[Openswan Users] Linux (debian lenny) client to Checkpoint Firewall NGx R65 using certificates - secureclient ok, openswan ko - PAYLOAD_MALFORMED

Luca Arzeni l.arzeni at gmail.com
Wed May 12 10:59:10 EDT 2010


Hi Ondrej,
I've set up a test machine. The current configuration is:

- Linux fwclient 2.6.26-2-686 #1 SMP i686 GNU/Linux (Debian Lenny)
- Openswan IPsec U2.6.25/K2.6.26-2-686

I include in this message the portion of the logs that shows the error. Let me
know if you need any other info.

CONFIG:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        plutodebug="all"
        # plutoopts="--perpeerlog"
        nat_traversal=yes
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey

## RoadWarrior to Net behind Gateway: FreeS/WAN X.509 <-> Check Point
conn openswan-checkpoint
        # Right side is FreeS/WAN RoadWarrior
        right=%defaultroute
        rightrsasigkey=%cert
        rightcert=/etc/ipsec.d/certs/fwclient-crt.pem
        # Left side is Check Point
        left=fwserver
        leftsubnet=192.168.255.0/24 ## subnet behind the gateway
        leftcert=/etc/ipsec.d/certs/fwserver-crt.pem
        leftrsasigkey=%cert
        auto=start

LOGS:

May 12 16:52:10 fwclient pluto[19602]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #6
May 12 16:52:10 fwclient pluto[19602]: | event added after event EVENT_PENDING_PHASE2
May 12 16:52:10 fwclient pluto[19602]: "openswan-checkpoint" #6: STATE_MAIN_I2: sent MI2, expecting MR2
May 12 16:52:10 fwclient pluto[19602]: | modecfg pull: noquirk policy:push not-client
May 12 16:52:10 fwclient pluto[19602]: | phase 1 is done, looking for phase 2 to unpend
May 12 16:52:10 fwclient pluto[19602]: | * processed 1 messages from cryptographic helpers
May 12 16:52:10 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 9 seconds
May 12 16:52:10 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 9 seconds
May 12 16:52:11 fwclient pluto[19602]: |
May 12 16:52:11 fwclient pluto[19602]: | *received 40 bytes from x.y.z.w:500 on eth0 (port=500)
May 12 16:52:11 fwclient pluto[19602]: |   76 31 8f 3c  49 ba 7c 88  2d b7 41 57  a5 13 58 34
May 12 16:52:11 fwclient pluto[19602]: |   0b 10 05 00  b7 8b 29 04  00 00 00 28  00 00 00 0c
May 12 16:52:11 fwclient pluto[19602]: |   00 00 00 00  01 00 00 10
May 12 16:52:11 fwclient pluto[19602]: | **parse ISAKMP Message:
May 12 16:52:11 fwclient pluto[19602]: |    initiator cookie:
May 12 16:52:11 fwclient pluto[19602]: |   76 31 8f 3c  49 ba 7c 88
May 12 16:52:11 fwclient pluto[19602]: |    responder cookie:
May 12 16:52:11 fwclient pluto[19602]: |   2d b7 41 57  a5 13 58 34
May 12 16:52:11 fwclient pluto[19602]: |    next payload type: ISAKMP_NEXT_N
May 12 16:52:11 fwclient pluto[19602]: |    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
May 12 16:52:11 fwclient pluto[19602]: |    exchange type: ISAKMP_XCHG_INFO
May 12 16:52:11 fwclient pluto[19602]: |    flags: none
May 12 16:52:11 fwclient pluto[19602]: |    message ID:  b7 8b 29 04
May 12 16:52:11 fwclient pluto[19602]: |    length: 40
May 12 16:52:11 fwclient pluto[19602]: |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
May 12 16:52:11 fwclient pluto[19602]: | ICOOKIE:  76 31 8f 3c  49 ba 7c 88
May 12 16:52:11 fwclient pluto[19602]: | RCOOKIE:  2d b7 41 57  a5 13 58 34
May 12 16:52:11 fwclient pluto[19602]: | state hash entry 7
May 12 16:52:11 fwclient pluto[19602]: | peer and cookies match on #6, provided msgid 00000000 vs 00000000/00000000
May 12 16:52:11 fwclient pluto[19602]: | p15 state object #6 found, in STATE_MAIN_I2
May 12 16:52:11 fwclient pluto[19602]: | processing connection openswan-checkpoint
May 12 16:52:11 fwclient pluto[19602]: | got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
May 12 16:52:11 fwclient pluto[19602]: | ***parse ISAKMP Notification Payload:
May 12 16:52:11 fwclient pluto[19602]: |    next payload type: ISAKMP_NEXT_NONE
May 12 16:52:11 fwclient pluto[19602]: |    length: 12
May 12 16:52:11 fwclient pluto[19602]: |    DOI: ISAKMP_DOI_ISAKMP
May 12 16:52:11 fwclient pluto[19602]: |    protocol ID: 1
May 12 16:52:11 fwclient pluto[19602]: |    SPI size: 0
May 12 16:52:11 fwclient pluto[19602]: |    Notify Message Type: PAYLOAD_MALFORMED
May 12 16:52:11 fwclient pluto[19602]: | info:
May 12 16:52:11 fwclient pluto[19602]: | processing informational PAYLOAD_MALFORMED (16)
May 12 16:52:11 fwclient pluto[19602]: "openswan-checkpoint" #6: received 1 malformed payload notifies
May 12 16:52:11 fwclient pluto[19602]: | complete state transition with STF_IGNORE
May 12 16:52:11 fwclient pluto[19602]: | * processed 0 messages from cryptographic helpers
May 12 16:52:11 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 8 seconds
May 12 16:52:11 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 8 seconds

Thanks again for your help, Luca


On Wed, May 12, 2010 at 11:14 AM, Ondrej Valousek <webserv at s3group.cz> wrote:

>  Hi Luca,
>
> You definitely need to enable pluto to send more debugging messages.
> This way we do not even know what is it trying to do.
> Also, at this IKE stage is the kernel version not relevant as the VPN
> negotiation is fully in charge of pluto.
>
> Ondrej
>
>
> On 11.05.2010 17:36, Luca Arzeni wrote:
>
> Thanks Ondrej,
> you are right, I've read so many articles that I was confused.
> Anyway, from your article I understand that:
> You are using openswan 2.6.21 on a linux kernel 2.6.18, with netkey.
>
> I'm on a Debian lenny with kernel 2.6.26-2-amd64. I was using the
> debian-provided openswan 2.4.12 using netkey.
>
> My kernel is newer than the Centos that you've used. I downloaded the
> latest openswan (2.6.25) and tested with it.
>
> Problem is still here. Do you have any other hint? I wouldn't like to
> install Centos to open this vpn...
>
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: initiating Main Mode
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> May 11 16:33:20 gadara pluto[19323]: "openswan-checkpoint" #1: received 1 malformed payload notifies
> May 11 16:34:10 gadara pluto[19323]: shutting down
>
> Thanks, Luca
>
>
> On Tue, May 11, 2010 at 1:20 PM, Ondrej Valousek <webserv at s3group.cz> wrote:
>
>> Hi Luca,
>>
>> Make sure you read the article carefully - it contains answers to all your
>> questions :-)
>> I have made this article as it was the way which worked for me.
>>
>> Ondrej
>>
>>
>>
>> On 11.05.2010 12:26, Luca Arzeni wrote:
>>
>>> Thanks Ondrej,
>>> I've already followed that howto, but it fails. It refers to openswan in
>>> the header, but in the logs you can see that it's really a freeswan.
>>>
>>> Can you confirm that you are using openswan?
>>> What are your openswan and kernel version?
>>> Are you using netkey or klips for nat traversal?
>>>
>>> My guess is that this could be a netkey issue...
>>> Thanks, Luca
>>>
>>>  On Tue, May 11, 2010 at 8:36 AM, Ondrej Valousek <webserv at s3group.cz> wrote:
>>>
>>>    It works fine for me.
>>>    Try this:
>>>
>>> https://gsoc.xelerance.com/projects/openswan/wiki/Connecting_to_the_CheckPoint_VPN-1_NG65_firewall
>>>
>>>    Ondrej
>>>
>>>    On 10.05.2010 17:22, Luca Arzeni wrote:
>>>    > Hi there,
>>>    > I'm trying to connect a debian lenny client (Linux 2.6.26-2-amd64 #1
>>>    > SMP x86_64 GNU/Linux) to a Checkpoint Firewall 1 (NGx R65).
>>>    > I'm using openswan 2.4.12 (debian lenny revision is openswan
>>>    > 2.4.12+dfsg-1.3+lenny2)
>>>    > I'm using netkey internal kernel NAT-T, not klips.
>>>    >
>>>    > I can connect using the proprietary checkpoint client application
>>>    > (SecureRemote) without problems.
>>>    > SecureRemote works fine under Windows XP and I was able to setup a
>>>    > connection also from a RedHat73 box using SecureRemote for linux, so
>>>    > the issue is not in the devices between my client and the firewall.
>>>    >
>>>    > I followed various how-tos, but in the end I'm stuck at this point:
>>>    >
>>>    > May 10 16:49:14 gadara pluto[9253]: | p15 state object #1 found, in STATE_MAIN_I2
>>>    > May 10 16:49:14 gadara pluto[9253]: | processing connection checkpoint-vpn
>>>    > May 10 16:49:14 gadara pluto[9253]: | processing informational PAYLOAD_MALFORMED (16)
>>>    > May 10 16:49:14 gadara pluto[9253]: "checkpoint-vpn" #1: received 1 malformed payload notifies
>>>    > May 10 16:49:14 gadara pluto[9253]: | complete state transition with STF_IGNORE
>>>    > May 10 16:49:14 gadara pluto[9253]: | next event EVENT_RETRANSMIT in 10 seconds for #1
>>>    >
>>>    > Is there anyone successfully connecting a Checkpoint R65 to an openswan client?
>>>    > Connection data and log follow... any hint will be appreciated!
>>>    >
>>>    > Thanks, Luca
>>>    >
>>>    > ############################
>>>    > ### this is the /etc/ipsec.conf ###
>>>    > # basic configuration
>>>    > config setup
>>>    >         plutodebug=control
>>>    >         nat_traversal=yes
>>>    >
>>>    > conn checkpoint-vpn
>>>    >         # left is my lenny client
>>>    >         left=%defaultroute
>>>    >         leftcert=/etc/ipsec.d/certs/client-cert.pem
>>>    >         leftrsasigkey=%cert
>>>    >         # right is the checkpoint firewall
>>>    >         right=checkpoint-fw
>>>    >         rightsubnet=192.168.255.0/24
>>>    >         rightcert=/etc/ipsec.d/certs/checkpoint-cert.pem
>>>    >         rightrsasigkey=%cert
>>>    >         auto=start
>>>    >
>>>    > #Disable Opportunistic Encryption
>>>    > include /etc/ipsec.d/examples/no_oe.conf
>>>    >
>>>    > #################################
>>>    > ### this is the /var/log/syslog output ###
>>>    > May 10 16:49:13 gadara ipsec_setup: NETKEY on eth0 192.168.144.162/255.255.255.0 broadcast 192.168.144.255
>>>    > May 10 16:49:13 gadara ipsec_setup: ...Openswan IPsec started
>>>    > May 10 16:49:13 gadara ipsec_setup: Starting Openswan IPsec U2.4.12/K2.6.26-2-amd64...
>>>    > May 10 16:49:14 gadara ipsec__plutorun: 104 "checkpoint-vpn" #1: STATE_MAIN_I1: initiate
>>>    > May 10 16:49:14 gadara ipsec__plutorun: ...could not start conn "checkpoint-vpn"
>>>    >
>>>    > ###################################
>>>    > ### this is the /var/log/auth.log output ###
>>>    >
>>>    > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>>    > May 10 17:17:07 gadara pluto[9858]: | sending reply packet to x.y.z.w:500 (from port=500)
>>>    > May 10 17:17:07 gadara pluto[9858]: | sending 292 bytes for STATE_MAIN_I1 through eth0:500 to x.y.z.w:500:
>>>    > May 10 17:17:07 gadara pluto[9858]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
>>>    > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
>>>    > May 10 17:17:07 gadara pluto[9858]: | modecfg pull: noquirk policy:push not-client
>>>    > May 10 17:17:07 gadara pluto[9858]: | phase 1 is done, looking for phase 1 to unpend
>>>    > May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in 10 seconds for #3
>>>    > May 10 17:17:07 gadara pluto[9858]: |
>>>    > May 10 17:17:07 gadara pluto[9858]: | *received 40 bytes from x.y.z.w:500 on eth0 (port=500)
>>>    > May 10 17:17:07 gadara pluto[9858]: |  processing packet with exchange type=ISAKMP_XCHG_INFO (5)
>>>    > May 10 17:17:07 gadara pluto[9858]: | ICOOKIE:  62 d9 1d c3  7c 2c b2 a9
>>>    > May 10 17:17:07 gadara pluto[9858]: | RCOOKIE:  fd 0b ef 4b  36 d6 7d 9b
>>>    > May 10 17:17:07 gadara pluto[9858]: | peer:  x.y.z.w
>>>    > May 10 17:17:07 gadara pluto[9858]: | state hash entry 29
>>>    > May 10 17:17:07 gadara pluto[9858]: | peer and cookies match on #3, provided msgid 00000000 vs 00000000/00000000
>>>    > May 10 17:17:07 gadara pluto[9858]: | p15 state object #3 found, in STATE_MAIN_I2
>>>    > May 10 17:17:07 gadara pluto[9858]: | processing connection checkpoint-vpn
>>>    > May 10 17:17:07 gadara pluto[9858]: | processing informational PAYLOAD_MALFORMED (16)
>>>    > May 10 17:17:07 gadara pluto[9858]: "checkpoint-vpn" #3: received 1 malformed payload notifies
>>>    > May 10 17:17:07 gadara pluto[9858]: | complete state transition with STF_IGNORE
>>>    > May 10 17:17:07 gadara pluto[9858]: | next event EVENT_RETRANSMIT in 10 seconds for #3
>>>    >
>>>    >
>>>    > === Start-of Internet E-mail Confidentiality Footer ===
>>>    >
>>>    > Unauthorized use of this message or of its attachments is prohibited and may constitute a criminal offence.
>>>    > If you have received this message in error, please inform me and destroy it immediately together with its attachments.
>>>    > The statements contained in this message or in its attachments do not bind Luca Arzeni towards the recipient or third parties.
>>>    > Luca Arzeni accepts no liability for any interception, modification or damage of this message.
>>>    >
>>>    >
>>>    > _______________________________________________
>>>    > Users at openswan.org
>>>    > http://lists.openswan.org/mailman/listinfo/users
>>>    > Building and Integrating Virtual Private Networks with Openswan:
>>>    > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>>
>>>
>>>
>>
>
>
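As an added example (not part of this thread and not Openswan's own code), the following Python decodes the 40-byte Informational message that pluto hex-dumped in the log above, using the field layout of RFC 2408 (ISAKMP). The byte string is transcribed from the three dump lines in the log; the exchange-type and notify-type name tables are a hand-picked subset of the RFC 2408 values, and the class and function names are this example's own. It also applies the structural checks a receiver needs (header length against bytes received, payload length against the remaining buffer, payload chain covering the whole message) so that a truncated or mislengthed notify is rejected rather than misread.

```python
"""Decode the ISAKMP Informational / PAYLOAD_MALFORMED message from the log above."""
import struct
from dataclasses import dataclass

# Constructed input: the 40 bytes pluto dumped after "*received 40 bytes from
# x.y.z.w:500", transcribed from its three "|   xx xx ..." lines. The peer
# address is UDP-level and is not part of the ISAKMP message itself.
CAPTURED = bytes.fromhex(
    "76318f3c49ba7c88"  # initiator cookie
    "2db74157a5135834"  # responder cookie
    "0b100500"          # next payload 11 (N), version 1.0, exchange 5 (INFO), flags 0
    "b78b2904"          # message ID
    "00000028"          # total length 40
    "0000000c"          # Notification payload: next NONE, reserved, length 12
    "00000000"          # DOI 0 (ISAKMP)
    "01000010"          # protocol ID 1, SPI size 0, notify type 16 (PAYLOAD-MALFORMED)
)

ISAKMP_FLAG_ENCRYPTION = 0x01          # RFC 2408 section 3.1, flags octet bit 0
ISAKMP_NEXT_NONE, ISAKMP_NEXT_N = 0, 11
ISAKMP_XCHG_INFO = 5
PAYLOAD_MALFORMED = 16

# Subset of the RFC 2408 tables, enough for this message and its neighbours.
EXCHANGE_NAMES = {2: "IDPROT", 4: "AGGR", 5: "INFO", 32: "QUICK"}
NOTIFY_NAMES = {1: "INVALID-PAYLOAD-TYPE", 7: "INVALID-EXCHANGE-TYPE",
                14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}


@dataclass
class Header:
    icookie: bytes
    rcookie: bytes
    next_payload: int
    major: int
    minor: int
    exchange: int
    flags: int
    message_id: int
    length: int


@dataclass
class Notify:
    next_payload: int
    length: int
    doi: int
    protocol_id: int
    spi: bytes
    notify_type: int
    data: bytes


def parse_header(buf: bytes) -> Header:
    """Fixed 28-byte ISAKMP header (RFC 2408 section 3.1)."""
    if len(buf) < 28:
        raise ValueError("truncated ISAKMP header")
    ic, rc, nxt, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", buf[:28])
    if length != len(buf):
        raise ValueError(f"header length {length} != {len(buf)} bytes received")
    return Header(ic, rc, nxt, ver >> 4, ver & 0x0F, xchg, flags, msgid, length)


def parse_notify(buf: bytes) -> Notify:
    """Notification payload (RFC 2408 section 3.14) starting at buf[0]."""
    if len(buf) < 12:
        raise ValueError("truncated Notification payload")
    nxt, _reserved, plen, doi, proto, spi_size, ntype = struct.unpack("!BBHIBBH", buf[:12])
    if plen < 12 + spi_size or plen > len(buf):
        raise ValueError(f"Notification payload length {plen} does not fit the message")
    spi = buf[12:12 + spi_size]
    return Notify(nxt, plen, doi, proto, spi, ntype, buf[12 + spi_size:plen])


def parse_message(buf: bytes):
    """Return (Header, [Notify, ...]); only the N payload type is decoded here."""
    hdr = parse_header(buf)
    payloads, nxt, off = [], hdr.next_payload, 28
    while nxt != ISAKMP_NEXT_NONE:
        if nxt != ISAKMP_NEXT_N:
            raise ValueError(f"payload type {nxt} not handled by this example")
        n = parse_notify(buf[off:])
        payloads.append(n)
        nxt, off = n.next_payload, off + n.length
    if off != hdr.length:
        raise ValueError("payload chain does not account for the whole message")
    return hdr, payloads


def is_malformed(buf: bytes) -> bool:
    """True when the message fails the structural checks above."""
    try:
        parse_message(buf)
        return False
    except ValueError:
        return True


def describe(buf: bytes) -> str:
    """One-line-per-item summary in the spirit of pluto's '**parse ISAKMP Message' output."""
    hdr, payloads = parse_message(buf)
    encrypted = bool(hdr.flags & ISAKMP_FLAG_ENCRYPTION)
    out = [f"ISAKMP v{hdr.major}.{hdr.minor} {EXCHANGE_NAMES.get(hdr.exchange, hdr.exchange)} "
           f"msgid={hdr.message_id:08x} len={hdr.length} encrypted={encrypted}"]
    for n in payloads:
        out.append(f"  N doi={n.doi} proto={n.protocol_id} spi={n.spi.hex() or '-'} "
                   f"type={NOTIFY_NAMES.get(n.notify_type, n.notify_type)}({n.notify_type}) "
                   f"data={n.data.hex() or '-'}")
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(CAPTURED))
```

Running it reproduces what pluto decoded: exchange INFO, version 1.0, flags 0, one Notification of type 16 with DOI 0, protocol ID 1, no SPI and no notification data. Two points worth taking from that output. The encryption bit is clear and the payload chain holds only an N payload, so this notify arrived unencrypted and unauthenticated while #6 was still in STATE_MAIN_I2, which is consistent with pluto only logging it and finishing the transition with STF_IGNORE instead of tearing the state down. And a minimum-length PAYLOAD-MALFORMED (12 bytes, empty data field) says nothing about which part of MI2 the peer rejected, so the peer's own IKE logging would have to supply that detail.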