[vpn-help] Checkpoint NGX 8.2.39n - network access issue

Matthew Austin maustin at otsys.com
Sat May 14 14:57:09 CDT 2011


I've kept plugging away at this and have gone so far as to download
and work through some minor build issues with the head revision with
no real delta.  I'm getting through phase 1 and when I ping an
internal host it initiates phase 2.  The appliance reports in the log
that phase 2 negotiation completes successfully but the ping does not
return.  Here is the iked.log debug output from when I initiate the
ping forward.

11/05/14 12:46:53 K< : recv pfkey ACQUIRE ESP message
11/05/14 12:46:53 DB : policy found
11/05/14 12:46:53 DB : policy found
11/05/14 12:46:53 DB : tunnel found
11/05/14 12:46:53 DB : new phase2 ( IPSEC initiator )
11/05/14 12:46:53 DB : phase2 added ( obj count = 1 )
11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
11/05/14 12:46:53 DB : phase2 found
11/05/14 12:46:53 ii : updated spi for 1 ipsec-esp proposal
11/05/14 12:46:53 DB : phase1 found
11/05/14 12:46:53 >> : hash payload
11/05/14 12:46:53 >> : security association payload
11/05/14 12:46:53 >> : - proposal #1 payload
11/05/14 12:46:53 >> : -- transform #1 payload
11/05/14 12:46:53 >> : -- transform #2 payload
11/05/14 12:46:53 >> : -- transform #3 payload
11/05/14 12:46:53 >> : -- transform #4 payload
11/05/14 12:46:53 >> : -- transform #5 payload
11/05/14 12:46:53 >> : -- transform #6 payload
11/05/14 12:46:53 >> : -- transform #7 payload
11/05/14 12:46:53 >> : -- transform #8 payload
11/05/14 12:46:53 >> : -- transform #9 payload
11/05/14 12:46:53 >> : -- transform #10 payload
11/05/14 12:46:53 >> : -- transform #11 payload
11/05/14 12:46:53 >> : -- transform #12 payload
11/05/14 12:46:53 >> : -- transform #13 payload
11/05/14 12:46:53 >> : -- transform #14 payload
11/05/14 12:46:53 >> : -- transform #15 payload
11/05/14 12:46:53 >> : -- transform #16 payload
11/05/14 12:46:53 >> : -- transform #17 payload
11/05/14 12:46:53 >> : -- transform #18 payload
11/05/14 12:46:53 >> : -- transform #19 payload
11/05/14 12:46:53 >> : -- transform #20 payload
11/05/14 12:46:53 >> : -- transform #21 payload
11/05/14 12:46:53 >> : -- transform #22 payload
11/05/14 12:46:53 >> : -- transform #23 payload
11/05/14 12:46:53 >> : -- transform #24 payload
11/05/14 12:46:53 >> : -- transform #25 payload
11/05/14 12:46:53 >> : -- transform #26 payload
11/05/14 12:46:53 >> : -- transform #27 payload
11/05/14 12:46:53 >> : -- transform #28 payload
11/05/14 12:46:53 >> : -- transform #29 payload
11/05/14 12:46:53 >> : -- transform #30 payload
11/05/14 12:46:53 >> : -- transform #31 payload
11/05/14 12:46:53 >> : -- transform #32 payload
11/05/14 12:46:53 >> : -- transform #33 payload
11/05/14 12:46:53 >> : -- transform #34 payload
11/05/14 12:46:53 >> : -- transform #35 payload
11/05/14 12:46:53 >> : -- transform #36 payload
11/05/14 12:46:53 >> : -- transform #37 payload
11/05/14 12:46:53 >> : -- transform #38 payload
11/05/14 12:46:53 >> : -- transform #39 payload
11/05/14 12:46:53 >> : -- transform #40 payload
11/05/14 12:46:53 >> : -- transform #41 payload
11/05/14 12:46:53 >> : -- transform #42 payload
11/05/14 12:46:53 >> : -- transform #43 payload
11/05/14 12:46:53 >> : -- transform #44 payload
11/05/14 12:46:53 >> : -- transform #45 payload
11/05/14 12:46:53 >> : nonce payload
11/05/14 12:46:53 >> : identification payload
11/05/14 12:46:53 >> : identification payload
11/05/14 12:46:53 == : phase2 hash_i ( input ) ( 1460 bytes )
11/05/14 12:46:53 == : phase2 hash_i ( computed ) ( 16 bytes )
11/05/14 12:46:53 == : new phase2 iv ( 16 bytes )
11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
11/05/14 12:46:53 >= : message e75b342c
11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
11/05/14 12:46:53 == : encrypt packet ( 1504 bytes )
11/05/14 12:46:53 == : stored iv ( 16 bytes )
11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 ->
173.164.101.125:500 ( 1544 bytes )
11/05/14 12:46:53 DB : phase2 resend event scheduled ( ref count = 2 )
11/05/14 12:46:53 <- : recv IKE packet 173.164.101.125:500 ->
192.168.0.161:500 ( 172 bytes )
11/05/14 12:46:53 DB : phase1 found
11/05/14 12:46:53 ii : processing phase2 packet ( 172 bytes )
11/05/14 12:46:53 DB : phase2 found
11/05/14 12:46:53 =< : cookies f8d338c27cbb826c:2881de11b69d9df3
11/05/14 12:46:53 =< : message e75b342c
11/05/14 12:46:53 =< : decrypt iv ( 16 bytes )
11/05/14 12:46:53 == : decrypt packet ( 172 bytes )
11/05/14 12:46:53 <= : trimmed packet padding ( 16 bytes )
11/05/14 12:46:53 <= : stored iv ( 16 bytes )
11/05/14 12:46:53 << : hash payload
11/05/14 12:46:53 << : security association payload
11/05/14 12:46:53 << : - propsal #1 payload
11/05/14 12:46:53 << : -- transform #1 payload
11/05/14 12:46:53 << : nonce payload
11/05/14 12:46:53 << : identification payload
11/05/14 12:46:53 << : identification payload
11/05/14 12:46:53 == : phase2 hash_r ( input ) ( 132 bytes )
11/05/14 12:46:53 == : phase2 hash_r ( computed ) ( 16 bytes )
11/05/14 12:46:53 == : phase2 hash_r ( received ) ( 16 bytes )
11/05/14 12:46:53 ii : matched ipsec-esp proposal #1 transform #1
11/05/14 12:46:53 ii : - transform    = esp-aes
11/05/14 12:46:53 ii : - key length   = 256 bits
11/05/14 12:46:53 ii : - encap mode   = tunnel
11/05/14 12:46:53 ii : - msg auth     = hmac-md5
11/05/14 12:46:53 ii : - pfs dh group = none
11/05/14 12:46:53 ii : - life seconds = 3600
11/05/14 12:46:53 ii : - life kbytes  = 0
11/05/14 12:46:53 DB : policy found
11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
11/05/14 12:46:53 DB : phase2 found
11/05/14 12:46:53 ii : phase2 ids accepted
11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
11/05/14 12:46:53 ii : phase2 sa established
11/05/14 12:46:53 ii : 192.168.0.161:500 <-> 173.164.101.125:500
11/05/14 12:46:53 == : phase2 hash_p ( input ) ( 45 bytes )
11/05/14 12:46:53 == : phase2 hash_p ( computed ) ( 16 bytes )
11/05/14 12:46:53 >> : hash payload
11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
11/05/14 12:46:53 >= : message e75b342c
11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
11/05/14 12:46:53 == : encrypt packet ( 48 bytes )
11/05/14 12:46:53 == : stored iv ( 16 bytes )
11/05/14 12:46:53 DB : phase2 resend event canceled ( ref count = 1 )
11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 ->
173.164.101.125:500 ( 88 bytes )
11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message

It feels like it is soooo close.

On Wed, May 11, 2011 at 5:33 PM, Matthew Austin <maustin at otsys.com> wrote:
> Just a quick update that I downloaded and built 2.1.7 on ubuntu 11.04
> with no change.  We've tested this with ubuntu 10.10 and 11.04 with
> the 2.1.5 packages.  Let me know if you'd like to see some iked.log
> output.
>
> On Tue, May 10, 2011 at 10:52 PM, Matthew Austin <maustin at otsys.com> wrote:
>> Greetings,
>>
>> I followed the instructions at http://www.shrew.net/support/wiki/HowtoCheckpoint
>>
>> shrew reports:
>> bringing up tunnel ...
>> network device configured
>> tunnel enabled
>>
>> so it would appear that I can connect to the device, authenticate, and
>> it pulls down an IP and all of that, but I can't ping any internal
>> network or even the gateway.
>>
>> I also applied the setting recommended here
>> http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html
>> just in case.
>>
>> Any help would be appreciated.
>>
>> Matthew
>>
>
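The log above shows every negotiation step succeeding (quick mode reply received, proposal matched, phase 2 IDs accepted, SA established, both pfkey UPDATEs acknowledged by the kernel), which is the key triage fact: when iked reports this, the problem is no longer IKE but the data plane. The following Python is an added example, not code from this thread or from the Shrew Soft project, that parses iked.log lines of the format shown above into a structured summary and prints triage notes. The sample log is an excerpt of the posted output (transforms #3 to #45 omitted, and the email-wrapped "send/recv IKE packet" lines rejoined onto one line); the function names, the dataclass and the triage wording are my own.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the iked.log output posted above. Constructed for this example:
# transform #3..#45 are omitted and the wrapped packet lines are rejoined.
SAMPLE_LOG = """\
11/05/14 12:46:53 K< : recv pfkey ACQUIRE ESP message
11/05/14 12:46:53 DB : new phase2 ( IPSEC initiator )
11/05/14 12:46:53 >> : security association payload
11/05/14 12:46:53 >> : - proposal #1 payload
11/05/14 12:46:53 >> : -- transform #1 payload
11/05/14 12:46:53 >> : -- transform #2 payload
11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 -> 173.164.101.125:500 ( 1544 bytes )
11/05/14 12:46:53 <- : recv IKE packet 173.164.101.125:500 -> 192.168.0.161:500 ( 172 bytes )
11/05/14 12:46:53 ii : matched ipsec-esp proposal #1 transform #1
11/05/14 12:46:53 ii : - transform    = esp-aes
11/05/14 12:46:53 ii : - key length   = 256 bits
11/05/14 12:46:53 ii : - encap mode   = tunnel
11/05/14 12:46:53 ii : - msg auth     = hmac-md5
11/05/14 12:46:53 ii : - pfs dh group = none
11/05/14 12:46:53 ii : - life seconds = 3600
11/05/14 12:46:53 ii : - life kbytes  = 0
11/05/14 12:46:53 ii : phase2 ids accepted
11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
11/05/14 12:46:53 ii : phase2 sa established
11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
"""

# One iked.log entry: "<date> <time> <tag> : <message>"; the tag is a 2-char
# channel marker such as "K<", "DB", ">>", "ii", "->".
LINE_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (?P<tag>\S+) : (?P<msg>.*)$")
ATTR_RE = re.compile(r"^- (?P<key>[a-z ]+?)\s*= (?P<val>.+)$")          # "- key length   = 256 bits"
ID_RE = re.compile(r"^- (?P<side>loc|rmt) (?P<src>\S+) -> (?P<dst>\S+)$")  # traffic selectors
PKT_RE = re.compile(r"^(?P<dir>send|recv) IKE packet \S+ -> \S+ \( (?P<n>\d+) bytes \)$")


@dataclass
class Phase2Summary:
    transforms_offered: int = 0          # transforms in our quick mode proposal
    matched: dict = field(default_factory=dict)    # attributes of the accepted transform
    selectors: dict = field(default_factory=dict)  # "loc"/"rmt" -> (src, dst)
    sa_established: bool = False
    kernel_acquire: bool = False         # kernel asked IKE for an SA (traffic hit the policy)
    kernel_updates_acked: int = 0        # pfkey UPDATE replies: one per SA direction
    packets: list = field(default_factory=list)    # (direction, size in bytes)


def summarize_phase2(log_text: str) -> Phase2Summary:
    """Reduce a quick mode exchange in iked.log to the facts that matter for triage."""
    s = Phase2Summary()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        tag, msg = m["tag"], m["msg"]
        if tag == ">>" and msg.startswith("-- transform #"):
            s.transforms_offered += 1
        elif tag == "K<" and msg == "recv pfkey ACQUIRE ESP message":
            s.kernel_acquire = True
        elif tag == "K<" and msg == "recv pfkey UPDATE ESP message":
            s.kernel_updates_acked += 1
        elif tag == "ii":
            if msg == "phase2 sa established":
                s.sa_established = True
            elif (idm := ID_RE.match(msg)):
                s.selectors[idm["side"]] = (idm["src"], idm["dst"])
            elif (am := ATTR_RE.match(msg)):
                s.matched[am["key"]] = am["val"]
        elif tag in ("->", "<-"):
            pm = PKT_RE.match(msg)
            if pm:
                s.packets.append((pm["dir"], int(pm["n"])))
    return s


def triage(s: Phase2Summary) -> list:
    """Turn the summary into plain-language triage notes."""
    notes = []
    if s.sa_established and s.kernel_updates_acked >= 2:
        src, dst = s.selectors.get("loc", ("?", "?"))
        notes.append(
            f"phase 2 completed and both ESP SAs were installed for {src} <-> {dst}; "
            "IKE is not the failure point, so check the data plane: route to the remote "
            "subnet, firewall/NAT handling of ESP, and the peer's policy for the client address")
    elif s.sa_established:
        notes.append("phase 2 SA negotiated but fewer than two pfkey UPDATEs were acknowledged")
    else:
        notes.append("no 'phase2 sa established' line: quick mode did not complete")
    if s.matched.get("pfs dh group") == "none":
        notes.append("no PFS group for phase 2: the ESP keys derive from phase 1 material only")
    if s.matched.get("msg auth", "").endswith("md5"):
        notes.append("ESP integrity is HMAC-MD5; prefer a SHA-2 HMAC where the peer allows it")
    for direction, n in s.packets:
        if n > 1500:
            notes.append(f"{direction} IKE packet of {n} bytes exceeds a 1500-byte MTU and "
                         f"relies on IP fragmentation ({s.transforms_offered} transforms offered)")
    return notes


if __name__ == "__main__":
    for note in triage(summarize_phase2(SAMPLE_LOG)):
        print("-", note)
```

Run against the full posted log, the summary reports 45 offered transforms, the esp-aes/256-bit/hmac-md5 transform with no PFS, the 192.168.254.162 to 192.168.200.0/24 selectors, an established SA and two acknowledged kernel updates, so the first note points the investigation away from IKE and toward routing and ESP forwarding.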
