[Openswan Users] Connecting to Checkpoint VPN-1
Eugene Kotlyarov
e.kotlyarov at gmail.com
Sun Apr 5 13:47:40 EDT 2009
do wrote:
>
> Maybe I'm wrong but I think the best way to find your problem(s) is to
> always locate the first error message.
> Shut down the tunnel, start a tshark with -t a to have normal timestamps
> and say ipsec whack --name tunnel_name --debug-all.
> Pull up the tunnel and check the tshark for the first informational packet
> coming, and check its time in your auth.log for what has happened in
> that packet. The reason for your problem should be there.
I think setting plutodebug="all" in ipsec.conf gives the same information. But
anyway, I've fixed the previous problem by setting nat_traversal=no.
Now I have another problem with certificates.
Any ideas what's wrong here?
| an RSA Sig check failure SIG length does not match public key length with
*AQOtGVENk [preloaded key]
"checkpoint-openswan" #1: Signature check (on x.x.119.254) failed (wrong
key?); tried *AQOtGVENk
| public key for x.x.119.254 failed: decrypted SIG payload into a malformed
ECB (SIG length does not match public key length)
| complete state transition with (null)
]: "checkpoint-openswan" #1: sending encrypted notification
INVALID_KEY_INFORMATION to x.x.119.254:500
Current configuration is:
conn checkpoint-openswan
	type=tunnel
	# Left side is Check Point
	left=x.x.119.254
	leftrsasigkey=0x0103A...
	leftsubnet=10.45.0.111/32
	leftsendcert=no
	# Right side is Openswan
	right=77.50.36.0
	# As an alternative, the file itself can be specified
	rightcert=checkpoint_cl_cert.pem
	rightrsasigkey=%cert
	authby=rsasig
	auto=start
	# Optionally specify encryption/hash methods for phase 1 & 2
	ike=3des-md5-modp1024
	esp=aes-sha1
	# Disable Perfect Forward Secrecy if it does not work properly
	pfs=no
	# Optionally enable compression (if it works)
	#compress=yes
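The correlation step from the quoted advice (first informational packet in the tshark capture, then the auth.log lines at that time), written out as an added example. This is not code from the thread or from Openswan; the tshark summary and auth.log lines below are constructed samples in the shape those tools produce, reusing the thread's masked peer address and the two log messages it quotes.

```python
"""Added example (not from the thread): automate the quoted debugging
procedure.  Given `tshark -t a` summary output (absolute time of day) and
the matching auth.log, find the first ISAKMP Informational packet, which is
normally the notification carrying the real error, and pull the Pluto lines
logged within a couple of seconds of it."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `tshark -t a` one-line summaries (not a real capture).
# 77.50.36.0 is the Openswan side from the config, x.x.119.254 the masked peer.
TSHARK_OUTPUT = """\
  1 13:47:40.101000 77.50.36.0 -> x.x.119.254 ISAKMP Identity Protection (Main Mode)
  2 13:47:40.140000 x.x.119.254 -> 77.50.36.0 ISAKMP Identity Protection (Main Mode)
  3 13:47:40.150000 77.50.36.0 -> x.x.119.254 ISAKMP Identity Protection (Main Mode)
  4 13:47:40.210000 x.x.119.254 -> 77.50.36.0 ISAKMP Identity Protection (Main Mode)
  5 13:47:40.220000 77.50.36.0 -> x.x.119.254 ISAKMP Identity Protection (Main Mode)
  6 13:47:40.300000 x.x.119.254 -> 77.50.36.0 ISAKMP Identity Protection (Main Mode)
  7 13:47:40.310000 77.50.36.0 -> x.x.119.254 ISAKMP Informational
"""

# Constructed auth.log sample; the two middle messages are the ones the thread quotes.
AUTH_LOG = """\
Apr  5 13:47:40 vpngw pluto[4321]: "checkpoint-openswan" #1: initiating Main Mode
Apr  5 13:47:40 vpngw pluto[4321]: "checkpoint-openswan" #1: Signature check (on x.x.119.254) failed (wrong key?); tried *AQOtGVENk
Apr  5 13:47:40 vpngw pluto[4321]: "checkpoint-openswan" #1: sending encrypted notification INVALID_KEY_INFORMATION to x.x.119.254:500
Apr  5 13:48:10 vpngw pluto[4321]: "checkpoint-openswan" #1: starting keying attempt 2 of an unlimited number
"""

# frame number, HH:MM:SS.frac, src -> dst, protocol, info
TSHARK_RE = re.compile(r"^\s*\d+\s+(\d{2}:\d{2}:\d{2})\.\d+\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.*)$")
# syslog month/day, HH:MM:SS, host, pluto[pid]: message
AUTH_RE = re.compile(r"^\w{3}\s+\d+\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+pluto\[\d+\]:\s+(.*)$")


def to_seconds(hms: str) -> int:
    """Seconds since midnight for an HH:MM:SS string."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def first_informational(tshark_text: str) -> Optional[Tuple[str, str, str]]:
    """Return (time, src, dst) of the first ISAKMP Informational frame, or None."""
    for line in tshark_text.splitlines():
        m = TSHARK_RE.match(line)
        if m and m.group(4) == "ISAKMP" and m.group(5).startswith("Informational"):
            return m.group(1), m.group(2), m.group(3)
    return None


def pluto_events_near(auth_text: str, hms: str, window: int = 2) -> List[str]:
    """Pluto messages logged within +/- window seconds of hms (syslog has 1 s resolution)."""
    centre = to_seconds(hms)
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m and abs(to_seconds(m.group(1)) - centre) <= window:
            events.append(m.group(2))
    return events


def diagnose(tshark_text: str, auth_text: str) -> Dict[str, object]:
    """Tie the first informational packet to the Pluto log lines around it."""
    hit = first_informational(tshark_text)
    if hit is None:
        return {"informational": None, "events": []}
    hms, src, dst = hit
    return {"informational": {"time": hms, "src": src, "dst": dst},
            "events": pluto_events_near(auth_text, hms)}


if __name__ == "__main__":
    result = diagnose(TSHARK_OUTPUT, AUTH_LOG)
    print("first informational:", result["informational"])
    for event in result["events"]:
        print("  pluto:", event)
```

With the sample data the informational frame at 13:47:40 from the Openswan side lines up with the signature-check failure and the INVALID_KEY_INFORMATION notification; the retry thirty seconds later falls outside the window and is ignored.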
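The failing check itself, "SIG length does not match public key length", as an added example (not code from the thread or from Openswan). A raw RSA signature is always exactly as long as the signer's modulus, so Pluto compares the SIG payload length with the modulus length of the leftrsasigkey it is trying; a mismatch means that key cannot belong to the peer's signing certificate. The parser follows the RFC 3110 layout that Openswan's 0x/0s key strings use; the sample key is constructed (not a real key) with its first bytes chosen to match the id *AQOtGVENk from the log, and the assumption that Pluto's short key id is the base64 of the key blob's leading bytes is labelled in the code.

```python
"""Added example (not from the thread): reproduce the test behind Pluto's
"SIG length does not match public key length".  Parses a leftrsasigkey
value (RFC 3110 format, 0x hex or 0s base64) and compares the modulus
length with the length of the signature the peer sent."""
import base64
from typing import Tuple


def decode_rsasigkey(value: str) -> bytes:
    """Decode the two encodings Pluto accepts for rsasigkey: 0x (hex) or 0s (base64)."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    raise ValueError("rsasigkey must start with 0x or 0s")


def parse_rfc3110(blob: bytes) -> Tuple[int, bytes]:
    """Split an RFC 3110 RSA public key into (exponent, modulus).
    Layout: exponent length (one octet; if that octet is 0x00 the next two
    octets hold the length), then the exponent, then the modulus."""
    if not blob:
        raise ValueError("empty key")
    if blob[0] != 0:
        elen, pos = blob[0], 1
    else:
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        elen, pos = int.from_bytes(blob[1:3], "big"), 3
    exponent = blob[pos:pos + elen]
    modulus = blob[pos + elen:]
    if len(exponent) != elen or not modulus:
        raise ValueError("truncated key")
    return int.from_bytes(exponent, "big"), modulus


def signature_length_ok(sig_len: int, blob: bytes) -> bool:
    """Pluto's test: the SIG payload must be exactly one modulus long.
    A 2048-bit peer key against a 1024-bit leftrsasigkey fails here."""
    _, modulus = parse_rfc3110(blob)
    return sig_len == len(modulus)


def logged_keyid_matches(keyid: str, blob: bytes) -> bool:
    """Compare the short id Pluto logs (e.g. *AQOtGVENk) with the configured key.
    Assumption: the id is the base64 of the key blob's first bytes, which is
    what the thread's *AQOtGVENk vs 0x0103A... shows.  Only whole base64 quads
    of the id are decoded; the trailing partial character is ignored."""
    b64 = keyid.lstrip("*")
    b64 = b64[: len(b64) // 4 * 4]
    return blob.startswith(base64.b64decode(b64))


# Constructed key, NOT a real one: exponent 3 and a 1024-bit modulus whose
# first bytes are chosen so the id matches the one printed in the thread's log.
SAMPLE_KEY = "0x0103" + "ad19510d" + "5a" * 124


if __name__ == "__main__":
    blob = decode_rsasigkey(SAMPLE_KEY)
    e, n = parse_rfc3110(blob)
    print(f"exponent={e} modulus={len(n) * 8} bits")
    for sig_len in (128, 256):
        verdict = "ok" if signature_length_ok(sig_len, blob) else "wrong key or key size"
        print(f"{sig_len}-byte signature: {verdict}")
    print("log id *AQOtGVENk matches config:", logged_keyid_matches("*AQOtGVENk", blob))
```

If the peer's signature length matches a different modulus size than the configured key, the fix is on the key side (a renewed or wrongly exported Check Point certificate, or the wrong leftrsasigkey), not on the proposal side.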