
RE: [FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and FW1 SP2 on NT



The problem is indeed with key lifetime differences.

FW-1 typically sets the expiry time for an IKE negotiation to 1 week, whereas
a Cisco can't go that high!! IPSEC is usually 3600 seconds by default on
both.

Change the setting in the policy encryption properties from 10800 minutes
for IKE to something like 1440 minutes (1 day) and check that the Cisco (PIX or
router) is the same.

The Check Point website has a couple of useful documents in the public
configuration docs section for doing this type of VPN, but I can't remember
if they mention these settings explicitly or not.

Jim

==================================================================
Jim Sweeting		
Consultant
Optimation NZ Ltd
43 College Hill Road
PO Box 106104
Auckland		

d.	+64 9 307 5566
p.	+64 9 309 7918
f.	+64 9 309 7919
m.	+64 25 582047
e.	[email protected]

This e-mail contains proprietary information some or all of which may be
legally privileged. It is for the intended recipient only. If you receive
this email in error, please notify the sender immediately and permanently
delete this email. If you are not the intended recipient you must not use,
disclose, distribute, copy or print this e-mail.

-----Original Message-----
From: 	Byoung Sun Yu [mailto:[email protected]] 
Sent:	Friday, 16 February 2001 7:08 p.m.
To:	[email protected]; [email protected]
Subject:	RE: [FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and FW1 SP2 on NT


What typically causes the problem is a key lifetime difference. If it works
one way from Cisco to FW-1, then most of the IKE/IPSec options are agreeable
between them. The problem is when FW-1 initiates the tunnel: Cisco is very picky,
so it does not accept the proposal if the key lifetime is different from
its own setting. But this is not the case in the opposite direction. CP FW-1
does not care if there is a difference and can accept it.

HTH,

Sun Yu, CISSP, CCSE
Lucent Worldwide Services

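The asymmetry described above (strict responder rejects a differing lifetime, lenient responder accepts it) and the fix Jim gives (align the IKE lifetime on both peers) can be shown with a small negotiation model. This is an added example constructed for this archive page; it is not code from Check Point, Cisco or Nokia, and the `Peer`, `IkeProposal` and `respond` names, the `strict_lifetime` flag and the 480-minute value on the strict side are all assumptions. The 10800-minute value is the FW-1 default Jim quotes.

```python
# Model of how an IKE responder's treatment of the SA lifetime attribute
# decides whether a tunnel comes up in each direction.
# Constructed example for this thread; not vendor code.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IkeProposal:
    """Phase 1 (main mode) transform as offered by an initiator."""
    encryption: str        # e.g. "3des"
    hash_alg: str          # e.g. "md5"
    auth: str              # e.g. "pre-shared key"
    dh_group: str          # e.g. "modp-768"
    lifetime_minutes: int  # the attribute the thread is about


@dataclass(frozen=True)
class Peer:
    name: str
    config: IkeProposal
    # True: reject any offered lifetime that differs from the local one
    # (the "picky" behaviour attributed to Cisco in the thread).
    # False: accept and use the shorter of the two (the FW-1 behaviour).
    strict_lifetime: bool


def transforms_match(a: IkeProposal, b: IkeProposal) -> bool:
    """Everything except lifetime must agree, or no proposal is chosen."""
    return (a.encryption, a.hash_alg, a.auth, a.dh_group) == \
           (b.encryption, b.hash_alg, b.auth, b.dh_group)


def respond(responder: Peer, offered: IkeProposal) -> tuple[bool, str]:
    """Return (accepted, message) for one proposal arriving at a responder."""
    local = responder.config
    if not transforms_match(local, offered):
        return False, "NO_PROPOSAL_CHOSEN (transform mismatch)"
    if offered.lifetime_minutes == local.lifetime_minutes:
        return True, f"SA established, lifetime {local.lifetime_minutes} min"
    if responder.strict_lifetime:
        return False, (f"NO_PROPOSAL_CHOSEN (offered lifetime "
                       f"{offered.lifetime_minutes} min != local "
                       f"{local.lifetime_minutes} min)")
    agreed = min(offered.lifetime_minutes, local.lifetime_minutes)
    return True, f"SA established, lifetime {agreed} min (shorter of the two)"


def negotiate(initiator: Peer, responder: Peer) -> tuple[bool, str]:
    """Initiator offers its own configured proposal to the responder."""
    return respond(responder, initiator.config)


def check_both_directions(a: Peer, b: Peer) -> dict[str, bool]:
    """Map 'initiator->responder' to whether the tunnel would come up."""
    return {
        f"{a.name}->{b.name}": negotiate(a, b)[0],
        f"{b.name}->{a.name}": negotiate(b, a)[0],
    }


def apply_fix(peer: Peer, lifetime_minutes: int = 1440) -> Peer:
    """Jim's fix: set the IKE lifetime to the same value on both sides."""
    return replace(peer, config=replace(peer.config, lifetime_minutes=lifetime_minutes))


# Constructed scenario: same transforms everywhere, lifetimes differ.
BASE = IkeProposal("3des", "md5", "pre-shared key", "modp-768", lifetime_minutes=1440)
FW1 = Peer("fw1", replace(BASE, lifetime_minutes=10800), strict_lifetime=False)  # FW-1 default from the thread
PIX = Peer("pix", replace(BASE, lifetime_minutes=480), strict_lifetime=True)     # constructed strict peer


if __name__ == "__main__":
    # Before the fix: only the pix-initiated direction works.
    for direction, ok in check_both_directions(FW1, PIX).items():
        print(f"{direction}: {'up' if ok else 'down'}")
    print(negotiate(FW1, PIX)[1])
    # After aligning lifetimes to 1440 minutes, both directions come up.
    for direction, ok in check_both_directions(apply_fix(FW1), apply_fix(PIX)).items():
        print(f"{direction} after fix: {'up' if ok else 'down'}")
```

The one-direction symptom in the thread (works from behind the strict peer, fails from behind the lenient one) falls out of `respond`: the lenient peer, as responder, takes the shorter lifetime, while the strict peer answers the long lifetime with a no-proposal-chosen notify. Making `check_both_directions` return all-true after `apply_fix` is the configuration check worth running before blaming either box.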

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of
> [email protected]
> Sent: Thursday, February 15, 2001 4:04 PM
> To: [email protected]
> Subject: RE: [FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and
> FW1 SP2 on NT
>
>
>
> Hi Scott,
>
> We experienced exactly the same behaviour when trying to connect a VPN-1
> to a Cisco PIX with IKE and pre-shared secrets some months ago.
> That is, the VPN worked when going from behind the PIX, but when trying
> to go from behind the VPN-1 to the PIX, we got exactly the same errors as
> you describe here Scott, that is they don't seem to be able to agree on
> SA!!!
> We wrote it off as being a Cisco problem and got ourselves another small
> PIX (yeah I know, it's a bad bad thing ;-) ) to terminate this particular
> VPN.
>
> But seeing this I'm beginning to wonder if this might be a VPN-1
> problem; anyone else seen this??
>
> Arnor Arnason
> [email protected]
> EJS
> Iceland
>
>
> Date: Thu, 15 Feb 2001 10:39:46 -0500
> From: Scott Hunter <[email protected]>
> Subject: [FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and FW1 SP2 on NT
>
>     I am trying to set up a VPN using a Nokia CC 500 and FW1.  I'm using IKE
> and pre-shared secrets.  The tunnel works in one direction, from the network
> behind the Nokia to the network behind the FW1 machine, but when I attempt
> to access the network behind the Nokia CC 500 from the network behind the
> FW1, it fails and I get the following on the CC 500 console (some IPs
> changed to protect the innocent):
>
> Thu Feb 15 15:16:18 2001 (IPSEC)-ERR: key_find_responder_policy: matching outbound selector not found
> Thu Feb 15 15:16:18 2001 (IKE)-ERR: receive: failed to locate QM responder policy
>
> then:
>
> Thu Feb 15 15:16:43 2001 (IKE)-AUDIT: IKE SA deleted for 123.123.123.66 (123.123.123.66)
> Thu Feb 15 15:16:43 2001 (IKE)-NOTICE: process_sa: no proposal chosen
>
> Then the tunnel goes down and does not come back up until traffic goes from
> the network behind the Nokia CC 500 to the network behind the FW1 box.
>
> When it is up, IPSEC looks like this:
>
> IPSec Security Associations:
>
>   spi:                     ffff3c00 <- ffff1d87
>   source address:          123.123.123.66
>   destination address:     123.123.123.80
>   client identity:         10.10/24
>   type:                    esp
>   integrity algorithm:     md5 (128 bits)
>   secrecy algorithm:       3des (192 bits)
>   flags:                   inbound,initiator,tunnel
>   lifetime:                60 minutes
>   time-to-live:            59 minutes
>   traffic:                 848 bytes
>
>   spi:                     ffff1d87 -> ffff3c00 (1)
>   source address:          123.123.123.80
>   destination address:     123.123.123.66
>   client identity:         10/24
>   type:                    esp
>   integrity algorithm:     md5 (128 bits)
>   secrecy algorithm:       3des (192 bits)
>   flags:                   outbound,initiator,tunnel
>   lifetime:                60 minutes
>   time-to-live:            59 minutes
>   traffic:                 632 bytes
>
> and IKE looks like this:
>
> IKE Security Associations:
>
>   sequence:                2b
>   state:                   MM_IDLE
>   flags:                   outbound,valid
>   source:                  123.123.123.80
>   destination:             123.123.123.66
>   peer identity:           fqdn.domain.com
>   oakley group:            modp-768
>   encryption algorithm:    3des
>   hash algorithm:          md5
>   authentication method:   pre-shared key
>   associations:            2
>   lifetime:                8 hours
>   time-to-live:            7 hours
>
>
>
> It's also really slow.  Anyone out there have any experience with the Nokia
> CC 500 that they would like to share?
>
> Scott
>
>
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
