Re: [FW-1] Checkpoint/Netscreen VPN IKE Error Messages



Dave,

What Netscreen OS are you using?

Lloyd J.Rochon III
Avantcom Network, Inc
Network Engineering Manager
CCIE, CCSE, CISSP, MSCE + I, MCT, CNE, NETWORK +, A+, ASE
www.avantcom.net





-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, January 15, 2002 10:12 AM
To: [email protected]
Subject: [FW-1] Checkpoint/Netscreen VPN IKE Error Messages


Hello,

We are having trouble for the past few weeks trying to get a Netscreen 5 to
an NT 4.0 Checkpoint 4.1 SP5 site to site VPN operational.  Generally IKE
Phase 1 completes between the firewalls, but only very infrequently does
IKE Phase 2 complete between the firewalls, according to the Checkpoint and
Netscreen logs.  When Phase 2 does complete, outbound traffic is encrypted
but the return decrypts do not come back.  We have encryption schemes
identical for Phase 1 & Phase 2 between the Checkpoint & Netscreen boxes.
When Phase 2 does not complete, messages in the log viewer include
"Received delete SA from Peer" and "Received Notification from Peer:
payload malformed", with the source address being the Checkpoint firewall
and the destination being the Netscreen.

Just for kicks, we tried creating a VPN connection to two other Checkpoint
4.1 sites (one had NT 4.0 using 4.1 SP2 and another had W2K using 4.1 SP5)
using the same Netscreen 5 box with identical encryption properties, and
both Phase 1 & Phase 2 became operational, and traffic was being encrypted
and decrypted in both directions.  Thus I eliminated the possibility that
the Netscreen may be the issue.

I then compared a few files on the various firewalls (crypt.def,
objects.C), and could not find anything except cosmetic items that were
different. I also tried the various debugging tools (fw monitor, fw -d d,
FWIKE_DEBUG), and have examined the resultant file output, and was not able
to decipher anything enlightening from these files, although I must admit
that I don't know exactly what kind of packet flow or sequencing I should
be looking for.

Thanks in advance for any assistance.


============================
Dave Parmer
Senior Network Engineer
Distributed Systems Services
[email protected]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
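Added example, not from the thread or from either vendor: a small Python decoder for the IKEv1 Informational exchange payloads (RFC 2408 layout) behind the two log lines quoted above, "Received Notification from Peer: payload malformed" (Notify type 16) and "Received delete SA from Peer" (Delete payload). The sample datagram is constructed; once Phase 1 has completed these exchanges are normally encrypted under the ISAKMP SA, and the decoder only reports that rather than guessing at the contents.

```python
import struct

# Subset of RFC 2408 Notify message types relevant to Phase 1/2 failures.
NOTIFY_TYPES = {1: "INVALID-PAYLOAD-TYPE", 14: "NO-PROPOSAL-CHOSEN",
                15: "BAD-PROPOSAL-SYNTAX", 16: "PAYLOAD-MALFORMED",
                18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
PROTO_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP"}
PAYLOAD_NOTIFY, PAYLOAD_DELETE = 11, 12
FLAG_ENCRYPTED = 0x01
INFORMATIONAL = 5

def parse_informational(pkt: bytes) -> list:
    """Decode the payload chain of one ISAKMP datagram (UDP/500) into dicts."""
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    # Header: I-cookie(8) R-cookie(8) next(1) version(1) exchange(1) flags(1) msgid(4) len(4)
    _ic, _rc, nxt, _ver, xchg, flags, _msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("ISAKMP length %d != datagram length %d" % (length, len(pkt)))
    if flags & FLAG_ENCRYPTED:
        # Post-Phase-1 informationals are encrypted; bytes are opaque without the SA keys.
        return [{"payload": "ENCRYPTED", "exchange": xchg}]
    out, off = [], 28
    while nxt != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header at offset %d" % off)
        # Generic payload header: next(1) reserved(1) length(2); length includes the header.
        this, nxt_p, plen = nxt, pkt[off], struct.unpack("!H", pkt[off + 2:off + 4])[0]
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = pkt[off + 4:off + plen]
        if this == PAYLOAD_NOTIFY and len(body) >= 8:
            _doi, proto, spi_sz, ntype = struct.unpack("!IBBH", body[:8])
            out.append({"payload": "NOTIFY", "proto": PROTO_IDS.get(proto, proto),
                        "type": NOTIFY_TYPES.get(ntype, ntype), "spi": body[8:8 + spi_sz].hex()})
        elif this == PAYLOAD_DELETE and len(body) >= 8:
            _doi, proto, spi_sz, nspi = struct.unpack("!IBBH", body[:8])
            spis = [body[8 + i * spi_sz:8 + (i + 1) * spi_sz].hex() for i in range(nspi)]
            out.append({"payload": "DELETE", "proto": PROTO_IDS.get(proto, proto), "spis": spis})
        else:
            out.append({"payload": this, "len": plen})
        off, nxt = off + plen, nxt_p
    return out

def build_sample() -> bytes:
    """Constructed unencrypted Informational: Notify(PAYLOAD-MALFORMED) then Delete(ESP SPI)."""
    notify = struct.pack("!BBH", PAYLOAD_DELETE, 0, 12) + struct.pack("!IBBH", 1, 1, 0, 16)
    delete = struct.pack("!BBH", 0, 0, 16) + struct.pack("!IBBH", 1, 3, 4, 1) + bytes.fromhex("0a0b0c0d")
    body = notify + delete
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, PAYLOAD_NOTIFY, 0x10,
                      INFORMATIONAL, 0, 0x1234, 28 + len(body))
    return hdr + body
```

Fed the raw UDP payload from an fw monitor or sniffer capture, it prints which SA the peer is tearing down and which Notify type it is sending, which narrows the Phase 2 mismatch without reading hex by hand.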
   All contents © 2004 Network Presence, LLC. All rights reserved.