Re: interoperability of VPN checkpoint FW1 to ISA

From: Barry Irwin (bvi@itouchlabs.com)
Date: 04/23/03

    From: "Barry Irwin" <bvi@itouchlabs.com>
    To: "'Security Focus Forum'" <SecurityFocusForum@mimillers.com>, <focus-ms@securityfocus.com>
    Date: Wed, 23 Apr 2003 08:06:09 +0200
    
    

    The two types of IKE/ISAKMP Negotiation are MAIN and AGGRESSIVE.
    Main uses 6 packets to cook up the session keys, whereas aggressive uses
    only 3. On all the firewall/VPN Devices I have dealt with this has been
    configurable.

    Each of the modes has its own strengths and weaknesses. I speak under
    correction, but my understanding is if the one endpoint of a VPN is unknown
    (e.g. a roaming user) then aggressive mode must be used in order to present an
    identity.

    Regards,

    Barry

    --
    Barry Irwin         bvi@itouchlabs.com                    Tel: +27214875178
    Systems Administrator: Networks And Security
    iTouch Technology
    iTouch TAS      http://www.itouchlabs.com         Mobile: +27824457210
    ----- Original Message -----
    From: "Damien @ HammerheadTech.net" <damien@hammerheadtech.net>
    To: "'Pasikowski, Gary'" <gpasikowski@mimillers.com>; "'Mark Fagan'"
    <Mark.Fagan@esat.com>; "'Security Focus Forum'"
    <SecurityFocusForum@mimillers.com>; <focus-ms@securityfocus.com>
    Sent: Monday, April 21, 2003 10:55 PM
    Subject: RE: interoperability of VPN checkpoint FW1 to ISA
    Mark,
    So long as all ends are matching on their encryption configuration, like
    Gary said, things should be fine.  However, CheckPoint has one little
    "catch" to be aware of.  They have a setting on their systems for
    "aggressive" negotiation of the VPN connection.  Basically this tries to get
    the communication kicked off in half as many packets as your "industry
    standard" 6 packet handshake.  So depending on whether or not the tunnel is
    made from ISA to CheckPoint or CheckPoint to ISA, you could see a failure in
    the communications.
    We saw something similar where a tunnel was made from a Cisco VPN device to
    a CheckPoint device.  When the tunnel would drop before the scheduled
    re-negotiation the CheckPoint device would try its "aggressive" mode and
    the reconnect would fail until the Cisco device eventually got around to its
    scheduled re-negotiation.  Turning off the "aggressive" mode (which is
    really only designed for CP to CP tunnels) resolved that.
    The same thing could very well happen when going from CP to ISA.
    My 2c worth.
    Damien
    -----Original Message-----
    From: Pasikowski, Gary [mailto:gpasikowski@mimillers.com]
    Sent: Monday, April 21, 2003 9:53 AM
    To: 'Mark Fagan'; Security Focus Forum; focus-ms@securityfocus.com
    I assume you are talking about an IPSEC VPN and not a PPTP?  As long as both
    ends match you should be fine. (IPSEC, 3DES, AES, MD5, etc.) That is the
    key; the Check Point will not care what equipment is on the other end.  In
    "theory" you can make any two IPSEC VPN devices talk to each other as long
    as each is using the industry standard and has not implemented their own
    proprietary settings.
    Gary
    -----Original Message-----
    From: Mark Fagan [mailto:Mark.Fagan@esat.com]
    Sent: Friday, April 18, 2003 3:58 AM
    To: 'Security Focus Forum'; focus-ms@securityfocus.com
    Subject: RE: interoperability of VPN checkpoint FW1 to ISA
    But what about shared secrets, encryption types and timeouts: any known
    issues?
    -----Original Message-----
    From: Security Focus Forum [mailto:SecurityFocusForum@mimillers.com]
    Sent: 17 April 2003 21:07
    To: Mark Fagan; focus-ms@securityfocus.com
    Subject: RE: interoperability of VPN checkpoint FW1 to ISA
    I don't see why not as long as ISA talks standard IPSEC.  I sit on the Check
    Point end, so I cannot tell you how ISA works, but I can tell you this, I
    have created multiple IPSEC VPNs between Check Point (both NG and 4.x) and
    WatchGuard firewalls.
    ...Gary
    -----Original Message-----
    From: Mark Fagan [mailto:Mark.Fagan@esat.com]
    Sent: Thursday, April 17, 2003 12:23 PM
    To: focus-ms@securityfocus.com
    Subject: interoperability of VPN checkpoint FW1 to ISA
    All,
    Have searched high and low, any one know if a VPN can be created between ISA
    and FW-1 ?
    Mark Fagan
    TDA
    Esat BT Application Hosting
    E mark.fagan@esat.com
    T + 353 1 4326914
    M + 353 86 6013397
    www.esatbt.com
    Esat Telecommunications Limited
    is a wholly owned subsidiary of BT Group plc
    Registered in Ireland, Registration No. 141524
    Grand Canal Plaza, Upper Grand Canal Street, Dublin, Ireland
    This electronic message contains information (and may contain files) from
    Esat Telecommunications Limited which may be privileged or confidential. The
    information is intended to be for the sole use of the individual(s) or
    entity named above. If you are not the intended recipient be aware that any
    disclosure, copying, distribution or use of the contents of this information
    and or files is prohibited. If you have received this electronic message in
    error, please notify us by telephone or email (to the numbers or address
    above) immediately. http://www.esatbt.com
    Win EUR100,000 worth of eBusiness solutions from Esat BT.
    Click http://www.esatbt.com/ie/competition/labyrinth/index.html to enter!
    ----------------------------------------------------------------------------
    -
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    world's premier event for IT and network security experts.  The two-day
    Training features 6 hands-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    sales pitches.  Deadline for the best rates is April 25.  Register today to
    ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
    ----------------------------------------------------------------------------
    --
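The main/aggressive difference Barry and Damien describe (6 messages versus 3, identity presented in the clear, and a peer that only accepts one exchange type refusing the other), as an added toy model that is not code from any of the posts. The peers, addresses and pre-shared keys are constructed; the message layout follows RFC 2409.

```python
# Toy model of the two IKEv1 phase-1 exchanges discussed in the thread.
# Added example, not code from the list posts. Message layout follows RFC 2409;
# the peers, addresses and pre-shared keys are constructed. Not a real IKE stack.

ENC, CLEAR = True, False   # whether a message is sent under the phase-1 keys

MAIN_MODE = [              # 6 messages: identities only after keys exist
    ("I->R", ["SA"], CLEAR),
    ("R->I", ["SA"], CLEAR),
    ("I->R", ["KE", "Ni"], CLEAR),
    ("R->I", ["KE", "Nr"], CLEAR),
    ("I->R", ["IDi", "HASH_I"], ENC),
    ("R->I", ["IDr", "HASH_R"], ENC),
]
AGGRESSIVE_MODE = [        # 3 messages: identities in the clear in 1 and 2
    ("I->R", ["SA", "KE", "Ni", "IDi"], CLEAR),
    ("R->I", ["SA", "KE", "Nr", "IDr", "HASH_R"], CLEAR),
    ("I->R", ["HASH_I"], CLEAR),
]
EXCHANGES = {"main": MAIN_MODE, "aggressive": AGGRESSIVE_MODE}

def identity_protected(exchange):
    """True if every ID payload travels inside an encrypted message."""
    return all(enc for _, payloads, enc in exchange
               if any(p.startswith("ID") for p in payloads))

def phase1(initiator, responder, mode):
    """Simulate a pre-shared-key phase 1. Returns (ok, messages_sent, reason)."""
    if mode not in initiator["modes"] or mode not in responder["modes"]:
        return False, 1, "exchange type rejected"      # the CP -> Cisco/ISA failure
    exchange = EXCHANGES[mode]
    if "IDi" in exchange[0][1]:                        # aggressive: IDi in message 1
        if initiator["id"] not in responder.get("psk_by_id", {}):
            return False, 1, "no PSK for presented identity"
        return True, len(exchange), "PSK selected by identity"
    # main mode: keys are derived before message 5 reveals IDi, so the responder
    # can only choose the PSK by the initiator's source address
    if initiator["ip"] not in responder.get("psk_by_ip", {}):
        return False, 4, "no PSK for unknown source address"   # roaming user case
    return True, len(exchange), "PSK selected by source address"

# Constructed peers: a gateway accepting both modes, an ISA-style peer that only
# does main mode, and a roaming user whose address the gateway cannot know.
GW = {"ip": "198.51.100.1", "id": "gw.example", "modes": {"main", "aggressive"},
      "psk_by_ip": {"203.0.113.7": "k1"}, "psk_by_id": {"alice@example": "k2"}}
ISA = {"ip": "203.0.113.7", "id": "isa.example", "modes": {"main"},
       "psk_by_ip": {"198.51.100.1": "k1"}}
ROAMER = {"ip": "192.0.2.99", "id": "alice@example", "modes": {"main", "aggressive"}}
```

Running `phase1(GW, ISA, "aggressive")` reproduces the failure Damien saw, while `phase1(ROAMER, GW, "main")` shows why Barry's roaming user needs aggressive mode, at the cost that `identity_protected(AGGRESSIVE_MODE)` is false.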
    
