Hi there,
I'm trying to connect a Debian lenny client (Linux 2.6.26-2-amd64 #1 SMP x86_64 GNU/Linux) to a Checkpoint Firewall 1 (NGx R65).
I'm using openswan 2.4.12 (the Debian lenny revision is openswan 2.4.12+dfsg-1.3+lenny2).
I'm using the netkey internal kernel NAT-T, not klips.

I can connect using the proprietary Checkpoint client application (SecureRemote) without problems.
SecureRemote works fine under Windows XP and I was also able to set up a connection from a RedHat 7.3 box using SecureRemote for Linux, so the issue is not in the devices between my client and the firewall.

I followed various how-tos, but in the end I'm stuck at this point:

May 10 16:49:14 gadara pluto[9253]: | p15 state object #1 found, in STATE_MAIN_I2
May 10 16:49:14 gadara pluto[9253]: | processing connection checkpoint-vpn
May 10 16:49:14 gadara pluto[9253]: | processing informational PAYLOAD_MALFORMED (16)
May 10 16:49:14 gadara pluto[9253]: "checkpoint-vpn" #1: received 1 malformed payload notifies
May 10 16:49:14 gadara pluto[9253]: | complete state transition with STF_IGNORE
May 10 16:49:14 gadara pluto[9253]: | next event EVENT_RETRANSMIT in 10 seconds for #1

Has anyone successfully connected a Checkpoint R65 to an openswan client?
Connection data and log follow... any hint will be appreciated!

Thanks, Luca

############################
### this is the /etc/ipsec.conf ###
# basic configuration
config setup
    plutodebug=control
    nat_traversal=yes

conn checkpoint-vpn
    # left is my lenny client
    left=%defaultroute
    leftcert=/etc/ipsec.d/certs/client-cert.pem
    leftrsasigkey=%cert
    # right is the checkpoint firewall
    right=checkpoint-fw
    rightsubnet=192.168.255.0/24
    rightcert=/etc/ipsec.d/certs/checkpoint-cert.pem
    rightrsasigkey=%cert
    auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

#################################
### this is the /var/log/syslog output ###
May 10 16:49:13 gadara ipsec_setup: NETKEY on eth0 192.168.144.162/255.255.255.0 broadcast 192.168.144.255
May 10 16:49:13 gadara ipsec_setup: ...Openswan IPsec started
May 10 16:49:13 gadara ipsec_setup: Starting Openswan IPsec U2.4.12/K2.6.26-2-amd64...
May 10 16:49:14 gadara ipsec__plutorun: 104 "checkpoint-vpn" #1: STATE_MAIN_I1: initiate
May 10 16:49:14 gadara ipsec__plutorun: ...could not start conn "checkpoint-vpn"

###################################
### this is the /var/log/auth.log output ###

May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 10 17:17:07 gadara pluto[9858]: | sending reply packet to x.y.z.w:500 (from port=500)
May 10 17:17:07 gadara pluto[9858]: | sending 292 bytes for STATE_MAIN_I1 through eth0:500 to x.y.z.w:500:
May 10 17:17:07 gadara pluto[9858]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
May 10 17:17:07 gadara pluto[9858]: | modecfg pull: noquirk policy:push not-client
May 10 17:17:07 gadara pluto[9858]: | phase 1 is done, looking for phase 1 to unpend
May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in 10 seconds for #3
May 10 17:17:07 gadara pluto[9858]: |
May 10 17:17:07 gadara pluto[9858]: | *received 40 bytes from x.y.z.w:500 on eth0 (port=500)
May 10 17:17:07 gadara pluto[9858]: | processing packet with exchange type=ISAKMP_XCHG_INFO (5)
May 10 17:17:07 gadara pluto[9858]: | ICOOKIE: 62 d9 1d c3 7c 2c b2 a9
May 10 17:17:07 gadara pluto[9858]: | RCOOKIE: fd 0b ef 4b 36 d6 7d 9b
May 10 17:17:07 gadara pluto[9858]: | peer: x.y.z.w
May 10 17:17:07 gadara pluto[9858]: | state hash entry 29
May 10 17:17:07 gadara pluto[9858]: | peer and cookies match on #3, provided msgid 00000000 vs 00000000/00000000
May 10 17:17:07 gadara pluto[9858]: | p15 state object #3 found, in STATE_MAIN_I2
May 10 17:17:07 gadara pluto[9858]: | processing connection checkpoint-vpn
May 10 17:17:07 gadara pluto[9858]: | processing informational PAYLOAD_MALFORMED (16)
May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: received 1 malformed payload notifies
May 10 17:17:07 gadara pluto[9858]: | complete state transition with STF_IGNORE
May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in 10 seconds for #3


-- 
Luca Arzeni
Tel.: 339 8350298
mailto: l.arzeni@gmail.com
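An added log-triage helper, written here as an example and not taken from Luca's post or from Openswan itself: it correlates pluto's auth.log lines per ISAKMP SA (pluto's "#N" state object number) and reports the phase-1 state in which a peer's informational notify, such as PAYLOAD_MALFORMED (16), arrived, so the failure point is visible without reading the debug output by hand. The sample lines are a constructed excerpt modelled on the log above, and the verdict wording is my own.

```python
import re
from collections import defaultdict
# Syslog line written by pluto: "<ts> <host> pluto[<pid>]: <msg>"; debug output carries a "| " prefix.
PLUTO_RE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: \|? ?(?P<msg>.*)$')
TRANSITION_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): transition from state \S+ to state (?P<state>\S+)')
FOUND_RE = re.compile(r'state object #(?P<sa>\d+) found, in (?P<state>\S+)')
NOTIFY_RE = re.compile(r'processing informational (?P<name>[A-Z_]+) \((?P<code>\d+)\)')
RETRANS_RE = re.compile(r'inserting event EVENT_RETRANSMIT, timeout in \d+ seconds for #(?P<sa>\d+)')

def triage(lines):
    """Correlate pluto log lines per ISAKMP SA; returns {sa_number: {conn, state, notifies, retransmits}}."""
    sas = defaultdict(lambda: {"conn": None, "state": None, "notifies": [], "retransmits": 0})
    current = None  # SA that the following "| ..." debug lines refer to
    for line in lines:
        m = PLUTO_RE.match(line)
        if not m:
            continue  # ipsec_setup / _plutorun lines and anything else are ignored
        msg = m["msg"]
        if t := TRANSITION_RE.search(msg):
            current = int(t["sa"])
            sas[current].update(conn=t["conn"], state=t["state"])
        elif f := FOUND_RE.search(msg):
            current = int(f["sa"])
            sas[current]["state"] = f["state"]
        elif (n := NOTIFY_RE.search(msg)) and current is not None:
            sas[current]["notifies"].append((n["name"], int(n["code"])))
        elif r := RETRANS_RE.search(msg):
            sas[int(r["sa"])]["retransmits"] += 1
    return dict(sas)

def diagnose(summary):
    """One line per SA: the phase-1 state reached and what the peer answered."""
    out = []
    for sa, s in sorted(summary.items()):
        notes = ", ".join(f"{n} ({c})" for n, c in s["notifies"]) or "none"
        if s["notifies"]:
            verdict = "phase 1 stalled: peer replied with an informational notify instead of the next message"
        else:
            verdict = "retransmitting, no reply" if s["retransmits"] else "in progress"
        out.append(f'#{sa} {s["conn"]}: state={s["state"]} notifies={notes} retransmits={s["retransmits"]} -> {verdict}')
    return out

# Constructed sample, modelled on the auth.log excerpt in the post above.
SAMPLE_LOG = """\
May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 10 17:17:07 gadara pluto[9858]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
May 10 17:17:07 gadara pluto[9858]: | p15 state object #3 found, in STATE_MAIN_I2
May 10 17:17:07 gadara pluto[9858]: | processing informational PAYLOAD_MALFORMED (16)
May 10 17:17:07 gadara pluto[9858]: | complete state transition with STF_IGNORE
""".splitlines()
```

Run `diagnose(triage(open("/var/log/auth.log")))` to get the same one-line-per-SA summary for a real log.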