[vpn-help] Cannot connect to checkpoint firewall

[kevin vpn]

On Sun, 26 Jun 2011 12:17:58 +0200
Antenore Gatta <antenore at gmail.com> wrote:

> Hi all,
> 
> first of all thanks a lot for this fantastic software!
> 
> I'm trying to connect to a checkpoint firewall, I've followed the
> documentation, but it seems there is something missing in my config.
> 
> 11/06/26 11:56:57 -> : send IKE packet 192.168.0.11:500 ->
> 123.123.123.123:500 ( 976 bytes )
> 11/06/26 11:56:57 DB : phase1 resend event scheduled ( ref count = 2 )
> 11/06/26 11:56:57 <- : recv IKE packet 123.123.123.123:500 ->
> 192.168.0.11:500 ( 286 bytes )
> 11/06/26 11:56:57 DB : phase1 found
> 11/06/26 11:56:57 ii : processing informational packet ( 286 bytes )
> 11/06/26 11:56:57 =< : cookies 3c7427610150fdba:0000000000000000
> 11/06/26 11:56:57 =< : message d370f942
> 11/06/26 11:56:57 << : notification payload
> 11/06/26 11:56:57 ii : received peer unknown notification
> 11/06/26 11:56:57 ii : - 123.123.123.123:500 -> 192.168.0.11:500
> 11/06/26 11:56:57 ii : - isakmp spi = none
> 11/06/26 11:56:57 ii : - data size 246
> 11/06/26 11:57:07 -> : resend 1 phase1 packet(s) [0/2]
> 192.168.0.11:500 -> 123.123.123.123:500
> 
> ==> /var/log/iked.log <==
> 11/06/26 11:57:17 -> : resend 1 phase1 packet(s) [1/2]
> 192.168.0.11:500 -> 123.123.123.123:500
> 11/06/26 11:57:27 -> : resend 1 phase1 packet(s) [2/2]
> 192.168.0.11:500 -> 123.123.123.123:500
> 11/06/26 11:57:37 ii : resend limit exceeded for phase1 exchange
> 11/06/26 11:57:37 ii : phase1 removal before expire time
> 11/06/26 11:57:37 DB : phase1 deleted ( obj count = 0 )
...
> 
> Can you kindly help to find out where is the issue and how to solve
> it?
> 

Hi Antenore,

The "resend 1 phase1 packet(s)" messages in the iked.log file suggest
that the CheckPoint gateway is not responding to the Shrew client's
packets.  You may have to look that the CheckPoint logs to see if the
packets are even arriving at the gateway, and if they are, why the
CheckPoint is not responding to them.