RE: [fw-wiz] Symantec firewall/vpn & Nortel Contivity 2700 branch office tunnel

TSimons_at_Delphi-Tech.com
Date: 11/15/03

  • Next message: Michael Leland: "[fw-wiz] PIX 500 as ROUTER ONLY"
    To: SThomas@PRESIDIO.com
    Date: Sat, 15 Nov 2003 08:34:20 -0500
    Looking at your last log line:
          11/12/2003 14:35:35 0 ISAKMP [03] Unprotected Notify: Invalid SPI in proposal in message from XX.XX.XX.X being dropped

    ...try going into the advanced settings on the 200R and adjusting the SPI
    level.

    Also, please post all the VPN settings (IKE and ISAKMP), and post the logs
    replacing each firewall's IP with a unique string, i.e. Nortel = N.N.N.N;
    SFVA200R = S.S.S.S

    In my experience, the Nortel will have to throw out the renegotiation, so
    all timeout values should be lower on the Nortel than the SFVA200R.

    I just worked through Symantec support with this (except with a global
    tunnel to a VR1100) ...so I'm pretty versed in the 200R, and can try to
    help with your Nortel issues with more details.

    Thanks,
    ~Todd

    -----Original Message-----
    From: Scott Thomas
    To: firewall-wizards@honor.icsalabs.com
    Sent: 11/14/2003 10:31 AM
    Subject: [fw-wiz] Symantec firewall/vpn & Nortel Contivity 2700 branch
    office tunnel

    Does anyone have any advice on getting a Symantec firewall/vpn 200R
    version V1.R5T to talk to a Nortel Contivity 2700? The IPsec settings
    seem to be the same on both ends but it is producing this error:

    11/12/2003 14:35:34 0 BoTest [01] ---------------Branch Office Test Initiated: [XX.XX.XXX.XXX:XX.XX.X.XXX]---------------
    11/12/2003 14:35:34 0 BoTest [01] o Initiating the first connection within the branch-office tunnel....
    11/12/2003 14:35:34 0 Branch Office [01] IPSEC branch office connection initiated to rem[XX.XX.XX.X-255.255.255.0]@[XX.XX.XX.X] loc[XX.XX.XX.X-255.255.255.240]
    11/12/2003 14:35:34 0 Security [11] Session: IPSEC[XX.XX.XX.X] attempting login
    11/12/2003 14:35:34 0 Security [01] Session: IPSEC[XX.XX.XX.X] has no active sessions
    11/12/2003 14:35:34 0 Security [01] Session: IPSECXX.XX.XX.X] Optimal has no active accounts
    11/12/2003 14:35:35 0 Security [01] Session: IPSEC[XX.XX.XX.X]:213330 SHARED-SECRET authenticate attempt...
    11/12/2003 14:35:35 0 Security [01] Session: IPSEC[XX.XX.XX.X]:213330 attempting authentication using LOCAL
    11/12/2003 14:35:35 0 Security [11] Session: IPSEC[XX.XX.XX.X]:213330 authenticated using LOCAL
    11/12/2003 14:35:35 0 Security [11] Session: IPSEC[XX.XX.XX.X]:213330 bound to group /Base/i2_3rd_party_Symantec/Optimal
    11/12/2003 14:35:35 0 Security [01] Session: IPSEC[XX.XX.XX.X]:213330 using group filter permit all
    11/12/2003 14:35:35 0 Security [01] Session: IPSEC[XX.XX.XX.X]:213330 LOCAL IN FILTER 1 permit UDP any any EQ 67
    FILTER 1 permit UDP any any EQ 68
    11/12/2003 14:35:35 0 Security [01] Session: IPSEC[XX.XX.XX.X]:213330 LOCAL IN FILTER 1 permit UDP any any EQ 67
    FILTER 1 permit UDP any any EQ 68
    11/12/2003 14:35:35 0 Security [11] Session: IPSEC[XX.XX.XX.X]:213330 authorized
    11/12/2003 14:35:35 0 Security [11] Session: network IPSEC[XX.XX.XX.X-255.255.255.0] attempting login
    11/12/2003 14:35:35 0 Security [11] Session: network IPSEC[XX.XX.XX.X-255.255.255.0] logged in from gateway [XX.XX.XX.X]
    11/12/2003 14:35:35 0 ISAKMP [02] ISAKMP SA established with XX.XX.XX.X
    11/12/2003 14:35:35 0 ISAKMP [03] Unprotected Notify: Invalid SPI in proposal in message from XX.XX.XX.X being dropped

    TIA

    Scott

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
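Two things Todd asks for in the thread can be scripted: replacing each firewall's address with a unique string before logs are posted to the list (so that two different hosts never collapse into the same XX.XX.XX.X), and picking the "Invalid SPI" notify out of the Contivity output together with whether an ISAKMP SA had already come up with that peer. The Python below is an added example for this thread, not code from either poster or from Symantec or Nortel; the sample log lines, the RFC 5737 documentation addresses, the H1.H1.H1.H1 fallback tokens and the netmask heuristic are all assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of Contivity-style branch-office log lines in the same
# shape as the output quoted in the thread. Not copied from any device; the
# addresses are RFC 5737 documentation ranges (192.0.2.1 stands in for the
# 200R, 198.51.100.7 for the Nortel) and are assumptions for this example.
SAMPLE_LOG = """\
11/12/2003 14:35:34 0 BoTest [01] ---------------Branch Office Test Initiated: [192.0.2.1:198.51.100.7]---------------
11/12/2003 14:35:34 0 Branch Office [01] IPSEC branch office connection initiated to rem[198.51.100.0-255.255.255.0]@[198.51.100.7] loc[192.0.2.16-255.255.255.240]
11/12/2003 14:35:35 0 Security [11] Session: IPSEC[198.51.100.7]:213330 authenticated using LOCAL
11/12/2003 14:35:35 0 ISAKMP [02] ISAKMP SA established with 198.51.100.7
11/12/2003 14:35:35 0 ISAKMP [03] Unprotected Notify: Invalid SPI in proposal in message from 198.51.100.7 being dropped
"""

# One log record: date, time, severity digit, subsystem, two-digit code, message.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<sev>\d+) "
    r"(?P<subsys>.+?) \[(?P<code>\d{2})\] (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split raw log text into records. Lines that do not start a record
    (such as wrapped 'FILTER 1 ...' continuations) are appended to the
    previous record's message."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records:
            records[-1]["msg"] += "\n" + line
    return records


def _is_netmask(ip: str) -> bool:
    """Heuristic: a dotted quad whose bits form one contiguous run of ones
    (255.255.255.0, 255.255.255.240, ...) is a mask. Masks are not sensitive
    and are left in place so the subnet sizes in the log stay readable."""
    octets = [int(o) for o in ip.split(".")]
    if any(o > 255 for o in octets):
        return False
    v = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    return v != 0 and (v | (v - 1)) == 0xFFFFFFFF


def sanitize_log(text: str, placeholders: Optional[Dict[str, str]] = None
                 ) -> Tuple[str, Dict[str, str]]:
    """Replace every host address with a stable placeholder. Known hosts use
    the caller's tokens (Todd's N.N.N.N / S.S.S.S convention); every other
    address gets H1.H1.H1.H1, H2.H2.H2.H2, ... in order of first appearance.
    Returns the sanitized text and the full mapping used."""
    mapping: Dict[str, str] = dict(placeholders or {})
    counter = [0]

    def repl(m) -> str:
        ip = m.group(0)
        if _is_netmask(ip):
            return ip
        if ip not in mapping:
            counter[0] += 1
            mapping[ip] = "H{0}.H{0}.H{0}.H{0}".format(counter[0])
        return mapping[ip]

    return IPV4_RE.sub(repl, text), mapping


def find_invalid_spi(text: str) -> List[Dict[str, object]]:
    """Report each 'Invalid SPI' notify and whether an ISAKMP (phase 1) SA
    had already been established with that peer earlier in the log, which
    tells the reader whether phase 1 completed before the proposal was
    rejected."""
    established = set()
    events: List[Dict[str, object]] = []
    for rec in parse_log(text):
        if rec["subsys"] != "ISAKMP":
            continue
        m = re.search(r"ISAKMP SA established with (\S+)", rec["msg"])
        if m:
            established.add(m.group(1))
            continue
        m = re.search(r"Invalid SPI .*? from (\S+) being dropped", rec["msg"])
        if m:
            peer = m.group(1)
            events.append({"time": rec["time"], "peer": peer,
                           "isakmp_sa_established": peer in established})
    return events


if __name__ == "__main__":
    for ev in find_invalid_spi(SAMPLE_LOG):
        print("Invalid SPI from %(peer)s at %(time)s, ISAKMP SA already up: "
              "%(isakmp_sa_established)s" % ev)
    clean, used = sanitize_log(SAMPLE_LOG,
                               {"198.51.100.7": "N.N.N.N", "192.0.2.1": "S.S.S.S"})
    print(clean)
    print(used)
```

Run it against a saved Contivity log with the real peer and local addresses in the `placeholders` dictionary; the returned mapping is what you keep privately, and the sanitized text is what goes to the list. The netmask test is a heuristic, so check the mapping before posting if the log contains unusual addresses.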