
Re: [FW-1] Testing IPSec

Off topic (Netscreen)

Netscreen does indeed provide "sniffing" via the snoop command.  It is a bit clunky, but not too bad.  Here's what to do:

- set a buffer size using "set dbuf size x" (largest allowed is 4096)
- start a snoop using the "snoop" command (use ? to see available subcommands)
- use the "get dbuf stream" command to view what your snoop has captured.

HTH

Dan Hitchcock
CCNP, CCSE, MCSE
Security Operations Technical Lead
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com


-----Original Message-----
From: Nico De Ranter [mailto:[email protected]]
Sent: Wednesday, March 27, 2002 12:07 AM
To: [email protected]
Subject: Re: [FW-1] Testing IPSec


On Tue, Mar 26, 2002 at 06:07:05PM +0000, James Schnack wrote:
> Nico,
>
> Did you try sniffing traffic on either end to confirm your suspicion?
> Seeing them out of one box and not seeing them arrive at the other would be
> sufficient proof of your theory, I'd say.

The problem is I can only sniff on 1 end.  I can ssh to the firewall on the
other side but the Netscreen doesn't offer any sniffing capabilities by
itself and I don't have access to the physical network :-(

> You could use some kind of packet forger to "build" ESP packets that would
> travel from one end to the other (I've found a few at
> http://www.tlsecurity.org/unix/Assesement/PacketForging/)... but as for
> knowing *where* exactly they are dropped on their way... that sounds hard
> (assuming "their way" is through the Internet).

Well I guess I could play with the TTL field to check for ICMP packets.
Thanks I'll have a look at the URL!

Nico

>
> Just my thoughts. Don't know if they'll help you.
>
> J.
>
>
> >From: Nico De Ranter <[email protected]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: [FW-1] Testing IPSec
> >Date: Tue, 26 Mar 2002 17:14:00 +0100
> >
> >Howdy,
> >
> >I'm trying to set up a VPN between a VPN-1 NG.FP1 and a Netscreen.
> >I tried it locally (with only a Cisco in between) and everything worked.
> >However after installing the Netscreen at the remote site I can't
> >get the VPN up again.  Now if I remember correctly IPSec/IKE uses
> >udp port 500 and ip protocol 50.  My guess is that protocol 50 gets
> >blocked somewhere but I can't prove it. Is there some way to do
> >traceroute using protocol 50 to see how far it goes? Does that
> >make sense at all? Anybody any experience with it?
> >
> >Thanks in advance,
> >
> >Nico
> >
> >---------------------------------------------------------
> >  "It has been said that there are only two businesses that
> >   refer to customers as users: illegal drug trade and
> >                the computer industry."
> >---------------------------------------------------------
> >Nico De Ranter
> >Sony Service Center (SDCE/VPE-B)
> >Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> >1130 Brussel (Bruxelles), Belgium, Europe, Earth
> >Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> >e-mail: [email protected]
> >
> >=================================================
> >To set vacation, Out Of Office, or away messages,
> >send an email to [email protected]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[email protected]
> >=================================================
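The TTL-stepping check Nico mentions (send ESP, IP protocol 50, with an increasing TTL and see which router answers with ICMP Time Exceeded; the hop after the last answer is where protocol 50 is being dropped), carried through as an added example in Python. This is not code from the thread: the addresses and SPI are constructed, the probe is built and parsed in memory only, and putting it on the wire would need a raw socket, which is not shown.

```python
import socket
import struct

ESP_PROTO = 50           # IP protocol number for ESP
ICMP_PROTO = 1
ICMP_TIME_EXCEEDED = 11  # type 11, code 0: TTL expired in transit

def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 or ICMP header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def build_esp_probe(src: str, dst: str, ttl: int, spi: int) -> bytes:
    """ESP probe for one hop: the ESP sequence number carries the TTL, so the
    copy a router echoes back inside an ICMP error tells us which probe expired."""
    esp = struct.pack("!II", spi, ttl)   # SPI, sequence number; no encrypted payload
    return ipv4_header(src, dst, ttl, ESP_PROTO, len(esp)) + esp

def parse_time_exceeded(reply: bytes):
    """Return (router_ip, probe_ttl, spi) if `reply` is an ICMP Time Exceeded
    quoting one of our ESP probes, else None."""
    if reply[9] != ICMP_PROTO:
        return None
    icmp = reply[(reply[0] & 0x0F) * 4:]
    if icmp[0] != ICMP_TIME_EXCEEDED or icmp[1] != 0:
        return None
    inner = icmp[8:]                        # quoted IP header + first 8 payload bytes
    if len(inner) < 28 or inner[9] != ESP_PROTO:
        return None
    off = (inner[0] & 0x0F) * 4
    spi, seq = struct.unpack("!II", inner[off:off + 8])
    return socket.inet_ntoa(reply[12:16]), seq, spi

def make_time_exceeded(router: str, probe: bytes) -> bytes:
    """Constructed reply, as a router would send it; for offline testing only."""
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + probe[:28]
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, socket.inet_ntoa(probe[12:16]), 64, ICMP_PROTO, len(icmp)) + icmp
```

Sending the probes for TTL 1, 2, 3, ... and feeding each reply to `parse_time_exceeded` gives the same hop list as traceroute, but for protocol 50 rather than UDP or ICMP.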
