[vpn-help] Shrew (debian lenny) to Checkpoint NGX R65

Luca Arzeni l.arzeni at gmail.com
Fri May 14 10:59:51 CDT 2010


Hi Matthew,
here they are...

*** This is my site configuration ***

n:version:2
n:network-ike-port:500
n:network-mtu-size:1300
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:0
n:client-dns-used:0
n:phase1-dhgroup:2
n:phase1-keylen:192
n:phase1-life-secs:3600
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:1
n:phase2-keylen:192
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:0
s:client-ip-addr:192.168.144.4
s:client-ip-mask:255.255.255.255
s:network-host:x.y.z.t
s:client-auto-mode:pull
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:auth-server-cert:/home/larzeni/.ike/certs/checkpoint-internal-ca.pem
s:auth-client-cert:/home/larzeni/.ike/certs/larzeni-cert.pem
s:auth-client-key:/home/larzeni/.ike/certs/larzeni-key.pem
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:3des
s:phase2-hmac:sha1
s:ipcomp-transform:deflate
s:policy-list-include:192.168.255.0 / 255.255.255.0

*** and this is the output from the command "iked -F -d 6" ***

ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.1.5
## : Copyright 2009 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8g 19 Oct 2007
ii : opened '/var/log/iked.log'
ii : opened '/var/log/ike-encrypt.pcap'
ii : opened '/var/log/ike-decrypt.pcap'
ii : pfkey process thread begin ...
ii : network process thread begin ...
ii : ipc server process thread begin ...
K< : recv pfkey REGISTER AH message
K< : recv pfkey REGISTER ESP message
K< : recv pfkey REGISTER IPCOMP message
K! : recv X_SPDDUMP message failure ( errno = 2 )


ii : ipc client process thread begin ...
<A : peer config add message
DB : peer added ( obj count = 1 )
ii : local address 192.168.144.4 selected for peer
DB : tunnel added ( obj count = 1 )
<A : proposal config message
<A : proposal config message
<A : proposal config message
<A : client config message
<A : remote cert '/home/larzeni/.ike/certs/checkpoint-internal-ca.pem' message
ii : '/home/larzeni/.ike/certs/checkpoint-internal-ca.pem' loaded
<A : local cert '/home/larzeni/.ike/certs/larzeni-cert.pem' message
ii : '/home/larzeni/.ike/certs/larzeni-cert.pem' loaded
<A : local key '/home/larzeni/.ike/certs/larzeni-key.pem' message
!! : '/home/larzeni/.ike/certs/larzeni-key.pem' load failed, requesting password
<A : file password
<A : local key '/home/larzeni/.ike/certs/larzeni-key.pem' message
ii : '/home/larzeni/.ike/certs/larzeni-key.pem' loaded
<A : remote resource message
<A : peer tunnel enable message
ii : obtained x509 cert subject ( 73 bytes )
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is identity protect
DB : 192.168.144.4:500 <-> x.y.z.t:500
DB : d7bc5ca1ef159ea9:0000000000000000
DB : phase1 added ( obj count = 1 )
>> : security association payload
>> : - proposal #1 payload
>> : -- transform #1 payload
>> : vendor id payload
ii : local supports nat-t ( draft v00 )
>> : vendor id payload
ii : local supports nat-t ( draft v01 )
>> : vendor id payload
ii : local supports nat-t ( draft v02 )
>> : vendor id payload
ii : local supports nat-t ( draft v03 )
>> : vendor id payload
ii : local supports nat-t ( rfc )
>> : vendor id payload
ii : local supports FRAGMENTATION
>> : vendor id payload
ii : local supports DPDv1
>> : vendor id payload
ii : local is SHREW SOFT compatible
>> : vendor id payload
ii : local is NETSCREEN compatible
>> : vendor id payload
ii : local is SIDEWINDER compatible
>> : vendor id payload
ii : local is CISCO UNITY compatible
>> : vendor id payload
ii : local is CHECKPOINT compatible
>= : cookies d7bc5ca1ef159ea9:0000000000000000
>= : message 00000000
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 384 bytes )
DB : phase1 resend event scheduled ( ref count = 2 )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 148 bytes )
DB : phase1 found
ii : processing phase1 packet ( 148 bytes )
=< : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
=< : message 00000000
<< : security association payload
<< : - propsal #1 payload
<< : -- transform #1 payload
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = 3des
ii : - key length   = default
ii : - hash type    = sha1
ii : - dh group     = modp-1024
ii : - auth type    = sig-rsa
ii : - life seconds = 3600
ii : - life kbytes  = 0
<< : vendor id payload
ii : peer supports nat-t ( draft v02 )
<< : vendor id payload
ii : peer is CHECKPOINT compatible
>> : key exchange payload
>> : nonce payload
>> : cert request payload
>> : nat discovery payload
>> : nat discovery payload
>= : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
>= : message 00000000
DB : phase1 resend event canceled ( ref count = 1 )
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 265 bytes )
DB : phase1 resend event scheduled ( ref count = 2 )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 40 bytes )
DB : phase1 found
ii : processing informational packet ( 40 bytes )
== : new informational iv ( 8 bytes )
=< : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
=< : message 776a44a4
<< : notification payload
ii : received peer PAYLOAD-MALFORMED notification
ii : - x.y.z.t:500 -> 192.168.144.4:500
ii : - isakmp spi = none
ii : - data size 0
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
ii : resend limit exceeded for phase1 exchange
ii : phase1 removal before expire time
DB : phase1 deleted ( obj count = 0 )
DB : policy not found
DB : policy not found
DB : tunnel stats event canceled ( ref count = 1 )
DB : removing tunnel config references
DB : removing tunnel phase2 references
DB : removing tunnel phase1 references
DB : tunnel deleted ( obj count = 0 )
DB : removing all peer tunnel refrences
DB : peer deleted ( obj count = 0 )
ii : ipc client process thread exit ...

Thanks for your help,
Luca

On Fri, May 14, 2010 at 5:36 PM, Matthew Grooms <mgrooms at shrew.net> wrote:
> On 5/14/2010 10:33 AM, Luca Arzeni wrote:
>>
>> Hi Matthew,
>> I tested with the last stable version: 2.1.5
>>
>> then, after failure, I setup a vmware virtual machine and tested with
>> 2.1.6-beta-4.
>>
>> I didn't use the debian default release (2.1.4) since I understood
>> that it would not allow to connect to a checkpoint NGx R65.
>>
>> Do you think that I must attempt with a 2.2.x version?
>>
>> As additional info, I can say that I've tried also OpenSwan 2.6.25 but
>> I received the same error...
>>
>
> I'm not sure. I don't think the 2.2.x version will fare that much better.
> Did you post any log output? Maybe I missed it in your thread.
>
> -Matthew
>
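One way to triage a trace like the one above, as an added example that is not part of the original post or of the Shrew Soft tools: a small Python reader for the `iked -F -d 6` line format that replays the log and records which outbound main-mode packet drew the PAYLOAD-MALFORMED notification, and whether the SA proposal had already been matched when it arrived. The embedded sample is a constructed excerpt in the same format; the prefixes and message texts it matches are the ones that appear in the log above.

```python
import re
# Constructed excerpt in the format of the "iked -F -d 6" output above, not the full log.
SAMPLE_LOG = """\
>> : security association payload
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 384 bytes )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 148 bytes )
ii : matched isakmp proposal #1 transform #1
>> : key exchange payload
>> : nonce payload
>> : cert request payload
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 265 bytes )
ii : received peer PAYLOAD-MALFORMED notification
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
ii : resend limit exceeded for phase1 exchange
"""
# Top-level payloads queued for the next outbound packet; "- proposal" sub-payloads are skipped.
PAYLOAD_RE = re.compile(r"^>> : (?!- )(.+?) payload$")
NOTIFY_RE = re.compile(r"^ii : received peer ([A-Z0-9-]+) notification")

def analyze_phase1(log_text):
    # Replay the log in order and record which outbound phase 1 packet the peer rejected.
    r = {"sent": 0, "proposal_matched": False, "notification": None,
         "rejected_message": None, "rejected_payloads": [], "resend_limit_exceeded": False}
    pending, last_sent = [], []  # payloads logged since the last send / in the last send
    for line in log_text.splitlines():
        m, n = PAYLOAD_RE.match(line), NOTIFY_RE.match(line)
        if m and m.group(1) not in pending:
            pending.append(m.group(1))
        elif line.startswith("-> : send IKE packet"):
            r["sent"] += 1
            last_sent, pending = pending, []
        elif line.startswith("ii : matched isakmp proposal"):
            r["proposal_matched"] = True
        elif n:  # a notify where the next main-mode reply should be refers to the packet just sent
            r.update(notification=n.group(1), rejected_message=r["sent"],
                     rejected_payloads=list(last_sent))
        elif line.startswith("ii : resend limit exceeded"):
            r["resend_limit_exceeded"] = True
    return r

def diagnosis(r):
    # One-line summary: which packet failed, and whether the SA proposal had already been agreed.
    if r["notification"] is None:
        return "no peer notification seen"
    stage = "after" if r["proposal_matched"] else "before"
    text = (f"sent packet #{r['rejected_message']} ({', '.join(r['rejected_payloads'])}) drew "
            f"{r['notification']} {stage} the proposal was agreed")
    if r["resend_limit_exceeded"]:
        text += "; phase 1 abandoned after the resend limit was exceeded"
    return text
```

Run over the full log above it points at the second sent packet (key exchange, nonce, cert request, nat discovery), i.e. the proposal itself was accepted and the rejection concerns what follows it.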
