[vpn-help] Shrew (debian lenny) to Checkpoint NGX R65

Luca Arzeni l.arzeni at gmail.com
Fri May 14 04:41:42 CDT 2010


Hi Carmelo,
I've just one question before quitting my attempt to connect to the R65.

Googling on the net it seems that other people were able to connect
using openswan, but they were using a Checkpoint R65 HFA4... I'm
failing, but my fw is an HFA1.

Do you know what HFA was installed on the Checkpoint R65 that you were
able to connect?
Thanks, Luca


On Thu, May 13, 2010 at 7:58 PM, Luca Arzeni <l.arzeni at gmail.com> wrote:
> Alas Carmelo,
> I followed all your tips, but I couldn't find any hint to help me.
> I'm (sadly) stuck at my remote client... :-(
> Thanks again, Luca
>
> On Thu, May 6, 2010 at 10:17 AM, Carmelo Iannello
> <c.iannello at codices.com> wrote:
>> Luca Arzeni wrote:
>>>
>>> I didn't spot your second mail until now, but I've realized the bug on
>>> ikea, so I set the asn1dn directly on the ~/.ike/ by hand and run ikec -r
>>> default.
>>
>> Well, the bug is not in saving the conf, but in loading it, so you can still
>> use ikea, just remember that anytime you save the configuration you have to
>> reset the client identity part to ASN.1
>>
>>> I've set ike to 3DES/SHA1/1024 (the same parameters are used for phase 2).
>>> If I don't set 3des (using AES, for example), I receive a "peer unknown
>>> notification"
>>
>> This is probably due to the server specific configuration: I have everything
>> set to "auto", except for DH Exchange=group 2 in Phase1, PFS Exchange and
>> Compression Algorithm in Phase 2, both set to disabled.
>> Oh, and, of course "Enable Checkpoint Compatible...", but that's quite
>> obvious :)
>>
>>> Using 3des, it seems that phase1 was ok, but it cannot go with phase2.
>>> Am I missing something? I have no "firewall certificate" but only the ca
>>> certificate. Aren't they the same thing?
>>
>> in this case, yes.
>>
>>> I spotted a message: "K! : recv X_SPDDUMP message failure ( errno = 2 )"
>>> Is it something important?
>>
>> As a vpn-stuff user (as opposed to developer), I can't really tell.
>> I could guess that maybe not, 'cause it's just a dump operation (i.e. print)
>> You could investigate what errno = 2 is.
>>
>> In http://www.shrew.net/software/todo
>> "Long Term Goals:
>> Write a setkey replacement based on libpfk"
>>
>> So, "man setkey" should still be a good starting point, at least for knowing
>> what we are talking about (I actually don't. well, not a lot :) ).
>>
>>> The error is on the line "ii : received peer PAYLOAD-MALFORMED
>>> notification".
>>> Do you have any hint?
>>
>> I could make a guess that the client is sending something that the server
>> considers to be wrong.
>> I have to say that I tried to use srfw.exe to sniff traffic when using the
>> windows proprietary client and, looking at the log file with wireshark,
>> there were malformed packets *when the connection succeeded*.
>> Either I'm missing something, or CP client and server are really sending
>> each other some weird proprietary stuff.
>>
>> If you haven't tried yet and you want to make a comparison between the logs
>> (ike/linux vs CP/windows), take a look at that page I mentioned:
>> http://www.aelita.org/racoon/racoon-securemote-doc
>>
>> when it says: "2) The SecureClient has a powerful debugging feature that
>> you can activate..."
>>
>> Use wireshark to display the log file, check for "ISAKMP: Informational"
>> messages, click on "Follow the UDP stream" and check the info in the lower
>> frame.
>> Bye
>>
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Carmelo Iannello  Codices s.r.l.
>> Via G. Malasoma 24
>> 56121 Pisa, loc. Ospedaletto
>> Tel: +39 050-3163667 (direct)
>> Tel: +39 050-3160136
>> Fax: +39 050-9655150
>> http://www.codices.com/
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>
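Carmelo's advice above to look at the "ISAKMP: Informational" messages in Wireshark, and the "received peer PAYLOAD-MALFORMED notification" line in the Shrew log, both come down to reading the ISAKMP header and the Notification payload defined in RFC 2408. The following Python is an added example, not code from this thread, from Shrew Soft or from Check Point: it parses one ISAKMP datagram (the UDP payload of port 500 traffic) and decodes any Notification payloads it carries. The packets it runs on are constructed inside the script; the cookies, the message ID and the helper names (parse_isakmp, build_notify, is_well_formed) are hypothetical.

```python
import struct

# ISAKMP constants from RFC 2408 / RFC 2407; only the subset needed to read
# an unencrypted Informational exchange off a capture.
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE",
                 5: "ID", 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "Notification", 12: "Delete", 13: "VID"}
NOTIFY_TYPES = {1: "INVALID-PAYLOAD-TYPE", 7: "INVALID-EXCHANGE-TYPE",
                14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
                24: "AUTHENTICATION-FAILED", 30: "UNEQUAL-PAYLOAD-LENGTHS"}
FLAG_ENCRYPTION = 0x01        # header flag: the payload chain is ciphertext
PAYLOAD_NOTIFICATION = 11

# 28-byte header: I-cookie, R-cookie, next payload, version, exchange type,
# flags, message ID, total length.  Generic payload header: next, reserved,
# length.  Notification fixed part: DOI, protocol ID, SPI size, notify type.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
GENERIC_HDR = struct.Struct("!BBH")
NOTIFY_FIXED = struct.Struct("!IBBH")


def parse_notification(body):
    """Decode the fixed part of a Notification payload (generic header removed)."""
    if len(body) < NOTIFY_FIXED.size:
        raise ValueError("notification payload too short")
    doi, proto_id, spi_size, ntype = NOTIFY_FIXED.unpack_from(body)
    if NOTIFY_FIXED.size + spi_size > len(body):
        raise ValueError("SPI size exceeds payload")
    spi = body[NOTIFY_FIXED.size:NOTIFY_FIXED.size + spi_size]
    return {"doi": doi, "protocol_id": proto_id, "spi": spi.hex(),
            "notify_type": ntype,
            "notify_name": NOTIFY_TYPES.get(ntype, "unknown(%d)" % ntype)}


def parse_isakmp(pkt):
    """Parse one ISAKMP datagram; ValueError on any length inconsistency.

    payloads is None when the Encryption flag is set: the chain is then
    ciphertext and cannot be walked without the phase 1 keys (Wireshark shows
    only the header in that case too).
    """
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than ISAKMP header")
    icookie, rcookie, next_pl, ver, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("header length %d != datagram length %d" % (length, len(pkt)))
    result = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
              "version": "%d.%d" % (ver >> 4, ver & 0x0F),
              "exchange": EXCHANGE_TYPES.get(xchg, "unknown(%d)" % xchg),
              "flags": flags, "encrypted": bool(flags & FLAG_ENCRYPTION),
              "message_id": msg_id, "payloads": None}
    if result["encrypted"]:
        return result
    payloads, offset, ptype = [], ISAKMP_HDR.size, next_pl
    while ptype != 0:                      # next-payload 0 ends the chain
        if offset + GENERIC_HDR.size > len(pkt):
            raise ValueError("truncated payload header at offset %d" % offset)
        next_pl, _reserved, plen = GENERIC_HDR.unpack_from(pkt, offset)
        if plen < GENERIC_HDR.size or offset + plen > len(pkt):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        entry = {"type": PAYLOAD_TYPES.get(ptype, "unknown(%d)" % ptype)}
        if ptype == PAYLOAD_NOTIFICATION:
            entry.update(parse_notification(pkt[offset + GENERIC_HDR.size:offset + plen]))
        payloads.append(entry)
        offset, ptype = offset + plen, next_pl
    result["payloads"] = payloads
    return result


def is_well_formed(pkt):
    """True if the datagram parses without a length error."""
    try:
        parse_isakmp(pkt)
        return True
    except ValueError:
        return False


def build_notify(icookie, rcookie, notify_type, encrypted=False):
    """Construct a minimal Informational message with one Notification payload
    (hypothetical test data, not a captured packet)."""
    body = NOTIFY_FIXED.pack(1, 1, 0, notify_type)   # IPsec DOI, proto ISAKMP, no SPI
    payload = GENERIC_HDR.pack(0, 0, GENERIC_HDR.size + len(body)) + body
    flags = FLAG_ENCRYPTION if encrypted else 0
    hdr = ISAKMP_HDR.pack(icookie, rcookie, PAYLOAD_NOTIFICATION, 0x10, 5, flags,
                          0x1234, ISAKMP_HDR.size + len(payload))
    return hdr + payload


# Constructed samples: a responder rejecting our message as malformed, once in
# the clear and once with the Encryption flag set (same bytes, flag only).
SAMPLE_MALFORMED = build_notify(b"\x01" * 8, b"\x02" * 8, 16)
SAMPLE_ENCRYPTED = build_notify(b"\x01" * 8, b"\x02" * 8, 16, encrypted=True)

if __name__ == "__main__":
    for name, pkt in (("plaintext", SAMPLE_MALFORMED), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, parse_isakmp(pkt))
```

The point of the encryption check is practical: a PAYLOAD-MALFORMED notification sent after phase 1 has completed is normally carried in an encrypted Informational exchange, so neither Wireshark nor this parser can tell you which payload the peer objected to. Comparing a plaintext phase 1 trace from the working Windows client against the Shrew one, as Carmelo suggests, is then the only way to spot the difference.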