Re: [FW-1] ike vpn question
I'm not sure whether this also works on 4.1 but on NG you can turn on vpn
debugging using the following procedure:

Windows NT or Windows 2000

For vpnd.elg and ike.elg logs written to the $FWDIR/log directory:

1. Go to Command Line Interface (CLI).
2. To turn on the environmental variable enter:
   set vpn_debug=1
3. To start logging enter:
   set vpn_debug on
   set vpn_debug ikeon
4. To stop logging enter:
   set vpn_debug off
   set vpn_debug ikeoff
5. To turn off the environmental variable enter:
   set vpn_debug=0

Solaris or Linux

For vpnd.elg and ike.elg logs written to the $FWDIR/log directory:

1. To turn on the environmental variable enter (csh):
   setenv vpn_debug 1
   (I do not believe this really does anything but it was in the original
   instructions I got)
2. To start logging enter:
   set vpn debug on
   set vpn_debug ikeon
3. To stop logging enter:
   set vpn debug off
   set vpn_debug ikeoff
4. To turn off the environmental variable enter:
   setenv vpn_debug 0

Nico

On Tue, Mar 19, 2002 at 01:40:01PM -0800, Russell Washington wrote:
> It seems that some lower-level debugging would be in order. Unfortunately,
> that area isn't my strong suit on the Checkpoint product. If someone knows
> how to get a more detailed error condition, it would probably be fairly
> simple from there to determine what specific issue it's unhappy about,
> whether configuration-borne or software malfunction (definitely a
> possibility).
>
> -Russ
>
> -----Original Message-----
> From: Christopher Ferraro [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 1:01 PM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
> yes. I verified license versions last night, prior to my email.
>
> this config was working previously. the firewall was rebuilt and since then
> the problem has existed.
>
> -----Original Message-----
> From: Patrick Coomans [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 2:40 PM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
> Just a hunch, but are you sure both your CP licenses support the encryption
> proposal chosen?
>
> e.g. you choose to use 3DES but you only have a license for FWZ.
>
> >>> [email protected] 19/03/02 21:22 >>>
>
> Obviously, the most likely scenario is a difference in encryption settings
> between the endpoints of the VPN.
>
> Could be an indication of the VPN module itself not processing the
> encryption request of the opposite end properly ? in other words <gasp>
> could this be a failure of the software on one end ?
>
> CF
>
> -----Original Message-----
> From: Russell Washington [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 1:04 PM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
> Ok, dug this up in RFC2408:
>
> Proposal: A proposal is a list, in decreasing order of preference, of
> the protection suites that a system considers acceptable to protect
> traffic under a given situation.
>
> This translates to me as "encryption settings" on an IPSec-compliant
> platform. Shouldn't involve the source/target if "no proposal chosen" is
> the specific error being reported.
>
> -----Original Message-----
> From: Russell Washington [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 10:23 AM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
> Could well be, but my recollection is that target/destination stuff in Phase
> 2 negotiation is a source proxy ID/dest proxy ID issue, not a proposal
> issue. On the devices where I've seen 'no proposal chosen' and subnet
> issues, they've turned up with different errors for each condition (or in
> the case of a Checkpoint to PIX with a subnet issue, the PIX just didn't
> answer at all).
>
> Doesn't mean he shouldn't check the encryption domains tho. Really curious
> over here to hear what he finds.
>
> -----Original Message-----
> From: Shah, Nishith [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 9:09 AM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
> Most likely your encryption domains (subnets defined on firewall) are not
> identical on both sides.
>
> It has to exactly match on both sides.
>
> -----Original Message-----
> From: Russell Washington [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 11:23 AM
> To: [email protected]
> Subject: Re: [FW-1] ike vpn question
>
> "No proposal chosen" means that the encryption settings on each end are not
> in sync. Yes, I know you said they're identical, but that's what the error
> means and I believe it's defined in an RFC somewhere. As cryptic as it
> sounds, it's being as precise as it will get without saying something
> verbose like "it says use DES on this side and 3DES on the other side and so
> we don't agree."
>
> Here's the rundown of settings (cross-platform) that I know will tangle this
> up:
>
> - preshared key vs RSA key vs certificates
> - DES vs 3DES vs (who knows what else)
> - ESP vs AH vs ESP+AH at the same time
> - Perfect forward secrecy (PFS) on vs off
> - Diffie-Hellman group for PFS (Group 1? Group 2? Group 3?)
>
> What I've most often seen overlooked is the PFS/DH stuff. One side has it
> on, the other has it off, or the two sides are using different DH groups.
>
> Good luck. I haven't seen one of these yet that didn't boil down to a
> mismatched setting between the two sides, and that includes the Checkpoint,
> NetScreen, and Cisco platforms.
>
> -----Original Message-----
> From: Christopher Ferraro [mailto:[email protected]]
> Sent: Tuesday, March 19, 2002 6:51 AM
> To: [email protected]
> Subject: [FW-1] ike vpn question
>
> Gentlemen:
>
> I have a question for you regarding a VPN a client of mine is attempting to
> set up.
>
> Both VPNs have identical hardware (nokia 650's), identical software
> (checkpoint 4.1, sp4). All encryption settings are identical.
>
> However, when the VPN ruleset is built, an error is seen in the log on one
> end of the VPN that says "IKE log: received notification from peer, no
> proposal chosen."
>
> what is the root of errors of this nature ?
>
> I will provide more relevant information as necessary.
>
> CF
>
> Christopher A. Ferraro
> Senior Systems Engineer
> Hubbard One
> mobile:
> www.hubbardone.com

---------------------------------------------------------
"It has been said that there are only two businesses that refer to
customers as users: illegal drug trade and the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41
Telefax: +32 2 726 26 86
e-mail: [email protected]
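An added illustration of the proposal matching the thread turns on (example code written for this page, not from any poster or from Check Point): each side's protection suites are modelled with the five settings from Russell's rundown, the responder picks the first suite the initiator offers that it also accepts, and when nothing matches the checker reports which attribute disagrees instead of the bare "no proposal chosen". The attribute names and the sample configurations are constructed for the example.

```python
"""IKE proposal selection as quoted from RFC 2408: a proposal is a list of
protection suites in decreasing order of preference; the responder takes the
first one it also accepts, else it answers NO-PROPOSAL-CHOSEN.
Added example; attribute names and sample suites are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Suite:
    auth: str       # "psk", "rsa" or "cert"   (preshared key vs RSA key vs certificates)
    cipher: str     # "des" or "3des"
    proto: str      # "esp", "ah" or "esp+ah"
    pfs: bool       # perfect forward secrecy on/off
    dh_group: int   # Diffie-Hellman group for PFS; irrelevant when pfs is False

    def mismatches(self, other: "Suite") -> List[str]:
        """Attributes on which two suites disagree (empty list means compatible)."""
        diffs = [f for f in ("auth", "cipher", "proto", "pfs")
                 if getattr(self, f) != getattr(other, f)]
        # The DH group only has to agree when both sides actually do PFS.
        if self.pfs and other.pfs and self.dh_group != other.dh_group:
            diffs.append("dh_group")
        return diffs


def choose_proposal(initiator: List[Suite], responder: List[Suite]) -> Optional[Suite]:
    """First suite in the initiator's preference order that the responder accepts."""
    for suite in initiator:
        if any(not suite.mismatches(acceptable) for acceptable in responder):
            return suite
    return None


def diagnose(initiator: List[Suite],
             responder: List[Suite]) -> Tuple[Optional[Suite], List[str]]:
    """Chosen suite, or the closest pair's differences when the answer is NO-PROPOSAL-CHOSEN."""
    chosen = choose_proposal(initiator, responder)
    if chosen is not None:
        return chosen, []
    diffs, mine, theirs = min(((i.mismatches(r), i, r) for i in initiator for r in responder),
                              key=lambda t: len(t[0]))
    return None, [f"{f}: {getattr(mine, f)!r} vs {getattr(theirs, f)!r}" for f in diffs]


# Constructed sample: the PFS/DH-group slip the thread calls the most overlooked one.
SIDE_A = [Suite("psk", "3des", "esp", True, 2), Suite("psk", "des", "esp", True, 2)]
SIDE_B = [Suite("psk", "3des", "esp", True, 1)]

if __name__ == "__main__":
    print(diagnose(SIDE_A, SIDE_B))   # (None, ['dh_group: 2 vs 1'])
```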