
Re: [FW1] Invalid Cookie



Gus,
The cookie that is off is the timeliness cookie, designed to validate that the VPN
connection is not a replay of a previous session.  Phase 2 stage 0 indicates that
Alcatel is not holding the phase 1 cookie going into the SA establishment.  I've
seen this problem before where a unidirectional tunnel was possible because of
incompatibility in VPN code.  However, since Alcatel and Check Point are both IPSec
1.0a certified, I would be more inclined to suspect that the Alcatel side is using
perfect forward secrecy with a low re-key interval.  This would mean that Check
Point does not invalidate the session, but that the remote side initiates an SA
renewal request, using a completely different set of parameters upon each rekey,
whereas the Check Point is probably not configured for PFS, and thus reuses the old
Skey_id_r, id_e, and id_a.
For a solution, I would look closely at the details of the Alcatel side connection,
and then check the Policy->Properties->Encryption and look for the IPSEC
renegotiation interval.

Although suspicion has it that it will be a PFS issue.

Just a guess,
CryptoTech

Gus Reyes wrote:

> I set up VPN between Checkpoint and Alcatel systems using IKE, MD5, Shared
> Secret.  So far, only CP to Alcatel connections work, not vice versa.  Log
> viewer in CP shows successful key installs - phase 1 and phase 2.  I see
> encrypted packets going out and can even see a server behind the alcatel.
> Ten minutes after key exchange, I get the following: 'IKE Log: Sent
> Notification: invalid cookie <phase2 stage0>'. Remote end does not find my
> server.  Despite this error, I can still VPN connect with Alcatel.  Not the
> other way around.  Any ideas???
>
> Thanks
>
> Gus
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
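As an added illustration (not part of either message in this thread) of the check behind an "invalid cookie" notification: a responder parses the fixed ISAKMP header (RFC 2408) of each datagram and only accepts a quick mode (phase 2) message whose initiator/responder cookie pair matches a phase 1 SA it still holds; a peer that has re-keyed phase 1 under new cookies, as suspected above, fails that check. The datagrams, cookie values and the CookieTracker class are constructed for this example.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 section 3.1, 28 bytes
EXCH_MAIN_MODE = 2    # identity protection exchange (phase 1)
EXCH_QUICK_MODE = 32  # quick mode (phase 2)
NO_COOKIE = bytes(8)  # responder cookie is all zeros in the first phase 1 message

def parse_isakmp_header(data: bytes) -> dict:
    """Return the fixed ISAKMP header fields of one UDP/500 datagram."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {"icookie": icky, "rcookie": rcky, "next_payload": nxt,
            "version": (ver >> 4, ver & 0xF), "exchange": exch,
            "flags": flags, "msg_id": msg_id, "length": length}

def build_isakmp_header(icookie, rcookie, exch, msg_id=0):
    """Constructed header-only datagram for the sample below (no payloads)."""
    return ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, exch, 0, msg_id, ISAKMP_HDR.size)

class CookieTracker:
    """Remembers completed phase 1 cookie pairs and validates quick mode
    messages against them, as a responder does before accepting a phase 2 SA."""
    def __init__(self):
        self.phase1 = set()

    def observe(self, data: bytes) -> str:
        hdr = parse_isakmp_header(data)
        key = (hdr["icookie"], hdr["rcookie"])
        if hdr["exchange"] == EXCH_MAIN_MODE:
            if key[1] != NO_COOKIE:      # both cookies set: phase 1 SA in place
                self.phase1.add(key)
            return "phase1-sa"
        if hdr["exchange"] == EXCH_QUICK_MODE:
            return "phase2-ok" if key in self.phase1 else "phase2-invalid-cookie"
        return "other"

def diagnose(datagrams) -> list:
    """Classify datagrams in arrival order; one label per datagram."""
    tracker = CookieTracker()
    return [tracker.observe(d) for d in datagrams]

# Constructed sample: phase 1 under cookies A/B, a quick mode under A/B, then a
# quick mode under A/C after the peer re-keyed phase 1 without this side noticing.
A, B, C = b"\x11" * 8, b"\x22" * 8, b"\x33" * 8
SAMPLE = [
    build_isakmp_header(A, B, EXCH_MAIN_MODE),
    build_isakmp_header(A, B, EXCH_QUICK_MODE, msg_id=0x1234),
    build_isakmp_header(A, C, EXCH_QUICK_MODE, msg_id=0x5678),
]

if __name__ == "__main__":
    for label in diagnose(SAMPLE):
        print(label)
```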


