
List:       vpn
Subject:    RE: [vpn] Checkpoint/Netscreen VPN IKE Error Messages
From:       dparmer () dsscorp ! com
Date:       2002-01-22 20:33:53


Thanks to all who have contributed advice. Unfortunately I still don't have a
working solution. I installed another test NT server running CP 4.1 SP5 on the
same networks, using the identical Checkpoint policy and the same Netscreen box
and policy on the other end, and the VPN site-to-site came up fine with both
Phase 1 and Phase 2. The MTU sizes on the NIC cards were set the same; the only
items different from the production box were the IP addresses on the
interfaces and NT 4.0 SP5 on the test box instead of NT SP6a. The production
box had an accelerator card (Broadcom card); I removed that and had the same
problem. I even reinstalled Checkpoint 4.1 from scratch on the production
server with the appropriate SPs and Hotfixes, copying over only the
rulebases.fws, objects.C, standard.W, and fwauth.NBD files from the original
install, and I got the same results.

Since I also tried another CP firewall on a different ISP and got that one
working, it must be something specific to this server. I discovered that a
couple of SecuRemote users on Ethernet connections seem to be having
connection timeout problems, and I saw similar Payload Malformed messages for
them in the log viewer. However, the connections do go through most of the
time, and another CP-to-CP site-to-site connection on the production box is
working fine.

Below is a summary of the log viewer message sequence (CP = Checkpoint,
NS = Netscreen):

Action       Source          Destination      Info
key install  CP FW           NS FW            IKE Log: Phase 1 completion 3DES/SHA1/Pre-Shared secrets....
key install  CP FW           NS FW            Combined ESP: 3DES+SHA1 (Phase 2 completion) for subnet: CP subnet & NS subnet
encrypt      CP Internal PC  NS Internal PC   icmp-type 8 IKE Methods: Combined ESP: 3DES+SHA1
key install  CP FW           NS FW            IKE Log: Received Notification from Peer: Payload Malformed...
key install  CP FW           NS FW            IKE Log: Received Delete SA from Peer: NS IP ....

=================
Dave Parmer
Senior Network Engineer
Distributed Systems Services
www.dsscorp.com
610-927-2026
dparmer@dsscorp.com
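The log sequence above is the whole diagnostic record a reader of this thread gets, so the following is an added example (not code from the original message, nor from Check Point or NetScreen) of turning such log-viewer records into a per-tunnel verdict. It walks the "key install" events per firewall pair, distinguishing a Phase 2 SA that was established and then torn down after a Payload Malformed notify from one that stayed up or never got past Phase 1, and separately flags the "encrypted out but nothing decrypted back" symptom at the host level. The record layout (time|action|source|destination|info) and the exact Info strings are assumptions modelled on the table quoted in the message; the sample log is constructed, not a real capture.

```python
"""Classify IKE tunnel state from Checkpoint log-viewer style records.

Added example, not code from the original thread or from Check Point/NetScreen.
The record format (time|action|source|destination|info) and the exact Info
strings are assumptions modelled on the table quoted in the message.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log (not a real capture).  The first tunnel reproduces the
# sequence in the message: Phase 1, Phase 2, one encrypt, then the peer sends a
# Payload Malformed notify and deletes the SA.  The second tunnel is a healthy
# control with traffic decrypted in the return direction.
SAMPLE_LOG = """\
10:00:01|key install|CP FW|NS FW|IKE Log: Phase 1 completion 3DES/SHA1/Pre-Shared secrets
10:00:02|key install|CP FW|NS FW|Combined ESP: 3DES+SHA1 (Phase 2 completion) for subnet: CP subnet & NS subnet
10:00:03|encrypt|CP Internal PC|NS Internal PC|icmp-type 8 IKE Methods: Combined ESP: 3DES+SHA1
10:00:04|key install|CP FW|NS FW|IKE Log: Received Notification from Peer: Payload Malformed
10:00:05|key install|CP FW|NS FW|IKE Log: Received Delete SA from Peer: NS IP
10:05:00|key install|CP FW|Other FW|IKE Log: Phase 1 completion 3DES/SHA1/Pre-Shared secrets
10:05:01|key install|CP FW|Other FW|Combined ESP: 3DES+SHA1 (Phase 2 completion) for subnet: CP subnet & Other subnet
10:05:02|encrypt|CP Internal PC|Other PC|icmp-type 8 IKE Methods: Combined ESP: 3DES+SHA1
10:05:03|decrypt|Other PC|CP Internal PC|icmp-type 0 IKE Methods: Combined ESP: 3DES+SHA1
"""


@dataclass
class Event:
    time: str
    action: str
    src: str
    dst: str
    info: str


def parse_log(text: str) -> List[Event]:
    """Split pipe-delimited records (assumed format).  At most four splits, so
    a '|' inside the free-text Info column is preserved."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)
        if len(parts) != 5:
            raise ValueError(f"malformed record: {line!r}")
        events.append(Event(*parts))
    return events


# Markers taken from the Info strings quoted in the message.
PHASE1 = re.compile(r"Phase 1 completion")
PHASE2 = re.compile(r"Phase 2 completion")
MALFORMED = re.compile(r"Payload Malformed", re.IGNORECASE)
DELETE_SA = re.compile(r"Received Delete SA")

Verdicts = Dict[Tuple[str, str], str]


def tunnel_verdicts(events: List[Event]) -> Verdicts:
    """Walk the 'key install' events per (local FW, peer FW) pair in log order
    and summarise what happened to the most recent negotiation."""
    state: Dict[Tuple[str, str], Dict[str, bool]] = {}
    for ev in events:
        if ev.action != "key install":
            continue
        st = state.setdefault((ev.src, ev.dst),
                              dict(p1=False, p2=False, malformed=False, deleted=False))
        if PHASE1.search(ev.info):
            # A fresh Phase 1 starts a new negotiation; reset the rest.
            st.update(p1=True, p2=False, malformed=False, deleted=False)
        elif PHASE2.search(ev.info):
            st["p2"] = True
        elif MALFORMED.search(ev.info):
            st["malformed"] = True
        elif DELETE_SA.search(ev.info):
            st["deleted"] = True

    verdicts: Verdicts = {}
    for pair, st in state.items():
        if st["deleted"] and st["p2"] and st["malformed"]:
            verdicts[pair] = "phase 2 SA torn down after Payload Malformed notify from peer"
        elif st["deleted"]:
            verdicts[pair] = "SA deleted by peer"
        elif st["p2"]:
            verdicts[pair] = "phase 2 established"
        elif st["p1"]:
            verdicts[pair] = "phase 1 only; phase 2 never completed"
        else:
            verdicts[pair] = "no IKE completion seen"
    return verdicts


def one_way_traffic(events: List[Event]) -> List[Tuple[str, str]]:
    """Host pairs with outbound 'encrypt' records but no 'decrypt' record in
    the reverse direction: the 'encrypted out, nothing decrypted back' symptom."""
    enc = {(e.src, e.dst) for e in events if e.action == "encrypt"}
    dec = {(e.src, e.dst) for e in events if e.action == "decrypt"}
    return sorted(pair for pair in enc if (pair[1], pair[0]) not in dec)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for pair, verdict in tunnel_verdicts(evs).items():
        print(f"{pair[0]} -> {pair[1]}: {verdict}")
    for src, dst in one_way_traffic(evs):
        print(f"one-way: {src} -> {dst}")
```

The classifier reports the symptom only: it cannot tell from these records whether the peer's Delete SA covered just Phase 2 or both phases, so the cause discussed later in the thread still has to be confirmed from the IKE debug output on each side.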



Tom McHugh <TomM@spectrum-systems.com>
01/21/2002 04:00 PM

To:      "'dparmer@dsscorp.com'" <dparmer@dsscorp.com>, vpn@securityfocus.com
cc:
Subject: RE: [vpn] Checkpoint/Netscreen VPN IKE Error Messages

I happened to run across this bug report in the release notes for the latest
version of NetScreen's OS.  The problem reported was that Checkpoint didn't
delete the SA for Phase 2 when the NetScreen sent a message to it to delete
*both* Phase 1 and Phase 2 SAs.  This is still reported in the current version
of NetScreen's OS, but no mention is made about CheckPoint's version or any
work-around.

Hope that helps,

Tom McHugh, Senior Systems Engineer
mailto:tomm@spectrum-systems.com

Spectrum Systems, Inc.
"Today's Technology--Solutions for Tomorrow"

11320 Random Hills Road, Suite 630
Fairfax, VA 22030-6001
703-591-7400 x218
703-591-9780 (Fax)
http://www.spectrum-systems.com/

Concerned about the security of your network?  Spectrum Systems' Network
Security products and services can take the worry out of protecting your
network.  Call us at 800-929-3781 or visit us at
http://www.spectrum-systems.com to learn more.


> -----Original Message-----
> From: dparmer@dsscorp.com [mailto:dparmer@dsscorp.com]
> Sent: Monday, January 14, 2002 9:17 AM
> To: vpn@securityfocus.com
> Subject: [vpn] Checkpoint/Netscreen VPN IKE Error Messages
> 
> 
> Hello,
> 
> We are having trouble for the past few weeks trying to get a Netscreen 5 to
> an NT 4.0 Checkpoint 4.1 SP5 site to site VPN operational.  Generally IKE
> Phase 1 completes between the firewalls, but only very infrequently does
> IKE Phase 2 complete between the firewalls, according to the Checkpoint and
> Netscreen logs.  When Phase 2 does complete, outbound traffic is encrypted
> but the return decrypts do not come back.  We have encryption schemes
> identical for Phase 1 & Phase 2 between the Checkpoint & Netscreen boxes.
> When Phase 2 does not complete, messages in the log viewer include
> "Received delete SA from Peer" and "Received Notification from Peer:
> payload malformed", with the source address being the Checkpoint firewall
> and the destination being the Netscreen.
> 
> Just for kicks, we tried creating a VPN connection to two other Checkpoint
> 4.1 sites (one had NT 4.0 using 4.1 SP2 and another had W2K using 4.1 SP5)
> using the same Netscreen 5 box with identical encryption properties, and
> both Phase 1 & Phase 2 became operational, and traffic was being encrypted
> and decrypted in both directions.  Thus I eliminated the possibility that
> the Netscreen may be the issue.
> 
> I then compared a few files on the various firewalls (crypt.def,
> objects.C), and could not find anything except cosmetic items that were
> different.  I also tried the various debugging tools (fw monitor, fw -d d,
> FWIKE_DEBUG), and have examined the resultant file output, and was not able
> to decipher anything enlightening from these files, although I must admit
> that I don't know exactly what kind of packet flow or sequencing I should
> be looking for.
> 
> Thanks in advance for any assistance.
> 
> ============================
> Dave Parmer
> Distributed Systems Services
> 610-927-2026
> dparmer@dsscorp.com
> 
> 
> 
> VPN is sponsored by SecurityFocus.com
> 
