Thanks Carmelo, it's nice to hear that someone was successful at this! I'm using lenny (kernel 2.6.26-2-amd64), but I hope that this is not a net/kernel issue.
I've read your first mail (how to reverse the cert from userC.c), and I've already reversed the cert. I have a pkcs12 from the checkpoint administrator; I followed the instructions from the debian guy and extracted ca.pem, my_key.pem and my_crt.pem. I can confirm that the ca.pem reversed from userc.c is the same as the one obtained directly from the pkcs12. I didn't spot your second mail until now, but I've realized the bug in ikea, so I set the asn1dn directly in ~/.ike/ by hand and ran ikec -r default. I've set ike to 3DES/SHA1/1024 (the same parameters are used for phase 2). If I don't set 3des (using AES, for example), I receive a "peer unknown notification". Using 3des, it seems that phase1 was ok, but it cannot go on with phase2. Am I missing something? I have no "firewall certificate" but only the ca certificate. Aren't they the same thing? I spotted the message "K! : recv X_SPDDUMP message failure ( errno = 2 )". Is it something important? The error is on the line "ii : received peer PAYLOAD-MALFORMED notification". Do you have any hint?
Yours faithfully,
Luca Arzeni

=== This is my site configuration ===
n:version:2
n:network-ike-port:500
n:network-mtu-size:1300
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:0
n:client-dns-used:0
n:phase1-dhgroup:2
n:phase1-keylen:192
n:phase1-life-secs:3600
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:1
n:phase2-keylen:192
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:0
s:client-ip-addr:192.168.144.4
s:client-ip-mask:255.255.255.255
s:network-host:x.y.z.t
s:client-auto-mode:pull
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:auth-server-cert:/home/larzeni/.ike/certs/checkpoint-internal-ca.pem
s:auth-client-cert:/home/larzeni/.ike/certs/larzeni-cert.pem
s:auth-client-key:/home/larzeni/.ike/certs/larzeni-key.pem
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:3des
s:phase2-hmac:sha1
s:ipcomp-transform:deflate
s:policy-list-include:192.168.255.0 / 255.255.255.0

=== and this is the output from the command "iked -F -d 6" ===
ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.1.5
## : Copyright 2009 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8g 19 Oct 2007
ii : opened '/var/log/iked.log'
ii : opened '/var/log/ike-encrypt.pcap'
ii : opened '/var/log/ike-decrypt.pcap'
ii : pfkey process thread begin ...
ii : network process thread begin ...
ii : ipc server process thread begin ...
K< : recv pfkey REGISTER AH message
K< : recv pfkey REGISTER ESP message
K< : recv pfkey REGISTER IPCOMP message
K! : recv X_SPDDUMP message failure ( errno = 2 )
ii : ipc client process thread begin ...
<A : peer config add message
DB : peer added ( obj count = 1 )
ii : local address 192.168.144.4 selected for peer
DB : tunnel added ( obj count = 1 )
<A : proposal config message
<A : proposal config message
<A : proposal config message
<A : client config message
<A : remote cert '/home/larzeni/.ike/certs/checkpoint-internal-ca.pem' message
ii : '/home/larzeni/.ike/certs/checkpoint-internal-ca.pem' loaded
<A : local cert '/home/larzeni/.ike/certs/larzeni-cert.pem' message
ii : '/home/larzeni/.ike/certs/larzeni-cert.pem' loaded
<A : local key '/home/larzeni/.ike/certs/larzeni-key.pem' message
!! : '/home/larzeni/.ike/certs/larzeni-key.pem' load failed, requesting password
<A : file password
<A : local key '/home/larzeni/.ike/certs/larzeni-key.pem' message
ii : '/home/larzeni/.ike/certs/larzeni-key.pem' loaded
<A : remote resource message
<A : peer tunnel enable message
ii : obtained x509 cert subject ( 73 bytes )
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is identity protect
DB : 192.168.144.4:500 <-> x.y.z.t:500
DB : d7bc5ca1ef159ea9:0000000000000000
DB : phase1 added ( obj count = 1 )
>> : security association payload
>> : - proposal #1 payload
>> : -- transform #1 payload
>> : vendor id payload
ii : local supports nat-t ( draft v00 )
>> : vendor id payload
ii : local supports nat-t ( draft v01 )
>> : vendor id payload
ii : local supports nat-t ( draft v02 )
>> : vendor id payload
ii : local supports nat-t ( draft v03 )
>> : vendor id payload
ii : local supports nat-t ( rfc )
>> : vendor id payload
ii : local supports FRAGMENTATION
>> : vendor id payload
ii : local supports DPDv1
>> : vendor id payload
ii : local is SHREW SOFT compatible
>> : vendor id payload
ii : local is NETSCREEN compatible
>> : vendor id payload
ii : local is SIDEWINDER compatible
>> : vendor id payload
ii : local is CISCO UNITY compatible
>> : vendor id payload
ii : local is CHECKPOINT compatible
>= : cookies d7bc5ca1ef159ea9:0000000000000000
>= : message 00000000
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 384 bytes )
DB : phase1 resend event scheduled ( ref count = 2 )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 148 bytes )
DB : phase1 found
ii : processing phase1 packet ( 148 bytes )
=< : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
=< : message 00000000
<< : security association payload
<< : - propsal #1 payload
<< : -- transform #1 payload
ii : matched isakmp proposal #1 transform #1
ii : - transform = ike
ii : - cipher type = 3des
ii : - key length = default
ii : - hash type = sha1
ii : - dh group = modp-1024
ii : - auth type = sig-rsa
ii : - life seconds = 3600
ii : - life kbytes = 0
<< : vendor id payload
ii : peer supports nat-t ( draft v02 )
<< : vendor id payload
ii : peer is CHECKPOINT compatible
>> : key exchange payload
>> : nonce payload
>> : cert request payload
>> : nat discovery payload
>> : nat discovery payload
>= : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
>= : message 00000000
DB : phase1 resend event canceled ( ref count = 1 )
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 265 bytes )
DB : phase1 resend event scheduled ( ref count = 2 )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 40 bytes )
DB : phase1 found
ii : processing informational packet ( 40 bytes )
== : new informational iv ( 8 bytes )
=< : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
=< : message 776a44a4
<< : notification payload
ii : received peer PAYLOAD-MALFORMED notification
ii : - x.y.z.t:500 -> 192.168.144.4:500
ii : - isakmp spi = none
ii : - data size 0
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
ii : resend limit exceeded for phase1 exchange
ii : phase1 removal before expire time
DB : phase1 deleted ( obj count = 0 )
DB : policy not found
DB : policy not found
DB : tunnel stats event canceled ( ref count = 1 )
DB : removing tunnel config references
DB : removing tunnel phase2 references
DB : removing tunnel phase1 references
DB : tunnel deleted ( obj count = 0 )
DB : removing all peer tunnel refrences
DB : peer deleted ( obj count = 0 )
ii : ipc client process thread exit ...
=== thanks again, Luca ===

On Sun, May 2, 2010 at 9:08 PM, Carmelo Iannello <[email protected]> wrote:
> Luca Arzeni wrote:
>> Hi there,
>> I'm trying to connect a client (debian lenny) with a checkpoint firewall NGX R65.
>> I can connect with a securemote client from a Windows XP client to a network behind the firewall.
>> The same connection fails under linux, using Shrew.
>>
>> I followed the instructions on the shrew site, with one difference: I'm using a mutual RSA authentication (I have no password... anyway the administrator of the firewall says that he cannot set any password on the firewall, so this should be correct).
>> I use the DN of the certificates as id of the client and of the firewall.
>>
>> The connection fails after phase1, complaining that peer received a MALFORMED-PAYLOAD.
>>
>> I must say that I have no firewall certificate, the admin says that he has no knowledge of a FW certificate. In the securemote client, I extracted a certificate from the cert(:xxx) string but it's the certificate of the ca, and I'm using that one as certificate for the other endpoint.
>
> Did you reverse the certificate string?
> If you have a pkcs12 client certificate you can extract a PEM version of the CA certificate from it, using openssl.
>
> Check out this post:
> http://lists.shrew.net/pipermail/vpn-help/2010-April/003254.html
> for how to reverse the :cert() string
> and this
> http://lists.shrew.net/pipermail/vpn-help/2010-April/003274.html
> for mutual RSA with Checkpoint
>
>> Is there anyone that has successfully connected from a linux client to a check point NGX R65?
>
> yes, from debian unstable to R65 and R55
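The extraction and cross-check Luca describes in his reply (pulling ca.pem, my_crt.pem and my_key.pem out of the pkcs12 with openssl, then confirming that the CA reversed from userc.C is the same certificate as the one in the bundle), as an added shell example; it is not code from this thread or from Shrew Soft. It builds its own throw-away CA, client certificate and .p12 (the names, subjects and passphrase are constructed) so it runs offline, and compares certificates by SHA-256 fingerprint rather than by eye.

```shell
#!/bin/sh
# Added example, not code from the vpn-help thread or from Shrew Soft.
# Extract the CA certificate, client certificate and private key from a
# PKCS#12 bundle with the openssl CLI, then confirm that the extracted CA is
# the same certificate as one obtained another way (for instance a CA
# reversed from the SecuRemote :cert() string) by comparing fingerprints.
# All file names, subjects and the passphrase below are constructed for the
# demo.
set -eu

# extract_p12 BUNDLE.p12 PASSPHRASE OUTDIR
# Writes OUTDIR/ca.pem, OUTDIR/my_crt.pem and OUTDIR/my_key.pem.
extract_p12() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out"
    # CA certificate(s) only: no client certificate, no key
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys -out "$out/ca.pem"
    # client certificate only
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$out/my_crt.pem"
    # private key written unencrypted (-nodes), as iked expects to read it;
    # restrict the file to its owner since nothing else protects it
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/my_key.pem"
    chmod 600 "$out/my_key.pem"
}

# cert_fp FILE.pem -> SHA-256 fingerprint of the first certificate in FILE
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# cert_subject FILE.pem -> subject DN, the value behind an asn1dn identity
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# same_ca A.pem B.pem -> exit 0 only if both files hold the same certificate
same_ca() {
    [ "$(cert_fp "$1")" = "$(cert_fp "$2")" ]
}

# make_demo_bundle DIR PASSPHRASE
# Constructed test data: a self-signed CA, a client cert it signs, and a .p12
# holding the client cert, its key and the CA (what an admin would hand out).
make_demo_bundle() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Internal CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
        -keyout "$dir/user-key.pem" -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 1 -out "$dir/user-crt.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/user-crt.pem" -inkey "$dir/user-key.pem" \
        -certfile "$dir/ca.pem" -passout "pass:$pass" -out "$dir/user.p12"
}

# Demo run: sh p12-check.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_demo_bundle "$work" demo-pass
    extract_p12 "$work/user.p12" demo-pass "$work/extracted"
    cert_subject "$work/extracted/my_crt.pem"
    if same_ca "$work/ca.pem" "$work/extracted/ca.pem"; then
        echo "CA match: $(cert_fp "$work/extracted/ca.pem")"
    else
        echo "CA MISMATCH" >&2
        exit 1
    fi
fi
```

Against a real bundle, call extract_p12 on the administrator's .p12 and same_ca on the reversed CA PEM and the extracted ca.pem. The printed subject of my_crt.pem is the DN that an asn1dn client identity carries, so it is worth checking against what was typed into ~/.ike/ by hand. A fingerprint mismatch means the two files are not the same CA certificate, and the one configured as auth-server-cert deserves a second look before anything else is tuned.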
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
