[Openswan Users] Linux (debian lenny) client to Checkpoint Firewall NGx R65 using certificates - secureclient ok, openswan ko - PAYLOAD_MALFORMED

Ondrej Valousek webserv at s3group.cz
Thu May 13 08:44:36 EDT 2010

Hi Luca,

I have compared your logs with mine and it really looks like there is 
some problem with your Checkpoint configuration.
My wild guess is that your Checkpoint only accepts SecurID clients 
and not authentication using certificates.
Note that SecurID is Checkpoint speciality and nonstandard.
You definitely need access to the Dashboard to find out (make sure 
authentication via certificates is allowed and see logs).

If you do not have such access, your only chance is SSL-Extender as 
there is a Linux client from Checkpoint that is using SSL-Extender.


On 13.05.2010 13:44, Luca Arzeni wrote:
> Hi Ondrej,
> here are the answers to your questions:
>> As I said, it has nothing to do with the kernel so at least the IKE stage should work on your debian, too - no need to install CentOS.
> You are right, but I am really hitting my head against the wall and I
> was trying to reduce noise by removing any difference between my tests
> and yours.
>> Please do:
>> 1) plutodebug="control parsing controlmore" ,restart ipsec and send me the whole logs from the daemon start
> Logs are attached to this mail
>> 2) Launch Dashboard monitor and check for any messages here (the attempt for the IKE connection from your Debian should be listed). If not, enable logging for this connection.
> Sadly, I've no access to the Checkpoint machine, so I cannot activate
> dashboard monitor or logs.
>> 3) consider installing the latest HFA for your Checkpoint firewall, mine is running HFA 4.
> The Checkpoint administrator says that he has installed HFA_01 (and
> he cannot install other HFA).
> Some other info:
> - I've tested also with shrew VPN but I have the same problem.
> - my p12 cert contains a ca.cert (which is the same that
> secureremote retrieves during its connection and places in its
> userC.c file). This is the CA that I'm putting in the ipsec.d/cacerts
> directory.
> - The CP administrator says that he is not able to extract the firewall
> cert using the command:
> "fwm exportcert -obj checkpoint -cert defaultCert -pem -withroot -file
> checkpoint-cert.pkcs7"
> instead, he was able to extract the certificates using the gui, but at
> this point he sent me 2 certificates: One is what he called the
> "firewall" certificate and the other is what he called the
> "management" certificate.
> I don't understand exactly their purpose; anyway, they are trusted by
> the same CA that I've extracted from my p12, so one of them should be
> the peer certificate and the other should be of no use.
> I attempted to connect at first using the "firewall" certificate, then
> using the "management" certificate, but in both cases I have the same
> That's all :-(
> thanks again for your help!
