Re: [FW-1] NG FP4 VPN does not work bi-directionally
A "no valid SA" can be either in Phase 1 or Phase 2, using either IKE or IPSec. When you upgraded, the security key(s) you use were likely broken due to the fact that the SPIs (Security Parameter Index) need to ensure that nothing changes during the VPN sessions. The SPI is provided to map the incoming packet to an SA. During security negotiations within IKE, initiators present an offer, in the form of protection suites, to the responders. The SA payload within IKE is used to negotiate security associations in both Phase 1 and Phase 2 exchanges. I am wondering if there weren't some functionality changes during the change from FP3 to FP4 that may have caused the VPN problems. This is why you are seeing one-way traffic. It is therefore my calculation that the only way to fix this problem is to reconfigure the VPN and re-install the keys again. What type of encryption and auth are you using?

"Packet is drop (dropped) because there is now (no) valid SA."

Brendan Laws <[email protected]> wrote:

> Hi people,
>
> I have been looking at this for a while now and I can't see anything out of the obvious. I had a FP3 install that had a VPN running between a Nokia+FP3 and a little Linksys router; it worked fine for many months. I have recently upgraded to FP4 and since then the VPN tunnel only works when the Linksys contacts my internal networks. I cannot contact the internal network behind the Linksys router now that I have upgraded to FP4.
>
> Looking at the log viewer I can see that if I pass of a connection it matches the vpn community rule, but then I see in the logs a reject under rule 0 with "encryption failure: error occurred". Then directly after that message comes the log:
>
> Mypc --> pc-behind-linksys DROP --> Packet is drop because there is now valid SA.
>
> Now, if the PC behind the Linksys can bring up the tunnel with no problems, I can't see anything obvious that should be stopping my PC from bringing up the tunnel.
> Added to that, it all worked in FP3; it's only died since the upgrade to FP4. Can anyone recommend anything out of the ordinary to review?
>
> Cheers,
> Brendan
>
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription options, email [email protected]
> =================================================

Christopher J. Dias - CCSA, CCSE (Checkpoint), MCP + I, MCSE (Microsoft), CCNA, CCNP (Cisco), CSE (Novell)
Address: 1121 Budapest Fülemile út 12-18 4.ép.3/11.
Phone: 36 1 275-4008
Mobile: 06-20/803 9687
[email protected]
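The asymmetry Brendan describes (one direction matches the VPN rule and is then dropped for lack of a valid SA, while the reverse direction passes) is easy to spot automatically when log export is available. The following is an added example, not code from the thread or from Check Point: it parses a constructed, simplified line format modelled on the quoted log messages (the real export layout is an assumption) and flags source/destination pairs whose tunnel only works one way, so an operator can see which peer is failing to establish an SA before reconfiguring.

```python
import re

# Constructed sample lines modelled on the messages quoted in the thread.
# The field layout (ts action src= dst= rule= info="...") is an assumption,
# not the real Check Point log export format.
SAMPLE_LOG = """\
2003-09-01 10:00:01 accept src=Mypc dst=pc-behind-linksys rule=12 info="vpn community rule"
2003-09-01 10:00:01 reject src=Mypc dst=pc-behind-linksys rule=0 info="encryption failure: error occurred"
2003-09-01 10:00:01 drop src=Mypc dst=pc-behind-linksys rule=0 info="Packet is drop because there is now valid SA"
2003-09-01 10:00:05 accept src=pc-behind-linksys dst=Mypc rule=12 info="vpn community rule"
2003-09-01 10:00:06 accept src=pc-behind-linksys dst=Mypc rule=12 info="vpn community rule"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'rule=(?P<rule>\d+) info="(?P<info>[^"]*)"$'
)


def parse(text):
    """Turn the constructed log text into a list of event dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def one_way_sa_failures(events):
    """Return (src, dst) pairs dropped for 'no valid SA' whose reverse direction
    (dst, src) is seen without any such drop: the one-way tunnel symptom."""
    seen, sa_drops = set(), set()
    for e in events:
        pair = (e["src"], e["dst"])
        seen.add(pair)
        if e["action"] == "drop" and "valid SA" in e["info"]:
            sa_drops.add(pair)
    working = seen - sa_drops
    return sorted(p for p in sa_drops if (p[1], p[0]) in working)


def failure_sequence(events, pair):
    """List the info messages logged for one direction, in order, so the operator can
    confirm the rule match -> encryption failure -> SA drop chain from the thread."""
    return [e["info"] for e in events if (e["src"], e["dst"]) == pair]
```

Feed the real export into `parse` after adjusting `LINE_RE` to its field layout; the two detection functions do not depend on the sample format beyond the `src`, `dst`, `action` and `info` fields.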