RE: [FW1] Amend the DH Group in VPN-1 ver.4.1
Hi Dallas,

According to the Checkpoint knowledge base, the new version NG (stands for No Good?? I don't like this name, very unlucky) will allow the user to specify either using DH-1 or DH-2. I think it may be the final solution.

Regards,
Mark

-----Original Message-----
From: Dallas Bishoff [mailto:[email protected]]
Sent: Thursday, August 02, 2001 7:48 PM
To: [email protected]
Subject: RE: [FW1] Amend the DH Group in VPN-1 ver.4.1

Mark:

I assume that you had the VPN working with SP2, but it broke when you went to SP3. This happened with a number of products, including SonicWall and Check Point. There was a change in the DH process in SP3, which I can't explain.

Regards!!!
Dallas

From: "Mark Lai" <[email protected]>
Reply-To: <[email protected]>
To: "Dallas Bishoff" <[email protected]>
CC: "Fw-1-Mailinglist" <[email protected]>
Subject: RE: [FW1] Amend the DH Group in VPN-1 ver.4.1
Date: Thu, 2 Aug 2001 14:29:07 +0800

Hi Dallas,

It is so kind of you to explain in such detail to me and I think I need some time to digest and apply it into my own environment, and to be honest my problem actually happened between Checkpoint VPN1 & WatchGuard Firebox. I've contacted the support before and they said it is not possible to fix at this moment unless I roll the Checkpoint VPN1 back to SP2. Anyway I have no solution at this moment but I would like to thank you for your kind attention.

Best Regards,
Mark
ECOMPmerce.com

-----Original Message-----
From: Dallas Bishoff [mailto:[email protected]]
Sent: Thursday, August 02, 2001 12:39 PM
To: [email protected]
Subject: RE: [FW1] Amend the DH Group in VPN-1 ver.4.1

Mark:

Perhaps I can help you understand this better... again, the RFC requires an IPSec product to support DH1. Vendors "may" implement other DH group levels, but they aren't required. In the IPSec process, there are two phases, and both can require DH. Phase 1, in main mode, takes 6 packets. Phase 2 takes either 3 or 4 packets, 4 if the "commit" bit is set.
Phase 1 also has an "aggressive mode", but I'll assume you don't want to do this --- however, FW-1 does aggressive mode. Regardless of main vs aggressive, there is an "initiator" and a "responder". The "initiator" is the VPN device starting the negotiation. In the first packet, the "initiator" will identify what settings it supports. The "responder" looks at its own configuration, generally will go to the highest level offered by the "initiator" and responds back with an identification of DES or 3DES, DH settings, and so forth. If the "responder" determines that the "initiator" proposal doesn't include settings that are at the minimum level the "responder" is configured to negotiate, the VPN tunnel cannot be created, and generally results in a "proposal not chosen" message.

I suspect that you're having an issue with one of the following: Check Point is set for aggressive mode, and the Cisco won't take that; followed by the Cisco is configured to only do DH2; followed by an offer for DES, when the Cisco won't take anything lower than 3DES. What happens if you change the initiator and responder roles??? It is very possible to get a successful VPN tunnel in one direction, but have it fail going the other direction depending on which system was the "initiator" in the process.

Regards!!!
Dallas N. Bishoff
CISSP, MCSE+I, MCT, CCA, ICE, CCSE, Nokia Security Administrator (NSA), Nokia VPN Gateway Administrator, Nokia Security Instructor, RSA Certified Systems Engineer - SecurID (RSA/CSE), RSA Certified Instructor - SecurID (RSA/CI)

-----Original Message-----
From: Dallas Bishoff [mailto:[email protected]]
Sent: Thursday, August 02, 2001 11:42 AM
To: [email protected]
Subject: Re: [FW1] Amend the DH Group in VPN-1 ver.4.1

Mark:

As a minimum, all IPSec implementations must support DH 1. DH2 may be possible. DH3 and DH4 are based on elliptic curve, and probably not supported. DH5 offers the best security, but is probably not supported, and is not required by the RFC.

Regards!!!
Dallas

From: "Mark Lai" <[email protected]>
Reply-To: <[email protected]>
To: "Fw-1-Mailinglist" <[email protected]>
Subject: [FW1] Amend the DH Group in VPN-1 ver.4.1
Date: Wed, 1 Aug 2001 16:42:11 +0800

Hello,

Does anyone know how to change the "Diffie-Hellman Group" in VPN-1 ver.4.1 SP4? Or can anyone tell me what "DH Group" is being used in the VPN-1 ver.4.1 SP4? Thanks.

Regards,
Mark
ECOMPmerce.com

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
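The responder-side proposal selection Dallas describes in the thread (responder takes the strongest transform the initiator offered that meets its own minimum, otherwise "proposal not chosen", and the outcome can differ depending on which side initiates), as an added illustrative model that is not part of the thread or of any vendor's code. The strength rankings, the Peer/Transform types and the two constructed peers are assumptions for the example; only DES/3DES and DH groups 1, 2 and 5 from the thread appear.

```python
# Added example: a simplified model of IKE phase 1 proposal selection.
# Rankings and peer configurations below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

ENC_RANK = {"DES": 1, "3DES": 2}   # higher is stronger (constructed ordering)
DH_RANK = {1: 1, 2: 2, 5: 3}       # DH group -> strength rank (groups from the thread)

@dataclass(frozen=True)
class Transform:
    enc: str          # "DES" or "3DES"
    dh_group: int     # 1, 2 or 5
    aggressive: bool  # True if offered in aggressive mode

def strength(t: Transform) -> tuple:
    return (ENC_RANK[t.enc], DH_RANK[t.dh_group])

@dataclass
class Peer:
    name: str
    offers: list             # transforms this peer proposes when it initiates
    min_enc: str             # weakest encryption it accepts as responder
    dh_groups: set           # DH groups it accepts as responder
    accept_aggressive: bool  # whether it accepts aggressive mode as responder

    def choose(self, proposals: list) -> Optional[Transform]:
        """Responder side: strongest acceptable proposal, or None (not chosen)."""
        acceptable = [
            p for p in proposals
            if ENC_RANK[p.enc] >= ENC_RANK[self.min_enc]
            and p.dh_group in self.dh_groups
            and (self.accept_aggressive or not p.aggressive)
        ]
        return max(acceptable, key=strength, default=None)

def negotiate(initiator: Peer, responder: Peer) -> str:
    """Run the first exchange: initiator offers, responder picks or rejects."""
    chosen = responder.choose(initiator.offers)
    if chosen is None:
        return "proposal not chosen"
    return f"{chosen.enc}/DH{chosen.dh_group}"

# Constructed peers: a gateway that only offers DES (DH1 aggressive, DH2 main)
# but accepts anything, against a peer that insists on 3DES, DH2, main mode.
fw1 = Peer("fw1", [Transform("DES", 1, True), Transform("DES", 2, False)],
           min_enc="DES", dh_groups={1, 2}, accept_aggressive=True)
cisco = Peer("cisco", [Transform("3DES", 2, False)],
             min_enc="3DES", dh_groups={2}, accept_aggressive=False)

if __name__ == "__main__":
    print("fw1 -> cisco:", negotiate(fw1, cisco))   # fails: nothing offered meets 3DES
    print("cisco -> fw1:", negotiate(cisco, fw1))   # succeeds: fw1 accepts 3DES/DH2
```

Swapping the roles is exactly the check Dallas suggests: the same pair of configurations tunnels in one direction and fails with "proposal not chosen" in the other.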