[Openswan Users] Linux (debian lenny) client to Checkpoint Firewall NGx R65 using certificates - secureclient ok, openswan ko - PAYLOAD_MALFORMED

Luca Arzeni l.arzeni at gmail.com
Thu May 13 09:06:53 EDT 2010


Hi Ondrej,
I know that in the past they were using SecurID clients (and maybe
they are still using them). This would explain the problems that I'm
facing.
However, I can connect with CP SecureRemote using my certificate,
without SecurID, so I think that there should be a way to circumvent
these problems.

Anyway, I really appreciate your help and I will report to the CP
administrator, to have at least an idea of the possible source of the
error.

Thanks again, Luca



On Thu, May 13, 2010 at 2:44 PM, Ondrej Valousek <webserv at s3group.cz> wrote:
> Hi Luca,
>
> I have compared your logs with mine and it really looks like there is some
> problem with your Checkpoint configuration.
> My wild guess is that your Checkpoint only accepts SecurID clients and
> not authentication using certificates.
> Note that SecurID is a Checkpoint speciality and nonstandard.
> You definitely need access to the Dashboard to find out (make sure
> authentication via certificates is allowed and see logs).
>
> If you do not have such an access, your only chance is SSL-Extender as there
> is a linux client from Checkpoint that is using SSL-Extender.
>
> Regards,
> Ondrej
>
>
> On 13.05.2010 13:44, Luca Arzeni wrote:
>
> Hi Ondrej,
> here are the answers to your questions:
>
>> As I said, it has nothing to do with the kernel so at least the IKE stage
>> should work on your debian, too - no need to install CentOS.
>
> You are right, but I am really hitting my head against the wall and I
> was trying to reduce noise by removing any difference between my tests
> and yours.
>
>> Please do:
>> 1) plutodebug="control parsing controlmore", restart ipsec and send me the
>> whole logs from the daemon start
>
> Logs are attached to this mail
>
>> 2) Launch Dashboard monitor and check for any messages here (the attempt for
>> the IKE connection from your Debian should be listed). If not, enable
>> logging for this connection.
>
> Sadly, I've no access to the Checkpoint machine, so I cannot activate
> dashboard monitor or logs.
>
>> 3) consider installing the latest HFA for your Checkpoint firewall, mine is
>> running HFA 4.
>
> The checkpoint administrator says that he has installed HFA_01 (and
> he cannot install other HFA).
>
> Some other info:
> - I've also tested with Shrew VPN, but I have the same problem.
> - my p12 cert contains a ca.cert (which is the same one that
> secureremote retrieves during its connection and places in its
> userC.c file). This is the ca that I'm putting in the ipsec.d/cacerts
> directory.
>
> - The CP administrator says that he is not able to extract the firewall
> cert using the command:
>
> "fwm exportcert -obj checkpoint -cert defaultCert -pem -withroot -file
> checkpoint-cert.pkcs7"
>
> instead, he was able to extract the certificates using the gui, but at
> this point he sent me 2 certificates: One is what he called the
> "firewall" certificate and the other is what he called the
> "management" certificate.
>
> I don't understand exactly their purpose; anyway they are trusted by
> the same ca that I've extracted from my p12, so one of them should be
> the peer certificate and the other should be of no use.
>
> I attempted to connect at first using the "firewall" certificate, then
> using the "management" certificate, but in both cases I have the same
> MALFORMED_PAYLOAD error.
>
> That's all :-(
>
> thanks again for your help!
>
>
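The certificate handling Luca describes in the quoted message (a CA pulled out of the user's p12 and placed under ipsec.d/cacerts, and two candidate gateway certificates of which only one can be the peer) can be done and checked mechanically. The script below is an added example, not code from this thread, from Openswan or from Check Point: it splits a PKCS#12 bundle into the three PEM files Openswan reads from /etc/ipsec.d and runs `openssl verify` to see which peer certificate actually chains to the CA from the bundle. The test PKI it builds, the passphrase `changeit`, the file names and the directory layout are all constructed for illustration; with a real bundle, set `P12` to your file and skip the PKI generation.

```shell
#!/bin/sh
# Added example, not code from the thread: split a PKCS#12 bundle into the
# three files Openswan reads from /etc/ipsec.d, and test which of several
# peer certificates chains to the CA carried in that bundle.  The directory
# layout, file names and passphrase here are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12PASS="${P12PASS:-changeit}"   # assumed PKCS#12 passphrase

# Constructed test PKI so the script runs offline: a CA, a user cert that
# goes into the p12 together with that CA, one peer cert from the same CA
# and one self-signed cert that does not chain to it.  Prints the p12 path.
make_test_pki() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -subj "/CN=Example Internal CA" -days 365 >/dev/null 2>&1
  for name in user peer; do
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
        -subj "/CN=$name" >/dev/null 2>&1
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out "$name.crt" -days 365 >/dev/null 2>&1
  done
  openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
      -subj "/CN=other" -days 365 >/dev/null 2>&1
  openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt \
      -name user -passout "pass:$P12PASS" -out user.p12
  echo "$WORK/user.p12"
}

# split_p12 <bundle.p12> <ipsec.d-dir>
# Writes certs/user.crt, private/user.key and cacerts/ca.crt under the
# target directory as clean PEM (the "Bag Attributes" header that
# openssl pkcs12 emits is stripped by re-encoding through x509/rsa).
split_p12() {
  p12="$1"; dir="$2"
  mkdir -p "$dir/certs" "$dir/private" "$dir/cacerts"
  openssl pkcs12 -in "$p12" -passin "pass:$P12PASS" -clcerts -nokeys \
      | openssl x509 -out "$dir/certs/user.crt"
  openssl pkcs12 -in "$p12" -passin "pass:$P12PASS" -nocerts -nodes \
      | openssl rsa -out "$dir/private/user.key" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$P12PASS" -cacerts -nokeys \
      | openssl x509 -out "$dir/cacerts/ca.crt"
  chmod 600 "$dir/private/user.key"
}

# check_peer_cert <peer.crt> <ca.crt>
# Returns 0 and prints subject/issuer if the peer cert chains to the CA,
# 1 otherwise; a cert that fails here cannot be the gateway's cert for a
# connection whose trust anchor is the CA from the bundle.
check_peer_cert() {
  cert="$1"; cafile="$2"
  if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
    openssl x509 -in "$cert" -noout -subject -issuer
    return 0
  fi
  return 1
}

# Usage: P12=/path/to/user.p12 sh split_p12.sh /etc/ipsec.d [peer.crt ...]
if [ -n "${P12:-}" ] && [ $# -ge 1 ]; then
  target="$1"; shift
  split_p12 "$P12" "$target"
  for peer in "$@"; do
    check_peer_cert "$peer" "$target/cacerts/ca.crt" \
      || echo "$peer does not chain to $target/cacerts/ca.crt"
  done
fi
```

Pointed at /etc/ipsec.d, the three outputs land where Openswan looks for them (certs/, private/, cacerts/); the private key still has to be named in ipsec.secrets with a `: RSA /etc/ipsec.d/private/user.key` line. Running `check_peer_cert` over both the "firewall" and the "management" certificate tells you which of them is even a candidate before you spend another round of PAYLOAD_MALFORMED debugging on the wrong one.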

