
Re: [FW-1] ike vpn question



I'm not sure whether this also works on 4.1, but on NG you can turn on VPN
debugging using the following procedure:

Windows NT or Windows 2000

For vpnd.elg and ike.elg logs written to the $FWDIR/log directory:

1.    Go to Command Line Interface (CLI).
2.    To turn on the environmental variable enter:
    set vpn_debug=1
3.    To start logging enter:
    set vpn_debug on
    set vpn_debug ikeon
4.    To stop logging enter:
    set vpn_debug off
    set vpn_debug ikeoff
5.    To turn off the environmental variable enter:
    set vpn_debug=0

Solaris or Linux

For vpnd.elg and ike.elg logs written to the $FWDIR/log directory:

1.    To turn on the environmental variable enter (csh):
    setenv vpn_debug 1  (I do not believe this really does anything,
      but it was in the original instructions I got)
2.    To start logging enter:
    set vpn debug on
    set vpn_debug ikeon
3.    To stop logging enter:
    set vpn debug off
    set vpn_debug ikeoff
4.    To turn off the environmental variable enter:
    setenv vpn_debug 0


Nico




On Tue, Mar 19, 2002 at 01:40:01PM -0800, Russell Washington wrote:
> It seems that some lower-level debugging would be in order.  Unfortunately,
> that area isn't my strong suit on the Checkpoint product.  If someone knows
> how to get a more detailed error condition, it would probably be fairly
> simple from there to determine what specific issue it's unhappy about,
> whether configuration-borne or software malfunction (definitely a
> possibility).
>
> -Russ
>
> -----Original Message-----
> From: Christopher Ferraro [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 1:01 PM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
>
> Yes.  I verified license versions last night, prior to my email.
>
> This config was working previously.  The firewall was rebuilt and since then
> the problem has existed.
>
>
>
> -----Original Message-----
> From: Patrick Coomans [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 2:40 PM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
>
> Just a hunch, but are you sure both your CP licenses support the encryption
> proposal chosen?
>
> e.g. you choose to use 3DES but you only have a license for FWZ.
>
> >>> [email protected] 19/03/02 21:22 >>>
>
> Obviously, the most likely scenario is a difference in encryption settings
> between the endpoints of the VPN.
>
> Could be an indication of the VPN module itself not processing the
> encryption request of the opposite end properly?  In other words <gasp>
> could this be a failure of the software on one end?
>
> CF
>
> -----Original Message-----
> From: Russell Washington [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 1:04 PM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
>
> Ok, dug this up in RFC2408:
>
>    Proposal: A proposal is a list, in decreasing order of preference, of
>    the protection suites that a system considers acceptable to protect
>    traffic under a given situation.
>
> This translates to me as "encryption settings" on an IPSec-compliant
> platform.  Shouldn't involve the source/target if "no proposal chosen" is
> the specific error being reported.
>
> -----Original Message-----
> From: Russell Washington [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 10:23 AM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
>
> Could well be, but my recollection is that target/destination stuff in Phase
> 2 negotiation is a source proxy ID/dest proxy ID issue, not a proposal
> issue.  On the devices where I've seen 'no proposal chosen' and subnet
> issues, they've turned up with different errors for each condition (or in
> the case of a Checkpoint to PIX with a subnet issue, the PIX just didn't
> answer at all).
>
> Doesn't mean he shouldn't check the encryption domains though.  Really curious
> over here to hear what he finds.
>
> -----Original Message-----
> From: Shah, Nishith [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 9:09 AM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
>
> Most likely your encryption domains (subnets defined on firewall) are not
> identical on both sides.
>
> It has to exactly match on both sides.
>
> -----Original Message-----
> From: Russell Washington [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 11:23 AM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
>
> "No proposal chosen" means that the encryption settings on each end are not
> in sync.  Yes, I know you said they're identical, but that's what the error
> means and I believe it's defined in an RFC somewhere.  As cryptic as it
> sounds, it's being as precise as it will get without saying something
> verbose like "it says use DES on this side and 3DES on the other side and so
> we don't agree."
>
> Here's the rundown of settings (cross-platform) that I know will tangle this
> up:
>
> - preshared key vs RSA key vs certificates
> - DES vs 3DES vs (who knows what else)
> - ESP vs AH vs ESP+AH at the same time
> - Perfect forward secrecy (PFS) on vs off
> - Diffie-Hellman group for PFS (Group 1?  Group 2?  Group 3?)
>
> What I've most often seen overlooked is the PFS/DH stuff.  One side has it
> on, the other has it off, or the two sides are using different DH groups.
>
> Good luck.  I haven't seen one of these yet that didn't boil down to a
> mismatched setting between the two sides, and that includes the Checkpoint,
> NetScreen, and Cisco platforms.
>
> -----Original Message-----
> From: Christopher Ferraro [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 6:51 AM
> To: [email protected]
> Subject: [FW-1] ike vpn question
>
>
> Gentlemen:
>
> I have a question for you regarding a VPN a client of mine is attempting to
> set up.
>
> Both VPNs have identical hardware (nokia 650's), identical software
> (checkpoint 4.1, sp4).  All encryption settings are identical.
>
> However, when the VPN ruleset is built, an error is seen in the log on one
> end of the VPN that says "IKE log: received notification from peer, no
> proposal chosen."
>
> What is the root of errors of this nature?
>
> I will provide more relevant information as necessary.
>
> CF
>
> Christopher A. Ferraro
> Senior Systems Engineer
> Hubbard One
> mobile:
> www.hubbardone.com
>
---------------------------------------------------------
 "It has been said that there are only two businesses that
  refer to customers as users: illegal drug trade and
               the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: [email protected]
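The thread's checklist (pre-shared key vs RSA vs certificates, DES vs 3DES, ESP vs AH, PFS on/off, DH group) and the RFC 2408 definition of a proposal as a preference-ordered list of protection suites can be turned into a small model that shows why the responder can only answer "no proposal chosen" and what a side-by-side comparison of the two configurations recovers. This is an added example, not code from the original post, from Check Point, or from any product mentioned in the thread; the Suite class, its attribute names, the SIDE_A/SIDE_B sample configurations and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass, asdict
from typing import Iterable, List, Optional, Tuple

# Simplified IKE/IPsec protection-suite model. This is an added example, not
# Check Point, Nokia or Cisco code; attribute names and values are assumptions
# chosen to mirror the checklist in the thread (auth method, cipher, ESP/AH,
# PFS, DH group). Real proposals carry more (lifetimes, key lengths, IDs).
@dataclass(frozen=True)
class Suite:
    auth: str        # "psk", "rsa" or "cert"
    encryption: str  # "des" or "3des"
    protocol: str    # "esp", "ah" or "esp+ah"
    integrity: str   # "md5" or "sha1"
    pfs: bool        # perfect forward secrecy on/off
    dh_group: int    # Diffie-Hellman group; only meaningful when pfs is True

    def normalized(self) -> dict:
        d = asdict(self)
        if not d["pfs"]:
            d["dh_group"] = None  # group cannot cause a mismatch without PFS
        return d


def _key(suite: Suite) -> tuple:
    return tuple(sorted(suite.normalized().items()))


def choose_proposal(initiator: Iterable[Suite],
                    responder: Iterable[Suite]) -> Optional[Suite]:
    """RFC 2408 style selection: the initiator offers suites in decreasing
    order of preference and the responder accepts the first one it also
    considers acceptable. None means the responder would send the
    NO-PROPOSAL-CHOSEN notification."""
    acceptable = {_key(s) for s in responder}
    for suite in initiator:
        if _key(suite) in acceptable:
            return suite
    return None


def explain_mismatch(initiator: Iterable[Suite],
                     responder: Iterable[Suite]) -> List[Tuple[str, object, object]]:
    """Find the initiator/responder pair that differs in the fewest
    attributes and list those differences as
    (attribute, initiator_value, responder_value). This is the detail the
    bare "no proposal chosen" notification does not carry."""
    best: Optional[List[Tuple[str, object, object]]] = None
    for i in initiator:
        ni = i.normalized()
        for r in responder:
            nr = r.normalized()
            diffs = [(k, ni[k], nr[k]) for k in ni if ni[k] != nr[k]]
            if best is None or len(diffs) < len(best):
                best = diffs
    return best or []


def diagnose(initiator: Iterable[Suite], responder: Iterable[Suite]) -> str:
    initiator, responder = list(initiator), list(responder)
    chosen = choose_proposal(initiator, responder)
    if chosen is not None:
        return f"proposal chosen: {chosen}"
    diffs = explain_mismatch(initiator, responder)
    detail = ", ".join(f"{k} ({a} vs {b})" for k, a, b in diffs)
    return "NO_PROPOSAL_CHOSEN; closest pair differs in: " + detail


# Constructed sample (not real firewall configuration): both sides were set up
# to be "identical", but after a rebuild side B came back with PFS group 1
# while side A still offers group 2. The order in SIDE_A is its preference.
SIDE_A = [Suite("psk", "3des", "esp", "sha1", True, 2),
          Suite("psk", "des", "esp", "sha1", True, 2)]
SIDE_B = [Suite("psk", "3des", "esp", "sha1", True, 1)]
SIDE_B_FIXED = [Suite("psk", "3des", "esp", "sha1", True, 2)]

if __name__ == "__main__":
    print(diagnose(SIDE_A, SIDE_B))
    print(diagnose(SIDE_A, SIDE_B_FIXED))
```

Running the module prints the diagnosis for the mismatched pair and again after the DH group on side B is changed back to 2. The useful part is explain_mismatch: the IKE notification itself names no attribute, so comparing the two sides attribute by attribute, which is what the vpnd.elg and ike.elg debug output lets you do on a real gateway, is how the mismatch is actually found.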
