[Openswan Users] Linux (debian lenny) client to Checkpoint Firewall NGx R65 using certificates - secureclient ok, openswan ko - PAYLOAD_MALFORMED
Ondrej Valousek
webserv at s3group.cz
Tue May 11 07:20:27 EDT 2010
Hi Luca,
Make sure you read the article carefully - it contains answers to all
your questions :-)
I wrote this article because that is the way which worked for me.
Ondrej
On 11.05.2010 12:26, Luca Arzeni wrote:
> Thanks Ondrej,
> I've already followed that howto, but it fails. It refers to openswan
> in the header, but in the logs you can see that it's really freeswan.
>
> Can you confirm that you are using openswan?
> What are your openswan and kernel version?
> Are you using netkey or klips for nat traversal?
>
> My guess is that this could be a netkey issue...
> Thanks, Luca
>
> On Tue, May 11, 2010 at 8:36 AM, Ondrej Valousek <webserv at s3group.cz> wrote:
>
> It works fine for me.
> Try this:
> https://gsoc.xelerance.com/projects/openswan/wiki/Connecting_to_the_CheckPoint_VPN-1_NG65_firewall
>
> Ondrej
>
> On 10.05.2010 17:22, Luca Arzeni wrote:
> > Hi there,
> > I'm trying to connect a debian lenny client (Linux 2.6.26-2-amd64 #1
> > SMP x86_64 GNU/Linux) to a Checkpoint Firewall 1 (NGx R65).
> > I'm using openswan 2.4.12 (debian lenny revision is openswan
> > 2.4.12+dfsg-1.3+lenny2)
> > I'm using netkey internal kernel NAT-T, not klips.
> >
> > I can connect using the proprietary checkpoint client application
> > (SecureRemote) without problems.
> > SecureRemote works fine under Windows XP and I was able to setup a
> > connection also from a RedHat73 box using SecureRemote for linux, so
> > the issue is not in the devices between my client and the firewall.
> >
> > I followed various how-tos, but in the end I'm stuck at this point:
> >
> > May 10 16:49:14 gadara pluto[9253]: | p15 state object #1 found, in
> > STATE_MAIN_I2
> > May 10 16:49:14 gadara pluto[9253]: | processing connection checkpoint-vpn
> > May 10 16:49:14 gadara pluto[9253]: | processing informational
> > PAYLOAD_MALFORMED (16)
> > May 10 16:49:14 gadara pluto[9253]: "checkpoint-vpn" #1: received 1
> > malformed payload notifies
> > May 10 16:49:14 gadara pluto[9253]: | complete state transition with
> > STF_IGNORE
> > May 10 16:49:14 gadara pluto[9253]: | next event EVENT_RETRANSMIT in
> > 10 seconds for #1
> >
> > Has anyone succeeded in connecting a Checkpoint R65 to an openswan
> > client?
> > Connection data and log follows... any hint will be appreciated!
> >
> > Thanks, Luca
> >
> > ############################
> > ### this is the /etc/ipsec.conf ###
> > # basic configuration
> > config setup
> >         plutodebug=control
> >         nat_traversal=yes
> >
> > conn checkpoint-vpn
> >         # left is my lenny client
> >         left=%defaultroute
> >         leftcert=/etc/ipsec.d/certs/client-cert.pem
> >         leftrsasigkey=%cert
> >         # right is the checkpoint firewall
> >         right=checkpoint-fw
> >         rightsubnet=192.168.255.0/24
> >         rightcert=/etc/ipsec.d/certs/checkpoint-cert.pem
> >         rightrsasigkey=%cert
> >         auto=start
> >
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > #################################
> > ### this is the /var/log/syslog output ###
> > May 10 16:49:13 gadara ipsec_setup: NETKEY on eth0
> > 192.168.144.162/255.255.255.0 broadcast 192.168.144.255
> > May 10 16:49:13 gadara ipsec_setup: ...Openswan IPsec started
> > May 10 16:49:13 gadara ipsec_setup: Starting Openswan IPsec
> > U2.4.12/K2.6.26-2-amd64...
> > May 10 16:49:14 gadara ipsec__plutorun: 104 "checkpoint-vpn" #1:
> > STATE_MAIN_I1: initiate
> > May 10 16:49:14 gadara ipsec__plutorun: ...could not start conn
> > "checkpoint-vpn"
> >
> > ###################################
> > ### this is the /var/log/auth.log output ###
> >
> > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: transition
> > from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > May 10 17:17:07 gadara pluto[9858]: | sending reply packet to
> > x.y.z.w:500 (from port=500)
> > May 10 17:17:07 gadara pluto[9858]: | sending 292 bytes for
> > STATE_MAIN_I1 through eth0:500 to x.y.z.w:500:
> > May 10 17:17:07 gadara pluto[9858]: | inserting event
> > EVENT_RETRANSMIT, timeout in 10 seconds for #3
> > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3:
> > STATE_MAIN_I2: sent MI2, expecting MR2
> > May 10 17:17:07 gadara pluto[9858]: | modecfg pull: noquirk
> > policy:push not-client
> > May 10 17:17:07 gadara pluto[9858]: | phase 1 is done, looking for
> > phase 1 to unpend
> > May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in
> > 10 seconds for #3
> > May 10 17:17:07 gadara pluto[9858]: |
> > May 10 17:17:07 gadara pluto[9858]: | *received 40 bytes from
> > x.y.z.w:500 on eth0 (port=500)
> > May 10 17:17:07 gadara pluto[9858]: | processing packet with exchange
> > type=ISAKMP_XCHG_INFO (5)
> > May 10 17:17:07 gadara pluto[9858]: | ICOOKIE: 62 d9 1d c3 7c 2c b2 a9
> > May 10 17:17:07 gadara pluto[9858]: | RCOOKIE: fd 0b ef 4b 36 d6 7d 9b
> > May 10 17:17:07 gadara pluto[9858]: | peer: x.y.z.w
> > May 10 17:17:07 gadara pluto[9858]: | state hash entry 29
> > May 10 17:17:07 gadara pluto[9858]: | peer and cookies match on #3,
> > provided msgid 00000000 vs 00000000/00000000
> > May 10 17:17:07 gadara pluto[9858]: | p15 state object #3 found, in
> > STATE_MAIN_I2
> > May 10 17:17:07 gadara pluto[9858]: | processing connection checkpoint-vpn
> > May 10 17:17:07 gadara pluto[9858]: | processing informational
> > PAYLOAD_MALFORMED (16)
> > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: received 1
> > malformed payload notifies
> > May 10 17:17:07 gadara pluto[9858]: | complete state transition with
> > STF_IGNORE
> > May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in
> > 10 seconds for #3
> >
> >
> > --
> > Luca Arzeni
> > Tel.: 339 8350298
> > mailto: l.arzeni at gmail.com
> >
> > === Start-of Internet E-mail Confidentiality Footer ===
> >
> > Unauthorised use of this message or of its attachments is prohibited
> > and may constitute an offence.
> > If you have received this message in error, please inform me and
> > destroy it immediately together with its attachments. The statements
> > contained in this message or in its attachments do not bind Luca
> > Arzeni towards the recipient or third parties. Luca Arzeni accepts no
> > liability for any interception, modification or damage of this
> > message.
> >
> >
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
>
>
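A note on what the 40-byte reply in the auth.log above actually is. pluto sent MI2, the third Main Mode message (KE and nonce, plus NAT-D payloads when both sides agreed on NAT-T in the first exchange), and immediately received an ISAKMP Informational exchange (type 5) with message ID 0 carrying a single Notification payload. A 28-byte ISAKMP header plus a 12-byte Notification payload with an empty SPI and no notification data is exactly 40 bytes (RFC 2408 sections 3.1 and 3.14), so the Check Point side is reporting that it could not parse MI2. Since no phase 1 SA exists yet, that notify is neither encrypted nor authenticated, which is why pluto only logs it, completes the state transition with STF_IGNORE and keeps retransmitting. The decoder below is an added example written for this page, not openswan or Check Point code: it rebuilds such a datagram from the ICOOKIE/RCOOKIE values pluto printed (everything else in the sample is constructed to match the logged size) and parses it back, so the same routine can be pointed at the UDP payload of the real reply taken from a packet capture.

```python
"""Decode an IKEv1 (ISAKMP) Informational exchange that carries a Notification
payload (RFC 2408 sections 3.1 and 3.14).  Added example for this page, not
openswan code: a 28-byte ISAKMP header followed by one 12-byte Notification
with an empty SPI and no data is exactly the 40 bytes pluto logged."""
import struct

# RFC 2408 section 3.14.1, ISAKMP notify message types (error range).
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
    4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
    10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED", 17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
    19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE", 21: "CERT-TYPE-UNSUPPORTED",
    22: "INVALID-CERT-AUTHORITY", 23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION", 27: "NOTIFY-SA-LIFETIME",
    28: "CERTIFICATE-UNAVAILABLE", 29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
}
# RFC 2408 section 3.1: exchange types and payload types.
EXCHANGE_TYPES = {1: "BASE", 2: "IDENTITY-PROTECTION", 3: "AUTH-ONLY",
                  4: "AGGRESSIVE", 5: "INFORMATIONAL"}
PAYLOAD_TYPES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
PAYLOAD_NOTIFICATION, XCHG_INFORMATIONAL, FLAG_ENCRYPTION = 11, 5, 0x01

# Header: I-cookie, R-cookie, next payload, version, exchange, flags, msgid, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Notification fixed part: next, reserved, length, DOI, protocol ID, SPI size, type.
NOTIFY_FIXED = struct.Struct("!BBHIBBH")


def parse_isakmp(data):
    """Parse an ISAKMP datagram; payloads are walked only when the E flag is
    clear.  Every length field is checked against the datagram before use, so
    malformed input raises ValueError instead of being read past its end."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"header length {length} != datagram length {len(data)}")
    if ver >> 4 != 1:
        raise ValueError(f"not IKEv1: major version {ver >> 4}")
    out = {"icookie": icookie.hex(), "rcookie": rcookie.hex(),
           "exchange_type": xchg, "exchange": EXCHANGE_TYPES.get(xchg, f"type-{xchg}"),
           "encrypted": bool(flags & FLAG_ENCRYPTION), "message_id": msgid,
           "notifies": [], "other_payloads": []}
    if out["encrypted"]:
        return out  # ciphertext follows; nothing more is readable without the SA keys
    off, ptype = ISAKMP_HDR.size, nxt
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError(f"payload chain runs past end of datagram at offset {off}")
        nxt, _reserved, plen = struct.unpack_from("!BBH", data, off)
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        if ptype == PAYLOAD_NOTIFICATION:
            if plen < NOTIFY_FIXED.size:
                raise ValueError("Notification payload shorter than its fixed part")
            _, _, _, doi, proto, spi_size, ntype = NOTIFY_FIXED.unpack_from(data, off)
            body = off + NOTIFY_FIXED.size
            if body + spi_size > off + plen:
                raise ValueError("SPI size exceeds Notification payload")
            out["notifies"].append({
                "doi": doi, "protocol_id": proto, "type": ntype,
                "name": NOTIFY_TYPES.get(ntype, f"type-{ntype}"),
                "spi": data[body:body + spi_size],
                "data": data[body + spi_size:off + plen]})
        else:
            out["other_payloads"].append(PAYLOAD_TYPES.get(ptype, f"type-{ptype}"))
        off, ptype = off + plen, nxt
    if off != len(data):
        raise ValueError("trailing bytes after the last payload")
    return out


def build_informational_notify(icookie, rcookie, notify_type):
    """Build the minimal unencrypted Informational a responder sends to reject
    a phase 1 message: DOI 1 (IPsec), protocol 1 (ISAKMP), empty SPI, no data."""
    payload = NOTIFY_FIXED.pack(0, 0, NOTIFY_FIXED.size, 1, 1, 0, notify_type)
    header = ISAKMP_HDR.pack(icookie, rcookie, PAYLOAD_NOTIFICATION, 0x10,
                             XCHG_INFORMATIONAL, 0, 0, ISAKMP_HDR.size + len(payload))
    return header + payload


# Constructed sample: the cookies are the ICOOKIE/RCOOKIE pluto printed for
# state #3; the rest is built to match the 40 bytes it reported receiving.
ICOOKIE = bytes.fromhex("62d91dc37c2cb2a9")
RCOOKIE = bytes.fromhex("fd0bef4b36d67d9b")
SAMPLE = build_informational_notify(ICOOKIE, RCOOKIE, 16)

if __name__ == "__main__":
    parsed = parse_isakmp(SAMPLE)
    for n in parsed["notifies"]:
        print(f"{parsed['exchange']} msgid={parsed['message_id']:08x} "
              f"encrypted={parsed['encrypted']} notify {n['type']} {n['name']}")
```

To work from the real bytes rather than the constructed sample, capture the negotiation with `tcpdump -ni eth0 -s 0 -w ike.pcap udp port 500 or udp port 4500` while `ipsec auto --up checkpoint-vpn` runs, take the UDP payload of the 40-byte reply and pass it to parse_isakmp(); the returned dict shows the DOI, protocol ID, SPI and any notification data the responder attached, and the preceding MI2 in the same capture is the message the peer is complaining about. The parser rejects any datagram whose length fields do not add up instead of reading past them, which is how a decoder fed unauthenticated IKE bytes from the network should behave.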