[Openswan Users] Linux (debian lenny) client to Checkpoint Firewall NGx R65 using certificates - secureclient ok, openswan ko - PAYLOAD_MALFORMED
Ondrej Valousek
webserv at s3group.cz
Thu May 13 16:55:29 EDT 2010
Luca,
It does not prove anything as you are still using CP-provided client
right? CP-client will always understand CP firewall. I think it might
still use SecurID with certificates. I do not know.
Once you are able to connect with non-CP client, I will say yes, there
could be something wrong with openswan, but now....
Cheers,
Ondrej
On 13.05.2010 18:16, Luca Arzeni wrote:
> Alas,
> administrator said that all people are now using certificates, and no
> one is using securID, so I'm the (un)lucky guy.
>
> I googled around a little about ISAKMP_NEXT_N and found that
>
> ISAKMP_NEXT_N is an always-welcome payload_type (Notification)
> ISAKMP_NEXT_D is an always-welcome payload_type (Delete)
>
> Now, I recall that I've read that, after a successful connection, CP
> sends some packets to see if connection is properly established. If I
> could ignore them, and go ahead, probably the connection would
> succeed...
> What do you think about this? Do I need to patch openswan to reach this goal?
> Thanks, Luca
>
>
> On Thu, May 13, 2010 at 3:04 PM, Ondrej Valousek <webserv at s3group.cz> wrote:
>
>>> My wild guess is that the your Checkpoint only accepts SecurID clients and
>>> not authentication using certificates.
>>>
>> Yes, that's probably it. At main mode, your CP responds with ISAKMP_NEXT_N
>> (which I do not know what it is) whereas it should respond with
>> ISAKMP_NEXT_KE (which is most likely Key Exchange request -Paul to
>> clarify...)
>>
>> O.
>>
>>
>>
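Added example, not part of the thread and not openswan code: a small decoder that walks the payload chain of an unencrypted ISAKMP message and names the Notification type, which is what tells you why the peer answered with ISAKMP_NEXT_N where ISAKMP_NEXT_KE was expected. Payload and notify codes are taken from RFC 2408; the function names and the sample packet are constructed for illustration.

```python
import struct

# Next-payload codes (RFC 2408, section 3.1); the thread's ISAKMP_NEXT_<name>.
PAYLOADS = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
            8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
# Subset of notify message types (RFC 2408, section 3.14.1).
NOTIFY = {1: "INVALID_PAYLOAD_TYPE", 14: "NO_PROPOSAL_CHOSEN", 16: "PAYLOAD_MALFORMED",
          18: "INVALID_ID_INFORMATION", 20: "INVALID_CERTIFICATE", 24: "AUTHENTICATION_FAILED"}
EXCHANGES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational"}
# cookies (2 x 8), next payload, version, exchange type, flags, message id, length
HDR = struct.Struct("!8s8sBBBBII")

def parse_isakmp(msg: bytes) -> dict:
    """Walk the payload chain of one ISAKMP message and name any Notification."""
    if len(msg) < HDR.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _ic, _rc, nxt, _ver, xchg, flags, _mid, length = HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("header length field does not match datagram size")
    out = {"exchange": EXCHANGES.get(xchg, str(xchg)),
           "encrypted": bool(flags & 0x01), "payloads": []}
    if out["encrypted"]:
        return out  # body is ciphertext; the chain cannot be walked without keys
    off = HDR.size
    while nxt != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated generic payload header")
        following, _rsv, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("payload length out of bounds")
        entry = {"type": PAYLOADS.get(nxt, str(nxt))}
        if nxt == 11:  # Notification: DOI, protocol id, SPI size, notify type
            if plen < 12:
                raise ValueError("Notification payload too short")
            _doi, _proto, _spi, ntype = struct.unpack_from("!IBBH", msg, off + 4)
            entry["notify"] = NOTIFY.get(ntype, str(ntype))
        out["payloads"].append(entry)
        nxt, off = following, off + plen
    return out

def sample_notify(ntype: int) -> bytes:
    """Constructed sample: unencrypted Informational message with one Notification."""
    body = struct.pack("!IBBH", 1, 1, 0, ntype)  # IPsec DOI, proto ISAKMP, no SPI
    payload = struct.pack("!BBH", 0, 0, 4 + len(body)) + body
    return HDR.pack(b"\x11" * 8, b"\x22" * 8, 11, 0x10, 5, 0, 0,
                    HDR.size + len(payload)) + payload

if __name__ == "__main__":
    print(parse_isakmp(sample_notify(16)))
```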