Re: [fw-wiz] netscreen 25 sofaware ipsec interop

Mark.Boltz_at_stonesoft.com
Date: 01/06/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 6 Jan 2004 08:36:55 -0500
    
    

    Timo,

    I'm not really familiar with the CP Sofaware boxes, but you may want to
    check the interoperability guides for Check Point and NetScreen at the VPN
    Consortium's site at http://www.vpnc.org/. Assuming the SW box can do true
    IPsec, it may provide some insight as to what you need to get a tunnel
    established between the two devices.

    ---
    Mark Boltz
    Sr. Sales Consultant
    mark.boltz@stonesoft.com
    Tel:  1.703.744.1365
    Fax:  1.703.744.1001
    Cell: 1.571.218.2481
    1750 Tysons Blvd, 4th Floor
    McLean, VA 22102     USA
    http://www.stonesoft.com
    Real World Business Security (TM)
    From: Timo Proescholdt <proescho@informatik.uni-muenchen.de>
    Sent by: firewall-wizards-admin@honor.icsalabs.com
    Date: 01/05/2004 11:44 AM
    To: firewall-wizards@honor.icsalabs.com
    cc:
    Subject: [fw-wiz] netscreen 25 sofaware ipsec interop
    Hi List,
    my first post to this list. The archive helped me
    a lot in the past, but I have come to a point where I don't know what to
    do.
    I try to set up a route based VPN between a netscreen NS25 and one of these
    Checkpoint SOFAWARE 4.0.41 appliances.
    I need the SOFAWARE box because of its PPTP internet access feature
    which I am missing at other vendors.
    The NS has a fixed IP, the SW a dynamic one.
    Authentication shall be done using certificates.
    First I created and signed two simple (no subjectAltName) certificates
    with an openssl CA, and imported the local certificates and the cacert
    both into the devices.
    Then I configured the netscreen to use its DN for phase 1
    IKE ID [local Id [DistinguishedName]], and to expect the DN of the
    peer as peer IKE ID [use distinguished name for peer id].
    I mostly followed the configuration example "Route Based Site-to-Site
    VPN, dynamic peer" in the manual, enriched by the hints of David Klein
    given on this list.
    My problem is that I cannot pass phase 1 (IKE).
    My netscreen device shows the following error in its log:
    Rejected an initial Phase 1 packet from an unrecognized peer gateway.
    I double checked that there are no typos in the DN, the clocks are
    set up all right and that the certs are signed correctly.
    My problem is that I have absolutely no idea what this SOFAWARE
    device expects as IKE ID, neither what it sends as local IKE ID.
    Another miracle is the contents of the certificate for the SW box.
    In another run, I tried to create a certificate containing an email
    address in the subjectAltName field. I used this as Peer ID in
    netscreen's AutoKey->Gateway configuration dialog.
    Same error message.
    Has anyone on the list experience with the SW boxes?
    I am new to both of these devices, but I definitely prefer the NS:
    lots of documentation, nice cmdline.
    Exactly the things I miss at the SW box.
    I include a dbuf run of one (unsuccessful) IKE run at the end of this
    mail. ( debug ike all )
    Best Regards
    and many thanks
    Timo
    dbuf shows:
    -- IKE<62.246.143.211> Receive 1st Phase 1 packet::
    -- 86 6f 5c e5 4e 99 22 78  00 00 00 01 00 00 0f a2
    [..]
    -- 00 00 00 00 00 00 00 00  18 40 00 00
    -- IKE<62.246.143.211> Getting IKE gateway entry for peer ip
    <62.246.143.211>, local ip <62.246.143.210>, vsys <none>, id type <0>.
    -- IKE<62.246.143.211> Getting peer_ent by peer IP/local IP.
    -- IKE<62.246.143.211> Failed to get peer_ent by peer IP/local IP.
    -- IKE<62.246.143.211> Getting the 1st peer_ent that is used, with no peer
    IP, and right local IP.
    -- IKE<62.246.143.211> Failed to get the 1st peer_ent that is used, with no
    peer IP, and right local IP.
    -- IKE<62.246.143.211> Rejected an initial Phase 1 packet from an
    unrecognized peer gateway.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
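As an added example (not part of the thread, and not ScreenOS or Check Point code), a small parser for the "debug ike all" output quoted above: it re-joins lines that the mail client wrapped, pulls out the peer IP, local IP and ID type from the gateway-lookup line, and lists which gateway lookups failed before the Phase 1 packet was rejected. The sample text is constructed to match the quoted output; the reading of "id type <0>" as "no usable IKE ID in the first packet" is an assumption, not something the post confirms.

```python
import re

# Constructed sample in the shape of the ScreenOS "debug ike all" output quoted
# in the post, including the line wrapping the mailing-list copy introduced.
SAMPLE_DBUF = """\
-- IKE<62.246.143.211> Receive 1st Phase 1 packet::
-- 86 6f 5c e5 4e 99 22 78  00 00 00 01 00 00 0f a2
-- IKE<62.246.143.211> Getting IKE gateway entry for peer ip
<62.246.143.211>, local ip <62.246.143.210>, vsys <none>, id type <0>.
-- IKE<62.246.143.211> Getting peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Failed to get peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Getting the 1st peer_ent that is used, with no peer
IP, and right local IP.
-- IKE<62.246.143.211> Failed to get the 1st peer_ent that is used, with no
peer IP, and right local IP.
-- IKE<62.246.143.211> Rejected an initial Phase 1 packet from an
unrecognized peer gateway.
"""

ENTRY_RE = re.compile(
    r"peer ip <([^>]+)>, local ip <([^>]+)>, vsys <([^>]+)>, id type <(\d+)>")


def unwrap(text):
    """Re-join wrapped lines: every real debug line starts with '-- '."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("-- ") or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw.strip()
    return lines


def parse_ike_debug(text):
    """Extract the gateway-lookup chain for the first Phase 1 packet."""
    result = {"peer": None, "local": None, "vsys": None, "id_type": None,
              "failed": [], "rejected": False}
    for line in unwrap(text):
        msg = re.sub(r"^-- IKE<[^>]*> ", "", line)
        m = ENTRY_RE.search(msg)
        if m:
            result["peer"], result["local"], result["vsys"] = m.group(1, 2, 3)
            result["id_type"] = int(m.group(4))
        elif msg.startswith("Failed to get "):
            result["failed"].append(msg[len("Failed to get "):].rstrip("."))
        elif msg.startswith("Rejected an initial Phase 1 packet"):
            result["rejected"] = True
    return result


def diagnose(parsed):
    """One-line summary of which gateway definitions ScreenOS looked for and missed."""
    if not parsed["rejected"]:
        return "Phase 1 packet was matched to a gateway entry."
    note = ""
    if parsed["id_type"] == 0:
        # Assumption: id type 0 means the first packet carried no usable IKE ID,
        # so only the peer IP / local IP pair was available for the lookup.
        note = " (no IKE ID in first packet; lookup by IP only)"
    return (f"peer {parsed['peer']} -> local {parsed['local']} rejected{note}; "
            "missing: " + "; ".join(parsed["failed"]))
```

Paste a real dbuf capture into SAMPLE_DBUF (or pass it to parse_ike_debug) to see which gateway definition the NetScreen could not find for that peer.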
    
