[vpn-help] Cannot connect to checkpoint firewall

Antenore Gatta antenore at gmail.com
Sun Jun 26 05:17:58 CDT 2011


Hi all,

first of all thanks a lot for this fantastic software!

I'm trying to connect to a checkpoint firewall, I've followed the
documentation, but it seems there is something missing in my config.

I can provide a userc.C configuration file (privately) in case of need.

This is the log of the connection that fails:


==> /var/log/iked.log <==
11/06/26 11:56:57 ii : ipc client process thread begin ...
11/06/26 11:56:57 <A : peer config add message
11/06/26 11:56:57 <A : proposal config message
11/06/26 11:56:57 <A : proposal config message
11/06/26 11:56:57 <A : client config message
11/06/26 11:56:57 <A : xauth username message
11/06/26 11:56:57 <A : xauth password message
11/06/26 11:56:57 <A : local id '' message
11/06/26 11:56:57 <A : remote certificate data message
11/06/26 11:56:57 ii : remote certificate read complete ( 726 bytes )
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : remote resource message
11/06/26 11:56:57 <A : peer tunnel enable message
11/06/26 11:56:57 DB : peer added ( obj count = 1 )
11/06/26 11:56:57 ii : local address 192.168.0.11 selected for peer
11/06/26 11:56:57 DB : tunnel added ( obj count = 1 )
11/06/26 11:56:57 DB : new phase1 ( ISAKMP initiator )
11/06/26 11:56:57 DB : exchange type is identity protect
11/06/26 11:56:57 DB : 192.168.0.11:500 <-> 123.123.123.123:500
11/06/26 11:56:57 DB : 3c7427610150fdba:0000000000000000
11/06/26 11:56:57 DB : phase1 added ( obj count = 1 )
11/06/26 11:56:57 >> : security association payload
11/06/26 11:56:57 >> : - proposal #1 payload
11/06/26 11:56:57 >> : -- transform #1 payload
11/06/26 11:56:57 >> : -- transform #2 payload
11/06/26 11:56:57 >> : -- transform #3 payload
11/06/26 11:56:57 >> : -- transform #4 payload
11/06/26 11:56:57 >> : -- transform #5 payload
11/06/26 11:56:57 >> : -- transform #6 payload
11/06/26 11:56:57 >> : -- transform #7 payload
11/06/26 11:56:57 >> : -- transform #8 payload
11/06/26 11:56:57 >> : -- transform #9 payload
11/06/26 11:56:57 >> : -- transform #10 payload
11/06/26 11:56:57 >> : -- transform #11 payload
11/06/26 11:56:57 >> : -- transform #12 payload
11/06/26 11:56:57 >> : -- transform #13 payload
11/06/26 11:56:57 >> : -- transform #14 payload
11/06/26 11:56:57 >> : -- transform #15 payload
11/06/26 11:56:57 >> : -- transform #16 payload
11/06/26 11:56:57 >> : -- transform #17 payload
11/06/26 11:56:57 >> : -- transform #18 payload
11/06/26 11:56:57 >> : vendor id payload
11/06/26 11:56:57 ii : local supports XAUTH
11/06/26 11:56:57 >> : vendor id payload
11/06/26 11:56:57 ii : local supports FRAGMENTATION
11/06/26 11:56:57 >> : vendor id payload
11/06/26 11:56:57 >> : vendor id payload
11/06/26 11:56:57 ii : local supports DPDv1
11/06/26 11:56:57 >> : vendor id payload
11/06/26 11:56:57 ii : local is SHREW SOFT compatible
11/06/26 11:56:57 >> : vendor id payload
11/06/26 11:56:57 ii : local is NETSCREEN compatible
11/06/26 11:56:57 >> : vendor id payload
11/06/26 11:56:57 ii : local is SIDEWINDER compatible
11/06/26 11:56:57 >> : vendor id payload
11/06/26 11:56:57 ii : local is CISCO UNITY compatible
11/06/26 11:56:57 >> : vendor id payload
11/06/26 11:56:57 ii : local is CHECKPOINT compatible
11/06/26 11:56:57 >= : cookies 3c7427610150fdba:0000000000000000
11/06/26 11:56:57 >= : message 00000000
11/06/26 11:56:57 -> : send IKE packet 192.168.0.11:500 -> 123.123.123.123:500 ( 976 bytes )
11/06/26 11:56:57 DB : phase1 resend event scheduled ( ref count = 2 )
11/06/26 11:56:57 <- : recv IKE packet 123.123.123.123:500 -> 192.168.0.11:500 ( 286 bytes )
11/06/26 11:56:57 DB : phase1 found
11/06/26 11:56:57 ii : processing informational packet ( 286 bytes )
11/06/26 11:56:57 =< : cookies 3c7427610150fdba:0000000000000000
11/06/26 11:56:57 =< : message d370f942
11/06/26 11:56:57 << : notification payload
11/06/26 11:56:57 ii : received peer unknown notification
11/06/26 11:56:57 ii : - 123.123.123.123:500 -> 192.168.0.11:500
11/06/26 11:56:57 ii : - isakmp spi = none
11/06/26 11:56:57 ii : - data size 246
11/06/26 11:57:07 -> : resend 1 phase1 packet(s) [0/2] 192.168.0.11:500 -> 123.123.123.123:500

==> /var/log/wcstatus.log <==
3056597872 : device : (2011-06-26 / 11:57:11.036964) :
wg_status_adapter_event_thread: broke out of read for IP interface
state changes.
3056597872 : device : (2011-06-26 / 11:57:11.037084) :
wg_status_adapter_event_thread: calling event function so the event
can be processed.
3056597872 : device : (2011-06-26 / 11:57:11.037775) :
wg_status_gather_unix_add_new_ifaces: see if we have new ifaces
3056597872 : device : (2011-06-26 / 11:57:11.037852) :
wg_status_gather_linux_if_info: The ifr struct from hwaddr ioctl for
adapter eth0 is
    0x0000 : 65 74 68 30 00 00 00 00 00 00 00 00 00 00 00 00 	
[eth0............]
    0x0010 : 01 00 48 5b 39 4a 32 eb c8 d9 2f b6 b1 90 81 b7 	
[..H[9J2.../.....]
.
3056597872 : device : (2011-06-26 / 11:57:11.037918) :
wg_status_gather_linux_if_info: The adapter description for adapter
eth0 is Ethernet.
3056597872 : device : (2011-06-26 / 11:57:11.038535) :
wg_status_linux_hw_name:  eth0 is a PCI interface.
3056597872 : device : (2011-06-26 / 11:57:11.048482) :
wg_status_gather_linux_if_info: The ifr struct from hwaddr ioctl for
adapter wlan0 is
    0x0000 : 77 6c 61 6e 30 00 00 00 00 00 00 00 00 00 00 00 	
[wlan0...........]
    0x0010 : 01 00 1c 4b d6 a8 32 25 c8 d9 2f b6 30 99 81 b7 	
[...K..2%../.0...]
.
3056597872 : device : (2011-06-26 / 11:57:11.048542) :
wg_status_gather_linux_if_info: The adapter description for adapter
wlan0 is Ethernet.
3056597872 : device : (2011-06-26 / 11:57:11.048991) :
wg_status_linux_hw_name:  wlan0 is a PCI interface.
3056597872 : device : (2011-06-26 / 11:57:11.054520) : <Name:  wlan0 >
	<Received Stats: (6641850 Byte)(9096 Pack)(0000 Err) >
	<Transmit Stats: (1909780 Byte)(8155 Pack)(0000 Err) >
3056597872 : device : (2011-06-26 / 11:57:11.054566) : <Name: wlan0
><Wireless Link Quality 0055 >
	<Wireless Quality Level 0201 >
	<Wireless Noise Quality 0000 ><Wireless Missed Beacon 0000 >
	<Wireless Discarded: (0000 NWID)(0000 Crypt)(0000 Frag)(0003 Rtry)(0425 Misc) >
3056597872 : device : (2011-06-26 / 11:57:11.054601) :
wg_status_gather_impl::wg_consumer_add_item added object to consumer
signal the consumer thread.

==> /var/log/iked.log <==
11/06/26 11:57:17 -> : resend 1 phase1 packet(s) [1/2] 192.168.0.11:500 -> 123.123.123.123:500
11/06/26 11:57:27 -> : resend 1 phase1 packet(s) [2/2] 192.168.0.11:500 -> 123.123.123.123:500
11/06/26 11:57:37 ii : resend limit exceeded for phase1 exchange
11/06/26 11:57:37 ii : phase1 removal before expire time
11/06/26 11:57:37 DB : phase1 deleted ( obj count = 0 )
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : policy not found
11/06/26 11:57:37 DB : removing tunnel config references
11/06/26 11:57:37 DB : removing tunnel phase2 references
11/06/26 11:57:37 DB : removing tunnel phase1 references
11/06/26 11:57:37 DB : tunnel deleted ( obj count = 0 )
11/06/26 11:57:37 DB : removing all peer tunnel refrences
11/06/26 11:57:37 DB : peer deleted ( obj count = 0 )
11/06/26 11:57:37 ii : ipc client process thread exit ...


Can you kindly help me find out where the issue is and how to solve it?

Thank you very much in advance
Best regards

--

Antenore Gatta
Free Software Foundation Europe
FSFE fellow #1881
http://www.fsfeurope.org
http://fslug.simbiosi.org
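The log above shows the peer answering the first main-mode packet with a 286-byte informational exchange that iked can only report as "peer unknown notification" (ISAKMP SPI none, 246 bytes of data). The next diagnostic step is to capture that packet and decode the Notify Message Type yourself. The following Python decoder is an added example, not part of the original post and not Shrew Soft code: it parses the fixed ISAKMP header and a clear-text Notification payload per RFC 2408 and names the notify type or the RFC range it falls in. The cookies, message ID and byte sizes of the constructed sample packets are taken from the log; the notify type values and the 246 data bytes are invented for the demo and say nothing about what the Check Point gateway actually sent.

```python
import struct

# ISAKMP constants from RFC 2408 (header layout, payload and exchange types, notify types).
PAYLOAD_NOTIFICATION = 11
EXCHANGE_INFORMATIONAL = 5
FLAG_ENCRYPTION = 0x01
HEADER_LEN = 28
DOI_IPSEC = 1

EXCHANGE_TYPES = {1: "base", 2: "identity protect", 3: "authentication only",
                  4: "aggressive", 5: "informational"}
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
    4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
    10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED", 17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
    19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE", 21: "CERT-TYPE-UNSUPPORTED",
    22: "INVALID-CERT-AUTHORITY", 23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION", 27: "NOTIFY-SA-LIFETIME",
    28: "CERTIFICATE-UNAVAILABLE", 29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
    16384: "CONNECTED",
}


def classify_notify(ntype):
    """Name a Notify Message Type, or say which RFC 2408 range an unnamed value falls in."""
    if ntype in NOTIFY_TYPES:
        return NOTIFY_TYPES[ntype]
    if 31 <= ntype <= 8191:
        return "reserved error type"
    if 8192 <= ntype <= 16383:
        return "private-use error type"
    if 16385 <= ntype <= 24575:
        return "reserved status type"
    if 24576 <= ntype <= 32767:
        return "DOI-specific status type"
    if 32768 <= ntype <= 40959:
        return "private-use status type"
    return "unassigned"


def build_informational(icookie, rcookie, msg_id, ntype, data, flags=0):
    """Build a one-payload ISAKMP informational exchange (used here to construct sample input)."""
    body = struct.pack("!IBBH", DOI_IPSEC, 1, 0, ntype) + data   # protocol 1 = ISAKMP, SPI size 0
    payload = struct.pack("!BBH", 0, 0, 4 + len(body)) + body     # next payload 0 = none
    header = struct.pack("!8s8sBBBBII", icookie, rcookie, PAYLOAD_NOTIFICATION, 0x10,
                         EXCHANGE_INFORMATIONAL, flags, msg_id, HEADER_LEN + len(payload))
    return header + payload


def parse_informational(pkt):
    """Decode the ISAKMP header and, when the packet is clear-text, its first Notification payload."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, np, ver, etype, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", pkt[:HEADER_LEN])
    if length != len(pkt):
        raise ValueError("header length %d != packet length %d" % (length, len(pkt)))
    out = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "version": ver,
           "exchange": EXCHANGE_TYPES.get(etype, "unknown(%d)" % etype),
           "msg_id": "%08x" % msg_id, "encrypted": bool(flags & FLAG_ENCRYPTION)}
    if out["encrypted"]:
        return out            # payloads need the phase 1 keys; only the header is readable
    if np != PAYLOAD_NOTIFICATION:
        out["first_payload"] = np
        return out
    _, _, plen = struct.unpack("!BBH", pkt[HEADER_LEN:HEADER_LEN + 4])
    if plen < 12 or HEADER_LEN + plen > len(pkt):
        raise ValueError("bad notification payload length %d" % plen)
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", pkt[HEADER_LEN + 4:HEADER_LEN + 12])
    spi_start = HEADER_LEN + 12
    out.update({"doi": doi, "proto": proto,
                "spi": pkt[spi_start:spi_start + spi_size].hex() or "none",
                "notify_type": ntype, "notify_name": classify_notify(ntype),
                "data_len": HEADER_LEN + plen - spi_start - spi_size})
    return out


# Constructed samples: cookies, message ID and sizes mirror the iked.log above
# (28-byte header + 258-byte payload = 286 bytes, SPI none, 246 data bytes);
# the notify types (14 and 24576) and the data bytes are invented for the demo.
ICOOKIE = bytes.fromhex("3c7427610150fdba")
RCOOKIE = bytes(8)
MSG_ID = 0xD370F942
DATA = bytes(range(246))
SAMPLE_STANDARD = build_informational(ICOOKIE, RCOOKIE, MSG_ID, 14, DATA)
SAMPLE_PRIVATE = build_informational(ICOOKIE, RCOOKIE, MSG_ID, 24576, DATA)

if __name__ == "__main__":
    for pkt in (SAMPLE_STANDARD, SAMPLE_PRIVATE):
        print(parse_informational(pkt))
```

To apply this to a real failure, capture the exchange on the client with `tcpdump -ni eth0 -s0 -w ike.pcap udp port 500` while iked retries, then feed the UDP payload of the 286-byte reply to `parse_informational`. A named error type (for example NO-PROPOSAL-CHOSEN) points at the phase 1 proposal list; a value in a DOI-specific or private-use range means the gateway is using a vendor notification, which is exactly the case where iked gives up with "peer unknown notification". If the encryption flag is set the payload cannot be read without the phase 1 keys, and the header fields are all the decoder reports.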


