On 5/14/2010 10:36 AM, Matthew Grooms wrote:
> On 5/14/2010 10:33 AM, Luca Arzeni wrote:
>> Hi Matthew,
>> I tested with the last stable version: 2.1.5
>>
>> then, after failure, I set up a vmware virtual machine and tested with
>> 2.1.6-beta-4.
>>
>> I didn't use the debian default release (2.1.4) since I understood
>> that it would not allow to connect to a checkpoint NGx R65.
>>
>> Do you think that I must attempt with a 2.2.x version?
>>
>> As additional info, I can say that I've tried also OpenSwan 2.6.25 but
>> I received the same error...
>>
>
> I'm not sure. I don't think the 2.2.x version will fare that much
> better. Did you post any log output? Maybe I missed it in your thread.
>

Luca,

A malformed payload notification typically indicates that the gateway is incapable of reading the packet sent by the peer. In my opinion, it may suggest that the IKE implementations are incompatible using the feature set you have enabled. Looking at your log output, the packet being rejected appears to contain the following payloads ...

>> : key exchange payload
>> : nonce payload
>> : cert request payload
>> : nat discovery payload
>> : nat discovery payload

I have a hard time believing that the Shrew Soft client is incorrectly forming these payloads. More than likely, Checkpoint is choking on the payload content because it's so fickle about vendor ID checks. I would suggest disabling the NAT-T option as it is listed as unsupported in our Checkpoint NGx document under the section entitled "Known Issues".

-Matthew

_______________________________________________
vpn-help mailing list
http://lists.shrew.net/mailman/listinfo/vpn-help
