Re: [FW-1] AW: [FW-1] Netscreen & Checkpoint VPN
And FYI, the NS version of "encryption domain" would be the address book entries, which is why I asked whether "Inside Any" or "Outside Any" were in use on the NS end. Those two NS address book entries translate as "0.0.0.0/0", which won't match up with anything on the CP side particularly well. One side or the other will be mildly unhappy.

-----Original Message-----
From: moll [mailto:[email protected]]
Sent: Friday, July 19, 2002 12:03 AM
To: [email protected]
Subject: [FW-1] AW: [FW-1] Netscreen & Checkpoint VPN

Hi,

the error message "no proxy id found" typically indicates that either the encryption domains or the encryption rules are not defined properly. Most of the time the definitions of the encryption domains do not match.

:-) Horst

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On behalf of Russell Washington
Sent: Friday, 19 July 2002 00:17
To: [email protected]
Subject: Re: [FW-1] Netscreen & Checkpoint VPN

Yuck. I've slogged through these NS debug traces before. Yours aren't telling me much other than that you're not doing proxy id checking. I'm not so sure that having this disabled helps your situation much, at least not in terms of debugging. Let me throw out some basic questions:

- Are all the boxes you care about VPN-ing to at the SOHO site on the same subnet?
- Is that subnet using real or private IPs?
- Are you using "Inside Any" or "Outside Any" on any of the relevant policies on the NS?
- Is the NS at the SOHO site VPN-ing to you and you alone or is it talking to other VPN targets?
- Do you have any asymmetric routing in the mix, i.e., the VPN gateway and the default gateway are *not* one and the same at one (or both) of the locations?

This ought to work as a base... Yeah, there are Checkpoint to NS docs out there, but there's no substitute for knowing the product and I know the NS product. Yes, they can work together, pretty well in fact.
-----Original Message-----
From: Kant Narcisse [mailto:[email protected]]
Sent: Thursday, July 18, 2002 11:52 AM
To: [email protected]
Subject: Re: [FW-1] Netscreen & Checkpoint VPN

I have been reviewing Checkpoint's documentation regarding IKE VPN Setup and I don't know what I am missing on the Netscreen side. I ran a debug on my Netscreen Firewall and maybe someone knows how to read this better than me. Please let me know what you think.

IKE(root,i,lcl208.61.44.106->rmt64.253.194.132,6/102f+,i): Rcv if num<1> root sys. Msg, len 260, nxp 8, exch 32, flag 01 E
phase 1 sa for root sys.
create conn entry...*done(df51f520)
Phase 2 (64.253.194.132) msg_iddf51f520 start (responder).
Resonder not set commit bit on 2nd QM.
Decrypt(232) validate(232): 8/20 1/76 10/100 4/200 5/212 5/228
Payload: Hash Security_Assoc Nonce Key_Exchange Identification Identification
extract(232):
Matching policy: gw ip <64.253.194.132> peer entry id<0>. root system.
Either no proxy or id check disabled for peer 64.253.194.132.
Rcv'd P2 ID: type<0> local addr<0.0.0.0> mask<0.0.0.0> prot<0> port<0>.
Rcv'd P2 ID: type<0> remote addr<0.0.0.0> mask<0.0.0.0> prot<0> port<0>.
[0] aa b c
Multiple SA for multiple policy mode, skipping base sa 1 when searching for sa.
[1] aa b c d>
Policy checking disabled in IKE session.
--- more ---
locate p2 satable ID<25>.
Proc sa: check_proposal-> group description for PFS is 1
SA life type in seconds
SA life duration >00>00>0e>10
Phase 2 received: atts<03030111> proto(3)<ESP>, esp(3)<ESP_3DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(1)
atts[0] selected.
add sa list for msg id <df51f520> dh group 1
Proc non: IKE, processing a NONCE.
Proc ke: IKE, processing ISA_KE for PFS in phase 2.
Proc id:
Proc id:
, exp pak
Msg header built (next payload 8)
IKE, constructing SA payload for ipsec.
, exp pak
--- more ---
Set IPSEC SA attrs tunnel(1) MD5 grp1 lifetime(3600/0)
IKE, constructing ISA_KE for PFS in phase 2
, exp pak
Phase 2 not send proxy ids.
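The proxy-ID comparison Horst and Russell describe, as an added example that is not code from the thread or from either vendor: a small Python script that pulls the Phase 2 IDs out of NetScreen debug output in the format pasted above, notes whether the NetScreen reports proxy-ID checking as disabled, and compares the IDs with the encryption domains the Checkpoint side would expect. The trace lines are constructed from the post; the two Checkpoint domains (198.51.100.0/24 and 192.0.2.0/24) are assumed placeholders, not values from the thread.

```python
"""Check IKE Phase 2 proxy IDs from a NetScreen debug trace against the
Checkpoint encryption domains (added example; the domains are assumed)."""
import ipaddress
import re

# Matches the "Rcv'd P2 ID" lines in NetScreen 'debug ike' output.
P2_ID_RE = re.compile(
    r"Rcv'd P2 ID: type<(?P<type>\d+)> (?P<side>local|remote) "
    r"addr<(?P<addr>[\d.]+)> mask<(?P<mask>[\d.]+)> "
    r"prot<(?P<prot>\d+)> port<(?P<port>\d+)>"
)

# Constructed trace, adapted from the NetScreen output pasted above.
SAMPLE_TRACE = """\
Either no proxy or id check disabled for peer 64.253.194.132.
Rcv'd P2 ID: type<0> local addr<0.0.0.0> mask<0.0.0.0> prot<0> port<0>.
Rcv'd P2 ID: type<0> remote addr<0.0.0.0> mask<0.0.0.0> prot<0> port<0>.
Policy checking disabled in IKE session.
Phase 2 not send proxy ids.
"""

# Assumed Checkpoint configuration (placeholders, not from the thread): the
# CP gateway's own encryption domain, and the domain it expects behind the
# NetScreen peer.
CP_ENCRYPTION_DOMAIN = ipaddress.IPv4Network("198.51.100.0/24")
CP_PEER_DOMAIN = ipaddress.IPv4Network("192.0.2.0/24")


def parse_proxy_ids(trace):
    """Return {'local': IPv4Network, 'remote': IPv4Network} for the P2 IDs
    reported in the trace. Address 0.0.0.0 with mask 0.0.0.0 becomes
    0.0.0.0/0, which is what NetScreen's 'Inside Any'/'Outside Any'
    address book entries translate to."""
    ids = {}
    for m in P2_ID_RE.finditer(trace):
        net = ipaddress.IPv4Network((m.group("addr"), m.group("mask")), strict=False)
        ids[m.group("side")] = net
    return ids


def id_check_disabled(trace):
    """True if the NetScreen reports that it is not validating proxy IDs;
    a selector mismatch will then only show up on the Checkpoint side."""
    return "id check disabled" in trace or "Policy checking disabled" in trace


def compare_proxy_ids(ns_ids, cp_encryption_domain, cp_peer_domain):
    """Compare the NetScreen proxy IDs with the Checkpoint encryption domains.
    The selectors must mirror each other: the NetScreen 'local' ID is what
    Checkpoint calls the peer's domain, and the NetScreen 'remote' ID is
    Checkpoint's own encryption domain. Returns a list of mismatch
    descriptions; an empty list means both sides agree."""
    expected = {"local": cp_peer_domain, "remote": cp_encryption_domain}
    problems = []
    for side, want in expected.items():
        got = ns_ids.get(side)
        if got is None:
            problems.append(f"{side} proxy ID missing from trace")
        elif got != want:
            hint = " (an 'Any' address book entry?)" if got.prefixlen == 0 else ""
            problems.append(f"{side} proxy ID {got} != Checkpoint domain {want}{hint}")
    return problems


def report(trace, cp_encryption_domain, cp_peer_domain):
    """Run the full check and return the findings as a list of strings."""
    ids = parse_proxy_ids(trace)
    findings = compare_proxy_ids(ids, cp_encryption_domain, cp_peer_domain)
    if id_check_disabled(trace):
        findings.append("NetScreen proxy ID check is disabled; "
                        "mismatches will only be reported by the Checkpoint side")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_TRACE, CP_ENCRYPTION_DOMAIN, CP_PEER_DOMAIN):
        print(line)
```

On the constructed trace both IDs come out as 0.0.0.0/0, so neither can equal a specific Checkpoint domain and both sides are flagged; replacing them with the mirrored domains makes the comparison come back clean.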
=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================