Re: [FW-1] NG FP2 to SofaWare VPN
Quick guess-- maybe the key lifetimes don't match up on each end (shorter on the SofaWare side). In such a scenario the NG end would think the last negotiated key was still good and the SofaWare box would have already killed the SA.

Solution: check the configs on both ends for matching lifetimes (on both phases 1/IKE and 2/IPSec, set separately).

Just a thought. Hope it's this easy. :)

---
Russell Washington, CCSE, CCSA, NCSA
Too many doggoned letters after my name.../

----- Original Message -----
From: "Steven J. Surdock, PE" <[email protected]>
To: <[email protected]>
Sent: Saturday, January 18, 2003 10:20 AM
Subject: [FW-1] NG FP2 to SofaWare VPN

I recently set up a site-to-site VPN between our Linux NG FP2 and a SofaWare Safe@Office (3.0) but am experiencing some problems. It is set-up pretty much as indicated in the SofaWare VPN config guide. We're using shared secrets with

Traffic/connections from SofaWare site --> NG site - appears to work well.
Traffic/connections from NG site --> SofaWare site - occasionally drop with the following error:

16:14:18 drop 127.0.0.1 >eth1 product VPN-1 & FireWall-1 src 172.16.1.97 s_port 4046 dst 172.17.1.95 service ftp proto tcp rule 3 scheme: NA encryption failure: Encryption/Decryption Failure

Sometimes the ftp will work, and sometimes it won't. The FW-1 LogViewer simply lists the "info" portion as, "encryption failure: Encryption/Decryption Failure"

"Vpn debug on" and "vpn diag on" did not provide much insight.

FW-1 side has policy rules
Remote_net Local_net Any Encrypt(3DES, SHA, None, Any)
Local_net Remote_net Any Encrypt(3DES, SHA, None, Any)

FW-1 side has nat rules
Remote_net Local_net Any Original Original
Local_net Remote_net Any Original Original
Local_net Local_net Any Original Original
Local_net Any Any Hide Original

-Steve S.
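One way to test the lifetime-mismatch theory from the reply against the drop log, as an added example (not code from either poster, Check Point or SofaWare): it computes the interval in which the longer-lifetime gateway still trusts an SA its peer has already expired, and marks which encryption-failure drops fall inside it. The negotiation time, both lifetime values, the `accept` line and the 16:45:10 entry are constructed assumptions; log times are treated as same-day.

```python
import re
from datetime import datetime, timedelta

# Drop entry format as quoted in the original post.
DROP_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) drop .*? src (?P<src>\S+) .*? dst (?P<dst>\S+) "
    r".*encryption failure: ")
ENTRY = ("{t} drop 127.0.0.1 >eth1 product VPN-1 & FireWall-1 src 172.16.1.97 "
         "s_port 4046 dst 172.17.1.95 service ftp proto tcp rule 3 scheme: NA "
         "encryption failure: Encryption/Decryption Failure")
# 16:14:18 is the entry from the post; the other two lines are constructed.
SAMPLE_LOG = [
    ENTRY.format(t="16:14:18"),
    "16:20:02 accept src 172.16.1.97 dst 172.17.1.95 service ftp (constructed)",
    ENTRY.format(t="16:45:10"),
]

def clock(hms):
    return datetime.strptime(hms, "%H:%M:%S")

def stale_window(negotiated_at, local_life_s, peer_life_s):
    """Interval in which the local gateway still uses an SA the peer has
    already expired; None when the peer's lifetime is not the shorter one."""
    if peer_life_s >= local_life_s:
        return None
    return (negotiated_at + timedelta(seconds=peer_life_s),
            negotiated_at + timedelta(seconds=local_life_s))

def classify(lines, negotiated_hms, local_life_s, peer_life_s):
    """Return (time, src, dst, inside_stale_window) per encryption-failure drop."""
    window = stale_window(clock(negotiated_hms), local_life_s, peer_life_s)
    results = []
    for line in lines:
        m = DROP_RE.match(line)
        if m is None:
            continue  # not an encryption-failure drop
        t = clock(m["time"])
        inside = window is not None and window[0] <= t < window[1]
        results.append((m["time"], m["src"], m["dst"], inside))
    return results

if __name__ == "__main__":
    # Assumed values: SA negotiated 15:30:00, NG lifetime 3600 s, peer 1800 s.
    for row in classify(SAMPLE_LOG, "15:30:00", 3600, 1800):
        print(row)
```

Drops that cluster inside the window are consistent with mismatched lifetimes; drops outside it point to a different cause.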
=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================