a guess that the client is sending something that the server
> considers to be wrong.
> I have to say that I tried to use srfw.exe to sniff traffic when using the
> Windows proprietary client and, looking at the log file with Wireshark,
> there were malformed packets *when the connection succeeded*.
> Either I'm missing something, or the CP client and server are really sending
> each other some weird proprietary stuff.
>
> If you haven't tried yet and you want to make a comparison between the logs
> (ike/linux vs CP/windows), take a look at that page I mentioned:
> http://www.aelita.org/racoon/racoon-securemote-doc
>
> when it says: "2) The SecureClient has a powerful debugging feature that
> you can activate..."
>
> Use Wireshark to display the log file, check for "ISAKMP: Informational"
> messages, click on "Follow the UDP stream" and check the info in the lower
> frame.
> Bye
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Carmelo Iannello  Codices s.r.l.
> Via G. Malasoma 24
> 56121 Pisa, loc. Ospedaletto
> Tel: +39 050-3163667 (diretto)
> Tel: +39 050-3160136
> Fax: +39 050-9655150
> http://www.codices.com/
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>

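The thread above suggests inspecting the "ISAKMP: Informational" messages in a capture and working out what "errno = 2" means. As an added example, not code from the thread or from the Shrew Soft client, the following Python decoder reads the plaintext ISAKMP header and the first Notification payload of such a message (field layout per RFC 2408) and names the notify type, so a PAYLOAD-MALFORMED (16) or NO-PROPOSAL-CHOSEN (14) can be told apart without trusting a dissector. It also maps the errno from the log line to its symbolic name. The sample packet is constructed with build_notify(), not captured from a Check Point gateway. One caveat the code checks: once phase 1 is up, Informational exchanges carry the E flag and the body is encrypted under the phase 1 SA, so "Follow UDP stream" shows only ciphertext and the decoder returns just the header.

```python
# Added example (not from the thread or the Shrew Soft project): decode the
# plaintext ISAKMP header and first Notification payload of an Informational
# exchange, per RFC 2408. Sample bytes are constructed, not a real capture.
import errno
import os
import struct

ISAKMP_HDR_LEN = 28        # 8+8 cookies, next payload, version, exchange, flags, msg id, length
EXCH_INFORMATIONAL = 5
PAYLOAD_NOTIFY = 11
FLAG_ENCRYPTION = 0x01     # E bit: body is encrypted under the phase 1 SA

# RFC 2408 section 3.14.1 notify message types relevant to the thread.
NOTIFY_TYPES = {
    14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED",
    18: "INVALID-ID-INFORMATION",
    24: "AUTHENTICATION-FAILED",
}


def parse_isakmp_notify(packet: bytes) -> dict:
    """Return header fields and, when readable, the first Notification payload.

    Raises ValueError on a truncated or self-inconsistent packet. If the E flag
    is set the payload chain is ciphertext, so only the header is returned and
    'encrypted' is True and 'notify' stays None.
    """
    if len(packet) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, next_pl, version, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", packet[:ISAKMP_HDR_LEN]
    )
    if length != len(packet):
        raise ValueError(f"header length {length} != packet length {len(packet)}")
    info = {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": exch,
        "informational": exch == EXCH_INFORMATIONAL,
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msgid,
        "notify": None,
    }
    if info["encrypted"]:
        return info
    # Walk the payload chain (a HASH payload may precede the N payload).
    pl_type, off = next_pl, ISAKMP_HDR_LEN
    while pl_type != 0:
        if off + 4 > len(packet):
            raise ValueError("truncated payload header")
        nxt, _reserved, pl_len = struct.unpack("!BBH", packet[off:off + 4])
        if pl_len < 4 or off + pl_len > len(packet):
            raise ValueError("bad payload length")
        if pl_type == PAYLOAD_NOTIFY:
            if pl_len < 12:
                raise ValueError("notification payload too short")
            doi, proto, spi_size, ntype = struct.unpack("!IBBH", packet[off + 4:off + 12])
            if 12 + spi_size > pl_len:
                raise ValueError("SPI size exceeds payload")
            info["notify"] = {
                "doi": doi,
                "protocol_id": proto,
                "type": ntype,
                "name": NOTIFY_TYPES.get(ntype, f"UNKNOWN({ntype})"),
                "spi": packet[off + 12:off + 12 + spi_size].hex(),
                "data": packet[off + 12 + spi_size:off + pl_len],
            }
            break
        pl_type, off = nxt, off + pl_len
    return info


def build_notify(ntype: int, encrypted: bool = False) -> bytes:
    """Constructed sample: one Informational exchange with a single N payload
    (DOI 1 = IPsec, protocol 1 = ISAKMP, no SPI). Cookies are arbitrary."""
    notify = struct.pack("!BBH", 0, 0, 12) + struct.pack("!IBBH", 1, 1, 0, ntype)
    flags = FLAG_ENCRYPTION if encrypted else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, PAYLOAD_NOTIFY,
                      0x10, EXCH_INFORMATIONAL, flags, 0x12345678,
                      ISAKMP_HDR_LEN + len(notify))
    return hdr + notify


def describe_errno(num: int) -> str:
    """Map a numeric errno (the 'errno = 2' in the ikec log) to its C name."""
    return f"{os.strerror(num)} ({errno.errorcode.get(num, '?')})"


if __name__ == "__main__":
    print(parse_isakmp_notify(build_notify(16))["notify"]["name"])
    print(parse_isakmp_notify(build_notify(16, encrypted=True))["encrypted"])
    print(describe_errno(2))
```

To use it on a real capture, export the UDP payload of the suspect packet from Wireshark as raw bytes and pass it to parse_isakmp_notify(); an "encrypted" result means the notification has to be read from the client's own debug log rather than the wire.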