[Openswan Users] Linux (debian lenny) client to Checkpoint Firewall NGx R65 using certificates - secureclient ok, openswan ko - PAYLOAD_MALFORMED

Luca Arzeni l.arzeni at gmail.com
Thu May 13 07:44:18 EDT 2010


Hi Ondrej,
here are the answers to your questions:

>
> As I said, it has nothing to do with the kernel so at least the IKE stage should work on your debian, too - no need to install CentOS.

You are right, but I am really hitting my head against the wall and I
was trying to reduce noise by removing any difference between my tests
and yours.

>
> Please do:
> 1) plutodebug="control parsing controlmore" ,restart ipsec and send me the whole logs from the daemon start

Logs are attached to this mail

>
> 2) Launch Dashboard monitor and check for any messages here (the attempt for the IKE connection from your Debian should be listed). If not, enable logging for this connection.

Sadly, I've no access to the Checkpoint machine, so I cannot activate
dashboard monitor or logs.

>
> 3) consider installing the latest HFA for your Checkpoint firewall, mine is running HFA 4.

The checkpoint administrator says that he has installed HFA_01 (and
he cannot install other HFA).

Some other info:
- I've tested also with shrew VPN but I have the same problem.
- My p12 cert contains a ca.cert (which is the same that
secureremote retrieves during its connection and places in its
userC.c file). This is the CA that I'm putting in the ipsec.d/cacerts
directory.

- The CP administrator says that he is not able to extract the firewall
cert using the command:

"fwm exportcert -obj checkpoint -cert defaultCert -pem -withroot -file
checkpoint-cert.pkcs7"

instead, he was able to extract the certificates using the gui, but at
this point he sent me 2 certificates: One is what he called the
"firewall" certificate and the other is what he called the
"management" certificate.

I don't understand exactly their purpose, anyway they are trusted from
the same CA that I've extracted from my p12, so one of them should be
the peer certificate and the other should be of no use.

I attempted to connect at first using the "firewall" certificate, then
using the "management" certificate, but in both cases I have the same
MALFORMED_PAYLOAD error.

That's all :-(

thanks again for your help!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ondrej.log.gz
Type: application/x-gzip
Size: 5418 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20100513/b304274d/attachment-0001.gz 
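As an added example (not part of Luca's mail, nor Openswan's or Checkpoint's own tooling), assuming `openssl` is installed and that the file names are placeholders: a small script that pulls the CA out of the user's .p12 the same way the thread describes, and then reports which of the two exported Checkpoint certificates actually chains to that CA, so the right one is identified as the peer certificate before it is pointed at from ipsec.conf.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholder file names:
#   client.p12            - the user's PKCS#12 bundle (contains ca.cert)
#   firewall.pem / management.pem - the two certificates the CP admin exported
set -e

# Extract only the CA certificate(s) from the PKCS#12 bundle (no private key);
# the result is what goes into /etc/ipsec.d/cacerts/.
extract_ca_from_p12() {  # $1 = bundle.p12, $2 = output ca.pem
    openssl pkcs12 -in "$1" -cacerts -nokeys -out "$2"
}

# If the gateway cert was exported as PKCS#7 (the fwm exportcert form in the
# thread), unpack it into plain PEM certificates first.
pkcs7_to_pem() {         # $1 = export.pkcs7, $2 = output certs.pem
    openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# For each candidate peer certificate print "OK" or "FAIL" plus its subject,
# depending on whether it verifies against the CA taken from the p12.
# Only an "OK" certificate can be the peer cert Openswan has to trust.
check_peer_certs() {     # $1 = ca.pem, remaining args = candidate certs
    ca="$1"; shift
    for cert in "$@"; do
        subj=$(openssl x509 -in "$cert" -noout -subject)
        if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            echo "OK   $cert: $subj"
        else
            echo "FAIL $cert: $subj"
        fi
    done
}

# Usage (placeholders):
#   extract_ca_from_p12 client.p12 ca.pem
#   check_peer_certs ca.pem firewall.pem management.pem
```

A certificate that reports FAIL here is the one that cannot be the peer certificate for this CA, regardless of what the GUI export called it.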