[Openswan Users] Linux (debian lenny) client to Checkpoint Firewall NGx R65 using certificates - secureclient ok, openswan ko - PAYLOAD_MALFORMED

Luca Arzeni l.arzeni at gmail.com
Tue May 11 11:36:29 EDT 2010


Thanks Ondrej,
you are right, I've read so many articles that I was confused.
Anyway, from your article I understand that:
You are using openswan 2.6.21 on a linux kernel 2.6.18, with netkey.

I'm on a Debian lenny with kernel 2.6.26-2-amd64. I was using the
debian-provided openswan 2.4.12 using netkey.

My kernel is newer than the CentOS one you've used. I downloaded the latest
openswan (2.6.25) and tested with it.

Problem is still here. Do you have any other hint? I wouldn't like to
install CentOS to open this vpn...

May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: initiating Main Mode
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: received 1 malformed payload notifies
May 11 16:34:10 gadara pluto[19323]: shutting down

Thanks, Luca


On Tue, May 11, 2010 at 1:20 PM, Ondrej Valousek <webserv at s3group.cz> wrote:

> Hi Luca,
>
> Make sure you read the article carefully - it contains answers to all your
> questions :-)
> I have made this article as it was the way which worked for me.
>
> Ondrej
>
>
>
> On 11.05.2010 12:26, Luca Arzeni wrote:
>
>> Thanks Ondrej,
>> I've already followed that howto, but it fails. It refers to openswan in
>> the header, but in the logs you can see that it's really a freeswan.
>>
>> Can you confirm that you are using openswan?
>> What are your openswan and kernel version?
>> Are you using netkey or klips for nat traversal?
>>
>> My guess is that this could be a netkey issue...
>> Thanks, Luca
>>
>> On Tue, May 11, 2010 at 8:36 AM, Ondrej Valousek <webserv at s3group.cz> wrote:
>>
>>    It works fine for me.
>>    Try this:
>>
>> https://gsoc.xelerance.com/projects/openswan/wiki/Connecting_to_the_CheckPoint_VPN-1_NG65_firewall
>>
>>    Ondrej
>>
>>    On 10.05.2010 17:22, Luca Arzeni wrote:
>>    > Hi there,
>>    > I'm trying to connect a debian lenny client (Linux 2.6.26-2-amd64 #1
>>    > SMP x86_64 GNU/Linux) to a Checkpoint Firewall 1 (NGx R65).
>>    > I'm using openswan 2.4.12 (debian lenny revision is openswan
>>    > 2.4.12+dfsg-1.3+lenny2)
>>    > I'm using netkey internal kernel NAT-T, not klips.
>>    >
>>    > I can connect using the proprietary checkpoint client application
>>    > (SecureRemote) without problems.
>>    > SecureRemote works fine under Windows XP and I was able to setup a
>>    > connection also from a RedHat73 box using SecureRemote for linux, so
>>    > the issue is not in the devices between my client and the firewall.
>>    >
>>    > I followed various howtos, but in the end I'm stuck at this point:
>>    >
>>    > May 10 16:49:14 gadara pluto[9253]: | p15 state object #1 found, in STATE_MAIN_I2
>>    > May 10 16:49:14 gadara pluto[9253]: | processing connection checkpoint-vpn
>>    > May 10 16:49:14 gadara pluto[9253]: | processing informational PAYLOAD_MALFORMED (16)
>>    > May 10 16:49:14 gadara pluto[9253]: "checkpoint-vpn" #1: received 1 malformed payload notifies
>>    > May 10 16:49:14 gadara pluto[9253]: | complete state transition with STF_IGNORE
>>    > May 10 16:49:14 gadara pluto[9253]: | next event EVENT_RETRANSMIT in 10 seconds for #1
>>    >
>>    > Is there anyone successfully connecting a Checkpoint R65 to an openswan client?
>>    > Connection data and log follows... any hint will be appreciated!
>>    >
>>    > Thanks, Luca
>>    >
>>    > ############################
>>    > ### this is the /etc/ipsec.conf ###
>>    > # basic configuration
>>    > config setup
>>    >         plutodebug=control
>>    >         nat_traversal=yes
>>    >
>>    > conn checkpoint-vpn
>>    >         # left is my lenny client
>>    >         left=%defaultroute
>>    >         leftcert=/etc/ipsec.d/certs/client-cert.pem
>>    >         leftrsasigkey=%cert
>>    >         # right is the checkpoint firewall
>>    >         right=checkpoint-fw
>>    >         rightsubnet=192.168.255.0/24
>>    >         rightcert=/etc/ipsec.d/certs/checkpoint-cert.pem
>>    >         rightrsasigkey=%cert
>>    >         auto=start
>>    >
>>    > #Disable Opportunistic Encryption
>>    > include /etc/ipsec.d/examples/no_oe.conf
>>    >
>>    > #################################
>>    > ### this is the /var/log/syslog output ###
>>    > May 10 16:49:13 gadara ipsec_setup: NETKEY on eth0 192.168.144.162/255.255.255.0 broadcast 192.168.144.255
>>    > May 10 16:49:13 gadara ipsec_setup: ...Openswan IPsec started
>>    > May 10 16:49:13 gadara ipsec_setup: Starting Openswan IPsec U2.4.12/K2.6.26-2-amd64...
>>    > May 10 16:49:14 gadara ipsec__plutorun: 104 "checkpoint-vpn" #1: STATE_MAIN_I1: initiate
>>    > May 10 16:49:14 gadara ipsec__plutorun: ...could not start conn "checkpoint-vpn"
>>    >
>>    > ###################################
>>    > ### this is the /var/log/auth.log output ###
>>    >
>>    > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>    > May 10 17:17:07 gadara pluto[9858]: | sending reply packet to x.y.z.w:500 (from port=500)
>>    > May 10 17:17:07 gadara pluto[9858]: | sending 292 bytes for STATE_MAIN_I1 through eth0:500 to x.y.z.w:500:
>>    > May 10 17:17:07 gadara pluto[9858]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
>>    > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
>>    > May 10 17:17:07 gadara pluto[9858]: | modecfg pull: noquirk policy:push not-client
>>    > May 10 17:17:07 gadara pluto[9858]: | phase 1 is done, looking for phase 1 to unpend
>>    > May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in 10 seconds for #3
>>    > May 10 17:17:07 gadara pluto[9858]: |
>>    > May 10 17:17:07 gadara pluto[9858]: | *received 40 bytes from x.y.z.w:500 on eth0 (port=500)
>>    > May 10 17:17:07 gadara pluto[9858]: |  processing packet with exchange type=ISAKMP_XCHG_INFO (5)
>>    > May 10 17:17:07 gadara pluto[9858]: | ICOOKIE:  62 d9 1d c3  7c 2c b2 a9
>>    > May 10 17:17:07 gadara pluto[9858]: | RCOOKIE:  fd 0b ef 4b  36 d6 7d 9b
>>    > May 10 17:17:07 gadara pluto[9858]: | peer:  x.y.z.w
>>    > May 10 17:17:07 gadara pluto[9858]: | state hash entry 29
>>    > May 10 17:17:07 gadara pluto[9858]: | peer and cookies match on #3, provided msgid 00000000 vs 00000000/00000000
>>    > May 10 17:17:07 gadara pluto[9858]: | p15 state object #3 found, in STATE_MAIN_I2
>>    > May 10 17:17:07 gadara pluto[9858]: | processing connection checkpoint-vpn
>>    > May 10 17:17:07 gadara pluto[9858]: | processing informational PAYLOAD_MALFORMED (16)
>>    > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: received 1 malformed payload notifies
>>    > May 10 17:17:07 gadara pluto[9858]: | complete state transition with STF_IGNORE
>>    > May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in 10 seconds for #3
>>    >
>>    >
>>    > --
>>    > Luca Arzeni
>>    > Tel.: 339 8350298
>>    > mailto: l.arzeni at gmail.com
>>    >
>>    > === Start-of Internet E-mail Confidentiality Footer ===
>>    >
>>    > Unauthorised use of this message or its attachments is prohibited
>>    > and may constitute an offence.
>>    > If you have received this message in error, please inform me and
>>    > destroy it immediately together with its attachments. The statements
>>    > contained in this message or its attachments do not bind Luca
>>    > Arzeni towards the recipient or third parties. Luca Arzeni accepts
>>    > no liability for any interception, modification or damage of this
>>    > message.
>>    >
>>    >
>>    > _______________________________________________
>>    > Users at openswan.org
>>
>>    > http://lists.openswan.org/mailman/listinfo/users
>>    > Building and Integrating Virtual Private Networks with Openswan:
>>    >
>>
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>    >
>
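Added here as an example, not code from this thread or from Openswan: a small triage script for pluto log lines like the ones quoted above, reporting the ISAKMP state each SA was in when the PAYLOAD_MALFORMED notify arrived. The sample log is constructed from the lines in this thread and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample built from the pluto lines quoted in this thread (line wrapping removed).
SAMPLE_LOG = """\
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: initiating Main Mode
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 11 16:33:20 gadara pluto[19323]: | processing informational PAYLOAD_MALFORMED (16)
May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: received 1 malformed payload notifies
May 11 16:34:10 gadara pluto[19323]: shutting down
"""

# Lines tagged with a connection name and ISAKMP SA number: "conn" #N: message
SA_LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r"transition from state (\S+) to state (\S+)")
NOTIFY = re.compile(r"received (\d+) malformed payload notifies")
INFO_NOTIFY = re.compile(r"\| processing informational (\w+) \((\d+)\)")

def triage(log_text):
    """Per (conn, SA#): last state reached and each notify as (type, count, state_when_received)."""
    sas = defaultdict(lambda: {"state": None, "notifies": []})
    pending = None  # notify type named on the plutodebug=control line that precedes the summary
    for line in log_text.splitlines():
        m = INFO_NOTIFY.search(line)
        if m:
            pending = m.group(1)
            continue
        m = SA_LINE.search(line)
        if not m:  # e.g. "shutting down", not tied to an SA
            continue
        rec = sas[(m.group("conn"), int(m.group("sa")))]
        msg = m.group("msg")
        t = TRANSITION.search(msg)
        if t:
            rec["state"] = t.group(2)
        n = NOTIFY.search(msg)
        if n:  # "malformed payload notifies" is pluto's wording for PAYLOAD_MALFORMED
            rec["notifies"].append((pending or "PAYLOAD_MALFORMED", int(n.group(1)), rec["state"]))
            pending = None
    return dict(sas)

def verdict(rec):
    """One-line reading of a triage record: where the negotiation stopped."""
    if rec["notifies"]:
        kind, count, state = rec["notifies"][-1]
        return f"{count} {kind} notify received while in {state}; Phase 1 never completed"
    return f"no malformed-payload notify seen; last state {rec['state']}"
```

Run it over /var/log/auth.log (with plutodebug=control on, as in the config above) to see at which Main Mode step the peer objected, which narrows the comparison against the working SecureRemote negotiation.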

