[vpn-help] Checkpoint NGX 8.2.39n - network access issue

Dale Marthaller dmarthaller at shaw.ca
Sat May 14 17:01:41 CDT 2011


Are you able to ping the actual router using its LAN side IP address? It's possible that the internal host you are pinging is set to not respond to a ping or a firewall setting on one of the devices is blocking the ping.

----- Original Message -----
From: Matthew Austin <maustin at otsys.com>
Date: Saturday, May 14, 2011 12:57 pm
Subject: Re: [vpn-help] Checkpoint NGX 8.2.39n - network access issue
To: vpn-help at lists.shrew.net

> I've kept plugging away at this and have gone so far as to download
> and work through some minor build issues with the head revision with
> no real delta.  I'm getting through phase 1 and when I ping an
> internal host it initiates phase 2.  The appliance reports in the log
> that phase 2 negotiation completes successfully but the ping does not
> return.  Here is the iked.log debug output from when I initiate the
> ping forward.
> 
> 11/05/14 12:46:53 K< : recv pfkey ACQUIRE ESP message
> 11/05/14 12:46:53 DB : policy found
> 11/05/14 12:46:53 DB : policy found
> 11/05/14 12:46:53 DB : tunnel found
> 11/05/14 12:46:53 DB : new phase2 ( IPSEC initiator )
> 11/05/14 12:46:53 DB : phase2 added ( obj count = 1 )
> 11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
> 11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
> 11/05/14 12:46:53 DB : phase2 found
> 11/05/14 12:46:53 ii : updated spi for 1 ipsec-esp proposal
> 11/05/14 12:46:53 DB : phase1 found
> 11/05/14 12:46:53 >> : hash payload
> 11/05/14 12:46:53 >> : security association payload
> 11/05/14 12:46:53 >> : - proposal #1 payload
> 11/05/14 12:46:53 >> : -- transform #1 payload
> 11/05/14 12:46:53 >> : -- transform #2 payload
> 11/05/14 12:46:53 >> : -- transform #3 payload
> 11/05/14 12:46:53 >> : -- transform #4 payload
> 11/05/14 12:46:53 >> : -- transform #5 payload
> 11/05/14 12:46:53 >> : -- transform #6 payload
> 11/05/14 12:46:53 >> : -- transform #7 payload
> 11/05/14 12:46:53 >> : -- transform #8 payload
> 11/05/14 12:46:53 >> : -- transform #9 payload
> 11/05/14 12:46:53 >> : -- transform #10 payload
> 11/05/14 12:46:53 >> : -- transform #11 payload
> 11/05/14 12:46:53 >> : -- transform #12 payload
> 11/05/14 12:46:53 >> : -- transform #13 payload
> 11/05/14 12:46:53 >> : -- transform #14 payload
> 11/05/14 12:46:53 >> : -- transform #15 payload
> 11/05/14 12:46:53 >> : -- transform #16 payload
> 11/05/14 12:46:53 >> : -- transform #17 payload
> 11/05/14 12:46:53 >> : -- transform #18 payload
> 11/05/14 12:46:53 >> : -- transform #19 payload
> 11/05/14 12:46:53 >> : -- transform #20 payload
> 11/05/14 12:46:53 >> : -- transform #21 payload
> 11/05/14 12:46:53 >> : -- transform #22 payload
> 11/05/14 12:46:53 >> : -- transform #23 payload
> 11/05/14 12:46:53 >> : -- transform #24 payload
> 11/05/14 12:46:53 >> : -- transform #25 payload
> 11/05/14 12:46:53 >> : -- transform #26 payload
> 11/05/14 12:46:53 >> : -- transform #27 payload
> 11/05/14 12:46:53 >> : -- transform #28 payload
> 11/05/14 12:46:53 >> : -- transform #29 payload
> 11/05/14 12:46:53 >> : -- transform #30 payload
> 11/05/14 12:46:53 >> : -- transform #31 payload
> 11/05/14 12:46:53 >> : -- transform #32 payload
> 11/05/14 12:46:53 >> : -- transform #33 payload
> 11/05/14 12:46:53 >> : -- transform #34 payload
> 11/05/14 12:46:53 >> : -- transform #35 payload
> 11/05/14 12:46:53 >> : -- transform #36 payload
> 11/05/14 12:46:53 >> : -- transform #37 payload
> 11/05/14 12:46:53 >> : -- transform #38 payload
> 11/05/14 12:46:53 >> : -- transform #39 payload
> 11/05/14 12:46:53 >> : -- transform #40 payload
> 11/05/14 12:46:53 >> : -- transform #41 payload
> 11/05/14 12:46:53 >> : -- transform #42 payload
> 11/05/14 12:46:53 >> : -- transform #43 payload
> 11/05/14 12:46:53 >> : -- transform #44 payload
> 11/05/14 12:46:53 >> : -- transform #45 payload
> 11/05/14 12:46:53 >> : nonce payload
> 11/05/14 12:46:53 >> : identification payload
> 11/05/14 12:46:53 >> : identification payload
> 11/05/14 12:46:53 == : phase2 hash_i ( input ) ( 1460 bytes )
> 11/05/14 12:46:53 == : phase2 hash_i ( computed ) ( 16 bytes )
> 11/05/14 12:46:53 == : new phase2 iv ( 16 bytes )
> 11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
> 11/05/14 12:46:53 >= : message e75b342c
> 11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
> 11/05/14 12:46:53 == : encrypt packet ( 1504 bytes )
> 11/05/14 12:46:53 == : stored iv ( 16 bytes )
> 11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 ->
> 173.164.101.125:500 ( 1544 bytes )
> 11/05/14 12:46:53 DB : phase2 resend event scheduled ( ref count 
> = 2 )
> 11/05/14 12:46:53 <- : recv IKE packet 173.164.101.125:500 ->
> 192.168.0.161:500 ( 172 bytes )
> 11/05/14 12:46:53 DB : phase1 found
> 11/05/14 12:46:53 ii : processing phase2 packet ( 172 bytes )
> 11/05/14 12:46:53 DB : phase2 found
> 11/05/14 12:46:53 =< : cookies f8d338c27cbb826c:2881de11b69d9df3
> 11/05/14 12:46:53 =< : message e75b342c
> 11/05/14 12:46:53 =< : decrypt iv ( 16 bytes )
> 11/05/14 12:46:53 == : decrypt packet ( 172 bytes )
> 11/05/14 12:46:53 <= : trimmed packet padding ( 16 bytes )
> 11/05/14 12:46:53 <= : stored iv ( 16 bytes )
> 11/05/14 12:46:53 << : hash payload
> 11/05/14 12:46:53 << : security association payload
> 11/05/14 12:46:53 << : - propsal #1 payload
> 11/05/14 12:46:53 << : -- transform #1 payload
> 11/05/14 12:46:53 << : nonce payload
> 11/05/14 12:46:53 << : identification payload
> 11/05/14 12:46:53 << : identification payload
> 11/05/14 12:46:53 == : phase2 hash_r ( input ) ( 132 bytes )
> 11/05/14 12:46:53 == : phase2 hash_r ( computed ) ( 16 bytes )
> 11/05/14 12:46:53 == : phase2 hash_r ( received ) ( 16 bytes )
> 11/05/14 12:46:53 ii : matched ipsec-esp proposal #1 transform #1
> 11/05/14 12:46:53 ii : - transform    = esp-aes
> 11/05/14 12:46:53 ii : - key length   = 256 bits
> 11/05/14 12:46:53 ii : - encap mode   = tunnel
> 11/05/14 12:46:53 ii : - msg auth     = hmac-md5
> 11/05/14 12:46:53 ii : - pfs dh group = none
> 11/05/14 12:46:53 ii : - life seconds = 3600
> 11/05/14 12:46:53 ii : - life kbytes  = 0
> 11/05/14 12:46:53 DB : policy found
> 11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
> 11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
> 11/05/14 12:46:53 DB : phase2 found
> 11/05/14 12:46:53 ii : phase2 ids accepted
> 11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
> 11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
> 11/05/14 12:46:53 ii : phase2 sa established
> 11/05/14 12:46:53 ii : 192.168.0.161:500 <-> 173.164.101.125:500
> 11/05/14 12:46:53 == : phase2 hash_p ( input ) ( 45 bytes )
> 11/05/14 12:46:53 == : phase2 hash_p ( computed ) ( 16 bytes )
> 11/05/14 12:46:53 >> : hash payload
> 11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
> 11/05/14 12:46:53 >= : message e75b342c
> 11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
> 11/05/14 12:46:53 == : encrypt packet ( 48 bytes )
> 11/05/14 12:46:53 == : stored iv ( 16 bytes )
> 11/05/14 12:46:53 DB : phase2 resend event canceled ( ref count 
> = 1 )
> 11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 ->
> 173.164.101.125:500 ( 88 bytes )
> 11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
> 11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
> 11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
> 11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
> 11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
> 11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
> 11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
> 11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
> 
> It feels like it is soooo close.
> 
> On Wed, May 11, 2011 at 5:33 PM, Matthew Austin 
> <maustin at otsys.com> wrote:
> > Just a quick update that I downloaded and built 2.1.7 on 
> ubuntu 11.04
> > with no change.  We've tested this with ubuntu 10.10 and 11.04 with
> > the 2.1.5 packages.  Let me know if you'd like to see some iked.log
> > output.
> >
> > On Tue, May 10, 2011 at 10:52 PM, Matthew Austin 
> <maustin at otsys.com> wrote:
> >> Greetings,
> >>
> >> I followed the instructions at http://www.shrew.net/support/wiki/HowtoCheckpoint
> >>
> >> shrew reports:
> >> bringing up tunnel ...
> >> network device configured
> >> tunnel enabled
> >>
> >> so it would appear that I can connect to the device, 
> authenticate, and
> >> it pulls down an IP and all of that, but I can't ping any internal
> >> network or even the gateway.
> >>
> >> I also applied the setting recommended here
> >> http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html
> >> just in case.
> >>
> >> Any help would be appreciated.
> >>
> >> Matthew
> >>
> >
> _______________________________________________
> vpn-help mailing list
> vpn-help at lists.shrew.net
> http://lists.shrew.net/mailman/listinfo/vpn-help
> 
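An added diagnostic, not from this thread or from the Shrew Soft project: it parses the iked.log excerpt quoted above to check whether a ping target actually falls inside the remote traffic selector that phase 2 negotiated, which is the first thing to verify when the SA comes up but no reply returns (a target outside 192.168.200.0/24, such as a gateway LAN address on another subnet, never enters the tunnel). The function names and the rejoined selector lines are my own assumptions.

```python
import ipaddress
import re

# Excerpt of the iked.log lines quoted in the thread, with the wrapped selector
# lines rejoined; the full log is not needed for this check.
SAMPLE_LOG = """\
11/05/14 12:46:53 ii : - transform    = esp-aes
11/05/14 12:46:53 ii : - key length   = 256 bits
11/05/14 12:46:53 ii : - encap mode   = tunnel
11/05/14 12:46:53 ii : - msg auth     = hmac-md5
11/05/14 12:46:53 ii : - pfs dh group = none
11/05/14 12:46:53 ii : phase2 ids accepted
11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
11/05/14 12:46:53 ii : phase2 sa established
"""

PARAM_RE = re.compile(r"ii : - (transform|key length|encap mode|msg auth|pfs dh group)\s*= (.+)$")
SEL_RE = re.compile(r"ii : - loc ANY:(\S+):\S+ -> ANY:(\S+):\S+")


def parse_phase2(log):
    """Extract the negotiated phase 2 parameters and traffic selectors from iked.log text."""
    info = {"params": {}, "local": None, "remote": None, "established": False}
    for line in log.splitlines():
        if m := PARAM_RE.search(line):
            info["params"][m.group(1)] = m.group(2).strip()
        elif m := SEL_RE.search(line):
            # 'loc' is src -> dst from the client's side: the assigned virtual IP
            # and the protected network the gateway agreed to carry.
            info["local"] = ipaddress.ip_network(m.group(1), strict=False)
            info["remote"] = ipaddress.ip_network(m.group(2), strict=False)
        elif "phase2 sa established" in line:
            info["established"] = True
    return info


def tunnel_covers(log, target):
    """True if the log shows an established SA whose remote selector includes target."""
    info = parse_phase2(log)
    return bool(info["established"] and info["remote"] is not None
                and ipaddress.ip_address(target) in info["remote"])


def weak_transforms(log):
    """Hardening notes on the negotiated SA (not a cause of the missing ping reply)."""
    params = parse_phase2(log)["params"]
    notes = []
    if params.get("msg auth") == "hmac-md5":
        notes.append("msg auth hmac-md5 is deprecated; prefer an hmac-sha2 transform")
    return notes
```

Run it against the real iked.log and the address you are pinging; if tunnel_covers returns False, the packet is leaving the client unencrypted and the gateway's policy or the client's network configuration is where to look next.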