Re: [FW1] Invalid Cookie
Gus,

The cookie that is off is the timeliness cookie, designed to validate that the VPN connection is not a replay of a previous session. Phase 2 stage 0 indicates that Alcatel is not holding the phase 1 cookie going into the SA establishment. I've seen this problem before, where a unidirectional tunnel was possible because of incompatibility in VPN code. However, since Alcatel and Check Point are both IPSec 1.0a certified, I would be more inclined to suspect that the Alcatel side is using perfect forward secrecy with a low re-key interval. This would mean that Check Point does not invalidate the session, but that the remote side initiates an SA renewal request, using a completely different set of parameters upon each rekey, whereas the Check Point is probably not configured for PFS, and thus reuses the old Skey_id_r, id_e, and id_a.

For the solution, I would look closely at the details of the Alcatel side connection, and then check Policy->Properties->Encryption and look for the IPSEC renegotiation interval. Although suspicion has it that it will be a PFS issue.

Just a guess,

CryptoTech

Gus Reyes wrote:
> I set up VPN between Checkpoint and Alcatel systems using IKE, MD5, Shared
> Secret. So far, only CP to Alcatel connections work, not vice versa. Log
> viewer in CP shows successful key installs - phase 1 and phase 2. I see
> encrypted packets going out and can even see a server behind the Alcatel.
> Ten minutes after key exchange, I get the following: 'IKE Log: Sent
> Notification: invalid cookie <phase2 stage0>'. Remote end does not find my
> server. Despite this error, I can still VPN connect with Alcatel. Not the
> other way around. Any ideas???
>
> Thanks
>
> Gus

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
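The reply above turns on how the IKEv1 responder uses the cookie pair from phase 1 to recognise phase 2 (quick mode) traffic, and what it does when a quick-mode packet arrives with a cookie pair it does not hold. The following is an added example, not code from this thread, from Check Point or from Alcatel: a toy responder that parses the fixed ISAKMP header (RFC 2408) and keeps its ISAKMP SA table keyed by (initiator cookie, responder cookie). The SA table, the verdict strings, the sample cookies and the packet sequence in `demo()` are all constructed for illustration; the header layout, exchange type numbers and the INVALID-COOKIE notify type (4) are from the RFCs. The last two steps show the two ways a quick-mode packet ends up rejected: the peer not carrying the phase 1 cookies forward (zeroed responder cookie), and one side having torn the ISAKMP SA down while the other keeps sending under the old cookies.

```python
import os
import struct

# ISAKMP header (RFC 2408 section 3.1), 28 bytes:
#   initiator cookie (8), responder cookie (8), next payload (1),
#   version major<<4|minor (1), exchange type (1), flags (1),
#   message ID (4), total length (4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_COOKIE = b"\x00" * 8

# Exchange types (RFC 2408 section 3.1 / RFC 2409 section 7)
EXCH_IDENTITY_PROTECTION = 2   # IKEv1 main mode (phase 1)
EXCH_AGGRESSIVE = 4            # IKEv1 aggressive mode (phase 1)
EXCH_INFORMATIONAL = 5
EXCH_QUICK_MODE = 32           # IKEv1 quick mode (phase 2)

NOTIFY_INVALID_COOKIE = 4      # RFC 2408 section 3.14.1 notify type


def parse_isakmp_header(pkt: bytes) -> dict:
    """Unpack the fixed ISAKMP header and sanity-check the length field."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP packet")
    i_ck, r_ck, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("length field %d != packet size %d" % (length, len(pkt)))
    return {
        "i_cookie": i_ck, "r_cookie": r_ck, "next_payload": nxt,
        "version": (ver >> 4, ver & 0x0F), "exchange": exch,
        "flags": flags, "msg_id": msg_id, "length": length,
    }


def build_isakmp(i_cookie: bytes, r_cookie: bytes, exch: int,
                 msg_id: int = 0, body: bytes = b"") -> bytes:
    """Build a packet with a valid header; payloads are opaque here."""
    return ISAKMP_HDR.pack(i_cookie, r_cookie, 0, 0x10, exch, 0, msg_id,
                           ISAKMP_HDR.size + len(body)) + body


class IsakmpResponder:
    """Toy responder whose ISAKMP SA table is keyed by the cookie pair.

    Constructed model for illustration, not any vendor's implementation.
    """

    def __init__(self):
        self.sas = {}  # (i_cookie, r_cookie) -> "negotiating" | "established"

    def handle(self, pkt: bytes):
        """Return (verdict, responder_cookie) for one inbound packet."""
        h = parse_isakmp_header(pkt)
        key = (h["i_cookie"], h["r_cookie"])
        if h["exchange"] in (EXCH_IDENTITY_PROTECTION, EXCH_AGGRESSIVE):
            if h["r_cookie"] == ZERO_COOKIE:
                # First message of a new phase 1: allocate our own cookie.
                r_ck = os.urandom(8)
                self.sas[(h["i_cookie"], r_ck)] = "negotiating"
                return "PHASE1-NEW", r_ck
            if key in self.sas:
                self.sas[key] = "established"  # remaining phase 1 messages
                return "PHASE1-CONTINUE", h["r_cookie"]
            return "INVALID-COOKIE", h["r_cookie"]
        if h["exchange"] == EXCH_QUICK_MODE:
            # Phase 2 must ride on an established ISAKMP SA. An unknown or
            # zeroed cookie pair is what a responder answers with an
            # Informational exchange carrying notify type INVALID-COOKIE (4).
            if self.sas.get(key) == "established":
                return "ACCEPT", h["r_cookie"]
            return "INVALID-COOKIE", h["r_cookie"]
        return "IGNORED", h["r_cookie"]

    def delete_sa(self, i_cookie: bytes, r_cookie: bytes) -> None:
        """Drop an ISAKMP SA, e.g. on lifetime expiry or re-key."""
        self.sas.pop((i_cookie, r_cookie), None)


def demo() -> list:
    """Walk the constructed scenario; return the responder's verdicts in order."""
    resp = IsakmpResponder()
    i_ck = b"\x11" * 8  # constructed initiator cookie
    out = []
    verdict, r_ck = resp.handle(build_isakmp(i_ck, ZERO_COOKIE, EXCH_IDENTITY_PROTECTION))
    out.append(verdict)
    out.append(resp.handle(build_isakmp(i_ck, r_ck, EXCH_IDENTITY_PROTECTION))[0])
    # Phase 2 carrying the phase 1 cookies forward: accepted.
    out.append(resp.handle(build_isakmp(i_ck, r_ck, EXCH_QUICK_MODE, msg_id=0x1234))[0])
    # Phase 2 from a peer that did not carry the phase 1 cookies forward.
    out.append(resp.handle(build_isakmp(i_ck, ZERO_COOKIE, EXCH_QUICK_MODE, msg_id=0x1235))[0])
    # Responder has torn the ISAKMP SA down; the peer keeps using the old cookies.
    resp.delete_sa(i_ck, r_ck)
    out.append(resp.handle(build_isakmp(i_ck, r_ck, EXCH_QUICK_MODE, msg_id=0x1236))[0])
    return out


if __name__ == "__main__":
    print(demo())
```

Running the block prints `['PHASE1-NEW', 'PHASE1-CONTINUE', 'ACCEPT', 'INVALID-COOKIE', 'INVALID-COOKIE']`. The practical point for a capture taken on the Check Point side is that a rejected quick-mode packet can be identified from the header alone: compare its 16 cookie bytes against the cookie pair of the most recent completed phase 1, and note whether the responder cookie is zero or simply stale.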