[vpn-help] Checkpoint NGX 8.2.39n - network access issue

Matthew Austin maustin at otsys.com
Sat May 14 17:39:50 CDT 2011


I am not able to ping the router.  It is the device LAN IP address
that I've been pinging (I've attempted other internal addresses as
well) on the various subnets - office mode IP space, DMZ, and LAN.
The ruleset for the firewall allows ICMP from any.  I also played with
the legacy rule to allow any encrypted which shouldn't be necessary
from what I've read as the office mode IP has a bypass firewall
configuration.

The checkpoint SecureClient and Endpoint clients work without issue.

On Sat, May 14, 2011 at 3:01 PM, Dale Marthaller <dmarthaller at shaw.ca> wrote:
> Are you able to ping the actual router using its LAN side IP address? It's
> possible that the internal host you are pinging is set to not respond to a
> ping or a firewall setting on one of the devices is blocking the ping.
>
> ----- Original Message -----
> From: Matthew Austin <maustin at otsys.com>
> Date: Saturday, May 14, 2011 12:57 pm
> Subject: Re: [vpn-help] Checkpoint NGX 8.2.39n - network access issue
> To: vpn-help at lists.shrew.net
>
>> I've kept plugging away at this and have gone so far as to download
>> and work through some minor build issues with the head revision with
>> no real delta.  I'm getting through phase 1 and when I ping an
>> internal host it initiates phase 2.  The appliance reports in the log
>> that phase 2 negotiation completes successfully but the ping does not
>> return.  Here is the iked.log debug output from when I initiate the
>> ping forward.
>>
>> 11/05/14 12:46:53 K< : recv pfkey ACQUIRE ESP message
>> 11/05/14 12:46:53 DB : policy found
>> 11/05/14 12:46:53 DB : policy found
>> 11/05/14 12:46:53 DB : tunnel found
>> 11/05/14 12:46:53 DB : new phase2 ( IPSEC initiator )
>> 11/05/14 12:46:53 DB : phase2 added ( obj count = 1 )
>> 11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
>> 11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
>> 11/05/14 12:46:53 DB : phase2 found
>> 11/05/14 12:46:53 ii : updated spi for 1 ipsec-esp proposal
>> 11/05/14 12:46:53 DB : phase1 found
>> 11/05/14 12:46:53 >> : hash payload
>> 11/05/14 12:46:53 >> : security association payload
>> 11/05/14 12:46:53 >> : - proposal #1 payload
>> 11/05/14 12:46:53 >> : -- transform #1 payload
>> 11/05/14 12:46:53 >> : -- transform #2 payload
>> 11/05/14 12:46:53 >> : -- transform #3 payload
>> 11/05/14 12:46:53 >> : -- transform #4 payload
>> 11/05/14 12:46:53 >> : -- transform #5 payload
>> 11/05/14 12:46:53 >> : -- transform #6 payload
>> 11/05/14 12:46:53 >> : -- transform #7 payload
>> 11/05/14 12:46:53 >> : -- transform #8 payload
>> 11/05/14 12:46:53 >> : -- transform #9 payload
>> 11/05/14 12:46:53 >> : -- transform #10 payload
>> 11/05/14 12:46:53 >> : -- transform #11 payload
>> 11/05/14 12:46:53 >> : -- transform #12 payload
>> 11/05/14 12:46:53 >> : -- transform #13 payload
>> 11/05/14 12:46:53 >> : -- transform #14 payload
>> 11/05/14 12:46:53 >> : -- transform #15 payload
>> 11/05/14 12:46:53 >> : -- transform #16 payload
>> 11/05/14 12:46:53 >> : -- transform #17 payload
>> 11/05/14 12:46:53 >> : -- transform #18 payload
>> 11/05/14 12:46:53 >> : -- transform #19 payload
>> 11/05/14 12:46:53 >> : -- transform #20 payload
>> 11/05/14 12:46:53 >> : -- transform #21 payload
>> 11/05/14 12:46:53 >> : -- transform #22 payload
>> 11/05/14 12:46:53 >> : -- transform #23 payload
>> 11/05/14 12:46:53 >> : -- transform #24 payload
>> 11/05/14 12:46:53 >> : -- transform #25 payload
>> 11/05/14 12:46:53 >> : -- transform #26 payload
>> 11/05/14 12:46:53 >> : -- transform #27 payload
>> 11/05/14 12:46:53 >> : -- transform #28 payload
>> 11/05/14 12:46:53 >> : -- transform #29 payload
>> 11/05/14 12:46:53 >> : -- transform #30 payload
>> 11/05/14 12:46:53 >> : -- transform #31 payload
>> 11/05/14 12:46:53 >> : -- transform #32 payload
>> 11/05/14 12:46:53 >> : -- transform #33 payload
>> 11/05/14 12:46:53 >> : -- transform #34 payload
>> 11/05/14 12:46:53 >> : -- transform #35 payload
>> 11/05/14 12:46:53 >> : -- transform #36 payload
>> 11/05/14 12:46:53 >> : -- transform #37 payload
>> 11/05/14 12:46:53 >> : -- transform #38 payload
>> 11/05/14 12:46:53 >> : -- transform #39 payload
>> 11/05/14 12:46:53 >> : -- transform #40 payload
>> 11/05/14 12:46:53 >> : -- transform #41 payload
>> 11/05/14 12:46:53 >> : -- transform #42 payload
>> 11/05/14 12:46:53 >> : -- transform #43 payload
>> 11/05/14 12:46:53 >> : -- transform #44 payload
>> 11/05/14 12:46:53 >> : -- transform #45 payload
>> 11/05/14 12:46:53 >> : nonce payload
>> 11/05/14 12:46:53 >> : identification payload
>> 11/05/14 12:46:53 >> : identification payload
>> 11/05/14 12:46:53 == : phase2 hash_i ( input ) ( 1460 bytes )
>> 11/05/14 12:46:53 == : phase2 hash_i ( computed ) ( 16 bytes )
>> 11/05/14 12:46:53 == : new phase2 iv ( 16 bytes )
>> 11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
>> 11/05/14 12:46:53 >= : message e75b342c
>> 11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
>> 11/05/14 12:46:53 == : encrypt packet ( 1504 bytes )
>> 11/05/14 12:46:53 == : stored iv ( 16 bytes )
>> 11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 -> 173.164.101.125:500 ( 1544 bytes )
>> 11/05/14 12:46:53 DB : phase2 resend event scheduled ( ref count = 2 )
>> 11/05/14 12:46:53 <- : recv IKE packet 173.164.101.125:500 -> 192.168.0.161:500 ( 172 bytes )
>> 11/05/14 12:46:53 DB : phase1 found
>> 11/05/14 12:46:53 ii : processing phase2 packet ( 172 bytes )
>> 11/05/14 12:46:53 DB : phase2 found
>> 11/05/14 12:46:53 =< : cookies f8d338c27cbb826c:2881de11b69d9df3
>> 11/05/14 12:46:53 =< : message e75b342c
>> 11/05/14 12:46:53 =< : decrypt iv ( 16 bytes )
>> 11/05/14 12:46:53 == : decrypt packet ( 172 bytes )
>> 11/05/14 12:46:53 <= : trimmed packet padding ( 16 bytes )
>> 11/05/14 12:46:53 <= : stored iv ( 16 bytes )
>> 11/05/14 12:46:53 << : hash payload
>> 11/05/14 12:46:53 << : security association payload
>> 11/05/14 12:46:53 << : - propsal #1 payload
>> 11/05/14 12:46:53 << : -- transform #1 payload
>> 11/05/14 12:46:53 << : nonce payload
>> 11/05/14 12:46:53 << : identification payload
>> 11/05/14 12:46:53 << : identification payload
>> 11/05/14 12:46:53 == : phase2 hash_r ( input ) ( 132 bytes )
>> 11/05/14 12:46:53 == : phase2 hash_r ( computed ) ( 16 bytes )
>> 11/05/14 12:46:53 == : phase2 hash_r ( received ) ( 16 bytes )
>> 11/05/14 12:46:53 ii : matched ipsec-esp proposal #1 transform #1
>> 11/05/14 12:46:53 ii : - transform    = esp-aes
>> 11/05/14 12:46:53 ii : - key length   = 256 bits
>> 11/05/14 12:46:53 ii : - encap mode   = tunnel
>> 11/05/14 12:46:53 ii : - msg auth     = hmac-md5
>> 11/05/14 12:46:53 ii : - pfs dh group = none
>> 11/05/14 12:46:53 ii : - life seconds = 3600
>> 11/05/14 12:46:53 ii : - life kbytes  = 0
>> 11/05/14 12:46:53 DB : policy found
>> 11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
>> 11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
>> 11/05/14 12:46:53 DB : phase2 found
>> 11/05/14 12:46:53 ii : phase2 ids accepted
>> 11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
>> 11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
>> 11/05/14 12:46:53 ii : phase2 sa established
>> 11/05/14 12:46:53 ii : 192.168.0.161:500 <-> 173.164.101.125:500
>> 11/05/14 12:46:53 == : phase2 hash_p ( input ) ( 45 bytes )
>> 11/05/14 12:46:53 == : phase2 hash_p ( computed ) ( 16 bytes )
>> 11/05/14 12:46:53 >> : hash payload
>> 11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
>> 11/05/14 12:46:53 >= : message e75b342c
>> 11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
>> 11/05/14 12:46:53 == : encrypt packet ( 48 bytes )
>> 11/05/14 12:46:53 == : stored iv ( 16 bytes )
>> 11/05/14 12:46:53 DB : phase2 resend event canceled ( ref count = 1 )
>> 11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 -> 173.164.101.125:500 ( 88 bytes )
>> 11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
>> 11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
>> 11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
>> 11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
>> 11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
>> 11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
>> 11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
>> 11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
>>
>> It feels like it is soooo close.
>>
>> On Wed, May 11, 2011 at 5:33 PM, Matthew Austin <maustin at otsys.com> wrote:
>> > Just a quick update that I downloaded and built 2.1.7 on ubuntu 11.04
>> > with no change.  We've tested this with ubuntu 10.10 and 11.04 with
>> > the 2.1.5 packages.  Let me know if you'd like to see some iked.log
>> > output.
>> >
>> > On Tue, May 10, 2011 at 10:52 PM, Matthew Austin <maustin at otsys.com> wrote:
>> >> Greetings,
>> >>
>> >> I followed the instructions at
>> >> http://www.shrew.net/support/wiki/HowtoCheckpoint
>> >>
>> >> shrew reports:
>> >> bringing up tunnel ...
>> >> network device configured
>> >> tunnel enabled
>> >>
>> >> so it would appear that I can connect to the device, authenticate, and
>> >> it pulls down an IP and all of that, but I can't ping any internal
>> >> network or even the gateway.
>> >>
>> >> I also applied the setting recommended here
>> >> http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html
>> >> just in case.
>> >>
>> >> Any help would be appreciated.
>> >>
>> >> Matthew
>> >>
>> >
>> _______________________________________________
>> vpn-help mailing list
>> vpn-help at lists.shrew.net
>> http://lists.shrew.net/mailman/listinfo/vpn-help
>>
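Added example (not code from the thread, from Shrew Soft, or from Check Point): a small Python script that reads iked.log lines of the shape quoted above, pulls out the Phase 2 transform the gateway accepted and the traffic selectors it installed, and checks whether a given ping destination falls inside the destination network the SA was negotiated for. The quoted "phase2 ids accepted" lines cover only 192.168.200.0/24 from the Office Mode address 192.168.254.162, while the thread mentions pinging hosts on the Office Mode, DMZ and LAN subnets; a target outside the selector never enters that SA no matter how cleanly it was established, and this check makes that visible instead of eyeballing the selector line. The embedded log text is constructed from the excerpt in the thread, the target addresses other than the selector's own network are made up, and the regexes assume only the line formats visible in the excerpt.

```python
"""Summarise a Shrew Soft iked.log Phase 2 exchange and check whether a
destination address is covered by the negotiated traffic selectors.

Added example for this thread, not Shrew Soft's or the poster's code.
Assumes the line shapes visible in the quoted excerpt; other iked.log
messages are ignored.
"""
import ipaddress
import re

# Constructed sample: lines in the shape of the iked.log excerpt quoted in
# the thread (timestamps and addresses taken from that excerpt).
SAMPLE_LOG = """\
11/05/14 12:46:53 ii : matched ipsec-esp proposal #1 transform #1
11/05/14 12:46:53 ii : - transform    = esp-aes
11/05/14 12:46:53 ii : - key length   = 256 bits
11/05/14 12:46:53 ii : - encap mode   = tunnel
11/05/14 12:46:53 ii : - msg auth     = hmac-md5
11/05/14 12:46:53 ii : - pfs dh group = none
11/05/14 12:46:53 ii : - life seconds = 3600
11/05/14 12:46:53 ii : - life kbytes  = 0
11/05/14 12:46:53 ii : phase2 ids accepted
11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
11/05/14 12:46:53 ii : phase2 sa established
11/05/14 12:46:53 ii : 192.168.0.161:500 <-> 173.164.101.125:500
"""

# "- <name> = <value>" lines that follow "matched ipsec-esp proposal".
PARAM_RE = re.compile(r"ii : - (\w[\w ]*?)\s*= (.+)$")
# "- loc/rmt PROTO:ADDR:PORT -> PROTO:ADDR:PORT" selector lines.
SELECTOR_RE = re.compile(
    r"ii : - (loc|rmt) (\w+):([\d./]+):(\S+) -> (\w+):([\d./]+):(\S+)"
)


def parse_phase2(log_text):
    """Return the transform parameters, the loc/rmt selectors as
    (source network, destination network) pairs, and whether the log
    reports the Phase 2 SA as established."""
    parsed = {"transform": {}, "selectors": {}, "established": False}
    for line in log_text.splitlines():
        sel = SELECTOR_RE.search(line)
        if sel:
            side, _sproto, src, _sport, _dproto, dst, _dport = sel.groups()
            # A bare host address becomes a /32 network.
            parsed["selectors"][side] = (
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False),
            )
            continue
        param = PARAM_RE.search(line)
        if param:
            parsed["transform"][param.group(1).strip()] = param.group(2).strip()
        elif "phase2 sa established" in line:
            parsed["established"] = True
    return parsed


def covered_by_sa(parsed, dst_ip):
    """True if traffic to dst_ip matches the outbound (loc) selector of an
    established SA. Packets to other addresses never enter this tunnel."""
    loc = parsed["selectors"].get("loc")
    if loc is None or not parsed["established"]:
        return False
    return ipaddress.ip_address(dst_ip) in loc[1]


def review_transform(transform):
    """Defender-side notes on the proposal the gateway accepted."""
    notes = []
    if transform.get("msg auth") == "hmac-md5":
        notes.append("msg auth hmac-md5: deprecated for ESP (RFC 8221); prefer HMAC-SHA2")
    if transform.get("pfs dh group") == "none":
        notes.append("pfs dh group none: Phase 2 keys derive from Phase 1 only, no per-SA forward secrecy")
    if transform.get("life kbytes") == "0":
        notes.append("life kbytes 0: SA rekeys on time only (%s s)" % transform.get("life seconds", "?"))
    return notes


def diagnose(log_text, targets):
    """Map each ping target to whether the negotiated SA covers it."""
    parsed = parse_phase2(log_text)
    return parsed, {t: covered_by_sa(parsed, t) for t in targets}


if __name__ == "__main__":
    # Constructed targets standing in for the LAN, Office Mode and DMZ hosts pinged in the thread.
    parsed, report = diagnose(SAMPLE_LOG, ["192.168.200.1", "192.168.254.1", "10.10.10.1"])
    print("phase2 sa established:", parsed["established"])
    for name, value in parsed["transform"].items():
        print("  %-13s %s" % (name, value))
    for target, covered in report.items():
        print("%s %s" % (target, "covered by SA" if covered else "NOT in SA selector"))
    for note in review_transform(parsed["transform"]):
        print(" -", note)
```

Run it directly for a printed summary, or feed the real iked.log text to diagnose() with the addresses actually being pinged. The selector check is the troubleshooting step: if a target is reported as "NOT in SA selector", the gateway's encryption domain or the client's policy for that subnet is the place to look, before firewall rules for ICMP. The review notes on HMAC-MD5 and the missing PFS group are observations about the accepted proposal's strength and are independent of whether the ping comes back.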
