Are you able to ping the actual router using its LAN-side IP address? It's possible that the internal host you are pinging is set to not respond to a ping, or a firewall setting on one of the devices is blocking the ping.
----- Original Message -----
From: Matthew Austin <[email protected]>
Date: Saturday, May 14, 2011 12:57 pm
Subject: Re: [vpn-help] Checkpoint NGX 8.2.39n - network access issue
To: [email protected]

> I've kept plugging away at this and have gone so far as to download
> and work through some minor build issues with the head revision with
> no real delta. I'm getting through phase 1 and when I ping an
> internal host it initiates phase 2. The appliance reports in the log
> that phase 2 negotiation completes successfully but the ping does not
> return. Here is the iked.log debug output from when I initiate the
> ping forward.
>
> 11/05/14 12:46:53 K< : recv pfkey ACQUIRE ESP message
> 11/05/14 12:46:53 DB : policy found
> 11/05/14 12:46:53 DB : policy found
> 11/05/14 12:46:53 DB : tunnel found
> 11/05/14 12:46:53 DB : new phase2 ( IPSEC initiator )
> 11/05/14 12:46:53 DB : phase2 added ( obj count = 1 )
> 11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
> 11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
> 11/05/14 12:46:53 DB : phase2 found
> 11/05/14 12:46:53 ii : updated spi for 1 ipsec-esp proposal
> 11/05/14 12:46:53 DB : phase1 found
> 11/05/14 12:46:53 >> : hash payload
> 11/05/14 12:46:53 >> : security association payload
> 11/05/14 12:46:53 >> : - proposal #1 payload
> 11/05/14 12:46:53 >> : -- transform #1 payload
> 11/05/14 12:46:53 >> : -- transform #2 payload
> 11/05/14 12:46:53 >> : -- transform #3 payload
> 11/05/14 12:46:53 >> : -- transform #4 payload
> 11/05/14 12:46:53 >> : -- transform #5 payload
> 11/05/14 12:46:53 >> : -- transform #6 payload
> 11/05/14 12:46:53 >> : -- transform #7 payload
> 11/05/14 12:46:53 >> : -- transform #8 payload
> 11/05/14 12:46:53 >> : -- transform #9 payload
> 11/05/14 12:46:53 >> : -- transform #10 payload
> 11/05/14 12:46:53 >> : -- transform #11 payload
> 11/05/14 12:46:53 >> : -- transform #12 payload
> 11/05/14 12:46:53 >> : -- transform #13 payload
> 11/05/14 12:46:53 >> : -- transform #14 payload
> 11/05/14 12:46:53 >> : -- transform #15 payload
> 11/05/14 12:46:53 >> : -- transform #16 payload
> 11/05/14 12:46:53 >> : -- transform #17 payload
> 11/05/14 12:46:53 >> : -- transform #18 payload
> 11/05/14 12:46:53 >> : -- transform #19 payload
> 11/05/14 12:46:53 >> : -- transform #20 payload
> 11/05/14 12:46:53 >> : -- transform #21 payload
> 11/05/14 12:46:53 >> : -- transform #22 payload
> 11/05/14 12:46:53 >> : -- transform #23 payload
> 11/05/14 12:46:53 >> : -- transform #24 payload
> 11/05/14 12:46:53 >> : -- transform #25 payload
> 11/05/14 12:46:53 >> : -- transform #26 payload
> 11/05/14 12:46:53 >> : -- transform #27 payload
> 11/05/14 12:46:53 >> : -- transform #28 payload
> 11/05/14 12:46:53 >> : -- transform #29 payload
> 11/05/14 12:46:53 >> : -- transform #30 payload
> 11/05/14 12:46:53 >> : -- transform #31 payload
> 11/05/14 12:46:53 >> : -- transform #32 payload
> 11/05/14 12:46:53 >> : -- transform #33 payload
> 11/05/14 12:46:53 >> : -- transform #34 payload
> 11/05/14 12:46:53 >> : -- transform #35 payload
> 11/05/14 12:46:53 >> : -- transform #36 payload
> 11/05/14 12:46:53 >> : -- transform #37 payload
> 11/05/14 12:46:53 >> : -- transform #38 payload
> 11/05/14 12:46:53 >> : -- transform #39 payload
> 11/05/14 12:46:53 >> : -- transform #40 payload
> 11/05/14 12:46:53 >> : -- transform #41 payload
> 11/05/14 12:46:53 >> : -- transform #42 payload
> 11/05/14 12:46:53 >> : -- transform #43 payload
> 11/05/14 12:46:53 >> : -- transform #44 payload
> 11/05/14 12:46:53 >> : -- transform #45 payload
> 11/05/14 12:46:53 >> : nonce payload
> 11/05/14 12:46:53 >> : identification payload
> 11/05/14 12:46:53 >> : identification payload
> 11/05/14 12:46:53 == : phase2 hash_i ( input ) ( 1460 bytes )
> 11/05/14 12:46:53 == : phase2 hash_i ( computed ) ( 16 bytes )
> 11/05/14 12:46:53 == : new phase2 iv ( 16 bytes )
> 11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
> 11/05/14 12:46:53 >= : message e75b342c
> 11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
> 11/05/14 12:46:53 == : encrypt packet ( 1504 bytes )
> 11/05/14 12:46:53 == : stored iv ( 16 bytes )
> 11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 -> 173.164.101.125:500 ( 1544 bytes )
> 11/05/14 12:46:53 DB : phase2 resend event scheduled ( ref count = 2 )
> 11/05/14 12:46:53 <- : recv IKE packet 173.164.101.125:500 -> 192.168.0.161:500 ( 172 bytes )
> 11/05/14 12:46:53 DB : phase1 found
> 11/05/14 12:46:53 ii : processing phase2 packet ( 172 bytes )
> 11/05/14 12:46:53 DB : phase2 found
> 11/05/14 12:46:53 =< : cookies f8d338c27cbb826c:2881de11b69d9df3
> 11/05/14 12:46:53 =< : message e75b342c
> 11/05/14 12:46:53 =< : decrypt iv ( 16 bytes )
> 11/05/14 12:46:53 == : decrypt packet ( 172 bytes )
> 11/05/14 12:46:53 <= : trimmed packet padding ( 16 bytes )
> 11/05/14 12:46:53 <= : stored iv ( 16 bytes )
> 11/05/14 12:46:53 << : hash payload
> 11/05/14 12:46:53 << : security association payload
> 11/05/14 12:46:53 << : - propsal #1 payload
> 11/05/14 12:46:53 << : -- transform #1 payload
> 11/05/14 12:46:53 << : nonce payload
> 11/05/14 12:46:53 << : identification payload
> 11/05/14 12:46:53 << : identification payload
> 11/05/14 12:46:53 == : phase2 hash_r ( input ) ( 132 bytes )
> 11/05/14 12:46:53 == : phase2 hash_r ( computed ) ( 16 bytes )
> 11/05/14 12:46:53 == : phase2 hash_r ( received ) ( 16 bytes )
> 11/05/14 12:46:53 ii : matched ipsec-esp proposal #1 transform #1
> 11/05/14 12:46:53 ii : - transform = esp-aes
> 11/05/14 12:46:53 ii : - key length = 256 bits
> 11/05/14 12:46:53 ii : - encap mode = tunnel
> 11/05/14 12:46:53 ii : - msg auth = hmac-md5
> 11/05/14 12:46:53 ii : - pfs dh group = none
> 11/05/14 12:46:53 ii : - life seconds = 3600
> 11/05/14 12:46:53 ii : - life kbytes = 0
> 11/05/14 12:46:53 DB : policy found
> 11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
> 11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
> 11/05/14 12:46:53 DB : phase2 found
> 11/05/14 12:46:53 ii : phase2 ids accepted
> 11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
> 11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
> 11/05/14 12:46:53 ii : phase2 sa established
> 11/05/14 12:46:53 ii : 192.168.0.161:500 <-> 173.164.101.125:500
> 11/05/14 12:46:53 == : phase2 hash_p ( input ) ( 45 bytes )
> 11/05/14 12:46:53 == : phase2 hash_p ( computed ) ( 16 bytes )
> 11/05/14 12:46:53 >> : hash payload
> 11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
> 11/05/14 12:46:53 >= : message e75b342c
> 11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
> 11/05/14 12:46:53 == : encrypt packet ( 48 bytes )
> 11/05/14 12:46:53 == : stored iv ( 16 bytes )
> 11/05/14 12:46:53 DB : phase2 resend event canceled ( ref count = 1 )
> 11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 -> 173.164.101.125:500 ( 88 bytes )
> 11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
> 11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
> 11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
> 11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
> 11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
> 11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
> 11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
> 11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
>
> It feels like it is soooo close.
>
> On Wed, May 11, 2011 at 5:33 PM, Matthew Austin <[email protected]> wrote:
> > Just a quick update that I downloaded and built 2.1.7 on ubuntu 11.04
> > with no change. We've tested this with ubuntu 10.10 and 11.04 with
> > the 2.1.5 packages. Let me know if you'd like to see some iked.log
> > output.
> >
> > On Tue, May 10, 2011 at 10:52 PM, Matthew Austin <[email protected]> wrote:
> >> Greetings,
> >>
> >> I followed the instructions at http://www.shrew.net/support/wiki/HowtoCheckpoint
> >>
> >> shrew reports:
> >> bringing up tunnel ...
> >> network device configured
> >> tunnel enabled
> >>
> >> so it would appear that I can connect to the device, authenticate, and
> >> it pulls down an IP and all of that, but I can't ping any internal
> >> network or even the gateway.
> >>
> >> I also applied the setting recommended here
> >> http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html
> >> just in case.
> >>
> >> Any help would be appreciated.
> >>
> >> Matthew
> >>
> >
> _______________________________________________
> vpn-help mailing list
> [email protected]
> http://lists.shrew.net/mailman/listinfo/vpn-help
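As an added example for this thread (not Shrew Soft code and not the original poster's), here is a small Python check that reads the phase 2 portion of an iked.log like the one quoted above and answers the question the reply is circling: did the traffic even match the negotiated IPsec selectors, or does the fault lie past IKE (ICMP filtering, return routing on the far side)? The SA in the log covers only `192.168.254.162 -> 192.168.200.0/24`, so a ping sourced from the physical LAN address 192.168.0.161, or aimed at anything outside 192.168.200.0/24, never enters the tunnel. The log excerpt in the block is a constructed subset of the quoted output; the destination addresses 192.168.200.10 and 10.0.0.5 are made up for the demonstration, and the parser assumes IPv4 selectors in the `proto:addr[/prefix]:port` form shown in the log.

```python
"""Check whether a src/dst pair falls inside the phase 2 selectors that a
Shrew Soft iked.log reports as accepted.  Added example; not Shrew Soft code."""
import ipaddress
import re

# Constructed subset of the iked.log lines quoted in the thread.
SAMPLE_LOG = """\
11/05/14 12:46:53 ii : matched ipsec-esp proposal #1 transform #1
11/05/14 12:46:53 ii : - transform = esp-aes
11/05/14 12:46:53 ii : - key length = 256 bits
11/05/14 12:46:53 ii : - encap mode = tunnel
11/05/14 12:46:53 ii : - msg auth = hmac-md5
11/05/14 12:46:53 ii : - pfs dh group = none
11/05/14 12:46:53 ii : - life seconds = 3600
11/05/14 12:46:53 ii : - life kbytes = 0
11/05/14 12:46:53 ii : phase2 ids accepted
11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
11/05/14 12:46:53 ii : phase2 sa established
11/05/14 12:46:53 ii : 192.168.0.161:500 <-> 173.164.101.125:500
"""

SELECTOR_RE = re.compile(r"ii : - (loc|rmt) (\S+) -> (\S+)")   # traffic selectors
ATTR_RE = re.compile(r"ii : - ([a-z ]+?) = (.+)$")             # "- key length = 256 bits"
ESTABLISHED = "ii : phase2 sa established"


def parse_selector(token):
    """Turn 'ANY:192.168.200.0/24:*' into (proto, network, port).
    Assumes IPv4, as in the thread; a bare address becomes a /32."""
    proto, addr, port = token.split(":", 2)
    return proto, ipaddress.ip_network(addr, strict=False), port


def parse_phase2(log_text):
    """Collect the negotiated transform attributes and the loc/rmt selectors."""
    info = {"established": False, "transform": {}, "loc": [], "rmt": []}
    for line in log_text.splitlines():
        if ESTABLISHED in line:
            info["established"] = True
            continue
        m = SELECTOR_RE.search(line)
        if m:
            side, src, dst = m.groups()
            info[side].append((parse_selector(src), parse_selector(dst)))
            continue
        m = ATTR_RE.search(line)
        if m:
            info["transform"][m.group(1).strip()] = m.group(2).strip()
    return info


def _covers(selector, src_ip, dst_ip):
    (_, src_net, _), (_, dst_net, _) = selector
    return src_ip in src_net and dst_ip in dst_net


def diagnose(log_text, src, dst):
    """Classify why a packet src -> dst might get no reply after phase 2.

    Returns one of: 'no-sa', 'outside-selector', 'no-return-selector', 'covered'.
    'covered' means IKE did its job and the fault lies elsewhere (ICMP filtering
    on the target, routing back to the client, etc.)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    info = parse_phase2(log_text)
    if not info["established"]:
        return "no-sa"
    if not any(_covers(sel, src_ip, dst_ip) for sel in info["loc"]):
        return "outside-selector"        # traffic never enters the tunnel
    if not any(_covers(sel, dst_ip, src_ip) for sel in info["rmt"]):
        return "no-return-selector"      # reply has no inbound policy to match
    return "covered"


if __name__ == "__main__":
    info = parse_phase2(SAMPLE_LOG)
    print("negotiated SA:", info["transform"])
    # 192.168.200.10 and 10.0.0.5 are constructed destinations for the demo.
    for src, dst in (("192.168.254.162", "192.168.200.10"),
                     ("192.168.254.162", "10.0.0.5"),
                     ("192.168.0.161", "192.168.200.10")):
        print(f"{src} -> {dst}: {diagnose(SAMPLE_LOG, src, dst)}")
```

Run it against a real iked.log by reading the file into `diagnose` in place of `SAMPLE_LOG`. If the result is `covered` for the host being pinged, the next checks are outside IKE: whether the target answers ICMP at all, and whether the far side has a route back to the virtual adapter address (192.168.254.162 here) rather than to the client's LAN address.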
