[vpn-help] Shrew (debian lenny) to Checkpoint NGX R65
Matthew Grooms
mgrooms at shrew.net
Mon May 24 17:31:13 CDT 2010
On 5/14/2010 10:36 AM, Matthew Grooms wrote:
> On 5/14/2010 10:33 AM, Luca Arzeni wrote:
>> Hi Matthew,
>> I tested with the last stable version: 2.1.5
>>
>> then, after failure, I setup a vmware virtual machine and tested with
>> 2.1.6-beta-4.
>>
>> I didn't use the debian default release (2.1.4) since I understood
>> that it would not allow to connect to a checkpoint NGx R65.
>>
>> Do you think that I must attempt with a 2.2.x version?
>>
>> As additional info, I can say that I've tried also OpenSwan 2.6.25 but
>> I reveived the same error...
>>
>
> I'm not sure. I don't think the 2.2.x version will fair that much
> better. Did you post any log output? Maybe I missed it in your thread.
>
Luca,
A malformed payload notification typically indicates that the gateway is
incapable of reading the packet sent by the peer. In my opinion, it may
suggest that the IKE implementations are incompatible using the feature
set you have enabled. Looking at your log output, the packet being
rejected appears to contain the following payloads ...
>> : key exchange payload
>> : nonce payload
>> : cert request payload
>> : nat discovery payload
>> : nat discovery payload
I have a hard time believing that the Shrew Soft client is incorrectly
forming these payloads. More than likely, Checkpoint is choking on the
payload content because its so fickle about vendor ID checks. I would
suggest disabling the NAT-T option as it is listed as unsupported in our
Checkpoint NGx document under the section entitled "Known Issues".
-Matthew
More information about the vpn-help
mailing list