
Re: [FW-1] Testing IPSec



On Tue, Mar 26, 2002 at 06:07:05PM +0000, James Schnack wrote:
> Nico,
>
> Did you try sniffing traffic on either end to confirm your suspicion?
> Seeing them out of one box and not seeing them arrive at the other would be
> sufficient proof of your theory, I'd say.

The problem is I can only sniff on 1 end.  I can ssh to the firewall on the
other side but the Netscreen doesn't offer any sniffing capabilities by
itself and I don't have access to the physical network :-(

> You could use some kind of packet forger to "build" ESP packets that would
> travel from one end to the other (I've found a few at
> http://www.tlsecurity.org/unix/Assesement/PacketForging/)... but as for
> knowing *where* exactly they are dropped on their way... that sounds hard
> (assuming "their way" is through the Internet).

Well, I guess I could play with the TTL field to check for ICMP packets.
Thanks, I'll have a look at the URL!

Nico

>
> Just my thoughts. Don't know if they'll help you.
>
> J.
>
>
> >From: Nico De Ranter <[email protected]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: [FW-1] Testing IPSec
> >Date: Tue, 26 Mar 2002 17:14:00 +0100
> >
> >Howdy,
> >
> >I'm trying to set up a VPN between a VPN-1 NG.FP1 and a Netscreen.
> >I tried it locally (with only a Cisco in between) and everything worked.
> >However after installing the Netscreen at the remote site I can't
> >get the VPN up again.  Now if I remember correctly IPSec/IKE uses
> >udp port 500 and ip protocol 50.  My guess is that protocol 50 gets
> >blocked somewhere but I can't prove it. Is there some way to do
> >traceroute using protocol 50 to see how far it goes? Does that
> >make sense at all? Anybody any experience with it?
> >
> >Thanks in advance,
> >
> >Nico
> >
> >---------------------------------------------------------
> >  "It has been said that there are only two businesses that
> >   refer to customers as users: illegal drug trade and
> >                the computer industry."
> >---------------------------------------------------------
> >Nico De Ranter
> >Sony Service Center (SDCE/VPE-B)
> >Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> >1130 Brussel (Bruxelles), Belgium, Europe, Earth
> >Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> >e-mail: [email protected]
> >
> >=================================================
> >To set vacation, Out Of Office, or away messages,
> >send an email to [email protected]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[email protected]
> >=================================================
---------------------------------------------------------
 "It has been said that there are only two businesses that
  refer to customers as users: illegal drug trade and
               the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: [email protected]
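
The TTL idea discussed in this thread, as an added example (not code from either poster): protocol-50 probes go out with a rising TTL and carry a marker SPI, so each ICMP error, which quotes the first 8 payload bytes (exactly ESP's SPI and sequence number), can be matched to the probe that triggered it. `PROBE_SPI`, the function names and the documentation addresses are assumptions made for this example; `trace` assumes Linux raw sockets and root.

```python
import socket, struct, sys, time

ESP = 50                 # IP protocol number of IPsec ESP
PROBE_SPI = 0x7E57AB1E   # constructed marker SPI, not a real security association

def esp_probe(seq):
    """ESP-shaped payload: SPI, sequence number (set to the probe TTL), filler."""
    return struct.pack("!II", PROBE_SPI, seq) + bytes(16)

def parse_icmp_error(pkt):
    """Return (router_ip, icmp_type, icmp_code, seq) for an ICMP error quoting our probe, else None."""
    icmp = pkt[(pkt[0] & 0x0F) * 4:] if len(pkt) >= 20 else b""
    if len(icmp) < 28 or icmp[0] not in (3, 11):    # 3 = unreachable, 11 = time exceeded
        return None
    inner = icmp[8:]                                 # quoted IP header of the dropped packet
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != ESP or len(inner) < ihl + 8:
        return None
    spi, seq = struct.unpack("!II", inner[ihl:ihl + 8])   # quoted 8 bytes = SPI + sequence
    return (socket.inet_ntoa(pkt[12:16]), icmp[0], icmp[1], seq) if spi == PROBE_SPI else None

def constructed_reply(router, target, seq, icmp_type=11, code=0):
    """Constructed sample: ICMP error as a raw socket delivers it (documentation addresses)."""
    def ip(proto, src, dst, ttl):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    quoted = ip(ESP, "192.0.2.10", target, 1) + esp_probe(seq)[:8]
    return ip(1, router, "192.0.2.10", 64) + struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted

def trace(target, max_hops=30, wait=2.0):
    """Send protocol-50 probes with rising TTL (raw sockets: run as root on Linux)."""
    tx = socket.socket(socket.AF_INET, socket.SOCK_RAW, ESP)
    rx = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    hops = []
    for ttl in range(1, max_hops + 1):
        tx.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        tx.sendto(esp_probe(ttl), (target, 0))
        deadline, hit = time.monotonic() + wait, None
        while hit is None and (left := deadline - time.monotonic()) > 0:
            rx.settimeout(left)
            try:
                reply = parse_icmp_error(rx.recv(1500))
            except socket.timeout:
                break
            hit = reply if reply and reply[3] == ttl else None
        hops.append((ttl, hit))
    return hops

if __name__ == "__main__":
    print(*trace(sys.argv[1]), sep="\n")
```

The hop after the last router that answers is where protocol 50 stops being forwarded or answered; comparing the hop count with an ordinary traceroute to the same gateway shows whether that point is the peer itself or a filter in between.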
