[Openswan Users] Linux (debian lenny) client to Checkpoint Firewall NGx R65 using certificates - secureclient ok, openswan ko - PAYLOAD_MALFORMED

Luca Arzeni l.arzeni at gmail.com
Tue May 11 06:26:06 EDT 2010


Thanks Ondrej,
I've already followed that howto, but it fails. It refers to openswan in the
header, but in the logs you can see that it's really freeswan.

Can you confirm that you are using openswan?
What are your openswan and kernel versions?
Are you using netkey or klips for nat traversal?

My guess is that this could be a netkey issue...
Thanks, Luca

On Tue, May 11, 2010 at 8:36 AM, Ondrej Valousek <webserv at s3group.cz> wrote:

> It works fine for me.
> Try this:
>
> https://gsoc.xelerance.com/projects/openswan/wiki/Connecting_to_the_CheckPoint_VPN-1_NG65_firewall
>
> Ondrej
>
> On 10.05.2010 17:22, Luca Arzeni wrote:
> > Hi there,
> > I'm trying to connect a debian lenny client (Linux 2.6.26-2-amd64 #1
> > SMP x86_64 GNU/Linux) to a Checkpoint Firewall 1 (NGx R65).
> > I'm using openswan 2.4.12 (debian lenny revision is openswan
> > 2.4.12+dfsg-1.3+lenny2)
> > I'm using netkey internal kernel NAT-T, not klips.
> >
> > I can connect using the proprietary checkpoint client application
> > (SecureRemote) without problems.
> > SecureRemote works fine under Windows XP and I was able to setup a
> > connection also from a RedHat73 box using SecureRemote for linux, so
> > the issue is not in the devices between my client and the firewall.
> >
> > I followed various howtos, but in the end I'm stuck at this point:
> >
> > May 10 16:49:14 gadara pluto[9253]: | p15 state object #1 found, in
> > STATE_MAIN_I2
> > May 10 16:49:14 gadara pluto[9253]: | processing connection
> checkpoint-vpn
> > May 10 16:49:14 gadara pluto[9253]: | processing informational
> > PAYLOAD_MALFORMED (16)
> > May 10 16:49:14 gadara pluto[9253]: "checkpoint-vpn" #1: received 1
> > malformed payload notifies
> > May 10 16:49:14 gadara pluto[9253]: | complete state transition with
> > STF_IGNORE
> > May 10 16:49:14 gadara pluto[9253]: | next event EVENT_RETRANSMIT in
> > 10 seconds for #1
> >
> > Is there anyone successfully connecting a Checkpoint R65 to an openswan
> > client?
> > Connection data and log follows... any hint will be appreciated!
> >
> > Thanks, Luca
> >
> > ############################
> > ### this is the /etc/ipsec.conf ###
> > # basic configuration
> > config setup
> >         plutodebug=control
> >         nat_traversal=yes
> >
> > conn checkpoint-vpn
> >         # left is my lenny client
> >         left=%defaultroute
> >         leftcert=/etc/ipsec.d/certs/client-cert.pem
> >         leftrsasigkey=%cert
> >         # right is the checkpoint firewall
> >         right=checkpoint-fw
> >         rightsubnet=192.168.255.0/24
> >         rightcert=/etc/ipsec.d/certs/checkpoint-cert.pem
> >         rightrsasigkey=%cert
> >         auto=start
> >
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > #################################
> > ### this is the /var/log/syslog output ###
> > May 10 16:49:13 gadara ipsec_setup: NETKEY on eth0
> > 192.168.144.162/255.255.255.0
> > broadcast 192.168.144.255
> > May 10 16:49:13 gadara ipsec_setup: ...Openswan IPsec started
> > May 10 16:49:13 gadara ipsec_setup: Starting Openswan IPsec
> > U2.4.12/K2.6.26-2-amd64...
> > May 10 16:49:14 gadara ipsec__plutorun: 104 "checkpoint-vpn" #1:
> > STATE_MAIN_I1: initiate
> > May 10 16:49:14 gadara ipsec__plutorun: ...could not start conn
> > "checkpoint-vpn"
> >
> > ###################################
> > ### this is the /var/log/auth.log output ###
> >
> > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: transition
> > from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > May 10 17:17:07 gadara pluto[9858]: | sending reply packet to
> > x.y.z.w:500 (from port=500)
> > May 10 17:17:07 gadara pluto[9858]: | sending 292 bytes for
> > STATE_MAIN_I1 through eth0:500 to x.y.z.w:500:
> > May 10 17:17:07 gadara pluto[9858]: | inserting event
> > EVENT_RETRANSMIT, timeout in 10 seconds for #3
> > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3:
> > STATE_MAIN_I2: sent MI2, expecting MR2
> > May 10 17:17:07 gadara pluto[9858]: | modecfg pull: noquirk
> > policy:push not-client
> > May 10 17:17:07 gadara pluto[9858]: | phase 1 is done, looking for
> > phase 1 to unpend
> > May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in
> > 10 seconds for #3
> > May 10 17:17:07 gadara pluto[9858]: |
> > May 10 17:17:07 gadara pluto[9858]: | *received 40 bytes from
> > x.y.z.w:500 on eth0 (port=500)
> > May 10 17:17:07 gadara pluto[9858]: |  processing packet with exchange
> > type=ISAKMP_XCHG_INFO (5)
> > May 10 17:17:07 gadara pluto[9858]: | ICOOKIE:  62 d9 1d c3  7c 2c b2 a9
> > May 10 17:17:07 gadara pluto[9858]: | RCOOKIE:  fd 0b ef 4b  36 d6 7d 9b
> > May 10 17:17:07 gadara pluto[9858]: | peer:  x.y.z.w
> > May 10 17:17:07 gadara pluto[9858]: | state hash entry 29
> > May 10 17:17:07 gadara pluto[9858]: | peer and cookies match on #3,
> > provided msgid 00000000 vs 00000000/00000000
> > May 10 17:17:07 gadara pluto[9858]: | p15 state object #3 found, in
> > STATE_MAIN_I2
> > May 10 17:17:07 gadara pluto[9858]: | processing connection
> checkpoint-vpn
> > May 10 17:17:07 gadara pluto[9858]: | processing informational
> > PAYLOAD_MALFORMED (16)
> > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: received 1
> > malformed payload notifies
> > May 10 17:17:07 gadara pluto[9858]: | complete state transition with
> > STF_IGNORE
> > May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in
> > 10 seconds for #3
> >
> >
> > --
> > Luca Arzeni
> > Tel.: 339 8350298
> > mailto: l.arzeni at gmail.com
> >
> > === Start-of Internet E-mail Confidentiality Footer ===
> >
> > Unauthorized use of this message or of its attachments is prohibited
> > and may constitute a criminal offence.
> > If you have received this message in error, please inform me and
> > destroy it immediately together with its attachments. The statements
> > contained in this message or in its attachments do not bind Luca
> > Arzeni towards the recipient or third parties. Luca Arzeni assumes
> > no responsibility for any interception, modification or damage
> > of this message.
> >
> >
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
>
>
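The packet pluto reports as "received 40 bytes ... ISAKMP_XCHG_INFO (5) ... PAYLOAD_MALFORMED (16)" is the smallest possible IKEv1 Informational exchange: a 28-byte ISAKMP header followed by a 12-byte Notification payload with no SPI and no data. The decoder below shows how those 40 bytes break down and why a peer's notify is readable before phase 1 has finished. This is an added example written for this page, not code from the thread or from Openswan: the two cookies are copied from the log, the sample packet itself is constructed here with `build_notify` (it is not a capture), the field layouts follow RFC 2408, and the notify-type table is a subset of the RFC's list.

```python
"""Decode a plaintext IKEv1 (ISAKMP, RFC 2408) Informational exchange that
carries a Notification payload, i.e. the shape of the 40-byte packet pluto
logged.  The sample packet is constructed from the cookies in the log."""
import struct

# 28-byte ISAKMP header: I-cookie, R-cookie, next payload, version, exchange
# type, flags, message ID, total length (RFC 2408 section 3.1).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# 12-byte fixed part of a Notification payload: generic payload header
# (next, reserved, length) + DOI, protocol-id, SPI size, notify type (s.3.14).
NOTIFY_FIXED = struct.Struct("!BBHIBBH")

XCHG_INFORMATIONAL = 5
PAYLOAD_NONE, PAYLOAD_NOTIFICATION = 0, 11
FLAG_ENCRYPTION = 0x01
DOI_IPSEC, PROTO_ISAKMP = 1, 1

# Subset of the RFC 2408 notify message types that matter for phase-1 failures.
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 4: "INVALID-COOKIE", 7: "INVALID-EXCHANGE-TYPE",
    9: "INVALID-MESSAGE-ID", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION", 19: "INVALID-CERT-ENCODING",
    20: "INVALID-CERTIFICATE", 22: "INVALID-CERT-AUTHORITY", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE",
}


class IsakmpError(ValueError):
    """Raised when the bytes do not decode as a plaintext informational."""


def build_notify(icookie: bytes, rcookie: bytes, ntype: int, msgid: int = 0) -> bytes:
    """Header + one Notification payload (no SPI, no notification data)."""
    notify = NOTIFY_FIXED.pack(PAYLOAD_NONE, 0, NOTIFY_FIXED.size,
                               DOI_IPSEC, PROTO_ISAKMP, 0, ntype)
    length = ISAKMP_HDR.size + len(notify)
    hdr = ISAKMP_HDR.pack(icookie, rcookie, PAYLOAD_NOTIFICATION, 0x10,
                          XCHG_INFORMATIONAL, 0, msgid, length)
    return hdr + notify


def parse_informational(pkt: bytes) -> dict:
    """Decode the header and walk the payload chain, bounds-checking every length."""
    if len(pkt) < ISAKMP_HDR.size:
        raise IsakmpError("short header")
    icookie, rcookie, nxt, version, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(pkt, 0)
    if length != len(pkt):
        raise IsakmpError(f"header length {length} != datagram length {len(pkt)}")
    if version >> 4 != 1:
        raise IsakmpError(f"not ISAKMP v1: major version {version >> 4}")
    if xchg != XCHG_INFORMATIONAL:
        raise IsakmpError(f"exchange type {xchg} is not Informational")
    if flags & FLAG_ENCRYPTION:
        # Under an established ISAKMP SA informationals are encrypted; without
        # the phase-1 keys there is nothing honest to decode.
        raise IsakmpError("encrypted informational: needs the phase-1 keys")

    notifies, offset, ptype = [], ISAKMP_HDR.size, nxt
    while ptype != PAYLOAD_NONE:
        if offset + 4 > len(pkt):
            raise IsakmpError("payload chain runs past end of packet")
        nxt, _reserved, plen = struct.unpack_from("!BBH", pkt, offset)
        if plen < 4 or offset + plen > len(pkt):
            raise IsakmpError(f"payload length {plen} at offset {offset} out of bounds")
        if ptype == PAYLOAD_NOTIFICATION:
            if plen < NOTIFY_FIXED.size:
                raise IsakmpError("notification payload shorter than its fixed part")
            *_, doi, proto, spi_size, ntype = NOTIFY_FIXED.unpack_from(pkt, offset)
            spi_start = offset + NOTIFY_FIXED.size
            spi_end = spi_start + spi_size
            if spi_end > offset + plen:
                raise IsakmpError("SPI size exceeds payload")
            notifies.append({
                "doi": doi, "protocol_id": proto, "spi": pkt[spi_start:spi_end],
                "type": ntype, "name": NOTIFY_TYPES.get(ntype, f"UNKNOWN({ntype})"),
                "data": pkt[spi_end:offset + plen],
            })
        offset, ptype = offset + plen, nxt
    if offset != len(pkt):
        raise IsakmpError(f"{len(pkt) - offset} trailing bytes after last payload")
    return {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "msgid": msgid,
            "encrypted": False, "notifies": notifies}


def rejects(pkt: bytes) -> bool:
    """True if the decoder refuses the packet instead of decoding it."""
    try:
        parse_informational(pkt)
    except IsakmpError:
        return True
    return False


# Constructed sample: cookies from the pluto log, type 16 = PAYLOAD-MALFORMED,
# message ID 0 exactly as the log shows ("provided msgid 00000000").
SAMPLE_PKT = build_notify(bytes.fromhex("62d91dc37c2cb2a9"),
                          bytes.fromhex("fd0bef4b36d67d9b"), 16)

if __name__ == "__main__":
    d = parse_informational(SAMPLE_PKT)
    print(len(SAMPLE_PKT), "bytes, msgid", d["msgid"], "->", [n["name"] for n in d["notifies"]])
```

Run stand-alone it reports a 40-byte packet with message ID 0 carrying one PAYLOAD-MALFORMED notify, which is what pluto matched against state #3. The message ID is zero and the encryption flag is clear because no ISAKMP SA exists yet at STATE_MAIN_I2, so the peer can only send its complaint in the clear; the decoder refuses encrypted informationals and length fields that point outside the datagram rather than guessing, the same discipline pluto applies before it counts a "malformed payload notify".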

