
Re: [FW1] VPN FW1->PIX, IKE Phase1 Stage2 Problem



Cedric,
IKE consists of two official phases,
Phase one is a three or six packet handshake that negotiates 4 keys skey_id,
skey_id_r, skeyid_a, and skeyid_e.

In phase one stage one, assuming aggressive mode (you did not specify, but unless
you disabled it on fw1 it is probably what you are using), Station A sends a proposal,
as well as a dh key, along with a time-sensitive cookie, to the remote host.
The proposal contains suggestions for the transform to be used in subsequent
ike negotiations, i.e. 3des/sha1, des/md5, etc.

Station B responds to A with a dh key, the originating cookie, along with a new
cookie initiated by station b.  The transform response is encrypted using a
derivative of the dh key exchange producing the 4 keys mentioned earlier.  Skey_id
is the root key for subsequent ike negotiation, skeyid_r is a root key to be used
for SA negotiations (phase 2), skeyid_a for header authentication, and skeyid_e for
the actual ike packet encryption.

Station A will then send an ACK packet using both cookies and encrypting the ack
using the negotiated skeyid.

Some places to look:  check out the encrypt rule on the firewall to make sure that
the actual rule properties lock you into des (if that is your transform of choice).
Also, you may consider forcing the use of Main mode, as I have heard of problems
with the cookie time format between Check Point and Cisco.

This one sounds intriguing,
Let me know if I can be of further help,
CryptoTech

Cedric wrote:

> Hello
>
>      We have a problem with setting up a VPN between FW1 (4.1 SP3 on
>      Solaris) and a Cisco PIX firewall.
>
>      We see such entries in the logs
>      "IKE Log: Sent Notification: no proposal chosen <phase1 stage2>
>       Negotiation Id: 6t3zd51f68z41a5f-cba186ade992a71f"
>
>      I can see two related mails in the archives, one suggests adding
>      "3DES" in the objects for both entries (we use DES); this
>      completely screwed up the VPN (which might indicate a problem).
>           We didn't "send" such messages anymore, but the remote
>           host did (that's what the logs say).
>
>      Anyone know what this "phase1 stage2" actually is?
>      How can I solve this problem?
>      We have idea how the PIX is set up, but it has been set up
>      according to the CKP pdf documents.
>
>      Thanks in advance for any pointer.
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
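The handshake CryptoTech describes above, together with the "no proposal chosen" condition Cedric is logging, as an added Python model that is not part of the original thread and is not Check Point or Cisco code. The key derivation follows RFC 2409 section 5 for pre-shared-key authentication (the RFC names the four keys SKEYID, SKEYID_d, SKEYID_a and SKEYID_e; the post's skeyid_r is the Phase 2 seed the RFC calls SKEYID_d). The Diffie-Hellman group, the identities fw1.example / pix.example and the transform tuples are constructed toy values so the script runs offline.

```python
"""Simplified IKEv1 Phase 1 aggressive-mode model with pre-shared-key auth.

Added illustration, not code from the thread, Check Point, or Cisco.
Key derivation and authenticator layout follow RFC 2409 section 5; the
Diffie-Hellman group, identities and transform tables are constructed
toy values (labelled below).
"""
import hashlib
import hmac
import os

HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}

# Constructed toy DH group: 2^64 - 59 is prime, but this is NOT a real IKE
# group (those start at 768 bits); it only keeps the example readable.
TOY_P = 0xFFFFFFFFFFFFFFC5
TOY_G = 2
ID_I = b"fw1.example"   # hypothetical identities (IDii_b / IDir_b)
ID_R = b"pix.example"


def prf(hash_name, key, data):
    """IKEv1 prf is HMAC keyed with the negotiated hash algorithm."""
    return hmac.new(key, data, HASHES[hash_name]).digest()


def choose_proposal(offered, accepted):
    """Responder picks the first offered (enc, hash) pair it is configured for.

    Returning None is exactly the situation behind a "no proposal chosen"
    notification: neither box is broken, their transform sets simply do not
    intersect (e.g. DES-only on one side, 3DES-only on the other).
    """
    for transform in offered:
        if transform in accepted:
            return transform
    return None


def derive_keys(hash_name, psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 section 5 key material for pre-shared-key authentication."""
    skeyid = prf(hash_name, psk, ni + nr)                                   # root key
    skeyid_d = prf(hash_name, skeyid, g_xy + cky_i + cky_r + b"\x00")            # Phase 2 seed
    skeyid_a = prf(hash_name, skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")  # integrity
    skeyid_e = prf(hash_name, skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")  # encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def dh_private():
    """Random exponent in [2, p-2], toy-sized to match TOY_P."""
    return int.from_bytes(os.urandom(8), "big") % (TOY_P - 3) + 2


def aggressive_mode(psk_i, psk_r, initiator_offer, responder_accepts):
    """Run the three aggressive-mode packets and report the outcome.

    psk_i / psk_r are the pre-shared keys configured on each box; they should
    be identical, and the model shows the distinct failure when they are not.
    """
    sa_i = repr(initiator_offer).encode()  # stands in for the SA payload bytes (SAi_b)

    # Packet 1 (I -> R): CKY-I, proposal list, g^xi, nonce Ni, IDii.
    cky_i, ni, xi = os.urandom(8), os.urandom(16), dh_private()
    g_xi = pow(TOY_G, xi, TOY_P).to_bytes(8, "big")

    # Packet 2 (R -> I): the responder must commit to one transform first.
    chosen = choose_proposal(initiator_offer, responder_accepts)
    if chosen is None:
        return {"status": "NO_PROPOSAL_CHOSEN", "offered": initiator_offer,
                "accepted": responder_accepts}
    _enc, hash_name = chosen
    cky_r, nr, xr = os.urandom(8), os.urandom(16), dh_private()
    g_xr = pow(TOY_G, xr, TOY_P).to_bytes(8, "big")
    g_xy_r = pow(int.from_bytes(g_xi, "big"), xr, TOY_P).to_bytes(8, "big")
    keys_r = derive_keys(hash_name, psk_r, ni, nr, g_xy_r, cky_i, cky_r)
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    hash_r = prf(hash_name, keys_r["SKEYID"], g_xr + g_xi + cky_r + cky_i + sa_i + ID_R)

    # Initiator derives its own copy of the keys and checks HASH_R.
    g_xy_i = pow(int.from_bytes(g_xr, "big"), xi, TOY_P).to_bytes(8, "big")
    keys_i = derive_keys(hash_name, psk_i, ni, nr, g_xy_i, cky_i, cky_r)
    expect_r = prf(hash_name, keys_i["SKEYID"], g_xr + g_xi + cky_r + cky_i + sa_i + ID_R)
    if not hmac.compare_digest(hash_r, expect_r):
        return {"status": "AUTH_FAILED", "transform": chosen}  # PSK mismatch, not a proposal problem

    # Packet 3 (I -> R): HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    hash_i = prf(hash_name, keys_i["SKEYID"], g_xi + g_xr + cky_i + cky_r + sa_i + ID_I)
    expect_i = prf(hash_name, keys_r["SKEYID"], g_xi + g_xr + cky_i + cky_r + sa_i + ID_I)
    if not hmac.compare_digest(hash_i, expect_i):
        return {"status": "AUTH_FAILED", "transform": chosen}
    return {"status": "OK", "transform": chosen,
            "initiator_keys": keys_i, "responder_keys": keys_r}


if __name__ == "__main__":
    # DES-only initiator against a 3DES-only responder: the thread's symptom.
    print(aggressive_mode(b"secret", b"secret", [("des", "md5")], [("3des", "sha1")])["status"])
    # Overlapping transform sets: both sides end up with identical SKEYID_e.
    ok = aggressive_mode(b"secret", b"secret", [("des", "md5"), ("3des", "sha1")], [("3des", "sha1")])
    print(ok["status"], ok["transform"], ok["initiator_keys"]["SKEYID_e"] == ok["responder_keys"]["SKEYID_e"])
```

The two failure branches are worth telling apart when reading firewall logs: a missing transform overlap fails before any key is derived and surfaces as a "no proposal chosen" notification, whereas a pre-shared-key mismatch gets past proposal selection and only fails when HASH_R or HASH_I is checked.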


