Firewall Wizards mailing list archives

Re: netscreen 25 sofaware ipsec interop


From: Mark.Boltz () stonesoft com
Date: Tue, 6 Jan 2004 08:36:55 -0500


Timo,

I'm not really familiar with the CP Sofaware boxes, but you may want to
check the interoperability guides for Check Point and NetScreen at the VPN
Consortium's site at http://www.vpnc.org/. Assuming the SW box can do true
IPsec, it may provide some insight as to what you need to get a tunnel
established between the two devices.

---
Mark Boltz
Sr. Sales Consultant
mark.boltz () stonesoft com
Tel:  1.703.744.1365
Fax:  1.703.744.1001
Cell: 1.571.218.2481

1750 Tysons Blvd, 4th Floor
McLean, VA 22102     USA

http://www.stonesoft.com
Real World Business Security (TM)


From:    Timo Proescholdt <proescho () informatik uni-muenchen.de>
Sent by: firewall-wizards-admin@honor.icsalabs.com
Date:    01/05/2004 11:44 AM

To:      firewall-wizards () honor icsalabs com
cc:
Subject: [fw-wiz] netscreen 25 sofaware ipsec interop





Hi List,

My first post to this list. The archive helped me
a lot in the past, but I have come to a point where I don't know what to
do.

I am trying to set up a route-based VPN between a NetScreen NS25 and one of these
Check Point SOFAWARE 4.0.41 appliances.

I need the SOFAWARE box because of its PPTP internet access feature,
which I am missing from other vendors.

The NS has a fixed IP, the SW a dynamic one.
Authentication shall be done using certificates.

First I created and signed two simple (no subjectAltName) certificates
with an OpenSSL CA, and imported the local certificates and the CA cert
into both devices.

Then I configured the NetScreen to use its DN for the phase 1
IKE ID [local ID [DistinguishedName]], and to expect the DN of the
peer as peer IKE ID [use distinguished name for peer ID].

I mostly followed the configuration example "Route Based Site-to-Site
VPN, dynamic peer" in the manual, enriched by the hints of David Klein
given on this list.

My problem is that I cannot pass phase 1 (IKE).
My NetScreen device shows the following error in its log:

Rejected an initial Phase 1 packet from an unrecognized peer gateway.

I double-checked that there are no typos in the DN, the clocks are
set up all right and the certs are signed correctly.


My problem is that I have absolutely no idea what this SOFAWARE
device expects as IKE ID, nor what it sends as local IKE ID.

Another miracle is the contents of the certificate for the SW box.

In another run, I tried to create a certificate containing an email
address in the subjectAltName field. I used this as Peer ID in the
NetScreen's AutoKey->Gateway configuration dialog.

Same error message.

Has anyone on the list experience with the SW boxes?
I am new to both of these devices, but I definitely prefer the NS:
lots of documentation, nice cmdline.
Exactly the things I miss on the SW box.

I include a dbuf run of one (unsuccessful) IKE run at the end of this
mail (debug ike all).

Best Regards
and many thanks
Timo



dbuf shows:

-- IKE<62.246.143.211> Receive 1st Phase 1 packet::
-- 86 6f 5c e5 4e 99 22 78  00 00 00 01 00 00 0f a2
[..]
-- 00 00 00 00 00 00 00 00  18 40 00 00
-- IKE<62.246.143.211> Getting IKE gateway entry for peer ip
<62.246.143.211>, local ip <62.246.143.210>, vsys <none>, id type <0>.
-- IKE<62.246.143.211> Getting peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Failed to get peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Getting the 1st peer_ent that is used, with no peer
IP, and right local IP.
-- IKE<62.246.143.211> Failed to get the 1st peer_ent that is used, with no
peer IP, and right local IP.
-- IKE<62.246.143.211> Rejected an initial Phase 1 packet from an
unrecognized peer gateway.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
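As an added example (not part of the thread, and not a NetScreen or Check Point tool), the following Python script triages the dbuf output quoted above: it re-joins the records the mail client wrapped, extracts the peer/local IP, vsys and id type from the gateway lookup line, and records which lookup strategies the responder tried and which ones it reported as failed. The trace shows two misses before the rejection: no gateway entry for this peer IP/local IP pair, and no entry "with no peer IP" on the right local IP; no IKE ID comparison appears before the rejection. The line patterns and the unwrapping rule are assumptions taken from the quoted trace; the RFC 2409 background in `explain()` is general IKEv1 main-mode behaviour, not something the trace states.

```python
"""Triage helper for ScreenOS ``debug ike all`` output (example added to this
archive page; not a NetScreen or Check Point tool).  It reads the lines a
NetScreen logs while searching for an IKE gateway entry that matches an
incoming Phase 1 packet and reports which lookup strategies were tried and
whether any matched.  The line patterns are assumptions taken from the trace
quoted in the post, not from ScreenOS documentation."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Copied from the dbuf output quoted in the post, mail line-wrapping included.
SAMPLE_TRACE = """\
-- IKE<62.246.143.211> Receive 1st Phase 1 packet::
-- 86 6f 5c e5 4e 99 22 78  00 00 00 01 00 00 0f a2
[..]
-- 00 00 00 00 00 00 00 00  18 40 00 00
-- IKE<62.246.143.211> Getting IKE gateway entry for peer ip
<62.246.143.211>, local ip <62.246.143.210>, vsys <none>, id type <0>.
-- IKE<62.246.143.211> Getting peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Failed to get peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Getting the 1st peer_ent that is used, with no peer
IP, and right local IP.
-- IKE<62.246.143.211> Failed to get the 1st peer_ent that is used, with no
peer IP, and right local IP.
-- IKE<62.246.143.211> Rejected an initial Phase 1 packet from an
unrecognized peer gateway.
"""

GATEWAY_RE = re.compile(
    r"Getting IKE gateway entry for peer ip <([^>]*)>, local ip <([^>]*)>, "
    r"vsys <([^>]*)>, id type <(\d+)>")
# "Getting X." later followed by "Failed to get X." means strategy X missed.
STEP_RE = re.compile(r"^-- IKE<[^>]*> (Getting|Failed to get) (.+?)\.?$")
REJECT_RE = re.compile(r"Rejected an initial Phase 1 packet from an unrecognized peer gateway")


@dataclass
class Attempt:
    strategy: str     # text after "Getting" / "Failed to get", as ScreenOS wrote it
    succeeded: bool   # stays True unless a matching "Failed to get" line follows


@dataclass
class GatewayLookup:
    peer_ip: Optional[str] = None
    local_ip: Optional[str] = None
    vsys: Optional[str] = None
    id_type: Optional[int] = None
    attempts: List[Attempt] = field(default_factory=list)
    rejected: bool = False

    @property
    def matched(self) -> bool:
        return any(a.succeeded for a in self.attempts)


def unwrap(text: str) -> List[str]:
    """Re-join records that the mail client wrapped onto extra lines.
    Assumption from the quoted trace: a record starts with "-- " and a
    following line without that prefix is its continuation."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-- ") or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records


def triage(text: str) -> GatewayLookup:
    """Walk the trace and record the gateway lookup sequence."""
    lookup = GatewayLookup()
    for rec in unwrap(text):
        m = GATEWAY_RE.search(rec)
        if m:
            lookup.peer_ip, lookup.local_ip, lookup.vsys = m.group(1), m.group(2), m.group(3)
            lookup.id_type = int(m.group(4))
            continue
        if REJECT_RE.search(rec):
            lookup.rejected = True
            continue
        m = STEP_RE.match(rec)
        if not m:
            continue
        verb, strategy = m.group(1), m.group(2)
        if verb == "Getting":
            lookup.attempts.append(Attempt(strategy, True))
        else:  # "Failed to get": mark the most recent attempt with that strategy
            for a in reversed(lookup.attempts):
                if a.strategy == strategy:
                    a.succeeded = False
                    break
    return lookup


def explain(lookup: GatewayLookup) -> List[str]:
    """Plain-language summary.  Background (RFC 2409, not from the trace): in
    main mode the first packet carries only the SA proposal and the IKE ID
    (DN, FQDN, e-mail, ...) arrives in message 5, so at this point the
    responder can only match on addresses; a peer with a dynamic address
    must match a gateway entry defined without a peer IP on the local side."""
    out = [f"peer {lookup.peer_ip} -> local {lookup.local_ip} "
           f"(vsys {lookup.vsys}, id type {lookup.id_type})"]
    for a in lookup.attempts:
        out.append(("matched: " if a.succeeded else "missed:  ") + a.strategy)
    if lookup.rejected and not lookup.matched:
        out.append("rejected: no gateway for this peer IP/local IP pair and no "
                   "dynamic-peer entry (no peer IP) on this local IP; the trace "
                   "shows no IKE ID comparison before the rejection")
    return out


if __name__ == "__main__":
    for line in explain(triage(SAMPLE_TRACE)):
        print(line)
```

Run it as-is to see the summary of the quoted trace; feed it another `debug ike all` capture to see which of the two lookups a responder matched, or whether it rejected before either one succeeded.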


