Hi Matthew, here they are...

*** This is my site configuration ***

n:version:2
n:network-ike-port:500
n:network-mtu-size:1300
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:0
n:client-dns-used:0
n:phase1-dhgroup:2
n:phase1-keylen:192
n:phase1-life-secs:3600
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:1
n:phase2-keylen:192
n:phase2-pfsgroup:2
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:0
s:client-ip-addr:192.168.144.4
s:client-ip-mask:255.255.255.255
s:network-host:x.y.z.t
s:client-auto-mode:pull
s:client-iface:direct
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-rsa
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:auth-server-cert:/home/larzeni/.ike/certs/checkpoint-internal-ca.pem
s:auth-client-cert:/home/larzeni/.ike/certs/larzeni-cert.pem
s:auth-client-key:/home/larzeni/.ike/certs/larzeni-key.pem
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:3des
s:phase2-hmac:sha1
s:ipcomp-transform:deflate
s:policy-list-include:192.168.255.0 / 255.255.255.0

*** and this is the output from the command "iked -F -d 6" ***

ii : created ike socket 0.0.0.0:500
ii : created natt socket 0.0.0.0:4500
## : IKE Daemon, ver 2.1.5
## : Copyright 2009 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8g 19 Oct 2007
ii : opened '/var/log/iked.log'
ii : opened '/var/log/ike-encrypt.pcap'
ii : opened '/var/log/ike-decrypt.pcap'
ii : pfkey process thread begin ...
ii : network process thread begin ...
ii : ipc server process thread begin ...
K< : recv pfkey REGISTER AH message
K< : recv pfkey REGISTER ESP message
K< : recv pfkey REGISTER IPCOMP message
K! : recv X_SPDDUMP message failure ( errno = 2 )
ii : ipc client process thread begin ...
<A : peer config add message
DB : peer added ( obj count = 1 )
ii : local address 192.168.144.4 selected for peer
DB : tunnel added ( obj count = 1 )
<A : proposal config message
<A : proposal config message
<A : proposal config message
<A : client config message
<A : remote cert '/home/larzeni/.ike/certs/checkpoint-internal-ca.pem' message
ii : '/home/larzeni/.ike/certs/checkpoint-internal-ca.pem' loaded
<A : local cert '/home/larzeni/.ike/certs/larzeni-cert.pem' message
ii : '/home/larzeni/.ike/certs/larzeni-cert.pem' loaded
<A : local key '/home/larzeni/.ike/certs/larzeni-key.pem' message
!! : '/home/larzeni/.ike/certs/larzeni-key.pem' load failed, requesting password
<A : file password
<A : local key '/home/larzeni/.ike/certs/larzeni-key.pem' message
ii : '/home/larzeni/.ike/certs/larzeni-key.pem' loaded
<A : remote resource message
<A : peer tunnel enable message
ii : obtained x509 cert subject ( 73 bytes )
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is identity protect
DB : 192.168.144.4:500 <-> x.y.z.t:500
DB : d7bc5ca1ef159ea9:0000000000000000
DB : phase1 added ( obj count = 1 )
>> : security association payload
>> : - proposal #1 payload
>> : -- transform #1 payload
>> : vendor id payload
ii : local supports nat-t ( draft v00 )
>> : vendor id payload
ii : local supports nat-t ( draft v01 )
>> : vendor id payload
ii : local supports nat-t ( draft v02 )
>> : vendor id payload
ii : local supports nat-t ( draft v03 )
>> : vendor id payload
ii : local supports nat-t ( rfc )
>> : vendor id payload
ii : local supports FRAGMENTATION
>> : vendor id payload
ii : local supports DPDv1
>> : vendor id payload
ii : local is SHREW SOFT compatible
>> : vendor id payload
ii : local is NETSCREEN compatible
>> : vendor id payload
ii : local is SIDEWINDER compatible
>> : vendor id payload
ii : local is CISCO UNITY compatible
>> : vendor id payload
ii : local is CHECKPOINT compatible
>= : cookies d7bc5ca1ef159ea9:0000000000000000
>= : message 00000000
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 384 bytes )
DB : phase1 resend event scheduled ( ref count = 2 )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 148 bytes )
DB : phase1 found
ii : processing phase1 packet ( 148 bytes )
=< : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
=< : message 00000000
<< : security association payload
<< : - propsal #1 payload
<< : -- transform #1 payload
ii : matched isakmp proposal #1 transform #1
ii : - transform = ike
ii : - cipher type = 3des
ii : - key length = default
ii : - hash type = sha1
ii : - dh group = modp-1024
ii : - auth type = sig-rsa
ii : - life seconds = 3600
ii : - life kbytes = 0
<< : vendor id payload
ii : peer supports nat-t ( draft v02 )
<< : vendor id payload
ii : peer is CHECKPOINT compatible
>> : key exchange payload
>> : nonce payload
>> : cert request payload
>> : nat discovery payload
>> : nat discovery payload
>= : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
>= : message 00000000
DB : phase1 resend event canceled ( ref count = 1 )
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 265 bytes )
DB : phase1 resend event scheduled ( ref count = 2 )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 40 bytes )
DB : phase1 found
ii : processing informational packet ( 40 bytes )
== : new informational iv ( 8 bytes )
=< : cookies d7bc5ca1ef159ea9:d6f040907755cb6f
=< : message 776a44a4
<< : notification payload
ii : received peer PAYLOAD-MALFORMED notification
ii : - x.y.z.t:500 -> 192.168.144.4:500
ii : - isakmp spi = none
ii : - data size 0
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
ii : resend limit exceeded for phase1 exchange
ii : phase1 removal before expire time
DB : phase1 deleted ( obj count = 0 )
DB : policy not found
DB : policy not found
DB : tunnel stats event canceled ( ref count = 1 )
DB : removing tunnel config references
DB : removing tunnel phase2 references
DB : removing tunnel phase1 references
DB : tunnel deleted ( obj count = 0 )
DB : removing all peer tunnel refrences
DB : peer deleted ( obj count = 0 )
ii : ipc client process thread exit ...

Thanks for your help,
Luca

On Fri, May 14, 2010 at 5:36 PM, Matthew Grooms <[email protected]> wrote:
> On 5/14/2010 10:33 AM, Luca Arzeni wrote:
>>
>> Hi Matthew,
>> I tested with the last stable version: 2.1.5
>>
>> then, after failure, I setup a vmware virtual machine and tested with
>> 2.1.6-beta-4.
>>
>> I didn't use the debian default release (2.1.4) since I understood
>> that it would not allow connecting to a checkpoint NGx R65.
>>
>> Do you think that I must attempt with a 2.2.x version?
>>
>> As additional info, I can say that I've tried also OpenSwan 2.6.25 but
>> I received the same error...
>>
>
> I'm not sure. I don't think the 2.2.x version will fare that much better.
> Did you post any log output? Maybe I missed it in your thread.
>
> -Matthew
>

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
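Added example, not from this thread or from the Shrew Soft project: a small Python triage of iked "-d 6" output in the "XX : message" form shown above, which pulls out the phase1 parameters the peer accepted, the outgoing packet that immediately preceded the peer's notification, and whether the resend limit was hit. SAMPLE_LOG is a constructed excerpt of the trace above, and the LEGACY set (3DES, SHA-1, 1024-bit DH) is my own check, not something the thread discusses.

```python
import re
# Constructed excerpt of an iked "-d 6" trace in the "XX : message" form above.
SAMPLE_LOG = """\
ii : matched isakmp proposal #1 transform #1
ii : - cipher type = 3des
ii : - hash type = sha1
ii : - dh group = modp-1024
-> : send IKE packet 192.168.144.4:500 -> x.y.z.t:500 ( 265 bytes )
<- : recv IKE packet x.y.z.t:500 -> 192.168.144.4:500 ( 40 bytes )
ii : received peer PAYLOAD-MALFORMED notification
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
-> : resend 1 phase1 packet(s) 192.168.144.4:500 -> x.y.z.t:500
ii : resend limit exceeded for phase1 exchange
"""

LINE_RE = re.compile(r"^(?P<tag>\S\S) : (?P<msg>.*)$")          # "ii : ...", "-> : ..."
PARAM_RE = re.compile(r"^- (?P<key>[a-z ]+?) = (?P<val>\S+)$")  # "- dh group = modp-1024"
NOTIFY_RE = re.compile(r"received peer (?P<type>[A-Z-]+) notification")
LEGACY = {"3des", "sha1", "modp-1024"}  # my own check: deprecated by current guidance

def triage(log_text):
    """Reduce a phase1 trace to the facts a diagnosis needs."""
    s = {"params": {}, "notifications": [], "last_sent": None,
         "resends": 0, "gave_up": False, "legacy": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tag, msg = m.group("tag"), m.group("msg")
        if tag == "->" and msg.startswith("send "):
            s["last_sent"] = msg                 # most recent packet we sent
        elif tag == "->" and msg.startswith("resend "):
            s["resends"] += 1
        elif tag == "ii":
            p, n = PARAM_RE.match(msg), NOTIFY_RE.search(msg)
            if p:
                s["params"][p.group("key")] = p.group("val")
                if p.group("val") in LEGACY:
                    s["legacy"].append(p.group("val"))
            elif n:                              # pair it with the last packet we sent
                s["notifications"].append((n.group("type"), s["last_sent"]))
            elif msg.startswith("resend limit exceeded"):
                s["gave_up"] = True
    return s

def verdict(s):
    if s["gave_up"] and s["notifications"]:
        kind, pkt = s["notifications"][0]
        return f"peer answered '{pkt}' with {kind}; phase1 never completed"
    return "phase1 timed out silently" if s["gave_up"] else "no phase1 failure seen"
```

Run over the full trace above it reports that the 265-byte second main-mode packet (key exchange, nonce, cert request, NAT-D) is the one the Checkpoint answered with PAYLOAD-MALFORMED, which narrows where to look next.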
