[vpn-help] Checkpoint NGX 8.2.39n - network access issue

Matthew Austin maustin at otsys.com
Mon May 16 13:31:45 CDT 2011


I have had NAT-T disabled per the guide.  When I enable it with
the head revision build, the client cannot successfully negotiate phase
1.

11/05/16 11:28:26 ii : ipc client process thread begin ...
11/05/16 11:28:26 <A : peer config add message
11/05/16 11:28:26 <A : proposal config message
11/05/16 11:28:26 <A : proposal config message
11/05/16 11:28:26 <A : client config message
11/05/16 11:28:26 <A : xauth username message
11/05/16 11:28:26 <A : xauth password message
11/05/16 11:28:26 <A : local id '' message
11/05/16 11:28:26 <A : remote certificate data message
11/05/16 11:28:26 ii : remote certificate read complete ( 544 bytes )
11/05/16 11:28:26 <A : remote resource message
11/05/16 11:28:26 <A : remote resource message
11/05/16 11:28:26 <A : remote resource message
11/05/16 11:28:26 <A : peer tunnel enable message
11/05/16 11:28:26 DB : peer added ( obj count = 1 )
11/05/16 11:28:26 ii : local address 173.164.101.120 selected for peer
11/05/16 11:28:26 DB : tunnel added ( obj count = 1 )
11/05/16 11:28:26 DB : new phase1 ( ISAKMP initiator )
11/05/16 11:28:26 DB : exchange type is identity protect
11/05/16 11:28:26 DB : 173.164.101.120:500 <-> 173.164.101.125:500
11/05/16 11:28:26 DB : 23081e9ecae41783:0000000000000000
11/05/16 11:28:26 DB : phase1 added ( obj count = 1 )
11/05/16 11:28:26 >> : security association payload
11/05/16 11:28:26 >> : - proposal #1 payload
11/05/16 11:28:26 >> : -- transform #1 payload
11/05/16 11:28:26 >> : -- transform #2 payload
11/05/16 11:28:26 >> : -- transform #3 payload
11/05/16 11:28:26 >> : -- transform #4 payload
11/05/16 11:28:26 >> : -- transform #5 payload
11/05/16 11:28:26 >> : -- transform #6 payload
11/05/16 11:28:26 >> : -- transform #7 payload
11/05/16 11:28:26 >> : -- transform #8 payload
11/05/16 11:28:26 >> : -- transform #9 payload
11/05/16 11:28:26 >> : -- transform #10 payload
11/05/16 11:28:26 >> : -- transform #11 payload
11/05/16 11:28:26 >> : -- transform #12 payload
11/05/16 11:28:26 >> : -- transform #13 payload
11/05/16 11:28:26 >> : -- transform #14 payload
11/05/16 11:28:26 >> : -- transform #15 payload
11/05/16 11:28:26 >> : -- transform #16 payload
11/05/16 11:28:26 >> : -- transform #17 payload
11/05/16 11:28:26 >> : -- transform #18 payload
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports XAUTH
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports nat-t ( draft v00 )
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports nat-t ( draft v01 )
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports nat-t ( draft v02 )
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports nat-t ( draft v03 )
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports nat-t ( rfc )
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports FRAGMENTATION
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports DPDv1
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local is SHREW SOFT compatible
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local is NETSCREEN compatible
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local is SIDEWINDER compatible
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local is CISCO UNITY compatible
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local is CHECKPOINT compatible
11/05/16 11:28:26 >= : cookies 23081e9ecae41783:0000000000000000
11/05/16 11:28:26 >= : message 00000000
11/05/16 11:28:26 -> : send IKE packet 173.164.101.120:500 -> 173.164.101.125:500 ( 1076 bytes )
11/05/16 11:28:26 DB : phase1 resend event scheduled ( ref count = 2 )
11/05/16 11:28:27 <- : recv IKE packet 173.164.101.125:500 -> 173.164.101.120:500 ( 152 bytes )
11/05/16 11:28:27 DB : phase1 found
11/05/16 11:28:27 ii : processing phase1 packet ( 152 bytes )
11/05/16 11:28:27 =< : cookies 23081e9ecae41783:ae36079b016b89ae
11/05/16 11:28:27 =< : message 00000000
11/05/16 11:28:27 << : security association payload
11/05/16 11:28:27 << : - propsal #1 payload
11/05/16 11:28:27 << : -- transform #1 payload
11/05/16 11:28:27 ii : matched isakmp proposal #1 transform #1
11/05/16 11:28:27 ii : - transform    = ike
11/05/16 11:28:27 ii : - cipher type  = aes
11/05/16 11:28:27 ii : - key length   = 256 bits
11/05/16 11:28:27 ii : - hash type    = md5
11/05/16 11:28:27 ii : - dh group     = group1 ( modp-768 )
11/05/16 11:28:27 ii : - auth type    = hybrid-initiator-rsa
11/05/16 11:28:27 ii : - life seconds = 86400
11/05/16 11:28:27 ii : - life kbytes  = 0
11/05/16 11:28:27 << : vendor id payload
11/05/16 11:28:27 ii : peer supports nat-t ( draft v02 )
11/05/16 11:28:27 << : vendor id payload
11/05/16 11:28:27 ii : peer is CHECKPOINT compatible
11/05/16 11:28:27 >> : key exchange payload
11/05/16 11:28:27 >> : nonce payload
11/05/16 11:28:27 >> : cert request payload
11/05/16 11:28:27 >> : nat discovery payload
11/05/16 11:28:27 >> : nat discovery payload
11/05/16 11:28:27 >= : cookies 23081e9ecae41783:ae36079b016b89ae
11/05/16 11:28:27 >= : message 00000000
11/05/16 11:28:27 DB : phase1 resend event canceled ( ref count = 1 )
11/05/16 11:28:27 -> : send IKE packet 173.164.101.120:500 -> 173.164.101.125:500 ( 225 bytes )
11/05/16 11:28:27 DB : phase1 resend event scheduled ( ref count = 2 )
11/05/16 11:28:27 <- : recv IKE packet 173.164.101.125:500 -> 173.164.101.120:500 ( 40 bytes )
11/05/16 11:28:27 DB : phase1 found
11/05/16 11:28:27 ii : processing informational packet ( 40 bytes )
11/05/16 11:28:27 == : new informational iv ( 16 bytes )
11/05/16 11:28:27 =< : cookies 23081e9ecae41783:ae36079b016b89ae
11/05/16 11:28:27 =< : message 918915cb
11/05/16 11:28:27 << : notification payload
11/05/16 11:28:27 ii : received peer INVALID-PAYLOAD-TYPE notification
11/05/16 11:28:27 ii : - 173.164.101.125:500 -> 173.164.101.120:500
11/05/16 11:28:27 ii : - isakmp spi = none
11/05/16 11:28:27 ii : - data size 0
11/05/16 11:28:37 -> : resend 1 phase1 packet(s) [0/2] 173.164.101.120:500 -> 173.164.101.125:500
11/05/16 11:28:47 -> : resend 1 phase1 packet(s) [1/2] 173.164.101.120:500 -> 173.164.101.125:500
11/05/16 11:28:57 -> : resend 1 phase1 packet(s) [2/2] 173.164.101.120:500 -> 173.164.101.125:500
11/05/16 11:29:07 ii : resend limit exceeded for phase1 exchange
11/05/16 11:29:07 ii : phase1 removal before expire time
11/05/16 11:29:07 DB : phase1 deleted ( obj count = 0 )
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : policy not found
11/05/16 11:29:07 DB : removing tunnel config references
11/05/16 11:29:07 DB : removing tunnel phase2 references
11/05/16 11:29:07 DB : removing tunnel phase1 references
11/05/16 11:29:07 DB : tunnel deleted ( obj count = 0 )
11/05/16 11:29:07 DB : removing all peer tunnel refrences
11/05/16 11:29:07 DB : peer deleted ( obj count = 0 )
11/05/16 11:29:07 ii : ipc client process thread exit ...


On Mon, May 16, 2011 at 10:57 AM, Matthew Grooms <mgrooms at shrew.net> wrote:
> On 5/11/2011 12:52 AM, Matthew Austin wrote:
>>
>> Greetings,
>>
>> I followed the instructions at
>> http://www.shrew.net/support/wiki/HowtoCheckpoint
>>
>> shrew reports:
>> bringing up tunnel ...
>> network device configured
>> tunnel enabled
>>
>> so it would appear that I can connect to the device, authenticate, and
>> it pulls down an IP and all of that, but I can't ping any internal
>> network or even the gateway.
>>
>> I also applied the setting recommended here
>> http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html
>> just in case.
>>
>> Any help would be appreciated.
>>
>
> Do you have NAT-Traversal enabled? If so, try disabling it. If not, try
> enabling it.
>
> -Matthew
>
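
The trace above is Shrew Soft VPN Client (iked) debug output. As an added example that is not part of the thread or of the Shrew Soft code base, the Python script below parses lines in that format (assumed here to be "date time TAG : message", which every line above follows), extracts what a reviewer would otherwise pull out by hand, and grades it: the phase 1 transform the gateway selected (here AES-256 with MD5 and DH group 1, i.e. 768-bit MODP, both well below current minimums), the NAT-T versions each side advertised and the ones they have in common, and whether the INVALID-PAYLOAD-TYPE notification answered the packet that carried the NAT-D payloads. The payload-type numbers come from the specifications (RFC 3947 assigns NAT-D payload type 20; the nat-t-ike drafts used the private-use value 130). The natt_suspect verdict is a pointer for the next test, in line with the thread's observation that phase 1 completes with NAT-T off and fails with it on; it is not a confirmed root cause. The sample lines are a subset of the log above.

```python
import re
from typing import Dict, List

# Subset of the iked log in the post above, kept exactly as the client printed it.
SAMPLE_LOG = """\
11/05/16 11:28:26 >> : security association payload
11/05/16 11:28:26 >> : vendor id payload
11/05/16 11:28:26 ii : local supports nat-t ( draft v02 )
11/05/16 11:28:26 ii : local supports nat-t ( rfc )
11/05/16 11:28:26 -> : send IKE packet 173.164.101.120:500 -> 173.164.101.125:500 ( 1076 bytes )
11/05/16 11:28:27 ii : matched isakmp proposal #1 transform #1
11/05/16 11:28:27 ii : - cipher type  = aes
11/05/16 11:28:27 ii : - key length   = 256 bits
11/05/16 11:28:27 ii : - hash type    = md5
11/05/16 11:28:27 ii : - dh group     = group1 ( modp-768 )
11/05/16 11:28:27 ii : - auth type    = hybrid-initiator-rsa
11/05/16 11:28:27 ii : peer supports nat-t ( draft v02 )
11/05/16 11:28:27 >> : key exchange payload
11/05/16 11:28:27 >> : nonce payload
11/05/16 11:28:27 >> : cert request payload
11/05/16 11:28:27 >> : nat discovery payload
11/05/16 11:28:27 >> : nat discovery payload
11/05/16 11:28:27 -> : send IKE packet 173.164.101.120:500 -> 173.164.101.125:500 ( 225 bytes )
11/05/16 11:28:27 ii : received peer INVALID-PAYLOAD-TYPE notification
"""

LINE_RE = re.compile(r"^\S+ \S+ (\S\S) : (.*)$")        # date time TAG : message
NATT_RE = re.compile(r"^(local|peer) supports nat-t \( (.+?) \)$")
PARAM_RE = re.compile(r"^- (.+?)\s*= (.+)$")             # "- hash type    = md5"
NOTIFY_RE = re.compile(r"^received peer (\S+) notification$")

# Phase 1 choices to flag, keyed on the first token of the logged value so that
# "group1" does not also match "group14".
WEAK_PHASE1 = {
    "hash type": {"md5": "MD5 is deprecated for IKE; negotiate SHA-2"},
    "dh group": {"group1": "group 1 is 768-bit MODP, far below the 2048-bit minimum (group 14)"},
    "cipher type": {"des": "single DES has a 56-bit key"},
}


def natd_payload_type(natt_version: str) -> int:
    """NAT-D payload type a NAT-T version puts on the wire: RFC 3947 assigns 20,
    the nat-t-ike drafts used the private-use value 130."""
    return 20 if natt_version == "rfc" else 130


def parse_iked_log(text: str) -> Dict:
    """Collect NAT-T vendor IDs per side, the matched phase 1 transform, the payload
    list of each outgoing packet, and notifications with the index of the packet
    they followed."""
    state: Dict = {"natt": {"local": [], "peer": []}, "phase1": {}, "packets": [], "notifications": []}
    pending: List[str] = []   # payloads logged since the last "send IKE packet"
    in_proposal = False       # inside the "- key = value" block after "matched isakmp proposal"
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        tag, msg = m.groups()
        if tag == ">>" and msg.endswith(" payload"):
            pending.append(msg[: -len(" payload")].lstrip("- "))
        elif tag == "->" and msg.startswith("send IKE packet"):
            state["packets"].append(pending)
            pending = []
        elif tag == "ii":
            if msg.startswith("matched isakmp proposal"):
                in_proposal = True
                continue
            pm = PARAM_RE.match(msg) if in_proposal else None
            if pm:
                state["phase1"][pm.group(1)] = pm.group(2)
                continue
            in_proposal = False
            nm, nt = NATT_RE.match(msg), NOTIFY_RE.match(msg)
            if nm:
                state["natt"][nm.group(1)].append(nm.group(2))
            elif nt:
                state["notifications"].append(
                    {"type": nt.group(1), "after_packet": len(state["packets"]) - 1})
    return state


def assess(parsed: Dict) -> Dict:
    """Flag weak phase 1 parameters, list the NAT-T versions both sides share, and
    mark NAT-T as suspect when INVALID-PAYLOAD-TYPE answered a packet carrying
    NAT-D payloads (a lead for the next test, not a proven cause)."""
    weak = []
    for key, table in WEAK_PHASE1.items():
        value = parsed["phase1"].get(key, "")
        why = table.get(value.split(" ")[0])
        if why:
            weak.append(f"{key} = {value}: {why}")
    common = sorted(set(parsed["natt"]["local"]) & set(parsed["natt"]["peer"]))
    suspect = any(
        n["type"] == "INVALID-PAYLOAD-TYPE" and n["after_packet"] >= 0
        and "nat discovery" in parsed["packets"][n["after_packet"]]
        for n in parsed["notifications"])
    return {"weak_phase1": weak, "common_natt": common,
            "natd_payload_types_in_play": sorted({natd_payload_type(v) for v in common}),
            "natt_suspect": suspect}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(parse_iked_log(SAMPLE_LOG)), indent=2))
```

Run it as a script to print the assessment as JSON, or pass a complete iked log to parse_iked_log; payloads are kept per outgoing packet, so the same check works when the notification arrives later in the exchange than it does here.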