[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW1] VPN FW1->PIX, IKE Phase1 Stage2 Problem
Cedric, IKE consists of two official phases, Phase one is a three or six packet handshake that negotiates 4 keys skey_id, skey_id_r, skeyid_a, and skeyid_e. In phase one stage one, assuming aggressive mode (you did not specify, but unless you disabled it on fw1 it is probably what you are using.) Station A sends a proposal, as well as a dh key, along with a time sensitive cookie to the remote host. The proposal contains suggestions for the transform to be used in subsequent ike negotiations, ie 3des/sha1,des/md5,etc Station B responds to A with a dh key, the originating cookie, along with a new cookie initiated by station b. The transform reponse is encrypted using a derivative of the dh key exchange producing the 4 keys mentioned earlier. Skey_id is the root key for subsequent ike negotiation, skeyid_r is a root key to be used for SA negotiations (phase 2), skeyid_a for header authentication, and skeyid_e for the actual ike packet encryption. Station A will then send an ACK packet using both cookies and encrypting the ack using the negotiated skeyid. Some places to look: check out the encrypt rule on the firewall to make sure that the actual rule properties lock you into des (if that is your transform of choice.) Also, you may consider forcing the use of Main mode, as I have heard of problems with the cookie time format between check point and cisco. This one sounds intriguing, Let me know if I can be of further help, CryptoTech Cedric wrote: > Hello > > We have a problem with setting up a VPN between FW1 (4.1 SP3 on > Solaris) and a Cisco PIX firewall. > > We see such entries in the logs > "IKE Log: Sent Notification: no proposal chosen <phase1 stage2> > Negotiation Id: 6t3zd51f68z41a5f-cba186ade992a71f" > > I can see two related mails in the archives, one suggest to add > "3DES" in the objects for both entries (we use DES), wthis > completely screwed up the VPN (which might indicate a problem) > We didn't "send" such messages anymore, but the remote > host did (that's what the logs say) > > Anyone know what this "phase1 stage2" actually is ? > How can I solve this problem ? > We have idea how the PIX is set up, but it has been set up > according the CKP pdf documents. > > Thanks in advance for any pointer. > > ================================================================================ > To unsubscribe from this mailing list, please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================================================ ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|