Re: [FW-1] AW: [FW-1] Netscreen & Checkpoint VPN



And FYI, the NS version of "encryption domain" would be the address book
entries, which is why I asked whether "Inside Any" or "Outside Any" were in
use on the NS end.  Those two NS address book entries translate as
"0.0.0.0/0", which won't match up with anything on the CP side particularly
well.  One side or the other will be mildly unhappy.

-----Original Message-----
From: moll [mailto:[email protected]]
Sent: Friday, July 19, 2002 12:03 AM
To: [email protected]
Subject: [FW-1] AW: [FW-1] Netscreen & Checkpoint VPN


Hi,

the error message "no proxy id found" typically indicates that either the
encryption domains are not defined properly or the encryption rules. Most
of the time the definitions of the encryption domains do not match. :-)

Horst

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On behalf of Russell
Washington
Sent: Friday, July 19, 2002 00:17
To: [email protected]
Subject: Re: [FW-1] Netscreen & Checkpoint VPN


Yuck.  I've slogged through these NS debug traces before.  Yours aren't
telling me much other than that you're not doing proxy id checking.  I'm not
so sure that having this disabled helps your situation much, at least not in
terms of debugging.

Let me throw out some basic questions:

- Are all the boxes you care about VPN-ing to at the SOHO site on the same
subnet?
- Is that subnet using real or private IPs?
- Are you using "Inside Any" or "Outside Any" on any of the relevant
policies on the NS?
- Is the NS at the SOHO site VPN-ing to you and you alone or is it talking
to other VPN targets?
- Do you have any asymmetric routing in the mix, i.e., the VPN gateway and
the default gateway are *not* one and the same at one (or both) of the
locations?

This ought to work as a base... Yeah, there are Checkpoint to NS docs out
there, but there's no substitute for knowing the product and I know the NS
product.  Yes, they can work together, pretty well in fact.

-----Original Message-----
From: Kant Narcisse [mailto:[email protected]]
Sent: Thursday, July 18, 2002 11:52 AM
To: [email protected]
Subject: Re: [FW-1] Netscreen & Checkpoint VPN


I have been reviewing Checkpoint's documentation regarding IKE VPN Setup and
I don't know what I am missing on the Netscreen side. I ran a debug on my
Netscreen Firewall and maybe someone knows how to read this better than me.
Please let me know what you think.

IKE(root,i,lcl208.61.44.106->rmt64.253.194.132,6/102f+,i): Rcv if num<1>
root sys. Msg, len 260, nxp 8, exch 32, flag 01  E phase 1 sa for root sys.
  create conn entry...*done(df51f520)
Phase 2 (64.253.194.132) msg_iddf51f520 start (responder). Resonder not set
commit bit on 2nd QM.
  Decrypt(232)  validate(232): 8/20 1/76 10/100 4/200 5/212 5/228
Payload:  Hash  Security_Assoc  Nonce  Key_Exchange  Identification
Identification
extract(232):
Matching policy: gw ip <64.253.194.132> peer entry id<0>.
root system.
Either no proxy or id check disabled for peer 64.253.194.132. Rcv'd P2 ID:
type<0> local addr<0.0.0.0> mask<0.0.0.0> prot<0> port<0>. Rcv'd P2 ID:
type<0> remote addr<0.0.0.0> mask<0.0.0.0> prot<0> port<0>.

[0] aa b c

Multiple SA for multiple policy mode, skipping base sa 1 when searching for
sa.

[1] aa b c d>Policy checking disabled in IKE session.
--- more ---
locate p2 satable ID<25>.
  Proc sa:
check_proposal->
        group description for PFS is 1
SA life type in seconds
SA life duration
>00>00>0e>10
Phase 2 received:
atts<03030111>
proto(3)<ESP>, esp(3)<ESP_3DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(1)
atts[0] selected.
  add sa list for msg id <df51f520>
  dh group 1
  Proc non:
IKE, processing a NONCE.
  Proc ke:
IKE, processing ISA_KE for PFS in phase 2.
  Proc id:
  Proc id:
, exp pak
  Msg header built (next payload 8)IKE, constructing SA payload for ipsec. ,
exp pak
--- more ---
Set IPSEC SA attrs tunnel(1) MD5 grp1 lifetime(3600/0)
IKE, constructing ISA_KE for PFS in phase 2
, exp pak
Phase 2 not send proxy ids.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
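The thread's diagnosis is that "no proxy id found" comes from Phase 2 proxy IDs (the Netscreen address book entries) not matching the Check Point encryption domain, and that "Inside Any"/"Outside Any" become 0.0.0.0/0 on the wire. The script below is an added example, not code from any poster or vendor: it parses the "Rcv'd P2 ID" lines quoted from the Netscreen debug above and compares them against the encryption domain the Check Point side is expected to use. The expected networks (192.168.10.0/24 and 10.1.0.0/16) are assumed values, and the check treats "match" as exact equality of network, protocol and port, which is what a peer with proxy ID checking enabled requires.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    """One Phase 2 traffic selector: network plus protocol/port (0 = any)."""
    network: ipaddress.IPv4Network
    proto: int
    port: int

    def is_wildcard(self) -> bool:
        # 0.0.0.0/0 is what a Netscreen "Inside Any"/"Outside Any" entry becomes.
        return self.network.prefixlen == 0


# Constructed sample: the "Rcv'd P2 ID" lines quoted from the thread's debug
# trace, line-wrapped exactly as they appear in the mail.
DEBUG_TRACE = """\
Either no proxy or id check disabled for peer 64.253.194.132. Rcv'd P2 ID:
type<0> local addr<0.0.0.0> mask<0.0.0.0> prot<0> port<0>. Rcv'd P2 ID:
type<0> remote addr<0.0.0.0> mask<0.0.0.0> prot<0> port<0>.
"""

# Assumed (hypothetical) Check Point encryption domains for the two ends;
# these values are not from the thread.
EXPECTED = {
    "local": ProxyId(ipaddress.ip_network("192.168.10.0/24"), 0, 0),
    "remote": ProxyId(ipaddress.ip_network("10.1.0.0/16"), 0, 0),
}

# \s* between fields so the regex survives the wrapping seen in the trace.
P2_ID_RE = re.compile(
    r"Rcv'd P2 ID:\s*type<\d+>\s*(local|remote) addr<([\d.]+)>\s*"
    r"mask<([\d.]+)>\s*prot<(\d+)>\s*port<(\d+)>"
)


def parse_p2_ids(trace: str) -> dict:
    """Return {"local": ProxyId, "remote": ProxyId} found in a debug trace."""
    ids = {}
    for side, addr, mask, prot, port in P2_ID_RE.findall(trace):
        # ip_network accepts a dotted netmask; strict=False tolerates host bits.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        ids[side] = ProxyId(net, int(prot), int(port))
    return ids


def check_proxy_ids(received: dict, expected: dict) -> list:
    """List the selectors that would fail a strict proxy ID check."""
    problems = []
    for side in ("local", "remote"):
        got = received.get(side)
        want = expected[side]
        if got is None:
            problems.append(f"{side}: no P2 ID found in trace")
            continue
        if got == want:
            continue
        hint = ""
        if got.is_wildcard():
            hint = " (looks like an Inside/Outside Any address book entry)"
        problems.append(
            f"{side}: peer sent {got.network} proto {got.proto} port {got.port}, "
            f"expected {want.network} proto {want.proto} port {want.port}{hint}"
        )
    return problems


if __name__ == "__main__":
    for line in check_proxy_ids(parse_p2_ids(DEBUG_TRACE), EXPECTED) or ["proxy IDs match"]:
        print(line)
```

Run against the quoted trace it reports both selectors as 0.0.0.0/0 wildcards that cannot equal the assumed encryption domains, which is the situation the replies describe; with matching selectors on both sides it returns an empty list. Disabling proxy ID checking on the Netscreen hides this result rather than fixing it, so the comparison is worth running before turning the check off.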