Hi,

I tried to use the sec client from Checkpoint on a Windows machine
to reach a Checkpoint FW remotely. On my side pf is running.
The sec client machine has 10.1.1.12 as its IP.
Packets to 10.1.1.12 have an incorrect checksum because I enabled
checksum offloading on the pf machine.

I didn't capture packets back from the remote site, but phase 1 is
completing; at phase two it goes wrong. The Windows client machine
10.1.1.12 is sending fragments. One of these fragments isn't good enough
and the pf machine sends an ICMP type 3 code 1 back.

(btw I have in my pf.conf:

scrub on $ext_if all fragment reassemble reassemble tcp random-id)

18:46:54.582596 10.1.1.1 > 10.1.1.12: icmp: host
213.133.51.82 unreachable for 10.1.1.12.1043 > 213.133.51.82.500:
[|isakmp] (frag 2105:[EMAIL PROTECTED]) (ttl 127, len 1500, bad cksum f8f3)

I have the complete trace attached.
Is the problem an incorrect packet from 10.1.1.12?
Bye,

Mipam.

18:46:54.422934 10.1.1.12.1043 > 213.133.51.82.500: [udp sum ok] isakmp 1.0 msgid 
00000000 cookie ff4b138f02d5925e->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=6
            (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash 
value=sha1)(type=auth value=rsa sig)(type=group desc value=modp1024)(type=lifetype 
value=sec)(type=lifeduration len=4 value=00015180))
            (t: #2 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash 
value=md5)(type=auth value=rsa sig)(type=group desc value=modp1024)(type=lifetype 
value=sec)(type=lifeduration len=4 value=00015180))
            (t: #3 id=ike (type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024)(type=lifetype 
value=sec)(type=lifeduration len=4 value=00015180))
            (t: #4 id=ike (type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)(type=lifetype 
value=sec)(type=lifeduration len=4 value=00015180))
            (t: #5 id=ike (type=enc value=1des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024)(type=lifetype 
value=sec)(type=lifeduration len=4 value=00015180))
            (t: #6 id=ike (type=enc value=1des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)(type=lifetype 
value=sec)(type=lifeduration len=4 value=00015180))))
    (vid: len=40 
f4ed19e0c114eb516faaac0ee37daf2807b4381f000000020000138e000000000000000018200000) (ttl 
128, id 2091, len 344)
18:46:54.507072 10.1.1.12.1043 > 213.133.51.82.500: [udp sum ok] isakmp 1.0 msgid 
00000000 cookie ff4b138f02d5925e->1a9ab49847382ea6: phase 1 I ident:
    (ke: key len=128 
e7ec4d1d0e67dab497555dc0ee820f29f4bc3f3c1461683c09d55cf08090b170b77e622102c8620fba6ff8d1c74d350037fbd2ab43d638151374d76e8ad8bd536e25ad89583b7878ad748852b641027cd151cabd2fe22f45ed84ac86b2d0ac939d3143b5055497514cef01628a3998774185d048610ce44429c6aaef5746615a)
    (nonce: n len=20 7c55cef4cb5a7f76d60094757eb99e5d16979eec)
    (cr: len=29 type=x509sign 
04301a31183016060355040a130f726c64667730312e2e6f3270756771)
    (cr: len=1 type=x509sign 04) (ttl 128, id 2100, len 250)
18:46:54.582540 10.1.1.12.1043 > 213.133.51.82.500: [bad udp cksum 9951!] isakmp 1.0 
msgid 00000000 cookie ff4b138f02d5925e->1a9ab49847382ea6: phase 1 I ident[E]: 
[encrypted id] (len mismatch: isakmp 1740/ip 1472) (frag 2105:[EMAIL PROTECTED]) (ttl 
128, len 1500)
18:46:54.582551 10.1.1.12 > 213.133.51.82: udp (frag 2105:[EMAIL PROTECTED]) (ttl 128, 
len 288)
18:46:54.582596 10.1.1.1 > 10.1.1.12: icmp: host 213.133.51.82 unreachable for 
10.1.1.12.1043 > 213.133.51.82.500: [|isakmp] (frag 2105:[EMAIL PROTECTED]) (ttl 127, 
len 1500, bad cksum f8f3 (->f8f2)!) (ttl 255, id 10280, len 56, bad cksum 0 
(->ffff7183)!)
0x0000   4500 0038 2828 0000 ff01 0000 0a01 0101        E..8((..........
0x0010   0a01 010c 0301 781f 0000 0000 4500 05dc        ......x.....E...
0x0020   0839 2000 7f11 f8f3 0a01 010c d585 3352        .9............3R
0x0030   0413 01f4 06d4 7904                            ......y.
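As an added check (my own example, not part of Mipam's post or of pf), the RFC 1071 checksum arithmetic run over the hex dump of the ICMP packet above. It shows the outer IPv4 header carries checksum field 0000, left for the NIC to fill in, which is exactly what checksum offloading looks like in a capture on the sending host, and that the f8f3 in the quoted inner header is the correct value for the fragment as the client sent it with TTL 128; it only fails to verify once the TTL has been decremented to 127 in the quoted copy. The only input is the dump copied from the post.

```python
"""Verify the IPv4 header checksums in the tcpdump -x dump of the ICMP error."""
import re

# Hex dump of the ICMP "host unreachable" packet, copied from the post above.
HEXDUMP = """\
0x0000   4500 0038 2828 0000 ff01 0000 0a01 0101        E..8((..........
0x0010   0a01 010c 0301 781f 0000 0000 4500 05dc        ......x.....E...
0x0020   0839 2000 7f11 f8f3 0a01 010c d585 3352        .9............3R
0x0030   0413 01f4 06d4 7904                            ......y.
"""

def parse_hexdump(text):
    """Turn tcpdump -x lines into bytes, dropping the offset and ASCII columns."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"0x[0-9a-f]{4}\s+((?:[0-9a-f]{4}(?: |$)){1,8})", line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def ones_complement_sum(data):
    """RFC 1071 one's-complement sum of 16-bit big-endian words (even-length data)."""
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ip_header_checksum(header):
    """Checksum the sender should put in bytes 10-11 of a 20-byte IPv4 header."""
    return 0xFFFF ^ ones_complement_sum(header[:10] + b"\x00\x00" + header[12:])

def header_is_valid(header):
    """A header verifies when the sum over all its words, checksum included, is 0xffff."""
    return ones_complement_sum(header) == 0xFFFF

def analyse(packet):
    """Check the outer header (10.1.1.1 -> 10.1.1.12) and the header quoted inside the ICMP."""
    outer = packet[0:20]                     # IPv4 header of the ICMP error itself
    inner = packet[28:48]                    # quoted fragment header, after the 8-byte ICMP header
    as_sent = inner[:8] + bytes([128]) + inner[9:]   # same header with the TTL the client used (128)
    return {
        "outer_field": int.from_bytes(outer[10:12], "big"),   # 0: left for the NIC (checksum offload)
        "outer_valid": header_is_valid(outer),
        "outer_expected": ip_header_checksum(outer),
        "inner_ttl_quoted": inner[8],                         # 127: one hop after the client's 128
        "inner_field": int.from_bytes(inner[10:12], "big"),   # 0xf8f3, as the client sent it
        "inner_valid_as_quoted": header_is_valid(inner),
        "inner_valid_at_ttl128": header_is_valid(as_sent),
    }
```

Calling `analyse(parse_hexdump(HEXDUMP))` reports `outer_field` 0 and `outer_valid` False (the offload artifact), `inner_valid_as_quoted` False but `inner_valid_at_ttl128` True, so the client's own fragment header was well-formed.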
