
Re: [FW-1] NG FP4 VPN does not work bi-directionally



A "no valid SA" can be either in Phase 1 or Phase 2, using either IKE or IPSec. When you upgraded, the security key(s) you use were likely broken due to the fact that the SPIs (Security Parameter Index) need to ensure that nothing changes during the VPN sessions. The SPI is provided to map the incoming packet to an SA. During security negotiations within IKE, initiators present an offer, in the form of protection suites, to the responders. The SA payload within IKE is used to negotiate security associations in both Phase 1 and Phase 2 exchanges.

I am wondering if there weren't some functionality changes during the change from FP3 to FP4 that may have caused the VPN problems. This is why you are seeing one-way traffic. It is therefore my calculation that the only way to fix this problem is to reconfigure the VPN and re-install the keys again. What type of encryption and auth are you using?

Packet is drop (dropped) because there is now (no) valid SA.


Brendan Laws <[email protected]> wrote:

Hi people,

I have been looking at this for a while now and I can't see anything out
of the obvious.

I had a FP3 install that had a VPN running between a Nokia+FP3 and a
little Linksys router, it worked fine for many months.

I have recently upgraded to FP4 and since then the VPN tunnel only works
when the Linksys contacts my internal networks, I can not contact the
internal network behind the Linksys router now that I have upgraded to
FP4.

Looking at the log viewer I can see that if I pass of a connection it
matches the vpn community rule but then I see in the logs a reject under
rule 0 with "encryption failure: error occurred" then directly after
that message comes the log

Mypc --> pc-behind-linksys DROP --> Packet is drop because there is now
valid SA.

Now if the PC behind the Linksys can bring up the tunnel with no
problems, I can't see anything obvious that should be stopping my pc
from bringing up the tunnel.

Added to that, it all worked in FP3; it's only died since the upgrade to
FP4.

Can anyone recommend anything out of the ordinary to review?

Cheers,
Brendan




=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



Christopher J. Dias - CCSA, CCSE (Checkpoint), MCP + I, MCSE (Microsoft), CCNA, CCNP (Cisco), CSE (Novell)
Address: 1121 Budapest
Fülemile út 12-18 4.ép.3/11.
Phone: 36 1 275-4008 Mobile: 06-20/803 9687
[email protected]
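The reply above describes the mechanism behind the quoted log line: each inbound ESP packet carries an SPI, the gateway uses it to select a Security Association, and a packet whose SPI matches no SA is dropped. The following toy model, added here as an example and not code from Check Point, Nokia or Linksys, walks through that lookup for a constructed scenario: a working tunnel, a gateway restart that empties its SA database while the peer keeps its old SPI, the resulting "no valid SA" drops, and a renegotiated SA under a new SPI. The addresses, SPIs, algorithm labels and log format are all constructed for illustration.

```python
"""Toy inbound ESP processing: map each packet's SPI to a Security Association.

Added example for this thread, not code from Check Point, Nokia or Linksys.
The SA database, packets and log lines below are constructed to show why a
peer that keeps using an SPI the gateway no longer knows is dropped with
"no valid SA" until the SA is renegotiated.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 4303 ESP header: 32-bit SPI followed by a 32-bit sequence number.
ESP_HEADER = struct.Struct("!II")


@dataclass
class SecurityAssociation:
    spi: int
    peer: str           # remote gateway the SA was negotiated with
    encr: str           # algorithm labels only; no cryptography is performed here
    auth: str
    last_seq: int = 0   # highest sequence number accepted so far (replay window of 1)


@dataclass
class SecurityAssociationDatabase:
    # Inbound SAs are selected by (local destination address, SPI).
    inbound: Dict[Tuple[str, int], SecurityAssociation] = field(default_factory=dict)

    def install(self, local: str, sa: SecurityAssociation) -> None:
        self.inbound[(local, sa.spi)] = sa

    def flush(self) -> None:
        """Forget every SA, as happens when the VPN daemon restarts for an upgrade."""
        self.inbound.clear()

    def lookup(self, local: str, spi: int) -> Optional[SecurityAssociation]:
        return self.inbound.get((local, spi))


def parse_esp(packet: bytes) -> Tuple[int, int, bytes]:
    """Split an ESP packet into (spi, sequence number, remaining bytes)."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    spi, seq = ESP_HEADER.unpack_from(packet)
    return spi, seq, packet[ESP_HEADER.size:]


def process_inbound(sad: SecurityAssociationDatabase, src: str, dst: str, packet: bytes) -> str:
    """Return one audit line: ACCEPT, or DROP with the reason the gateway would log."""
    spi, seq, _payload = parse_esp(packet)
    sa = sad.lookup(dst, spi)
    if sa is None:
        # This is the condition behind the log line quoted in the thread.
        return f"{src} --> {dst} DROP spi=0x{spi:08x}: packet is dropped because there is no valid SA"
    if sa.peer != src:
        return f"{src} --> {dst} DROP spi=0x{spi:08x}: SA was negotiated with {sa.peer}"
    if seq <= sa.last_seq:
        return f"{src} --> {dst} DROP spi=0x{spi:08x}: replayed sequence number {seq}"
    sa.last_seq = seq
    return f"{src} --> {dst} ACCEPT spi=0x{spi:08x} seq={seq} ({sa.encr}/{sa.auth})"


def simulate_upgrade() -> List[str]:
    """Constructed scenario: working tunnel, gateway restart, stale SPI, renegotiation."""
    gateway, linksys = "192.0.2.1", "198.51.100.7"   # RFC 5737 documentation addresses
    sad = SecurityAssociationDatabase()
    sad.install(gateway, SecurityAssociation(0x1234ABCD, linksys, "3DES", "SHA1"))
    lines = [process_inbound(sad, linksys, gateway, ESP_HEADER.pack(0x1234ABCD, 1) + b"ciphertext")]

    sad.flush()  # upgrade: the gateway's SA database is gone, the peer's is not
    lines.append(process_inbound(sad, linksys, gateway, ESP_HEADER.pack(0x1234ABCD, 2) + b"ciphertext"))

    # Phase 2 renegotiation installs a fresh SA under a new SPI; traffic flows again.
    sad.install(gateway, SecurityAssociation(0x9F00E001, linksys, "3DES", "SHA1"))
    lines.append(process_inbound(sad, linksys, gateway, ESP_HEADER.pack(0x9F00E001, 1) + b"ciphertext"))
    return lines


def count_no_sa_drops(lines: List[str]) -> Dict[str, int]:
    """Detection helper: tally 'no valid SA' drops per source; a peer holding stale SAs stands out."""
    counts: Dict[str, int] = {}
    for line in lines:
        if "no valid SA" in line:
            src = line.split(" --> ", 1)[0]
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for line in simulate_upgrade():
        print(line)
```

The middle line of the simulated log is the drop Brendan sees: the Linksys still has a valid SA and can encrypt toward the gateway, but nothing in the gateway's SA database answers to that SPI. Once the gateway's side is rebuilt through renegotiation, the same peer is accepted under the new SPI, which is why the reply recommends reconfiguring the VPN rather than hunting for a rulebase fault.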





