Trying to set up an IKE vpn between FreeBSD and Checkpoint FW-1

From: Jeremy Karteczka (jerkart@mw.mediaone.net)
Date: 03/24/01


From: "Jeremy Karteczka" <jerkart@mw.mediaone.net>
To: <freebsd-security@freebsd.org>
Date: Fri, 23 Mar 2001 23:51:38 -0500


Greetings,
I am trying to get an IKE vpn going between a 4.2-RELEASE machine (using racoon
for key exchange) and a Checkpoint firewall (v4.1 SP3). I have tried both sha1
and md5. Every time I try to establish a connection phase 1 negotiation
succeeds and phase 2 says it succeeds in the racoon log file, but then I get
this message at the bottom of /var/log/messages:

When using md5:
key_mature: invalid AH key length 128 (160-160 allowed)

with sha1:
key_mature: invalid AH key length 160 (128-128 allowed)

I was able to speak with Checkpoint Tech support on this and they did confirm
that Firewall-1 uses a 128-bit key for md5 and a 160-bit key for sha1.

I have looked for RFCs to find out which is the accepted standard but could not
find one that specifically states how long the key should be for each hash
method.

Can anyone point me to the proper RFCs and/or tell me if there is a way I can
reverse the expected key length on the FreeBSD side? The Checkpoint tech I
spoke with stated that Firewall-1 is compliant with RFCs 2408 and 2409 but I see
no mention of AH key length for hash methods.

I have attached a copy of the racoon log (the external IPs have been cleansed)
and the conf used for an attempt to connect while using sha1.

Thanks in advance,
Jeremy
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
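Added example (not part of the post or of racoon/FreeBSD): the key sizes the poster was looking for are fixed by RFC 2403 (HMAC-MD5-96: 128-bit key) and RFC 2404 (HMAC-SHA-1-96: 160-bit key), which are the AH transforms referenced from the IPsec DOI rather than RFCs 2408/2409. Read literally, the two log lines above say the kernel was handed a 128-bit key for an SA whose fixed key size is 160 bits, and a 160-bit key for one whose size is 128 bits, i.e. each key has the other algorithm's length. The block below reproduces that sanity check, computes the 96-bit AH ICV for a key of the right size, and parses key_mature lines to say which algorithm an offered key actually fits. Function names, the AH_ALGS table and the sample keys are assumptions made for this example.

```python
import hashlib
import hmac
import re

# RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96) fix the AH key size at
# the hash output size: 128 bits for MD5, 160 bits for SHA-1. Both truncate
# the HMAC output to a 96-bit ICV. Table and names are this example's own.
AH_ALGS = {
    "hmac-md5":  {"hash": hashlib.md5,  "key_bits": 128},
    "hmac-sha1": {"hash": hashlib.sha1, "key_bits": 160},
}
ICV_BYTES = 96 // 8


def check_ah_key(alg, key):
    """Sanity check in the spirit of the kernel's key_mature(): return None
    when the key has the algorithm's fixed size, else a message shaped like
    the /var/log/messages lines quoted in the post."""
    want = AH_ALGS[alg]["key_bits"]
    got = len(key) * 8
    if got != want:
        return f"key_mature: invalid AH key length {got} ({want}-{want} allowed)"
    return None


def ah_icv(alg, key, payload):
    """96-bit truncated HMAC carried in the AH authentication data field.
    Refuses a key of the wrong length instead of silently padding it."""
    err = check_ah_key(alg, key)
    if err:
        raise ValueError(err)
    return hmac.new(key, payload, AH_ALGS[alg]["hash"]).digest()[:ICV_BYTES]


def verify_ah_icv(alg, key, payload, icv):
    """Constant-time comparison of a received ICV against a recomputed one."""
    return hmac.compare_digest(ah_icv(alg, key, payload), icv)


_KEY_MATURE = re.compile(
    r"key_mature: invalid AH key length (\d+) \((\d+)-(\d+) allowed\)")


def diagnose(line):
    """Parse a key_mature complaint and report which algorithm the offered
    key fits and which algorithm's fixed size the kernel applied.
    Returns None for lines that are not key_mature complaints."""
    m = _KEY_MATURE.search(line)
    if not m:
        return None
    got, lo, hi = (int(x) for x in m.groups())
    by_bits = {v["key_bits"]: k for k, v in AH_ALGS.items()}
    return {
        "got_bits": got,
        "allowed_bits": (lo, hi),
        "key_fits": by_bits.get(got),
        "kernel_expects": by_bits.get(lo) if lo == hi else None,
    }


if __name__ == "__main__":
    # Constructed keys of the RFC-mandated sizes (not real SA material).
    md5_key = bytes(range(16))   # 128 bits
    sha1_key = bytes(range(20))  # 160 bits
    print(check_ah_key("hmac-md5", md5_key))    # None: size matches
    print(check_ah_key("hmac-sha1", md5_key))   # same message as the md5 attempt in the post
    print(check_ah_key("hmac-md5", sha1_key))   # same message as the sha1 attempt
    icv = ah_icv("hmac-sha1", sha1_key, b"AH-protected payload")
    print(icv.hex(), verify_ah_icv("hmac-sha1", sha1_key, b"AH-protected payload", icv))
    # The two log lines from the post, run through the parser.
    for line in ("key_mature: invalid AH key length 128 (160-160 allowed)",
                 "key_mature: invalid AH key length 160 (128-128 allowed)"):
        print(diagnose(line))
```

Running it shows that a 128-bit key only ever satisfies the check when the SA is installed as HMAC-MD5 and a 160-bit key only as HMAC-SHA-1, so a log line whose "allowed" range is the other algorithm's size points at an algorithm/key mismatch in the installed SA rather than at a key length the peer chose wrongly.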