[Openswan Users] Linux (debian lenny) client to Checkpoint Firewall NGx R65 using certificates - secureclient ok, openswan ko - PAYLOAD_MALFORMED

Ondrej Valousek webserv at s3group.cz
Wed May 12 05:14:45 EDT 2010


Hi Luca,

You definitely need to enable pluto to send more debugging messages.
This way we do not even know what it is trying to do.
Also, at this IKE stage the kernel version is not relevant, as the VPN
negotiation is fully handled by pluto.

Ondrej

On 11.05.2010 17:36, Luca Arzeni wrote:
> Thanks Ondrej,
> you are right, I've read so many articles that I was confused.
> Anyway, from your article I understand that:
> You are using openswan 2.6.21 on a linux kernel 2.6.18, with netkey.
>
> I'm on a Debian lenny with kernel 2.6.26-2-amd64. I was using the 
> debian-provided openswan 2.4.12 using netkey.
>
> My kernel is newer than the Centos that you've used. I downloaded the 
> latest openswan (2.6.25) and tested with it.
>
> Problem is still here. Do you have any other hint? I wouldn't like to 
> install Centos to open this vpn...
>
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: initiating Main Mode
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: received 1 malformed payload notifies
> May 11 16:34:10 gadara pluto[19323]: shutting down
>
> Thanks, Luca
>
>
> On Tue, May 11, 2010 at 1:20 PM, Ondrej Valousek <webserv at s3group.cz> wrote:
>
>     Hi Luca,
>
>     Make sure you read the article carefully - it contains answers to
>     all your questions :-)
>     I have made this article as it was the way which worked for me.
>
>     Ondrej
>
>
>
>     On 11.05.2010 12:26, Luca Arzeni wrote:
>
>         Thanks Ondrej,
>         I've already followed that howto, but it fails. It refers to
>         openswan in the header, but in the logs you can see that it's
>         really a freeswan.
>
>         Can you confirm that you are using openswan?
>         What are your openswan and kernel version?
>         Are you using netkey or klips for nat traversal?
>
>         My guess is that this could be a netkey issue...
>         Thanks, Luca
>
>         On Tue, May 11, 2010 at 8:36 AM, Ondrej Valousek <webserv at s3group.cz> wrote:
>
>            It works fine for me.
>            Try this:
>         https://gsoc.xelerance.com/projects/openswan/wiki/Connecting_to_the_CheckPoint_VPN-1_NG65_firewall
>
>            Ondrej
>
>            On 10.05.2010 17:22, Luca Arzeni wrote:
>         > Hi there,
>         > I'm trying to connect a debian lenny client (Linux 2.6.26-2-amd64 #1 SMP x86_64 GNU/Linux) to a Checkpoint Firewall 1 (NGx R65).
>         > I'm using openswan 2.4.12 (debian lenny revision is openswan 2.4.12+dfsg-1.3+lenny2)
>         > I'm using netkey internal kernel NAT-T, not klips.
>         >
>         > I can connect using the proprietary checkpoint client application (SecureRemote) without problems.
>         > SecureRemote works fine under Windows XP and I was able to set up a connection also from a RedHat73 box using SecureRemote for linux, so the issue is not in the devices between my client and the firewall.
>         >
>         > I followed various how-tos, but in the end I'm stuck at this point:
>         >
>         > May 10 16:49:14 gadara pluto[9253]: | p15 state object #1 found, in STATE_MAIN_I2
>         > May 10 16:49:14 gadara pluto[9253]: | processing connection checkpoint-vpn
>         > May 10 16:49:14 gadara pluto[9253]: | processing informational PAYLOAD_MALFORMED (16)
>         > May 10 16:49:14 gadara pluto[9253]: "checkpoint-vpn" #1: received 1 malformed payload notifies
>         > May 10 16:49:14 gadara pluto[9253]: | complete state transition with STF_IGNORE
>         > May 10 16:49:14 gadara pluto[9253]: | next event EVENT_RETRANSMIT in 10 seconds for #1
>         >
>         > Is there anyone successful in connecting a Checkpoint R65 to an openswan client?
>         > Connection data and log follow... any hint will be appreciated!
>         >
>         > Thanks, Luca
>         >
>         > ############################
>         > ### this is the /etc/ipsec.conf ###
>         > # basic configuration
>         > config setup
>         >         plutodebug=control
>         >         nat_traversal=yes
>         >
>         > conn checkpoint-vpn
>         >         # left is my lenny client
>         >         left=%defaultroute
>         >         leftcert=/etc/ipsec.d/certs/client-cert.pem
>         >         leftrsasigkey=%cert
>         >         # right is the checkpoint firewall
>         >         right=checkpoint-fw
>         >         rightsubnet=192.168.255.0/24
>         >         rightcert=/etc/ipsec.d/certs/checkpoint-cert.pem
>         >         rightrsasigkey=%cert
>         >         auto=start
>         >
>         > #Disable Opportunistic Encryption
>         > include /etc/ipsec.d/examples/no_oe.conf
>         >
>         > #################################
>         > ### this is the /var/log/syslog output ###
>         > May 10 16:49:13 gadara ipsec_setup: NETKEY on eth0 192.168.144.162/255.255.255.0 broadcast 192.168.144.255
>         > May 10 16:49:13 gadara ipsec_setup: ...Openswan IPsec started
>         > May 10 16:49:13 gadara ipsec_setup: Starting Openswan IPsec U2.4.12/K2.6.26-2-amd64...
>         > May 10 16:49:14 gadara ipsec__plutorun: 104 "checkpoint-vpn" #1: STATE_MAIN_I1: initiate
>         > May 10 16:49:14 gadara ipsec__plutorun: ...could not start conn "checkpoint-vpn"
>         >
>         > ###################################
>         > ### this is the /var/log/auth.log output ###
>         >
>         > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>         > May 10 17:17:07 gadara pluto[9858]: | sending reply packet to x.y.z.w:500 (from port=500)
>         > May 10 17:17:07 gadara pluto[9858]: | sending 292 bytes for STATE_MAIN_I1 through eth0:500 to x.y.z.w:500:
>         > May 10 17:17:07 gadara pluto[9858]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
>         > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
>         > May 10 17:17:07 gadara pluto[9858]: | modecfg pull: noquirk policy:push not-client
>         > May 10 17:17:07 gadara pluto[9858]: | phase 1 is done, looking for phase 1 to unpend
>         > May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in 10 seconds for #3
>         > May 10 17:17:07 gadara pluto[9858]: |
>         > May 10 17:17:07 gadara pluto[9858]: | *received 40 bytes from x.y.z.w:500 on eth0 (port=500)
>         > May 10 17:17:07 gadara pluto[9858]: |  processing packet with exchange type=ISAKMP_XCHG_INFO (5)
>         > May 10 17:17:07 gadara pluto[9858]: | ICOOKIE:  62 d9 1d c3  7c 2c b2 a9
>         > May 10 17:17:07 gadara pluto[9858]: | RCOOKIE:  fd 0b ef 4b  36 d6 7d 9b
>         > May 10 17:17:07 gadara pluto[9858]: | peer:  x.y.z.w
>         > May 10 17:17:07 gadara pluto[9858]: | state hash entry 29
>         > May 10 17:17:07 gadara pluto[9858]: | peer and cookies match on #3, provided msgid 00000000 vs 00000000/00000000
>         > May 10 17:17:07 gadara pluto[9858]: | p15 state object #3 found, in STATE_MAIN_I2
>         > May 10 17:17:07 gadara pluto[9858]: | processing connection checkpoint-vpn
>         > May 10 17:17:07 gadara pluto[9858]: | processing informational PAYLOAD_MALFORMED (16)
>         > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: received 1 malformed payload notifies
>         > May 10 17:17:07 gadara pluto[9858]: | complete state transition with STF_IGNORE
>         > May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in 10 seconds for #3
>         >
>         >
>         > --
>         > Luca Arzeni
>         > Tel.: 339 8350298
>         > mailto: l.arzeni at gmail.com
>         >
>         > === Start-of Internet E-mail Confidentiality Footer ===
>         >
>         > Unauthorised use of this message or its attachments is forbidden and may constitute a criminal offence.
>         > If you have received this message in error, please inform me and destroy it immediately together with its attachments. The statements contained in this message or its attachments do not bind Luca Arzeni towards the recipient or third parties. Luca Arzeni accepts no responsibility for any interception, modification or damage of this message.
>         >
>         >
>         > _______________________________________________
>         > Users at openswan.org
>         > http://lists.openswan.org/mailman/listinfo/users
>         > Building and Integrating Virtual Private Networks with Openswan:
>         > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>         >
>
>
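Every log quoted in this thread stops in the same place: pluto sends MI2, receives a 40-byte ISAKMP informational exchange carrying PAYLOAD_MALFORMED (16), ignores it (STF_IGNORE) and keeps retransmitting. In Main Mode the second initiator message carries the Diffie-Hellman KE and nonce payloads (plus NAT-D payloads once NAT-T has been negotiated, as it was here); identities and certificates are not sent until the third pair of messages, so a PAYLOAD_MALFORMED answer to MI2 means the gateway rejected that message itself, before any certificate was exchanged. Because phase 1 has not completed, the notify is also unauthenticated, which is why pluto does not tear the SA down but schedules EVENT_RETRANSMIT. The script below is an added example, not part of this thread or of openswan: it parses pluto syslog lines of the kind quoted above, attributes the debug (`|`) lines to the ISAKMP SA named by the preceding `state object #N found` line, and reports per SA the state progression, the vendor IDs seen and any informational notifies with the state in which they arrived. The sample log is constructed to mirror the thread's lines; the regular expressions, record fields and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the thread
# (openswan 2.4.12 on debian lenny, Main Mode against a Check Point gateway).
SAMPLE_LOG = """\
May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: initiating Main Mode
May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
May 10 17:17:07 gadara pluto[9858]: | *received 40 bytes from x.y.z.w:500 on eth0 (port=500)
May 10 17:17:07 gadara pluto[9858]: |  processing packet with exchange type=ISAKMP_XCHG_INFO (5)
May 10 17:17:07 gadara pluto[9858]: | p15 state object #3 found, in STATE_MAIN_I2
May 10 17:17:07 gadara pluto[9858]: | processing informational PAYLOAD_MALFORMED (16)
May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: received 1 malformed payload notifies
May 10 17:17:07 gadara pluto[9858]: | complete state transition with STF_IGNORE
May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in 10 seconds for #3
"""

# Layout of a pluto syslog line: "<timestamp> <host> pluto[<pid>]: <msg>"
LINE_RE = re.compile(r'pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# Connection-level messages: '"<conn>" #<sa>: <text>'
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')
TRANSITION_RE = re.compile(r'transition from state (?P<frm>\S+) to state (?P<to>\S+)')
VENDOR_RE = re.compile(r'received Vendor ID payload \[(?P<vid>[^\]]+)\]')
# Debug ('|') messages that matter for attribution and diagnosis
STATE_OBJ_RE = re.compile(r'state object #(?P<sa>\d+) found, in (?P<state>\S+)')
NOTIFY_RE = re.compile(r'processing informational (?P<name>[A-Z_]+) \((?P<code>\d+)\)')
RETRANSMIT_RE = re.compile(r'next event EVENT_RETRANSMIT in \d+ seconds for #(?P<sa>\d+)')


def new_sa_record():
    return {"conn": None, "states": [], "vendor_ids": [], "notifies": [],
            "retransmit_pending": False}


def parse_pluto_log(log_text):
    """Summarise pluto log lines per ISAKMP SA number.

    Debug lines carry no SA number, so they are attributed to the SA named by
    the most recent connection-level or 'state object #N found' line.
    """
    sas = defaultdict(new_sa_record)
    current_sa = None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pluto line (other daemons share auth.log)
        msg = m.group("msg")
        cm = CONN_RE.match(msg)
        if cm:
            current_sa = int(cm.group("sa"))
            rec = sas[current_sa]
            rec["conn"] = cm.group("conn")
            body = cm.group("text")
            if body.startswith("initiating Main Mode"):
                rec["states"].append("STATE_MAIN_I1")
            tm = TRANSITION_RE.search(body)
            if tm:
                if not rec["states"]:
                    rec["states"].append(tm.group("frm"))
                rec["states"].append(tm.group("to"))
            vm = VENDOR_RE.search(body)
            if vm:
                rec["vendor_ids"].append(vm.group("vid"))
            continue
        if not msg.startswith("|"):
            continue
        dbg = msg[1:].strip()
        sm = STATE_OBJ_RE.search(dbg)
        if sm:
            current_sa = int(sm.group("sa"))
            continue
        nm = NOTIFY_RE.search(dbg)
        if nm and current_sa is not None:
            rec = sas[current_sa]
            # Remember which of our own states the peer's notify arrived in
            at_state = rec["states"][-1] if rec["states"] else None
            rec["notifies"].append((nm.group("name"), int(nm.group("code")), at_state))
            continue
        rm = RETRANSMIT_RE.search(dbg)
        if rm:
            sas[int(rm.group("sa"))]["retransmit_pending"] = True
    return dict(sas)


def diagnose(summary):
    """One finding per SA, phrased for the person reading the log."""
    findings = []
    for sa, rec in sorted(summary.items()):
        last = rec["states"][-1] if rec["states"] else "unknown"
        for name, code, at_state in rec["notifies"]:
            if name == "PAYLOAD_MALFORMED":
                findings.append(
                    f'SA #{sa} ({rec["conn"]}): peer answered the message sent from '
                    f'{at_state} with {name} ({code}); the notify is unauthenticated '
                    f'before phase 1 completes, so pluto ignores it and stays in {last}')
        if not rec["notifies"] and rec["retransmit_pending"]:
            findings.append(f'SA #{sa} ({rec["conn"]}): no reply, retransmitting from {last}')
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_pluto_log(SAMPLE_LOG)):
        print(finding)
```

To run it over a real log, feed the pluto lines of /var/log/auth.log to `parse_pluto_log` instead of `SAMPLE_LOG`. The parser only sees what pluto prints at the configured debug level; with `plutodebug=all` in `config setup` (instead of the `control` used in the thread's ipsec.conf) pluto also dumps the payloads it emits and parses, which is what is needed to see which part of MI2 the gateway objects to.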
