[FW-1] NG / VPN : cleartext packets within encrypted connection

["Mercier, Yannick (CA - Montreal)" <ymercier@FW1-NOSPAMDELOITTE.CA>]

Title: NG / VPN : cleartext packets within encrypted connection

Hi there,
  Im testing NG's wonderfull new features like 'one click vpn',
in fact, its not working very well.
When the IKE phase 1 negotiation takes place, the logViewer
( FP2 module running under Linux kernel 2.4 and management
FP2 running on a Solaris8 sparc ) reports that there is cleartext
packet within an encrypted connection ( because it is the other gateway
that initiates the IKE proposals ( OpenBSD 3.0's isakmpd ) ).

Yes I correctly defined my encryption domains for the 2 gateway objects
in my checkpoint policy, I created 2 net objects for the encryption domains
on the two sides of the VPN ( 10.1.2.0/24 and 192.168.0.0/24 ).

It is like if NG is considering the external IP's of the 2 gateway as part of
the encryption domain.

I have set IKE preshare secret between the two gateway object ( one is a checkpoint
firewall object, the OpenBSD box is define as an "Interoperable Device" ).

The OpenBSD box already have 3 VPN established with 1-A checkpoint 4.1 sp5 nokia box
                                                                    2-Another OpenBSD box
                                                                    3-A Stonesoft Stonagate box
These are working properly as expected.

Anyone have this problem with NG FP2 ?

  -------------------------------------------
  |Yannick Mercier, CISSP NSA CCSA MCSE     |   _     _
  |Work:ymercier@deloitte.ca | o' \,=./ `o
  |Samson Belair Deloitte & Touche          |    (o o)
  -------------------------------------------ooO--(_)--Ooo---