<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000066" bgcolor="#ffffff">
Hi Luca,<br>
<br>
You definitely need to enable pluto to send more debugging messages.<br>
This way we do not even know what it is trying to do.<br>
Also, at this IKE stage the kernel version is not relevant, as pluto is
fully in charge of the VPN negotiation.<br>
<br>
Ondrej<br>
<br>
On 11.05.2010 17:36, Luca Arzeni wrote:
<blockquote
cite="mid:AANLkTikllTWyicNmRxUFyspZXnXI58JlF1QQJkWCUuvF@mail.gmail.com"
type="cite">Thanks Ondrej,<br>
you are right, I've read so many articles that I was confused.<br>
Anyway, from your article I understand that:<br>
You are using openswan 2.6.21 on a linux kernel 2.6.18, with netkey.<br>
<br>
I'm on a Debian lenny with kernel 2.6.26-2-amd64. I was using the
debian-provided openswan 2.4.12 using netkey.<br>
<br>
My kernel is newer than the Centos that you've used. I downloaded the
latest openswan (2.6.25) and tested with it.<br>
<br>
Problem is still here. Do you have any other hint? I wouldn't like to
install Centos to open this vpn...<br>
<br>
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1:
initiating Main Mode<br>
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<br>
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: enabling
possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05<br>
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1:
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1:
STATE_MAIN_I2: sent MI2, expecting MR2<br>
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: received
1 malformed payload notifies<br>
May 11 16:34:10 gadara pluto[19323]: shutting down<br>
<br>
Thanks, Luca<br>
<br>
<br>
<div class="gmail_quote">On Tue, May 11, 2010 at 1:20 PM, Ondrej
Valousek <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:webserv@s3group.cz">webserv@s3group.cz</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi
Luca,<br>
<br>
Make sure you read the article carefully - it contains answers to all
your questions :-)<br>
I have made this article as it was the way which worked for me.<br>
<br>
Ondrej
<div class="im"><br>
<br>
<br>
On 11.05.2010 12:26, Luca Arzeni wrote:<br>
</div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">Thanks Ondrej,<br>
I've already followed that howto, but it fails. It refers to openswan
in the header, but in the logs you can see that it's really a freeswan.<br>
<br>
Can you confirm that you are using openswan?<br>
What are your openswan and kernel version?<br>
Are you using netkey or klips for nat traversal?<br>
<br>
My guess is that this could be a netkey issue...<br>
Thanks, Luca<br>
<br>
</div>
<div>
<div class="h5">On Tue, May 11, 2010 at 8:36 AM, Ondrej Valousek
<<a moz-do-not-send="true" href="mailto:webserv@s3group.cz"
target="_blank">webserv@s3group.cz</a>>
wrote:<br>
<br>
It works fine for me.<br>
Try this:<br>
<a moz-do-not-send="true"
href="https://gsoc.xelerance.com/projects/openswan/wiki/Connecting_to_the_CheckPoint_VPN-1_NG65_firewall"
target="_blank">https://gsoc.xelerance.com/projects/openswan/wiki/Connecting_to_the_CheckPoint_VPN-1_NG65_firewall</a><br>
<br>
Ondrej<br>
<br>
On 10.05.2010 17:22, Luca Arzeni wrote:<br>
> Hi there,<br>
> I'm trying to connect a debian lenny client (Linux
2.6.26-2-amd64 #1<br>
> SMP x86_64 GNU/Linux) to a Checkpoint Firewall 1 (NGx R65).<br>
> I'm using openswan 2.4.12 (debian lenny revision is openswan<br>
> 2.4.12+dfsg-1.3+lenny2)<br>
> I'm using netkey internal kernel NAT-T, not klips.<br>
><br>
> I can connect using the proprietary checkpoint client
application<br>
> (SecureRemote) without problems.<br>
> SecureRemote works fine under Windows XP and I was able to
setup a<br>
> connection also from a RedHat73 box using SecureRemote for
linux, so<br>
> the issue is not in the devices between my client and the
firewall.<br>
><br>
> I followed various how-tos, but in the end I'm stuck at this
point:<br>
><br>
> May 10 16:49:14 gadara pluto[9253]: | p15 state object #1
found, in<br>
> STATE_MAIN_I2<br>
> May 10 16:49:14 gadara pluto[9253]: | processing connection<br>
checkpoint-vpn<br>
> May 10 16:49:14 gadara pluto[9253]: | processing informational<br>
> PAYLOAD_MALFORMED (16)<br>
> May 10 16:49:14 gadara pluto[9253]: "checkpoint-vpn" #1:
received 1<br>
> malformed payload notifies<br>
> May 10 16:49:14 gadara pluto[9253]: | complete state transition
with<br>
> STF_IGNORE<br>
> May 10 16:49:14 gadara pluto[9253]: | next event
EVENT_RETRANSMIT in<br>
> 10 seconds for #1<br>
><br>
> Is there anyone successfully connecting a Checkpoint R65 to an<br>
openswan<br>
> client?<br>
> Connection data and log follows... any hint will be appreciated!<br>
><br>
> Thanks, Luca<br>
><br>
> ############################<br>
> ### this is the /etc/ipsec.conf ###<br>
> # basic configuration<br>
> config setup<br>
> plutodebug=control<br>
> nat_traversal=yes<br>
><br>
> conn checkpoint-vpn<br>
> # left is my lenny client<br>
> left=%defaultroute<br>
> leftcert=/etc/ipsec.d/certs/client-cert.pem<br>
> leftrsasigkey=%cert<br>
> # right is the checkpoint firewall<br>
> right=checkpoint-fw<br>
> rightsubnet=192.168.255.0/24<br>
> rightcert=/etc/ipsec.d/certs/checkpoint-cert.pem<br>
> rightrsasigkey=%cert<br>
> auto=start<br>
><br>
> #Disable Opportunistic Encryption<br>
> include /etc/ipsec.d/examples/no_oe.conf<br>
><br>
> #################################<br>
> ### this is the /var/log/syslog output ###<br>
> May 10 16:49:13 gadara ipsec_setup: NETKEY on eth0<br>
> 192.168.144.162/255.255.255.0<br>
> broadcast 192.168.144.255<br>
> May 10 16:49:13 gadara ipsec_setup: ...Openswan IPsec started<br>
> May 10 16:49:13 gadara ipsec_setup: Starting Openswan IPsec<br>
> U2.4.12/K2.6.26-2-amd64...<br>
> May 10 16:49:14 gadara ipsec__plutorun: 104 "checkpoint-vpn" #1:<br>
> STATE_MAIN_I1: initiate<br>
> May 10 16:49:14 gadara ipsec__plutorun: ...could not start conn<br>
> "checkpoint-vpn"<br>
><br>
> ###################################<br>
> ### this is the /var/log/auth.log output ###<br>
><br>
> May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3:
transition<br>
> from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>
> May 10 17:17:07 gadara pluto[9858]: | sending reply packet to<br>
> x.y.z.w:500 (from port=500)<br>
> May 10 17:17:07 gadara pluto[9858]: | sending 292 bytes for<br>
> STATE_MAIN_I1 through eth0:500 to x.y.z.w:500:<br>
> May 10 17:17:07 gadara pluto[9858]: | inserting event<br>
> EVENT_RETRANSMIT, timeout in 10 seconds for #3<br>
> May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3:<br>
> STATE_MAIN_I2: sent MI2, expecting MR2<br>
> May 10 17:17:07 gadara pluto[9858]: | modecfg pull: noquirk<br>
> policy:push not-client<br>
> May 10 17:17:07 gadara pluto[9858]: | phase 1 is done, looking
for<br>
> phase 1 to unpend<br>
> May 10 17:17:07 gadara pluto[9858]: | next event
EVENT_RETRANSMIT in<br>
> 10 seconds for #3<br>
> May 10 17:17:07 gadara pluto[9858]: |<br>
> May 10 17:17:07 gadara pluto[9858]: | *received 40 bytes from<br>
> x.y.z.w:500 on eth0 (port=500)<br>
> May 10 17:17:07 gadara pluto[9858]: | processing packet with<br>
exchange<br>
> type=ISAKMP_XCHG_INFO (5)<br>
> May 10 17:17:07 gadara pluto[9858]: | ICOOKIE: 62 d9 1d c3 7c<br>
2c b2 a9<br>
> May 10 17:17:07 gadara pluto[9858]: | RCOOKIE: fd 0b ef 4b 36<br>
d6 7d 9b<br>
> May 10 17:17:07 gadara pluto[9858]: | peer: x.y.z.w<br>
> May 10 17:17:07 gadara pluto[9858]: | state hash entry 29<br>
> May 10 17:17:07 gadara pluto[9858]: | peer and cookies match on
#3,<br>
> provided msgid 00000000 vs 00000000/00000000<br>
> May 10 17:17:07 gadara pluto[9858]: | p15 state object #3
found, in<br>
> STATE_MAIN_I2<br>
> May 10 17:17:07 gadara pluto[9858]: | processing connection<br>
checkpoint-vpn<br>
> May 10 17:17:07 gadara pluto[9858]: | processing informational<br>
> PAYLOAD_MALFORMED (16)<br>
> May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3:
received 1<br>
> malformed payload notifies<br>
> May 10 17:17:07 gadara pluto[9858]: | complete state transition
with<br>
> STF_IGNORE<br>
> May 10 17:17:07 gadara pluto[9858]: | next event
EVENT_RETRANSMIT in<br>
> 10 seconds for #3<br>
><br>
><br>
> --<br>
> Luca Arzeni<br>
> Tel.: 339 8350298<br>
> mailto: <a moz-do-not-send="true"
href="mailto:l.arzeni@gmail.com" target="_blank">l.arzeni@gmail.com</a><br>
><br>
> === Start-of Internet E-mail Confidentiality Footer ===<br>
><br>
> Unauthorised use of this message or of its attachments is<br>
> prohibited and may constitute a criminal offence.<br>
> If you have received this message in error, please inform me and<br>
> destroy it immediately together with its attachments. The statements<br>
> contained in this message or in its attachments do not bind Luca<br>
> Arzeni towards the recipient or third parties. Luca Arzeni does not<br>
> accept any liability for any interception, modification<br>
> or damage of this message.<br>
><br>
><br>
> _______________________________________________<br>
</div>
</div>
> <a moz-do-not-send="true" href="mailto:Users@openswan.org"
target="_blank">Users@openswan.org</a>
<div class="im"><br>
> <a moz-do-not-send="true"
href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
> Building and Integrating Virtual Private Networks with Openswan:<br>
><br>
<a moz-do-not-send="true"
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155"
target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
><br>
<br>
</div>
<div class="im"><br>
</div>
</blockquote>
<br>
</blockquote>
</div>
<br>
</blockquote>
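As an added example (not part of the thread, and not Openswan's own code), a small triage script that walks pluto log lines like the ones Luca quoted, follows each ISAKMP SA through its Main Mode states, and reports in which state the "malformed payload notifies" line appeared, i.e. which initiator message the peer rejected. The sample log is constructed from the quoted lines, and the names SAMPLE_LOG, LAST_SENT and triage_pluto_log are chosen here.<br>

```python
import re

# Constructed sample, modelled on the pluto lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: initiating Main Mode
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: received 1 malformed payload notifies
May 11 16:34:10 gadara pluto[19323]: shutting down
"""

# Which Main Mode message the initiator has most recently sent in each state (RFC 2409 exchange order).
LAST_SENT = {
    "STATE_MAIN_I1": "MI1 (SA proposal)",
    "STATE_MAIN_I2": "MI2 (KE + nonce)",
    "STATE_MAIN_I3": "MI3 (identity + authentication)",
}

SA_LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r"transition from state (\S+) to state (\S+)")
MALFORMED = re.compile(r"received (\d+) malformed payload notifies")


def triage_pluto_log(text):
    """Follow each ISAKMP SA through its state changes and record where malformed-payload notifies arrived."""
    state = {}     # (conn, sa#) -> last state reached
    findings = []  # one entry per "received N malformed payload notifies" line
    for line in text.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue  # daemon-level lines such as "shutting down" carry no SA
        key, msg = (m["conn"], int(m["sa"])), m["msg"]
        if msg.startswith("initiating Main Mode"):
            state[key] = "STATE_MAIN_I1"  # MI1 goes out as the SA is created
        t = TRANSITION.search(msg)
        if t:
            state[key] = t.group(2)
        n = MALFORMED.search(msg)
        if n:
            cur = state.get(key, "unknown")
            findings.append({"conn": key[0], "sa": key[1], "count": int(n.group(1)),
                             "state": cur, "rejected": LAST_SENT.get(cur, "unknown")})
    return {"state": state, "findings": findings}


if __name__ == "__main__":
    for f in triage_pluto_log(SAMPLE_LOG)["findings"]:
        print(f'{f["conn"]} #{f["sa"]}: PAYLOAD_MALFORMED arrived in {f["state"]}; '
              f'the peer rejected {f["rejected"]}')
```

On the quoted log it reports that the notify arrived in STATE_MAIN_I2, right after MI2 (KE + nonce) went out, which is the exchange step to look at once the extra pluto debugging Ondrej asks for is enabled.<br>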
<br>
</body>
</html>