
Re: [FW1] VPN FW1->PIX, IKE Phase1 Stage2 Problem



When I had the same problem, there was something that you have to set  "nat
0" on PIX and "static" for each inside host you want to participate in
VPN... of course you have to set the same timeouts on PIX and FW1 - on FW1
it is on one of the tabs in security policy properties. Also there should be
the same encryption algorithm and authentication should be set to MD5 (not
SHA - I do not know why, but it did not work with SHA). Basically all the
settings should be absolutely the same on FW1 and PIX. Running "fwd -d" for
debug messages is also helpful - you will get the exact message about why
the connection was not established.

regards,
Vitaly.
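The two technical points in this thread, Vitaly's advice that every Phase 1 setting must match on both peers (a mismatch is what the "no proposal chosen" notification in Cedric's log reports) and CryptoTech's description of the four keys derived in Phase 1, can be shown together in a small Python model. This is an added example, not code from the list, from Check Point or from Cisco. It implements the RFC 2409 pre-shared-key derivation: SKEYID = prf(pre-shared-key, Ni_b | Nr_b), then SKEYID_d, SKEYID_a and SKEYID_e, where prf is HMAC over the negotiated hash. RFC 2409 calls the key that seeds Phase 2 SKEYID_d rather than "skeyid_r" as in the quoted message. The transform attribute names, the sample nonces, cookies, DH secret and pre-shared key are all constructed for the example.

```python
import hashlib
import hmac

# The hash negotiated in Phase 1 selects the PRF (HMAC over that hash), RFC 2409.
PRF_HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}

# Attribute names are this example's own, not ISAKMP attribute identifiers.
PHASE1_ATTRS = ("encryption", "hash", "auth", "dh_group", "lifetime")


def proposal_mismatches(offer, policy):
    """Return the attributes on which an offered transform and a local policy
    disagree; an empty list means the responder can accept the transform."""
    return [attr for attr in PHASE1_ATTRS if offer.get(attr) != policy.get(attr)]


def choose_proposal(offers, policies):
    """Responder-side selection: the first offered transform that some local
    policy accepts in full. None models the "no proposal chosen" notification."""
    for offer in offers:
        for policy in policies:
            if not proposal_mismatches(offer, policy):
                return offer
    return None


def phase1_keys(hash_name, pre_shared_key, ni_b, nr_b, g_xy, cky_i, cky_r):
    """Derive SKEYID and SKEYID_d/_a/_e for pre-shared-key authentication
    (RFC 2409 section 5). ni_b/nr_b are the nonce payload bodies, g_xy the
    Diffie-Hellman shared secret, cky_i/cky_r the 8-byte ISAKMP cookies."""
    hash_fn = PRF_HASHES[hash_name]

    def prf(key, data):
        return hmac.new(key, data, hash_fn).digest()

    skeyid = prf(pre_shared_key, ni_b + nr_b)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")       # seeds Phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")  # authentication
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")  # IKE encryption
    return {"skeyid": skeyid, "skeyid_d": skeyid_d,
            "skeyid_a": skeyid_a, "skeyid_e": skeyid_e}


def negotiate(offers, policies, **kw):
    """Run the responder's proposal check, then derive keys with the agreed hash."""
    chosen = choose_proposal(offers, policies)
    if chosen is None:
        return None
    return phase1_keys(chosen["hash"], **kw)


# Constructed sample values; on a real gateway they come from the DH exchange,
# the peers' nonce payloads and the ISAKMP header cookies.
SAMPLE = dict(
    pre_shared_key=b"example-psk",
    ni_b=bytes(range(16)),
    nr_b=bytes(range(16, 32)),
    g_xy=b"\x5a" * 96,  # a DH group 1 (768-bit) secret is 96 bytes
    cky_i=bytes.fromhex("0011223344556677"),
    cky_r=bytes.fromhex("8899aabbccddeeff"),
)

# Constructed policies: the initiator offers DES/SHA1, the responder only accepts DES/MD5.
FW1_OFFERS = [{"encryption": "des", "hash": "sha1", "auth": "psk",
               "dh_group": 1, "lifetime": 28800}]
PIX_POLICIES = [{"encryption": "des", "hash": "md5", "auth": "psk",
                 "dh_group": 1, "lifetime": 28800}]

if __name__ == "__main__":
    print("mismatch:", proposal_mismatches(FW1_OFFERS[0], PIX_POLICIES[0]))
    print("keys with mismatched hash:", negotiate(FW1_OFFERS, PIX_POLICIES, **SAMPLE))
    fixed = [dict(FW1_OFFERS[0], hash="md5")]
    for name, key in negotiate(fixed, PIX_POLICIES, **SAMPLE).items():
        print(f"{name}: {key.hex()}")
```

The mismatch report is the part a troubleshooter wants: it names the attribute (here the hash) on which the two gateways disagree, which is what the "no proposal chosen" notification itself does not say. The derivation also shows why the hash has to agree: with MD5 the four keys are 16 bytes, with SHA-1 20 bytes, and every key differs, so packets encrypted under SKEYID_e on one side cannot be decrypted on the other. Changing only the responder cookie leaves SKEYID unchanged but alters SKEYID_d, SKEYID_a and SKEYID_e, which is the role the cookies play in the derivation.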


----- Original Message -----
From: <[email protected]>
To: <[email protected]>; "'Cedric'" <[email protected]>
Cc: <[email protected]>; <[email protected]>
Sent: Tuesday, February 20, 2001 1:39 PM
Subject: RE: [FW1] VPN FW1->PIX, IKE Phase1 Stage2 Problem


>
> Hi,
>
> Please kindly tell me where i can check the cookie time.
>
> Thanks,
>
> Regards,
>
> martin
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of
> CryptoTech
> Sent: Tuesday, 20 February 2001 12:34
> To: Cedric
> Cc: [email protected]
> Subject: Re: [FW1] VPN FW1->PIX, IKE Phase1 Stage2 Problem
>
>
>
> Cedric,
> IKE consists of two official phases,
> Phase one is a three or six packet handshake that negotiates 4 keys skey_id,
> skey_id_r, skeyid_a, and skeyid_e.
>
> In phase one stage one, assuming aggressive mode (you did not specify, but
> unless
> you disabled it on fw1 it is probably what you are using.)
> Station A sends a proposal, as well as a dh key, along with a time sensitive
> cookie to the remote host.
>         The proposal contains suggestions for the transform to be used in
> subsequent
> ike negotiations, ie 3des/sha1,des/md5,etc
>
> Station B responds to A with a dh key, the originating cookie, along with a
> new cookie initiated by station b.  The transform response is encrypted using a
> derivative of the dh key exchange producing the 4 keys mentioned earlier.
> Skey_id
> is the root key for subsequent ike negotiation, skeyid_r  is a root key to
> be used
> for SA negotiations (phase 2), skeyid_a for header authentication, and
> skeyid_e for
> the actual ike packet encryption.
>
> Station A will then send an ACK packet using both cookies and encrypting the
> ack using the negotiated skeyid.
>
> Some places to look:  check out the encrypt rule on the firewall to make
> sure that
> the actual rule properties lock you into des (if that is your transform of
> choice.)
> Also, you may consider forcing the use of Main mode, as I have heard of
> problems
> with the cookie time format between check point and cisco.
>
> This one sounds intriguing,
> Let me know if I can be of further help,
> CryptoTech
>
> Cedric wrote:
>
> > Hello
> >
> >      We have a problem with setting up a VPN between FW1 (4.1 SP3 on
> >      Solaris) and a Cisco PIX firewall.
> >
> >      We see such entries in the logs
> >      "IKE Log: Sent Notification: no proposal chosen <phase1 stage2>
> >       Negotiation Id: 6t3zd51f68z41a5f-cba186ade992a71f"
> >
> >      I can see two related mails in the archives, one suggests to add
> >      "3DES" in the objects for both entries (we use DES), this
> >      completely screwed up the VPN (which might indicate a problem)
> >           We didn't "send" such messages anymore, but the remote
> >           host did (that's what the logs say)
> >
> >      Anyone know what this "phase1 stage2" actually is ?
> >      How can I solve this problem ?
> >      We have idea how the PIX is set up, but it has been set up
> >      according to the CKP pdf documents.
> >
> >      Thanks in advance for any pointer.
> >
> >
>



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================


