I am not able to ping the router. It is the device LAN IP address that I've been pinging (I've attempted other internal addresses as well) on the various subnets - office mode IP space, DMZ, and LAN. The ruleset for the firewall allows ICMP from any. I also played with the legacy rule to allow any encrypted, which shouldn't be necessary from what I've read, as the office mode IP has a bypass firewall configuration.
The checkpoint SecureClient and Endpoint clients work without issue.

On Sat, May 14, 2011 at 3:01 PM, Dale Marthaller <[email protected]> wrote:
> Are you able to ping the actual router using its LAN side IP address? It's
> possible that the internal host you are pinging is set to not respond to a
> ping or a firewall setting on one of the devices is blocking the ping.
>
> ----- Original Message -----
> From: Matthew Austin <[email protected]>
> Date: Saturday, May 14, 2011 12:57 pm
> Subject: Re: [vpn-help] Checkpoint NGX 8.2.39n - network access issue
> To: [email protected]
>
>> I've kept plugging away at this and have gone so far as to download
>> and work through some minor build issues with the head revision with
>> no real delta. I'm getting through phase 1 and when I ping an
>> internal host it initiates phase 2. The appliance reports in the log
>> that phase 2 negotiation completes successfully but the ping does not
>> return. Here is the iked.log debug output from when I initiate the
>> ping forward.
>>
>> 11/05/14 12:46:53 K< : recv pfkey ACQUIRE ESP message
>> 11/05/14 12:46:53 DB : policy found
>> 11/05/14 12:46:53 DB : policy found
>> 11/05/14 12:46:53 DB : tunnel found
>> 11/05/14 12:46:53 DB : new phase2 ( IPSEC initiator )
>> 11/05/14 12:46:53 DB : phase2 added ( obj count = 1 )
>> 11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
>> 11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
>> 11/05/14 12:46:53 DB : phase2 found
>> 11/05/14 12:46:53 ii : updated spi for 1 ipsec-esp proposal
>> 11/05/14 12:46:53 DB : phase1 found
>> 11/05/14 12:46:53 >> : hash payload
>> 11/05/14 12:46:53 >> : security association payload
>> 11/05/14 12:46:53 >> : - proposal #1 payload
>> 11/05/14 12:46:53 >> : -- transform #1 payload
>> 11/05/14 12:46:53 >> : -- transform #2 payload
>> 11/05/14 12:46:53 >> : -- transform #3 payload
>> 11/05/14 12:46:53 >> : -- transform #4 payload
>> 11/05/14 12:46:53 >> : -- transform #5 payload
>> 11/05/14 12:46:53 >> : -- transform #6 payload
>> 11/05/14 12:46:53 >> : -- transform #7 payload
>> 11/05/14 12:46:53 >> : -- transform #8 payload
>> 11/05/14 12:46:53 >> : -- transform #9 payload
>> 11/05/14 12:46:53 >> : -- transform #10 payload
>> 11/05/14 12:46:53 >> : -- transform #11 payload
>> 11/05/14 12:46:53 >> : -- transform #12 payload
>> 11/05/14 12:46:53 >> : -- transform #13 payload
>> 11/05/14 12:46:53 >> : -- transform #14 payload
>> 11/05/14 12:46:53 >> : -- transform #15 payload
>> 11/05/14 12:46:53 >> : -- transform #16 payload
>> 11/05/14 12:46:53 >> : -- transform #17 payload
>> 11/05/14 12:46:53 >> : -- transform #18 payload
>> 11/05/14 12:46:53 >> : -- transform #19 payload
>> 11/05/14 12:46:53 >> : -- transform #20 payload
>> 11/05/14 12:46:53 >> : -- transform #21 payload
>> 11/05/14 12:46:53 >> : -- transform #22 payload
>> 11/05/14 12:46:53 >> : -- transform #23 payload
>> 11/05/14 12:46:53 >> : -- transform #24 payload
>> 11/05/14 12:46:53 >> : -- transform #25 payload
>> 11/05/14 12:46:53 >> : -- transform #26 payload
>> 11/05/14 12:46:53 >> : -- transform #27 payload
>> 11/05/14 12:46:53 >> : -- transform #28 payload
>> 11/05/14 12:46:53 >> : -- transform #29 payload
>> 11/05/14 12:46:53 >> : -- transform #30 payload
>> 11/05/14 12:46:53 >> : -- transform #31 payload
>> 11/05/14 12:46:53 >> : -- transform #32 payload
>> 11/05/14 12:46:53 >> : -- transform #33 payload
>> 11/05/14 12:46:53 >> : -- transform #34 payload
>> 11/05/14 12:46:53 >> : -- transform #35 payload
>> 11/05/14 12:46:53 >> : -- transform #36 payload
>> 11/05/14 12:46:53 >> : -- transform #37 payload
>> 11/05/14 12:46:53 >> : -- transform #38 payload
>> 11/05/14 12:46:53 >> : -- transform #39 payload
>> 11/05/14 12:46:53 >> : -- transform #40 payload
>> 11/05/14 12:46:53 >> : -- transform #41 payload
>> 11/05/14 12:46:53 >> : -- transform #42 payload
>> 11/05/14 12:46:53 >> : -- transform #43 payload
>> 11/05/14 12:46:53 >> : -- transform #44 payload
>> 11/05/14 12:46:53 >> : -- transform #45 payload
>> 11/05/14 12:46:53 >> : nonce payload
>> 11/05/14 12:46:53 >> : identification payload
>> 11/05/14 12:46:53 >> : identification payload
>> 11/05/14 12:46:53 == : phase2 hash_i ( input ) ( 1460 bytes )
>> 11/05/14 12:46:53 == : phase2 hash_i ( computed ) ( 16 bytes )
>> 11/05/14 12:46:53 == : new phase2 iv ( 16 bytes )
>> 11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
>> 11/05/14 12:46:53 >= : message e75b342c
>> 11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
>> 11/05/14 12:46:53 == : encrypt packet ( 1504 bytes )
>> 11/05/14 12:46:53 == : stored iv ( 16 bytes )
>> 11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 -> 173.164.101.125:500 ( 1544 bytes )
>> 11/05/14 12:46:53 DB : phase2 resend event scheduled ( ref count = 2 )
>> 11/05/14 12:46:53 <- : recv IKE packet 173.164.101.125:500 -> 192.168.0.161:500 ( 172 bytes )
>> 11/05/14 12:46:53 DB : phase1 found
>> 11/05/14 12:46:53 ii : processing phase2 packet ( 172 bytes )
>> 11/05/14 12:46:53 DB : phase2 found
>> 11/05/14 12:46:53 =< : cookies f8d338c27cbb826c:2881de11b69d9df3
>> 11/05/14 12:46:53 =< : message e75b342c
>> 11/05/14 12:46:53 =< : decrypt iv ( 16 bytes )
>> 11/05/14 12:46:53 == : decrypt packet ( 172 bytes )
>> 11/05/14 12:46:53 <= : trimmed packet padding ( 16 bytes )
>> 11/05/14 12:46:53 <= : stored iv ( 16 bytes )
>> 11/05/14 12:46:53 << : hash payload
>> 11/05/14 12:46:53 << : security association payload
>> 11/05/14 12:46:53 << : - propsal #1 payload
>> 11/05/14 12:46:53 << : -- transform #1 payload
>> 11/05/14 12:46:53 << : nonce payload
>> 11/05/14 12:46:53 << : identification payload
>> 11/05/14 12:46:53 << : identification payload
>> 11/05/14 12:46:53 == : phase2 hash_r ( input ) ( 132 bytes )
>> 11/05/14 12:46:53 == : phase2 hash_r ( computed ) ( 16 bytes )
>> 11/05/14 12:46:53 == : phase2 hash_r ( received ) ( 16 bytes )
>> 11/05/14 12:46:53 ii : matched ipsec-esp proposal #1 transform #1
>> 11/05/14 12:46:53 ii : - transform = esp-aes
>> 11/05/14 12:46:53 ii : - key length = 256 bits
>> 11/05/14 12:46:53 ii : - encap mode = tunnel
>> 11/05/14 12:46:53 ii : - msg auth = hmac-md5
>> 11/05/14 12:46:53 ii : - pfs dh group = none
>> 11/05/14 12:46:53 ii : - life seconds = 3600
>> 11/05/14 12:46:53 ii : - life kbytes = 0
>> 11/05/14 12:46:53 DB : policy found
>> 11/05/14 12:46:53 K> : send pfkey GETSPI ESP message
>> 11/05/14 12:46:53 K< : recv pfkey GETSPI ESP message
>> 11/05/14 12:46:53 DB : phase2 found
>> 11/05/14 12:46:53 ii : phase2 ids accepted
>> 11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
>> 11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
>> 11/05/14 12:46:53 ii : phase2 sa established
>> 11/05/14 12:46:53 ii : 192.168.0.161:500 <-> 173.164.101.125:500
>> 11/05/14 12:46:53 == : phase2 hash_p ( input ) ( 45 bytes )
>> 11/05/14 12:46:53 == : phase2 hash_p ( computed ) ( 16 bytes )
>> 11/05/14 12:46:53 >> : hash payload
>> 11/05/14 12:46:53 >= : cookies f8d338c27cbb826c:2881de11b69d9df3
>> 11/05/14 12:46:53 >= : message e75b342c
>> 11/05/14 12:46:53 >= : encrypt iv ( 16 bytes )
>> 11/05/14 12:46:53 == : encrypt packet ( 48 bytes )
>> 11/05/14 12:46:53 == : stored iv ( 16 bytes )
>> 11/05/14 12:46:53 DB : phase2 resend event canceled ( ref count = 1 )
>> 11/05/14 12:46:53 -> : send IKE packet 192.168.0.161:500 -> 173.164.101.125:500 ( 88 bytes )
>> 11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
>> 11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
>> 11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
>> 11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
>> 11/05/14 12:46:53 == : spi cipher key data ( 32 bytes )
>> 11/05/14 12:46:53 == : spi hmac key data ( 16 bytes )
>> 11/05/14 12:46:53 K> : send pfkey UPDATE ESP message
>> 11/05/14 12:46:53 K< : recv pfkey UPDATE ESP message
>>
>> It feels like it is soooo close.
>>
>> On Wed, May 11, 2011 at 5:33 PM, Matthew Austin <[email protected]> wrote:
>> > Just a quick update that I downloaded and built 2.1.7 on ubuntu 11.04
>> > with no change. We've tested this with ubuntu 10.10 and 11.04 with
>> > the 2.1.5 packages. Let me know if you'd like to see some iked.log
>> > output.
>> >
>> > On Tue, May 10, 2011 at 10:52 PM, Matthew Austin <[email protected]> wrote:
>> >> Greetings,
>> >>
>> >> I followed the instructions at
>> >> http://www.shrew.net/support/wiki/HowtoCheckpoint
>> >>
>> >> shrew reports:
>> >> bringing up tunnel ...
>> >> network device configured
>> >> tunnel enabled
>> >>
>> >> so it would appear that I can connect to the device, authenticate, and
>> >> it pulls down an IP and all of that, but I can't ping any internal
>> >> network or even the gateway.
>> >>
>> >> I also applied the setting recommended here
>> >> http://lists.shrew.net/pipermail/vpn-help/2008-November/000950.html
>> >> just in case.
>> >>
>> >> Any help would be appreciated.
>> >>
>> >> Matthew
>> >
>> _______________________________________________
>> vpn-help mailing list
>> [email protected]
>> http://lists.shrew.net/mailman/listinfo/vpn-help
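An added diagnostic for the kind of trace quoted in this thread; it is not part of the thread or of the Shrew Soft client. It parses the phase 2 section of an iked.log debug trace (the sample below is a constructed excerpt that reuses the selector and transform values shown in the log) and reports whether a given source/destination pair falls inside the accepted local selector, which is what decides whether a ping is handed to the ESP SA at all rather than leaving in the clear or being dropped by kernel policy.

```python
import ipaddress
import re

# Constructed excerpt in the format of the iked.log lines quoted in this
# thread; the selectors and transform values are the ones the log shows.
SAMPLE_LOG = """\
11/05/14 12:46:53 ii : - transform = esp-aes
11/05/14 12:46:53 ii : - key length = 256 bits
11/05/14 12:46:53 ii : - encap mode = tunnel
11/05/14 12:46:53 ii : - msg auth = hmac-md5
11/05/14 12:46:53 ii : - pfs dh group = none
11/05/14 12:46:53 ii : phase2 ids accepted
11/05/14 12:46:53 ii : - loc ANY:192.168.254.162:* -> ANY:192.168.200.0/24:*
11/05/14 12:46:53 ii : - rmt ANY:192.168.200.0/24:* -> ANY:192.168.254.162:*
11/05/14 12:46:53 ii : phase2 sa established
"""

# Selector lines look like "- loc PROTO:ADDR[/len]:PORT -> PROTO:ADDR[/len]:PORT"
SEL_RE = re.compile(
    r"ii : - (loc|rmt) \w+:([\d.]+(?:/\d+)?):\S+ -> \w+:([\d.]+(?:/\d+)?):\S+")
PARAM_RE = re.compile(r"ii : - ([a-z][a-z ]+?) = (.+)$")

def parse_phase2(log_text):
    """Collect the negotiated transform and the accepted traffic selectors
    from the phase 2 part of an iked.log debug trace."""
    sa = {"params": {}, "loc": None, "rmt": None, "established": False}
    for line in log_text.splitlines():
        m = SEL_RE.search(line)
        if m:  # src_net -> dst_net as seen from this side of the tunnel
            side, src, dst = m.groups()
            sa[side] = (ipaddress.ip_network(src, strict=False),
                        ipaddress.ip_network(dst, strict=False))
            continue
        m = PARAM_RE.search(line)
        if m:
            sa["params"][m.group(1)] = m.group(2)
        elif "phase2 sa established" in line:
            sa["established"] = True
    return sa

def sa_covers(sa, src_ip, dst_ip):
    """True only if a packet src_ip -> dst_ip matches the local selector,
    i.e. the kernel policy would hand it to this ESP SA at all."""
    if not sa["established"] or sa["loc"] is None:
        return False
    src_net, dst_net = sa["loc"]
    return (ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net)
```

With the quoted log the accepted selector is 192.168.254.162 -> 192.168.200.0/24, so a ping to an address on any other subnet never enters this SA and should be ruled out before looking at the gateway's rulebase. The parsed params also put the negotiated hmac-md5 integrity and the absent PFS group in one place for review.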
