
RE: [FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and FW1 SP2 on NT



Hi,
 
I am also using a Nokia product. How can you obtain such a detailed log, in particular the IPSEC information? How can I obtain this kind of data from CP?
 
Please indicate.
 
Thanks in advance.
 
 
Best regards,
 
maritn
-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Scott Hunter
Sent: Thursday, February 15, 2001 11:40 PM
To: Fw-1-Mailinglist (E-mail)
Subject: [FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and FW1 SP2 on NT

    I am trying to set up a VPN using a Nokia CC 500 and FW1.  I'm using IKE and pre-shared secrets.  The tunnel works in one direction, from the network behind the Nokia to the network behind the FW1 machine, but when I attempt to access the network behind the Nokia CC 500 from the network behind the FW1, it fails and I get the following on the CC 500 console (some IPs changed to protect the innocent):
 
Thu Feb 15 15:16:18 2001 (IPSEC)-ERR: key_find_responder_policy: matching outbound selector not found
Thu Feb 15 15:16:18 2001 (IKE)-ERR: receive: failed to locate QM responder policy
 
then:
 
Thu Feb 15 15:16:43 2001 (IKE)-AUDIT: IKE SA deleted for 123.123.123.66 (123.123.123.66)
Thu Feb 15 15:16:43 2001 (IKE)-NOTICE: process_sa: no proposal chosen
 
Then the tunnel goes down and does not come back up until traffic goes from the network behind the Nokia CC 500 to the network behind the FW1 box.
 
When it is up, IPSEC looks like this:
IPSec Security Associations:
 
  spi:                     ffff3c00 <- ffff1d87
  source address:          123.123.123.66
  destination address:     123.123.123.80
  client identity:         10.10/24
  type:                    esp
  integrity algorithm:     md5 (128 bits)
  secrecy algorithm:       3des (192 bits)
  flags:                   inbound,initiator,tunnel
  lifetime:                60 minutes
  time-to-live:            59 minutes
  traffic:                 848 bytes
 
  spi:                     ffff1d87 -> ffff3c00 (1)
  source address:          123.123.123.80
  destination address:     123.123.123.66
  client identity:         10/24
  type:                    esp
  integrity algorithm:     md5 (128 bits)
  secrecy algorithm:       3des (192 bits)
  flags:                   outbound,initiator,tunnel
  lifetime:                60 minutes
  time-to-live:            59 minutes
  traffic:                 632 bytes
 
and IKE looks like this:
 
IKE Security Associations:
 
  sequence:                2b
  state:                   MM_IDLE
  flags:                   outbound,valid
  source:                  123.123.123.80
  destination:             123.123.123.66
  peer identity:           fqdn.domain.com
  oakley group:            modp-768
  encryption algorithm:    3des
  hash algorithm:          md5
  authentication method:   pre-shared key
  associations:            2
  lifetime:                8 hours
  time-to-live:            7 hours
 
 
 
It's also really slow.  Anyone out there have any experience with the Nokia CC 500 that they would like to share?
 
Scott
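
An added example, not part of either poster's message and not Nokia or Check Point tooling: it parses the CC 500 console line format quoted above and pairs each "failed to locate QM responder policy" error with the next "IKE SA deleted" audit line, so the failing peer and the delay before teardown can be read from a longer log. The function names and the 60-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four console lines quoted in the post, in order.
SAMPLE = """\
Thu Feb 15 15:16:18 2001 (IPSEC)-ERR: key_find_responder_policy: matching outbound selector not found
Thu Feb 15 15:16:18 2001 (IKE)-ERR: receive: failed to locate QM responder policy
Thu Feb 15 15:16:43 2001 (IKE)-AUDIT: IKE SA deleted for 123.123.123.66 (123.123.123.66)
Thu Feb 15 15:16:43 2001 (IKE)-NOTICE: process_sa: no proposal chosen
"""

# "<ctime-style timestamp> (<SUBSYSTEM>)-<LEVEL>: <message>", as shown in the post.
LINE = re.compile(r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) "
                  r"\((?P<subsys>\w+)\)-(?P<level>\w+): (?P<msg>.*)$")
REJECTED = "failed to locate QM responder policy"
DELETED = re.compile(r"IKE SA deleted for (\S+)")

def parse(text):
    """Turn console lines into dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ev = m.groupdict()
            # %a/%b are locale-dependent; this assumes English day/month names.
            ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
            events.append(ev)
    return events

def failed_responder_negotiations(events, window=timedelta(seconds=60)):
    """Pair each responder-policy error with the next IKE SA deletion in `window`."""
    findings = []
    for i, ev in enumerate(events):
        if REJECTED not in ev["msg"]:
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # assumed window exceeded: treat as unrelated
            hit = DELETED.search(later["msg"])
            if hit:
                findings.append({"peer": hit.group(1), "rejected_at": ev["ts"],
                                 "seconds_to_delete": (later["ts"] - ev["ts"]).total_seconds()})
                break
    return findings

if __name__ == "__main__":
    for f in failed_responder_negotiations(parse(SAMPLE)):
        print(f)
```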
 


 
   All contents © 2004 Network Presence, LLC. All rights reserved.