
Re: [FW-1] NG FP4 VPN does not work bi-directionally



In other words, the SA offer from the Initiator does not correspond with the SA offer of the Receiver. Unless there are now some incompatibility problems due to the upgrade, you must remove the keys and start over - is what I would do. Even if there were, you still need to delete the keys, which will send a delete signal to the SADs (Security Association Databases). Start over, and problem fixed.

-------

A no valid SA can be either in Phase 1 or Phase 2 using either IKE or IPSec. When you upgraded, the security key(s) you use were likely broken due to the fact that the SPIs (Security Parameter Index) need to ensure that nothing changes during the VPN sessions. The SPI is provided to map the incoming packet to an SA. During Security negotiations within IKE, initiators present an offer, in the form of protection suites, to the responders. The SA payload within IKE is used to negotiate security associations in both Phase 1 and Phase 2 exchanges.

I am wondering if there weren't some functionality changes during the change from FP3 to FP4 that may have caused the VPN problems. This is why you are seeing one-way traffic. It is therefore my calculation that the only way to fix this problem is to reconfigure the VPN and re-install the keys again. What type of encryption and auth are you using?

Packet is drop (dropped) because there is now (no) valid SA.

Brendan Laws <Blaws@CONTENTWISE.COM.AU> wrote:

Hi people,

I have been looking at this for a while now and I can't see anything out of the obvious.

I had a FP3 install that had a VPN running between a Nokia+FP3 and a little Linksys router, it worked fine for many months.

I have recently upgraded to FP4 and since then the VPN tunnel only works when the Linksys contacts my internal networks, I cannot contact the internal network behind the Linksys router now that I have upgraded to FP4.

Looking at the log viewer I can see that if I pass of a connection it matches the vpn community rule but then I see in the logs a reject under rule 0 with "encryption failure: error occurred" then directly after that message comes the log

Mypc --> pc-behind-linksys DROP --> Packet is drop because there is now valid SA.

Now if the PC behind the Linksys can bring up the tunnel with no problems, I can't see anything obvious that should be stopping my pc from bringing up the tunnel.

Added to that it all worked in FP3, it's only died since the upgrade to FP4.

Can anyone recommend anything out of the ordinary to review?

Cheers,
Brendan




Christopher J. Dias - CCSA, CCSE (Checkpoint), MCP + I, MCSE (Microsoft), CCNA, CCNP (Cisco), CSE (Novell)
Address: 1121 Budapest, Fülemile út 12-18 4.ép. 3/11.
Phone: 36 1 275-4008  Mobile: 06-20/803 9687
[email protected]



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
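As an added illustration of the one-way symptom discussed in this thread (example code, not from the thread, from Check Point or from either poster), the following Python script groups VPN log records by direction and flags a direction that produces "no valid SA" drops while the reverse direction is accepted. The log lines are constructed, and the field layout (`src=`, `dst=`, `rule=`, `info=`) is an assumption rather than the real FW-1 log viewer format.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the symptom in the thread (outbound:
# community rule match, rule 0 encryption failure, "no valid SA" drop; inbound
# works). The field layout is an assumption, not the real FW-1 log format.
SAMPLE_LOG = """\
10:01:02 accept src=mypc dst=pc-behind-linksys rule=12 info="VPN community rule"
10:01:02 reject src=mypc dst=pc-behind-linksys rule=0 info="encryption failure: error occurred"
10:01:02 drop src=mypc dst=pc-behind-linksys rule=0 info="Packet is dropped because there is no valid SA"
10:02:15 accept src=pc-behind-linksys dst=mypc rule=12 info="VPN community rule"
10:02:40 accept src=pc-behind-linksys dst=mypc rule=12 info="VPN community rule"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'rule=(?P<rule>\d+) info="(?P<info>[^"]*)"$'
)

def parse_records(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def direction_stats(log_text):
    """Count accepts, encryption-failure rejects and no-valid-SA drops per (src, dst)."""
    stats = defaultdict(lambda: {"accept": 0, "enc_fail": 0, "no_sa": 0})
    for rec in parse_records(log_text):
        key = (rec["src"], rec["dst"])
        if rec["action"] == "drop" and "no valid SA" in rec["info"]:
            stats[key]["no_sa"] += 1
        elif rec["action"] == "reject" and "encryption failure" in rec["info"]:
            stats[key]["enc_fail"] += 1
        elif rec["action"] == "accept":
            stats[key]["accept"] += 1
    return dict(stats)

def one_way_failures(stats):
    """(src, dst) pairs dropped on 'no valid SA' whose reverse direction is
    accepted with no SA drops: the bi-directional asymmetry in the thread."""
    broken = []
    for (src, dst), s in stats.items():
        rev = stats.get((dst, src), {"accept": 0, "enc_fail": 0, "no_sa": 0})
        if s["no_sa"] > 0 and rev["accept"] > 0 and rev["no_sa"] == 0:
            broken.append((src, dst))
    return sorted(broken)
```

Run over a real log export after adapting `LINE_RE` to the actual field layout; a non-empty result from `one_way_failures` is the cue to inspect the SA/SPI state on both peers rather than the rulebase.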

   All contents © 2004 Network Presence, LLC. All rights reserved.