[vpn-help] Shrew (debian lenny) to Checkpoint NGX R65

Matthew Grooms mgrooms at shrew.net
Mon May 24 17:31:13 CDT 2010


On 5/14/2010 10:36 AM, Matthew Grooms wrote:
> On 5/14/2010 10:33 AM, Luca Arzeni wrote:
>> Hi Matthew,
>> I tested with the last stable version: 2.1.5
>>
>> then, after failure, I set up a vmware virtual machine and tested with
>> 2.1.6-beta-4.
>>
>> I didn't use the debian default release (2.1.4) since I understood
>> that it would not allow to connect to a checkpoint NGx R65.
>>
>> Do you think that I must attempt with a 2.2.x version?
>>
>> As additional info, I can say that I've tried also OpenSwan 2.6.25 but
>> I received the same error...
>>
>
> I'm not sure. I don't think the 2.2.x version will fare that much
> better. Did you post any log output? Maybe I missed it in your thread.
>

Luca,

A malformed payload notification typically indicates that the gateway is 
incapable of reading the packet sent by the peer. In my opinion, it may 
suggest that the IKE implementations are incompatible using the feature 
set you have enabled. Looking at your log output, the packet being 
rejected appears to contain the following payloads ...

 >> : key exchange payload
 >> : nonce payload
 >> : cert request payload
 >> : nat discovery payload
 >> : nat discovery payload

I have a hard time believing that the Shrew Soft client is incorrectly 
forming these payloads. More than likely, Checkpoint is choking on the 
payload content because it's so fickle about vendor ID checks. I would 
suggest disabling the NAT-T option as it is listed as unsupported in our 
Checkpoint NGx document under the section entitled "Known Issues".

-Matthew
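The reply above reasons from the list of payloads in the rejected packet (KE, NONCE, CERTREQ, two NAT-D) and from the meaning of a malformed-payload notification. The following is an added example, not code from the Shrew Soft project or from anyone in this thread: it builds a constructed IKEv1 (ISAKMP) message carrying exactly that payload chain, then walks the chain the way a gateway must before it can act on it, validating each generic payload header against the packet length. Header layout follows RFC 2408; payload type 20 for NAT-D follows RFC 3947, and 130 is the pre-RFC draft value. The payload bodies are stand-in bytes, not real DH values or NAT-D hashes.

```python
"""Walk the payload chain of an IKEv1 (ISAKMP) message and report what it carries.

Added example for the vpn-help thread; not Shrew Soft or Check Point code.
The sample packet is constructed to resemble the rejected message in the log:
key exchange, nonce, cert request and two NAT discovery payloads.
"""
import struct

ISAKMP_HEADER_LEN = 28   # 8-byte initiator cookie, 8-byte responder cookie, 12 bytes of fields
GENERIC_HEADER_LEN = 4   # next payload (1), reserved (1), payload length (2), RFC 2408 section 3.2

# Payload type numbers from RFC 2408 (1-13) and RFC 3947 (20); 130 is the draft NAT-D value.
PAYLOAD_NAMES = {
    0: "none", 1: "security association", 2: "proposal", 3: "transform",
    4: "key exchange", 5: "identification", 6: "certificate", 7: "cert request",
    8: "hash", 9: "signature", 10: "nonce", 11: "notification", 12: "delete",
    13: "vendor id", 20: "nat discovery", 130: "nat discovery (draft)",
}


class MalformedPayload(ValueError):
    """A payload header that does not fit the packet: the class of defect a
    gateway answers with a PAYLOAD-MALFORMED notification."""


def build_message(payloads):
    """Serialise [(payload_type, body_bytes), ...] into one ISAKMP message (constructed data)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        # Generic payload header: the length field counts the 4-byte header itself.
        body += struct.pack("!BBH", next_type, 0, GENERIC_HEADER_LEN + len(data)) + data
    first = payloads[0][0] if payloads else 0
    # Cookies (responder cookie zero at phase 1 start), first payload type, version 1.0,
    # exchange type 2 (identity protection), flags 0, message id 0, total length.
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10, 2, 0, 0,
                         ISAKMP_HEADER_LEN + len(body))
    return header + body


def walk_payloads(message):
    """Return the ordered payload names in `message`, raising MalformedPayload on any
    header whose length does not fit the packet (checked before the body is touched)."""
    if len(message) < ISAKMP_HEADER_LEN:
        raise MalformedPayload("packet shorter than the ISAKMP header")
    next_type = message[16]                                   # first payload type
    total_len = struct.unpack("!I", message[24:28])[0]        # length field in the header
    if total_len != len(message):
        raise MalformedPayload(f"header length {total_len} != packet length {len(message)}")
    offset, found = ISAKMP_HEADER_LEN, []
    while next_type != 0:
        if offset + GENERIC_HEADER_LEN > len(message):
            raise MalformedPayload(f"payload header at offset {offset} runs past end of packet")
        following, _reserved, plen = struct.unpack("!BBH", message[offset:offset + GENERIC_HEADER_LEN])
        if plen < GENERIC_HEADER_LEN or offset + plen > len(message):
            raise MalformedPayload(f"payload type {next_type} at offset {offset} claims length {plen}")
        found.append(PAYLOAD_NAMES.get(next_type, f"unknown({next_type})"))
        offset += plen
        next_type = following
    if offset != len(message):
        raise MalformedPayload(f"{len(message) - offset} trailing bytes after the last payload")
    return found


def diagnose(message):
    """Convenience wrapper: ('ok', [names]) or ('malformed', reason)."""
    try:
        return "ok", walk_payloads(message)
    except MalformedPayload as exc:
        return "malformed", str(exc)


# Constructed packet with the same payload chain as the rejected message in the log.
SAMPLE = build_message([
    (4, b"\xaa" * 128),   # key exchange: stand-in for a DH public value
    (10, b"\xbb" * 16),   # nonce
    (7, b"\x04"),         # cert request: encoding 4 = X.509 certificate, signature
    (20, b"\xcc" * 20),   # NAT-D: stand-in for the 20-byte SHA-1 hash
    (20, b"\xdd" * 20),   # NAT-D for the other address
])

# Same packet with the key exchange payload's length field overwritten with 0xFFFF.
_bad = bytearray(SAMPLE)
struct.pack_into("!H", _bad, ISAKMP_HEADER_LEN + 2, 0xFFFF)
BAD_LENGTH = bytes(_bad)

if __name__ == "__main__":
    for label, pkt in (("sample", SAMPLE), ("truncated", SAMPLE[:-1]), ("bad length", BAD_LENGTH)):
        print(label, diagnose(pkt))
```

Running the block prints the payload names for the sample packet and the reason the two damaged copies are rejected. The point of the walk is that a gateway decides "malformed" from the length fields alone, before it looks at vendor IDs or NAT-D contents, so a chain that parses cleanly here but is still rejected points at the peer's handling of the payload contents rather than at framing.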
