RE: [FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and FW1 SP2 on NT
Hi Scott,

We experienced exactly the same behaviour when trying to connect a VPN-1 to a Cisco PIX with IKE and pre-shared secrets some months ago. That is, the VPN worked when going from behind the PIX, but when trying to go from behind the VPN-1 to the PIX, we got exactly the same errors as you describe here Scott, that is they don't seem to be able to agree on SA!!! We wrote it off as being a Cisco problem and got ourselves another small PIX (yeah I know, it's a bad bad thing ;-) ) to terminate this particular VPN. But seeing this I'm beginning to wonder if this might be a VPN-1 problem, anyone else seen this??

Arnor Arnason
[email protected]
EJS Iceland

Date: Thu, 15 Feb 2001 10:39:46 -0500
From: Scott Hunter <[email protected]>
Subject: [FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and FW1 SP2 on NT

I am trying to set up a VPN using a Nokia CC 500 and FW1. I'm using IKE and pre-shared secrets. The tunnel works in one direction, from the network behind the Nokia to the network behind the FW1 machine, but when I attempt to access the network behind the Nokia CC 500 from the network behind the FW1, it fails and I get the following on the CC 500 console (some IPs changed to protect the innocent):

Thu Feb 15 15:16:18 2001 (IPSEC)-ERR: key_find_responder_policy: matching outbound selector not found
Thu Feb 15 15:16:18 2001 (IKE)-ERR: receive: failed to locate QM responder policy

then:

Thu Feb 15 15:16:43 2001 (IKE)-AUDIT: IKE SA deleted for 123.123.123.66 (123.123.123.66)
Thu Feb 15 15:16:43 2001 (IKE)-NOTICE: process_sa: no proposal chosen

Then the tunnel goes down and does not come back up until traffic goes from the network behind the Nokia CC 500 to the network behind the FW1 box.
When it is up, IPSEC looks like this:

IPSec Security Associations:

spi: ffff3c00 <- ffff1d87
source address: 123.123.123.66
destination address: 123.123.123.80
client identity: 10.10/24
type: esp
integrity algorithm: md5 (128 bits)
secrecy algorithm: 3des (192 bits)
flags: inbound,initiator,tunnel
lifetime: 60 minutes
time-to-live: 59 minutes
traffic: 848 bytes

spi: ffff1d87 -> ffff3c00 (1)
source address: 123.123.123.80
destination address: 123.123.123.66
client identity: 10/24
type: esp
integrity algorithm: md5 (128 bits)
secrecy algorithm: 3des (192 bits)
flags: outbound,initiator,tunnel
lifetime: 60 minutes
time-to-live: 59 minutes
traffic: 632 bytes

and IKE looks like this:

IKE Security Associations:

sequence: 2b
state: MM_IDLE
flags: outbound,valid
source: 123.123.123.80
destination: 123.123.123.66
peer identity: fqdn.domain.com
oakley group: modp-768
encryption algorithm: 3des
hash algorithm: md5
authentication method: pre-shared key
associations: 2
lifetime: 8 hours
time-to-live: 7 hours

It's also really slow. Anyone out there have any experience with the Nokia CC 500 that they would like to share?

Scott

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
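The one-directional failure Scott describes (Quick Mode completes only when the CC 500 initiates) is the usual signature of a traffic-selector mismatch between the two peers' policies. The following Python model is an added example, not code from the thread, from Nokia or from Check Point: it expands the compact "client identity" notation seen in the SA listing and shows how a responder's outbound-policy lookup can succeed when one side initiates and fail when the other does. The policy tables and the 10.0.0.0/16 versus 10.0.0.0/24 mismatch are constructed for illustration, and the lookup is a simplified model of what the CC 500 logs as key_find_responder_policy, not its actual implementation.

```python
import ipaddress


def parse_client_identity(ident):
    """Expand the CC 500's compact client identity ('10.10/24', '10/24')
    into a full IPv4 network. Assumed reading of the SA listing's notation;
    fully written prefixes such as '10.0.0.0/24' pass through unchanged."""
    addr, plen = ident.split("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen}", strict=False)


def find_responder_policy(policies, idci, idcr):
    """Quick Mode responder lookup (simplified model, not the CC 500's code).
    IDci/IDcr arrive from the initiator's point of view, so the responder's
    local side is IDcr and its remote side is IDci. Returns the matching
    policy name, or None: the 'matching outbound selector not found' case,
    which the responder answers with NO_PROPOSAL_CHOSEN."""
    local, remote = parse_client_identity(idcr), parse_client_identity(idci)
    for pol in policies:
        if local.subnet_of(pol["local"]) and remote.subnet_of(pol["remote"]):
            return pol["name"]
    return None


def quick_mode(initiator_policy, responder_policies):
    """The initiator proposes its own policy's selectors as IDci/IDcr and the
    responder looks them up in its policy table."""
    idci, idcr = initiator_policy["local"], initiator_policy["remote"]
    return find_responder_policy(responder_policies, str(idci), str(idcr))


# Constructed configuration (hypothetical, not Scott's actual setup): the
# CC 500 policy names the FW1 side as 10.0.0.0/24, while the FW1 encryption
# domain actually covers the wider 10.0.0.0/16.
CC500_POLICIES = [{"name": "to-fw1",
                   "local": ipaddress.IPv4Network("10.10.0.0/24"),
                   "remote": ipaddress.IPv4Network("10.0.0.0/24")}]
FW1_POLICIES = [{"name": "to-cc500",
                 "local": ipaddress.IPv4Network("10.0.0.0/16"),
                 "remote": ipaddress.IPv4Network("10.10.0.0/24")}]


def cc500_initiates():
    # 10.0.0.0/24 fits inside FW1's 10.0.0.0/16, so FW1 finds a policy.
    return quick_mode(CC500_POLICIES[0], FW1_POLICIES)


def fw1_initiates():
    # FW1 proposes 10.0.0.0/16, which the CC 500's 10.0.0.0/24 cannot cover.
    return quick_mode(FW1_POLICIES[0], CC500_POLICIES)
```

Comparing the two peers' configured selectors side by side, rather than only the direction that happens to work, is the quickest check for this class of one-way tunnel.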