Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] NG FP2 to SofaWare VPN

To: [email protected]
Subject: Re: [FW-1] NG FP2 to SofaWare VPN
From: Russell Washington <[email protected]>
Date: Sat, 18 Jan 2003 12:41:23 -0800
References: <6111FD9C30F8F344A3DAF3886A0CFE4D39DD96@coleridge.internal.kalana.com>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Quick guess-- maybe the key lifetimes don't match up on each end (shorter on
the SofaWare side).  In such a scenario the NG end would think the last
negotiated key was still good and the SofaWare box would have already killed
the SA.  Solution:  check the configs on both end for matching lifetimes (on
both phass 1/IKE and 2/IPSec, set separately).

Just a thought.  Hope it's this easy. :)
---
Russell Washington, CCSE, CCSA, NCSA
Too many doggoned letters after my name.../


----- Original Message -----
From: "Steven J. Surdock, PE" <[email protected]>
To: <[email protected]>
Sent: Saturday, January 18, 2003 10:20 AM
Subject: [FW-1] NG FP2 to SofaWare VPN


I recently set up a site-to-site VPN between our Linux NG FP2 and a SofaWare
Safe@Office (3.0) but am experiencing some problems.  It is set-up pretty
much as indicated in the SofaWare VPN config guide.  We're using shared
secrets with

Traffic/connections from SofaWare site --> NG site - appears to work well.
Traffic/connections from NG site --> SofaWare site - occasionally drop with
the following error:

16:14:18 drop   127.0.0.1  >eth1 product VPN-1 & FireWall-1 src 172.16.1.97
s_port 4046 dst 172.17.1.95 service ftp proto tcp rule 3 scheme: NA
encryption failure: Encryption/Decryption Failure

Sometimes the ftp will work, and sometime it won't.

The FW-1 LogViewer simply lists the "info" portion as, "encryption failure:
Encryption/Decryption Failure"

"Vpn debug on" and "vpn diag on" did not provide much insight.

FW-1 side has policy rules

Remote_net     Local_net    Any     Encrypt(3DES, SHA, None, Any)
Local_net      Remote_net   Any     Encrypt(3DES, SHA, None, Any)

FW-1 side has nat rules

Remote_net     Local_net    Any     Original   Original
Local_net      Remote_net   Any     Original   Original
Local_net      Local_net    Any     Original   Original
Local_net      Any          Any     Hide       Original



-Steve S.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

References:
- [FW-1] NG FP2 to SofaWare VPN
  - From: "Steven J. Surdock, PE" <[email protected]>

Prev by Date: Re: [FW-1] anyone dhcp relay success?
Next by Date: Re: [FW-1] Stripping Mail Header
Previous by thread: [FW-1] NG FP2 to SofaWare VPN
Next by thread: [FW-1] Migrating to NG management - anti-spoofing problems
Index(es):
- Date
- Thread