[FW-1] VPN with OPSEC-PKI and IKE
Hello,

I have set up a VPN between Firewall-1 (4.1SP5) and a VPN software called CryptoIP. If I use pre IKE with pre-shared keys, it works fine in both directions. But if I use OPSEC-PKI (RSA signatures), it does not work. On the CryptoIP side I can see the following failure messages:

-->
Starting ISAKMP SA negotiation
Received UDP packet from 192.168.1.1:500
Decoding proposal
----- Transform 1, protocol = 1 (IKE_KEY) -----
Encryption algorithm = 6 (cast128-cbc)
Hash algorithm = 2 (sha1)
Authentication method = 3 (RSA-signatures)
Searched certificate was not found.
didn't find public key for 192.168.1.1
<--

Here I do not get any further, and I have a few questions:

- CIP uses/assumes that Firewall-1 sends the Distinguished Name (DN) field from its certificate. Is that right, or will Firewall-1 send its fully qualified domain name (FQDN)?
- If I initiate a VPN connection to the Firewall-1, how does the Firewall-1 know which certificates it should use? (Is it bound to the external IP?)
- Is it possible to increase the IKE debug level? (e.g. so I can see the ike-proposal and ike-transform messages)
- How can I back up and recover the private/public key pair for my firewall-workstation-object?

Thanks for your help,
Frank