[Openswan Users] Connecting to Checkpoint VPN-1
Eugene Kotlyarov
e.kotlyarov at gmail.com
Thu Apr 9 13:26:55 EDT 2009
Paul Wouters wrote:
> On Sat, 4 Apr 2009, Eugene Kotlyarov wrote:
>
>> Apr 4 13:16:25 ekot-desktop pluto[12543]: "checkpoint-openswan" #1:
>> STATE_MAIN_I2: sent MI2, expecting MR2
>> Apr 4 13:16:25 ekot-desktop pluto[12543]: "checkpoint-openswan" #1: more
>> than 20 payloads in message; ignored
>
> That's a lot of payloads.... You can try upping the limit of 20 by
> editing programs/pluto/demux.h and changing PAYLIMIT to something
> higher, but I'm not sure if that will resolve your problem. It would
> be interesting to see what on earth it is sending as payloads though,
> so the logs of a connection after you raised the PAYLIMIT would be
> appreciated.
If I am not wrong, there were 20 ISAKMP_NEXT_NAT-D payloads up to the end of the block; I've checked the raw message and there were 20-byte blocks starting with 82 00 00 14.
But I've fixed it by setting nat_traversal=no, and now there is another problem. It doesn't want to take the certificate.
Any ideas how to make it work?
Apr 9 21:20:53 ekot-desktop pluto[20596]: "checkpoint-openswan" #1: initiating Main Mode
Apr 9 21:20:53 ekot-desktop pluto[20596]: "checkpoint-openswan" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 9 21:20:53 ekot-desktop pluto[20596]: "checkpoint-openswan" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 9 21:20:53 ekot-desktop pluto[20596]: "checkpoint-openswan" #1: I am sending my cert
Apr 9 21:20:53 ekot-desktop pluto[20596]: "checkpoint-openswan" #1: I am sending a certificate request
Apr 9 21:20:53 ekot-desktop pluto[20596]: "checkpoint-openswan" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 9 21:20:53 ekot-desktop pluto[20596]: "checkpoint-openswan" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 9 21:20:53 ekot-desktop pluto[20596]: "checkpoint-openswan" #1: Main mode peer ID is ID_IPV4_ADDR: 'x.x.119.254'
Apr 9 21:20:53 ekot-desktop pluto[20596]: "checkpoint-openswan" #1: no crl from issuer "O=cpmng..b3s9qc" found (strict=no)
Apr 9 21:20:53 ekot-desktop pluto[20596]: "checkpoint-openswan" #1: we require peer to have ID 'O=cpmng..b3s9qc', but peer declares 'x.x.119.254'
Apr 9 21:20:53 ekot-desktop pluto[20596]: "checkpoint-openswan" #1: sending encrypted notification INVALID_ID_INFORMATION to x.x.119.254:500
My config is:
conn checkpoint-openswan
        type=tunnel
        # Left side is Check Point
        left=x.x.119.254
        leftcert=checkpoint_ca_cert.pem
        leftrsasigkey=0x0103...
        leftca="O=cpmng..b3s9qc"
        #leftid="CN=cpcluster VPN Certificate,O=cpmng..b3s9qc"
        #leftid=x.x.119.254
        #leftrsasigkey=%cert
        #leftsubnet=10.45.0.111/32
        #leftsendcert=no
        # Right side is OpenSwan
        right=77.50.36.0
        # As an alternative, the file itself can be specified
        rightcert=checkpoint_cl_cert.pem
        rightrsasigkey=%cert
        authby=rsasig
        auto=start
        # Optional: specify encryption/hash methods for phase 1 & 2
        ike=3des-md5-modp1024
        esp=aes-sha1
        # Disable Perfect Forward Secrecy if not working properly
        pfs=no
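As an added example (not code from this thread or from Openswan itself), a small Python walker over the ISAKMP next-payload chain that reproduces the check behind "more than 20 payloads in message; ignored": it counts payloads the way pluto's PAYLIMIT does and shows how twenty 20-byte draft NAT-D payloads (the "82 00 00 14" blocks mentioned above) push a Main Mode message over the cap. The message it parses is constructed inline; the cookies, KE and nonce bytes are placeholders, and the payload-type numbers are the standard ISAKMP/NAT-T values.

```python
import struct

ISAKMP_HDR_LEN = 28          # RFC 2408 fixed header
PAYLIMIT = 20                # pluto's cap in programs/pluto/demux.h, as cited in the thread
NAT_D_DRAFT = 0x82           # NAT-D payload type (130) from the draft NAT-T IDs
PAYLOAD_NAMES = {4: "KE", 10: "NONCE", NAT_D_DRAFT: "NAT-D(draft)", 20: "NAT-D(RFC3947)"}

def walk_payloads(msg):
    """Follow the next-payload chain and return a list of (type, length).
    Raises ValueError on a truncated or inconsistent message so that a
    malformed chain is rejected rather than silently accepted."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    np_, total = msg[16], struct.unpack("!I", msg[24:28])[0]
    if total != len(msg):
        raise ValueError("header length %d != %d bytes received" % (total, len(msg)))
    off, chain = ISAKMP_HDR_LEN, []
    while np_ != 0:
        if off + 4 > len(msg):
            raise ValueError("payload header truncated at offset %d" % off)
        nxt, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        chain.append((np_, plen))
        np_, off = nxt, off + plen
    return chain

def count_by_type(chain):
    counts = {}
    for ptype, _ in chain:
        counts[ptype] = counts.get(ptype, 0) + 1
    return counts

def exceeds_paylimit(chain, limit=PAYLIMIT):
    """True when pluto would log 'more than N payloads in message; ignored'."""
    return len(chain) > limit

def build_demo_message(nat_d_count=20):
    """Constructed Main Mode message (not a real capture): KE, NONCE, then
    nat_d_count draft NAT-D payloads, each 4-byte header + 16-byte hash = 20 bytes."""
    payloads = [(4, b"\x11" * 128), (10, b"\x22" * 16)]          # placeholder KE/nonce bodies
    payloads += [(NAT_D_DRAFT, bytes([i & 0xFF]) * 16) for i in range(nat_d_count)]
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0  # 0x82 chains NAT-D to NAT-D
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    hdr = struct.pack("!8s8sBBBBII", b"\xaa" * 8, b"\xbb" * 8, payloads[0][0],
                      0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(body))  # version 1.0, Main Mode
    return hdr + body

if __name__ == "__main__":
    chain = walk_payloads(build_demo_message())
    print(len(chain), "payloads:", {PAYLOAD_NAMES.get(t, t): n for t, n in count_by_type(chain).items()})
    print("pluto would ignore this message:", exceeds_paylimit(chain))
```

With the default 20 NAT-D payloads the chain holds 22 payloads, so the message is over PAYLIMIT; with nat_traversal=no the NAT-D payloads are never sent and the same message parses to 2.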