RE: interoperability of VPN checkpoint FW1 to ISA

From: Stuart Fox (DSL AK) (StuartF@datacom.co.nz)
Date: 04/24/03

    From: "Stuart Fox (DSL AK)" <StuartF@datacom.co.nz>
    To: "'Damien @ HammerheadTech.net'" <damien@hammerheadtech.net>, "'Pasikowski, Gary'" <gpasikowski@mimillers.com>, 'Mark Fagan' <Mark.Fagan@esat.com>, 'Security Focus Forum' <SecurityFocusForum@mimillers.com>, focus-ms@securityfocus.com
    Date: Thu, 24 Apr 2003 10:39:00 +1200
    
    

    It's not actually a catch - it's part of the IKE RFCs. Check
    http://www.ietf.org/rfc/rfc2409.txt. Aggressive mode is listed as a SHOULD
    implement, but most vendors seem to support it, not just Checkpoint
    (including Cisco).

    Cheers

    Stu

    > -----Original Message-----
    > From: Damien @ HammerheadTech.net [mailto:damien@hammerheadtech.net]
    > Sent: Tuesday, 22 April 2003 8:56 a.m.
    > To: 'Pasikowski, Gary'; 'Mark Fagan'; 'Security Focus Forum';
    > focus-ms@securityfocus.com
    > Subject: RE: interoperability of VPN checkpoint FW1 to ISA
    >
    >
    > Mark,
    >
    > So long as all ends are matching on their encryption
    > configuration, like Gary said, things should be fine.
    > However, CheckPoint has one little "catch" to be aware of.
    > They have a setting on their systems for "aggressive"
    > negotiation of the VPN connection. Basically this tries to
    > get the communication kicked off in half as many packets as
    > your "industry standard" 6 packet handshake. So depending on
    > whether or not the tunnel is made from ISA to CheckPoint or
    > CheckPoint to ISA, you could see a failure in the communications.
    >
    > We saw something similar where a tunnel was made from a Cisco
    > VPN device to a CheckPoint device. When the tunnel would
    > drop before the scheduled re-negotiation the CheckPoint
    > device would try its "aggressive" mode and the reconnect
    > would fail until the Cisco device eventually got around to
    > its scheduled re-negotiation. Turning off the "aggressive"
    > mode (which is really only designed for CP to CP tunnels)
    > resolved that.
    >
    > The same thing could very well happen when going from CP to ISA.
    >
    > My 2c worth.
    >
    > Damien
    >
    >
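As an added illustration (not code from either poster), the following Python models the decision a responder makes on the first phase 1 packet, using the fixed ISAKMP header layout from RFC 2408 and the Main Mode (6 messages) / Aggressive Mode (3 messages) exchange types defined in the RFC 2409 that Stu cites. The sample packets and the peer policy are constructed for the example, not taken from a capture.

```python
import struct

# ISAKMP fixed header (RFC 2408 section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message id, total length (network order).
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes

# IKEv1 (RFC 2409) phase 1 exchange types: Main Mode is the Identity Protection
# exchange (type 2, 6 messages); Aggressive Mode is type 4 (3 messages).
# Aggressive Mode sends the identity payload before any encryption is in place,
# one reason many responders are configured to refuse it.
EXCHANGES = {2: ("main", 6), 4: ("aggressive", 3)}


def build_ike_init(exchange_type, icookie, body=b""):
    """Build a phase 1 first message: zero responder cookie, SA as next payload (1),
    message id 0, ISAKMP version 1.0 (0x10)."""
    length = HEADER_LEN + len(body)
    return struct.pack(HEADER_FMT, icookie, b"\x00" * 8, 1, 0x10,
                       exchange_type, 0, 0, length) + body


def parse_ike_header(pkt):
    """Return (mode, message_count) for a phase 1 first message, or raise on malformed input."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    _ic, _rc, _np, ver, xchg, _flags, _msgid, length = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if ver >> 4 != 1 or length != len(pkt):
        raise ValueError("not a well-formed IKEv1 message")
    if xchg not in EXCHANGES:
        raise ValueError("not a phase 1 exchange: type %d" % xchg)
    return EXCHANGES[xchg]


def check_peer_policy(pkt, responder_modes):
    """Simulate the responder's first decision. responder_modes is the set of modes the
    responder is configured to accept ({"main"} for a peer with aggressive mode off).
    Returns (mode, accepted, messages_in_phase_1); messages is 0 when the first packet is refused."""
    mode, count = parse_ike_header(pkt)
    accepted = mode in responder_modes
    return mode, accepted, count if accepted else 0


# Constructed sample traffic: a peer falling back to aggressive mode after a tunnel
# drop, and the same peer starting a normal main mode negotiation.
CP_AGGRESSIVE = build_ike_init(4, b"\x11" * 8, body=b"\x00" * 40)
CP_MAIN = build_ike_init(2, b"\x22" * 8, body=b"\x00" * 40)

if __name__ == "__main__":
    for pkt in (CP_AGGRESSIVE, CP_MAIN):
        print(check_peer_policy(pkt, {"main"}))
```

With a main-mode-only responder the aggressive packet is refused while the main mode packet proceeds through all six messages, which is the asymmetry Damien describes.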


