
RE: [FW1] Amend the DH Group in VPN-1 ver.4.1



Hi Dallas,

According to the Checkpoint knowledge base, the new version NG (stands for No
Good?? I don't like this name, very unlucky) will allow the user to specify
either DH-1 or DH-2. I think it may be the final solution.

Regards,
Mark

-----Original Message-----
From: Dallas Bishoff [mailto:[email protected]]
Sent: Thursday, August 02, 2001 7:48 PM
To: [email protected]
Subject: RE: [FW1] Amend the DH Group in VPN-1 ver.4.1


Mark:

I assume that you had the VPN working with SP2, but it broke when you went
to SP3.  This happened with a number of products, including SonicWall and
Check Point.  There was a change in the DH process in SP3, which I can't
explain.

Regards!!!

Dallas



From: "Mark Lai" <[email protected]>
Reply-To: <[email protected]>
To: "Dallas Bishoff" <[email protected]>
CC: "Fw-1-Mailinglist" <[email protected]>
Subject: RE: [FW1] Amend the DH Group in VPN-1 ver.4.1
Date: Thu, 2 Aug 2001 14:29:07 +0800

Hi Dallas,

It is so kind of you to explain in such detail to me, and I think I need
some time to digest and apply it to my own environment. To be honest, my
problem actually happened between Checkpoint VPN1 & WatchGuard Firebox.
I've contacted support before and they said it is not possible to fix at
this moment unless I roll back Checkpoint VPN1 to SP2. Anyway, I have
no solution at this moment, but I would like to thank you for your kind
attention.

Best Regards,
Mark
ECOMPmerce.com

-----Original Message-----
From: Dallas Bishoff [mailto:[email protected]]
Sent: Thursday, August 02, 2001 12:39 PM
To: [email protected]
Subject: RE: [FW1] Amend the DH Group in VPN-1 ver.4.1


Mark:

Perhaps I can help you understand this better...again, the RFC requires an
IPSec product to support DH1.  Vendors "may" implement other DH group
levels, but they aren't required.

In the IPSec process, there are two phases, and both can require DH.  Phase
1 in main mode takes 6 packets.  Phase 2 takes either 3 or 4 packets, 4 if
the "commit" bit is set.  Phase 1 also has an "aggressive mode", but I'll
assume you don't want to do this --- however, FW-1 does aggressive mode.
Regardless of main vs aggressive, there is an "initiator" and a "responder".
The "initiator" is the VPN device starting the negotiation.  In the first
packet, the "initiator" will identify what settings it supports.  The
"responder" looks at its own configuration, generally will go to the
highest level offered by the "initiator" and responds back with an
identification of DES or 3DES, DH settings, and so forth.  If the
"responder" determines that the "initiator" proposal doesn't include
settings that are at the minimum level the "responder" is configured to
negotiate, the VPN tunnel cannot be created, and generally results in a
"proposal not chosen" message.

I suspect that you're having an issue with one of the following: Check Point
is set for aggressive mode, and the Cisco won't take that; or the Cisco is
configured to only do DH2; or an offer for DES is made when the Cisco won't
take anything lower than 3DES.

What happens if you change the initiator and responder roles???  It is very
possible to get a successful VPN tunnel one direction, but have it fail
going the other direction depending on which system was the "initiator" in
the process.

Regards!!!

Dallas N. Bishoff
CISSP,
MCSE+I, MCT, CCA, ICE, CCSE,
Nokia Security Administrator (NSA),
Nokia VPN Gateway Administrator,
Nokia Security Instructor,
RSA Certified Systems Engineer - SecurID (RSA/CSE)
RSA Certified Instructor - SecurID (RSA/CI)
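The initiator/responder behaviour Dallas describes above (initiator offers, responder picks the strongest acceptable transform, "proposal not chosen" when nothing matches, and a tunnel that comes up in one direction but not the other) can be made concrete with a small model of the phase-1 SA exchange. This is an added example, not code from the thread and not any vendor's IKE implementation. The two peers `fw` and `gw`, their policies, and the "single-proposal initiator" behaviour of `fw` are constructed assumptions chosen to reproduce the asymmetric failure; the DH group bit sizes for groups 1, 2 and 5 are the MODP sizes from the IKE RFCs.

```python
"""
Toy model of IKE phase-1 proposal selection.  Added example, not the
page's or any vendor's code.  Peer policies below are constructed to
show why swapping initiator and responder roles can change the outcome.
"""
from dataclasses import dataclass

# Relative cipher strength ranking (assumed ordering for the model).
CIPHER_RANK = {"DES": 1, "3DES": 2}
# MODP modulus sizes in bits for IKE DH groups 1, 2 and 5.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}


@dataclass(frozen=True)
class Transform:
    """One proposal: encryption algorithm plus DH group."""
    cipher: str
    dh_group: int

    def strength(self):
        # Tuple ordering: cipher first, then DH modulus size.
        return (CIPHER_RANK[self.cipher], DH_GROUP_BITS[self.dh_group])


@dataclass
class Peer:
    name: str
    accepts: frozenset          # transforms accepted when acting as responder
    preferred: Transform        # sent first (or alone) when acting as initiator
    offers_all: bool = True     # False: sends only `preferred` (assumed behaviour)

    def proposals(self):
        """SA payload this peer sends as initiator, in preference order."""
        if not self.offers_all:
            return [self.preferred]
        rest = sorted(self.accepts - {self.preferred},
                      key=Transform.strength, reverse=True)
        return [self.preferred] + rest

    def choose(self, proposals):
        """Responder side: strongest offered transform it accepts, else None."""
        acceptable = [t for t in proposals if t in self.accepts]
        if not acceptable:
            return None
        return max(acceptable, key=Transform.strength)


def negotiate(initiator, responder):
    """Model the first two main-mode messages: SA proposal and SA response."""
    offered = initiator.proposals()
    chosen = responder.choose(offered)
    if chosen is None:
        # Responder found nothing at or above its configured minimum.
        return {"ok": False, "reason": "NO_PROPOSAL_CHOSEN", "offered": offered}
    return {"ok": True, "chosen": chosen, "offered": offered}


DES_DH1 = Transform("DES", 1)
TDES_DH2 = Transform("3DES", 2)

# Constructed peers (assumed policies, not any product's defaults):
# fw accepts either transform as responder but, as initiator, sends only
# its preferred DES/DH1.  gw is locked to 3DES/DH2 in both roles.
fw = Peer("fw", frozenset({DES_DH1, TDES_DH2}), preferred=DES_DH1, offers_all=False)
gw = Peer("gw", frozenset({TDES_DH2}), preferred=TDES_DH2)


def demo():
    """Same two peers, both directions: one succeeds, the other fails."""
    return {"fw->gw": negotiate(fw, gw), "gw->fw": negotiate(gw, fw)}


def demo_with_full_offer():
    """fw now offers everything it accepts; gw picks the strongest match."""
    fw_full = Peer(fw.name, fw.accepts, fw.preferred, offers_all=True)
    return {"fw->gw": negotiate(fw_full, gw), "gw->fw": negotiate(gw, fw_full)}


if __name__ == "__main__":
    for label, run in (("single-proposal fw", demo()),
                       ("fw offering all", demo_with_full_offer())):
        for direction, result in run.items():
            print(label, direction, result)
```

Running it shows `fw->gw` failing with NO_PROPOSAL_CHOSEN while `gw->fw` succeeds with 3DES/DH2, which is exactly the one-way tunnel symptom; once `fw` offers its full list, `gw` as responder selects the strongest transform it accepts and both directions come up. When troubleshooting a real pair, compare what each box actually puts in its SA payload as initiator against what the other box accepts as responder, rather than assuming the configured policy is what gets offered.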



-----Original Message-----
From: Dallas Bishoff [mailto:[email protected]]
Sent: Thursday, August 02, 2001 11:42 AM
To: [email protected]
Subject: Re: [FW1] Amend the DH Group in VPN-1 ver.4.1


Mark:

As a minimum, all IPSec implementations must support DH 1.  DH2 may be
possible.  DH3 and DH4 are based on elliptic curve, and probably not
supported.  DH5 offers the best security, but is probably not supported, and
is not required by the RFC.

Regards!!!

Dallas


From: "Mark Lai" <[email protected]>
Reply-To: <[email protected]>
To: "Fw-1-Mailinglist" <[email protected]>
Subject: [FW1] Amend the DH Group in VPN-1 ver.4.1
Date: Wed, 1 Aug 2001 16:42:11 +0800


Hello,

Does anyone know how to change the "Diffie-Hellman Group" in VPN-1
ver.4.1 SP4?

or

Can anyone tell me what "DH Group" is being used in VPN-1 ver.4.1
SP4? Thanks.

Regards,
Mark
ECOMPmerce.com





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp















   All contents © 2004 Network Presence, LLC. All rights reserved.