[Openswan Users] Linux (debian lenny) client to Checkpoint Firewall NGx R65 using certificates - secureclient ok, openswan ko - PAYLOAD_MALFORMED

Luca Arzeni l.arzeni at gmail.com
Thu May 13 05:37:22 EDT 2010


Hi Paul,
thanks for your help. You lost a mail, no problem, here is the data that you
requested:

I've set up a test machine. The current configuration is:

- Linux fwclient 2.6.26-2-686 #1 SMP i686 GNU/Linux (Debian Lenny)
- Openswan IPsec U2.6.25/K2.6.26-2-686

I include in this message the portion of the logs that shows the error. Let me
know if you need other info.

CONFIG:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        plutodebug="all"
        # plutoopts="--perpeerlog"
        nat_traversal=yes
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey

## RoadWarrior to Net behind Gateway: FreeS/WAN X.509 <-> Check Point
conn openswan-checkpoint
        # Right side is FreeS/WAN RoadWarrior
        right=%defaultroute
        rightrsasigkey=%cert
        rightcert=/etc/ipsec.d/certs/fwclient-crt.pem
        # Left side is Check Point
        left=fwserver
        leftsubnet=192.168.255.0/24 ## subnet behind the gateway
        leftcert=/etc/ipsec.d/certs/fwserver-crt.pem
        leftrsasigkey=%cert
        auto=start

LOGS:

May 12 16:52:10 fwclient pluto[19602]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #6
May 12 16:52:10 fwclient pluto[19602]: | event added after event EVENT_PENDING_PHASE2
May 12 16:52:10 fwclient pluto[19602]: "openswan-checkpoint" #6: STATE_MAIN_I2: sent MI2, expecting MR2
May 12 16:52:10 fwclient pluto[19602]: | modecfg pull: noquirk policy:push not-client
May 12 16:52:10 fwclient pluto[19602]: | phase 1 is done, looking for phase 2 to unpend
May 12 16:52:10 fwclient pluto[19602]: | * processed 1 messages from cryptographic helpers
May 12 16:52:10 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 9 seconds
May 12 16:52:10 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 9 seconds
May 12 16:52:11 fwclient pluto[19602]: |
May 12 16:52:11 fwclient pluto[19602]: | *received 40 bytes from x.y.z.w:500 on eth0 (port=500)
May 12 16:52:11 fwclient pluto[19602]: |   76 31 8f 3c  49 ba 7c 88  2d b7 41 57  a5 13 58 34
May 12 16:52:11 fwclient pluto[19602]: |   0b 10 05 00  b7 8b 29 04  00 00 00 28  00 00 00 0c
May 12 16:52:11 fwclient pluto[19602]: |   00 00 00 00  01 00 00 10
May 12 16:52:11 fwclient pluto[19602]: | **parse ISAKMP Message:
May 12 16:52:11 fwclient pluto[19602]: |    initiator cookie:
May 12 16:52:11 fwclient pluto[19602]: |   76 31 8f 3c  49 ba 7c 88
May 12 16:52:11 fwclient pluto[19602]: |    responder cookie:
May 12 16:52:11 fwclient pluto[19602]: |   2d b7 41 57  a5 13 58 34
May 12 16:52:11 fwclient pluto[19602]: |    next payload type: ISAKMP_NEXT_N
May 12 16:52:11 fwclient pluto[19602]: |    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
May 12 16:52:11 fwclient pluto[19602]: |    exchange type: ISAKMP_XCHG_INFO
May 12 16:52:11 fwclient pluto[19602]: |    flags: none
May 12 16:52:11 fwclient pluto[19602]: |    message ID:  b7 8b 29 04
May 12 16:52:11 fwclient pluto[19602]: |    length: 40
May 12 16:52:11 fwclient pluto[19602]: |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
May 12 16:52:11 fwclient pluto[19602]: | ICOOKIE:  76 31 8f 3c  49 ba 7c 88
May 12 16:52:11 fwclient pluto[19602]: | RCOOKIE:  2d b7 41 57  a5 13 58 34
May 12 16:52:11 fwclient pluto[19602]: | state hash entry 7
May 12 16:52:11 fwclient pluto[19602]: | peer and cookies match on #6, provided msgid 00000000 vs 00000000/00000000
May 12 16:52:11 fwclient pluto[19602]: | p15 state object #6 found, in STATE_MAIN_I2
May 12 16:52:11 fwclient pluto[19602]: | processing connection openswan-checkpoint
May 12 16:52:11 fwclient pluto[19602]: | got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
May 12 16:52:11 fwclient pluto[19602]: | ***parse ISAKMP Notification Payload:
May 12 16:52:11 fwclient pluto[19602]: |    next payload type: ISAKMP_NEXT_NONE
May 12 16:52:11 fwclient pluto[19602]: |    length: 12
May 12 16:52:11 fwclient pluto[19602]: |    DOI: ISAKMP_DOI_ISAKMP
May 12 16:52:11 fwclient pluto[19602]: |    protocol ID: 1
May 12 16:52:11 fwclient pluto[19602]: |    SPI size: 0
May 12 16:52:11 fwclient pluto[19602]: |    Notify Message Type: PAYLOAD_MALFORMED
May 12 16:52:11 fwclient pluto[19602]: | info:
May 12 16:52:11 fwclient pluto[19602]: | processing informational PAYLOAD_MALFORMED (16)
May 12 16:52:11 fwclient pluto[19602]: "openswan-checkpoint" #6: received 1 malformed payload notifies
May 12 16:52:11 fwclient pluto[19602]: | complete state transition with STF_IGNORE
May 12 16:52:11 fwclient pluto[19602]: | * processed 0 messages from cryptographic helpers
May 12 16:52:11 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 8 seconds
May 12 16:52:11 fwclient pluto[19602]: | next event EVENT_PENDING_DDNS in 8 seconds
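The 40-byte datagram in the dump above, decoded by a small ISAKMP parser added here as a worked example (it is not code from this thread or from Openswan; the field layout and constants come from RFC 2408, and the byte string is constructed from the hex lines in the log). It walks the header and the payload chain with length checks, so a truncated or mis-sized message is reported rather than read past its end:

```python
import struct

# Constructed from the three hex lines in the pluto dump above (40 bytes).
NOTIFY_FROM_LOG = bytes.fromhex(
    "76318f3c49ba7c88"  # initiator cookie
    "2db74157a5135834"  # responder cookie
    "0b100500"          # next payload=N(11), version 1.0, exchange=INFO(5), flags=0
    "b78b2904"          # message ID
    "00000028"          # total length = 40
    "0000000c"          # N payload: next=NONE(0), reserved, length=12
    "00000000"          # DOI = 0 (ISAKMP DOI)
    "01" "00" "0010"    # protocol ID=1, SPI size=0, notify type=16
)

# RFC 2408 values; names follow pluto's spelling where the log uses them.
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_NAMES = {1: "BASE", 2: "IDENTITY_PROTECTION", 3: "AUTH_ONLY",
                  4: "AGGRESSIVE", 5: "INFORMATIONAL"}
NOTIFY_NAMES = {14: "NO_PROPOSAL_CHOSEN", 16: "PAYLOAD_MALFORMED",
                18: "INVALID_ID_INFORMATION", 24: "AUTHENTICATION_FAILED",
                25: "INVALID_SIGNATURE"}
FLAG_ENCRYPTION = 0x01
HEADER_LEN = 28
PAYLOAD_N = 11


def parse_notification(body: bytes) -> dict:
    """Decode the body of a Notification payload (bytes after its 4-byte generic header)."""
    if len(body) < 8:
        raise ValueError("notification payload shorter than its 8-byte fixed part")
    doi, proto_id, spi_size, ntype = struct.unpack("!IBBH", body[:8])
    if len(body) < 8 + spi_size:
        raise ValueError("SPI size exceeds notification payload")
    return {
        "doi": doi,
        "protocol_id": proto_id,
        "spi": body[8:8 + spi_size].hex(),
        "notify_type": ntype,
        "notify_name": NOTIFY_NAMES.get(ntype, f"UNKNOWN({ntype})"),
        "data": body[8 + spi_size:].hex(),
    }


def parse_isakmp(msg: bytes) -> dict:
    """Decode an ISAKMP header and, if the message is not encrypted, its payload chain."""
    if len(msg) < HEADER_LEN:
        raise ValueError("ISAKMP header needs 28 bytes")
    (icookie, rcookie, next_payload, version, xchg, flags,
     msgid, length) = struct.unpack("!8s8sBBBBII", msg[:HEADER_LEN])
    if length != len(msg):
        raise ValueError(f"header length {length} != datagram length {len(msg)}")
    result = {
        "icookie": icookie.hex(),
        "rcookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_NAMES.get(xchg, f"UNKNOWN({xchg})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": f"{msgid:08x}",
        "payloads": [],
    }
    if result["encrypted"]:
        return result  # payloads are ciphertext; nothing more to walk without the SA keys
    offset = HEADER_LEN
    while next_payload != 0:
        if offset + 4 > len(msg):
            raise ValueError(f"truncated generic payload header at offset {offset}")
        nxt, _reserved, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        if plen < 4 or offset + plen > len(msg):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        entry = {"type": next_payload,
                 "name": PAYLOAD_NAMES.get(next_payload, f"UNKNOWN({next_payload})")}
        if next_payload == PAYLOAD_N:
            entry.update(parse_notification(msg[offset + 4:offset + plen]))
        result["payloads"].append(entry)
        offset += plen
        next_payload = nxt
    return result


def notify_summary(msg: bytes) -> list:
    """Return 'exchange/notify_name' strings for every N payload, e.g. for a log line."""
    parsed = parse_isakmp(msg)
    return [f'{parsed["exchange"]}/{p["notify_name"]}'
            for p in parsed["payloads"] if p["type"] == PAYLOAD_N]


if __name__ == "__main__":
    for key, value in parse_isakmp(NOTIFY_FROM_LOG).items():
        print(f"{key}: {value}")
```

The decode matches pluto's own parse line for line: exchange type 5 (INFORMATIONAL), one N payload, DOI 0, protocol ID 1, SPI size 0, notify type 16 (PAYLOAD_MALFORMED). The flags byte is 0x00, so this notify arrived without the encryption bit set while the SA was still in STATE_MAIN_I2; an unprotected informational cannot be authenticated, which is why pluto only counts it ("received 1 malformed payload notifies") and completes the transition with STF_IGNORE instead of tearing the state down.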


On Wed, May 12, 2010 at 8:48 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Wed, 12 May 2010, Luca Arzeni wrote:
>
>> just to be sure, I've set up a CentOS machine with vmware player, and
>> tried a connection using exactly the same configuration
>> that you used (Openswan IPsec U2.6.21/K2.6.18-164.el5), but I had no
>> luck... same failure that I received under Lenny...
>>
>
> vmware is known to mess with packets. You might be looking at a vmware
> bug.
>
>> May 12 19:02:25 fwcentos pluto[3807]: "openswan-checkpoint" #2: received 1
>> malformed payload notifies
>>
>> I don't know what else could be the cause of the problems...
>>
>> Yours faithfully (and desperately), Luca
>>
>
> Didn't I request a plutodebug=all with the actual malformed payloads
> before?
> Did I miss an email?
>
> Paul
>