I'm going to answer my own post here; it seems that it was necessary to do a 
kill -1 on all vpn processes in order to get the debug working again.

If anyone has had any similar experience with this, I'd like to hear, as it 
still puzzles me how the tunnels were up while this was somehow 
malfunctioning.

BTW, this happened on an R60 SecurePlatform deployment, on top of a Dell 1750 
server.

Regards,

Raúl

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On 
Behalf Of Millan, Raul
Sent: Tuesday, July 10, 2007 17:58 PM
To: [email protected]
Subject: Re: [FW-1] VPN with Huawei Firewall

Well I don't have access to the IKEVIEW tool, seems that only Checkpoint CSP 
have it; and on top of that I'm trying to at least generate the debug file, and 
I get this error:

[EMAIL PROTECTED] vpn debug ikeon
 Cannot signal vpnd: No such process

I have found a couple of posts on the Internet about this, with no conclusion.  
I don't know if it's just me or what, but I really have a hard time looking 
things up in Checkpoint's SK.

So far I haven't found anything related to this problem; if anyone has an idea 
on how to get the vpn debug working, I'll appreciate it.

Regards,

Raúl

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On 
Behalf Of Ali Husen Sumantoro
Sent: Tuesday, July 10, 2007 5:17 AM
To: [email protected]
Subject: Re: [FW-1] VPN with Huawei Firewall

> It seems that at some point the Huawei firewall renegotiates the phase 2 SAs 
> way before it even expires (default 3600 seconds); this only happens on 
> outbound traffic (my side), the inbound SA (again my side) is correct and I 
> can receive echo request packets from the LAN behind the Huawei firewall.

I've experienced this situation in the past, either with Eudemon or
with other VPN gateways (SonicWall, WatchGuard). After analyzing the
packets with IKEVIEW, I found out that the domain encryptions reading
did not match.

For NGAI R55, my solution is to disable "support key exchange for
subnets". For NGX R60, my solution is to ask my partner to change the
domain encryption as read by Check Point in IKEVIEW.

rgds,
Ali HS

On 7/10/07, Millan, Raul <[EMAIL PROTECTED]> wrote:
> Hi everybody.
>
> I need to establish an IPSEC tunnel with a Huawei firewall model Eudemon 200. 
> Everything seems to work fine for some minutes, then the outgoing traffic 
> from my end to the Huawei's end is dropped at the destination; according to 
> Huawei the firewall complains that the SA is invalid.
>
> It seems that at some point the Huawei firewall renegotiates the phase 2 SAs 
> way before it even expires (default 3600 seconds); this only happens on 
> outbound traffic (my side), the inbound SA (again my side) is correct and I 
> can receive echo request packets from the LAN behind the Huawei firewall.
>
> We've checked the SAs using vpn -u on our side, and my outbound SA is different 
> than their inbound SA, this is strange since this usually happens way before 
> the 3600 seconds are up (phase 2).
>
> I'm using a cluster of SecurePlatform servers running R60, with a single VPN 
> community for all my other customers' VPNs; this is the only one giving me a 
> hard time.
>
> Any ideas would be of great help, since we've been at this for a number of 
> weeks now, and we're really starting to run out of good ideas.
>
> Thanks,
>
> Raúl

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
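
Ali's reply in this thread traces the invalid-SA symptom to the two gateways reading the encryption domain differently. The following is an added illustration, not code from the thread or from either vendor: it compares the phase 2 IDs one side would propose with the entries the peer has configured, assuming a gateway that merges adjacent subnets of its domain into one covering network when subnet key exchange is on. The function names and the sample networks are constructed.

```python
import ipaddress

def proposed_selectors(encryption_domain, merge_subnets):
    """Return the phase 2 local IDs a gateway would propose for its domain.

    merge_subnets=True models a gateway that collapses adjacent subnets into
    the largest covering network (an assumption made for this illustration);
    False proposes each configured subnet unchanged.
    """
    nets = [ipaddress.ip_network(n) for n in encryption_domain]
    if merge_subnets:
        nets = list(ipaddress.collapse_addresses(nets))
    return sorted(nets)

def selector_mismatches(local_domain, peer_view_of_local, merge_subnets=True):
    """Compare what we propose with what the peer has configured for us."""
    proposed = proposed_selectors(local_domain, merge_subnets)
    expected = sorted(ipaddress.ip_network(n) for n in peer_view_of_local)
    findings = []
    for net in proposed:
        if net in expected:
            continue
        # Peer entries swallowed by a wider proposal point at subnet merging.
        covered = [e for e in expected if e.subnet_of(net)]
        kind = "wider than peer entries" if covered else "unknown to peer"
        findings.append((str(net), kind, [str(c) for c in covered]))
    for net in expected:
        if net not in proposed and not any(net.subnet_of(p) for p in proposed):
            findings.append((str(net), "peer expects, never proposed", []))
    return findings

# Constructed sample data (RFC 1918 ranges, not taken from the thread).
LOCAL_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24", "10.9.0.0/24"]
PEER_CONFIG_FOR_US = ["10.1.0.0/24", "10.1.1.0/24", "10.9.0.0/24"]

if __name__ == "__main__":
    for merge in (True, False):
        print("merge_subnets =", merge)
        for finding in selector_mismatches(LOCAL_DOMAIN, PEER_CONFIG_FOR_US, merge):
            print("  ", finding)
```

With identical subnet lists on both sides, the merged case still reports a /23 the peer never configured, while the unmerged case reports nothing.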
