Further details about the problem that happens when Checkpoint tries
to bring up the VPN with Netscreen:
 
Checkpoint log
 
"Number" "Date"      "Time"    "Interface" "Origin"   "Type"    "Action" "Service"          "Source"            "Destination"     "Protocol" "Rule" "Source Port" "Information"
"59410"  "30Aug2002" "9:17:52" "eth1"      "Cluster1" "Log"     "Accept" "FW1_log"          "cp2"               "management"      "tcp"      "15"   "34545" ""
"59412"  "30Aug2002" "9:17:56" "eth1"      "Cluster1" "Log"     "Accept" "CPD_amon"         "management"        "cp2"             "tcp"      "4"    "39699" ""
"59414"  "30Aug2002" "9:31:47" "eth0"      "Cluster1" "Log"     "Accept" "CPMI"             "yanLab"            "NAT_Management"  "tcp"      "14"   "3029" ""
"59415"  "30Aug2002" "9:36:28" "eth1"      "Cluster1" "Log"     "Accept" "CPD"              "management"        "cp2"             "tcp"      "4"    "41200" ""
"59417"  "30Aug2002" "9:36:29" "daemon"    "Cluster1" "Control" " " "" "" "" "" "" "" "sys_message: The eth2 interface is not protected by the anti-spoofing feature. Your network may be at risk; "
"59418"  "30Aug2002" "9:36:29" "daemon"    "Cluster1" "Control" " " "" "" "" "" "" "" "sys_message: installed 3Jan2003-9h27; "
"59424"  "30Aug2002" "9:36:31" "eth1"      "Cluster1" "Log"     "Accept" "FW1_ica_services" "cp2"               "management"      "tcp"      "15"   "34563" ""
"59425"  "30Aug2002" "9:36:32" "eth1"      "Cluster1" "Log"     "Accept" "FW1_ica_services" "cp2"               "management"      "tcp"      "15"   "34564" ""
"59426"  "30Aug2002" "9:36:32" "eth1"      "Cluster1" "Log"     "Accept" "FW1_ica_services" "cp2"               "management"      "tcp"      "15"   "34565" ""
"59427"  "30Aug2002" "9:41:17" "eth0"      "Cluster1" "Log"     "Accept" "ssh"              "yanLab"            "NAT_Management"  "tcp"      "14"   "3051" ""
"59431"  "30Aug2002" "9:43:06" "eth1"      "Cluster1" "Log"     "Accept" "CPD"              "management"        "cp2"             "tcp"      "4"    "41743" ""
"59435"  "30Aug2002" "9:43:07" "daemon"    "Cluster1" "Control" " " "" "" "" "" "" "" "sys_message: The eth2 interface is not protected by the anti-spoofing feature. Your network may be at risk; "
"59436"  "30Aug2002" "9:43:07" "daemon"    "Cluster1" "Control" " " "" "" "" "" "" "" "sys_message: installed 3Jan2003-9h27; "
"59441"  "30Aug2002" "9:43:09" "eth1"      "Cluster1" "Log"     "Accept" "FW1_ica_services" "cp2"               "management"      "tcp"      "15"   "34567" ""
"59442"  "30Aug2002" "9:43:10" "eth1"      "Cluster1" "Log"     "Accept" "FW1_ica_services" "cp2"               "management"      "tcp"      "15"   "34568" ""
"59443"  "30Aug2002" "9:43:10" "eth1"      "Cluster1" "Log"     "Accept" "FW1_ica_services" "cp2"               "management"      "tcp"      "15"   "34569" ""
"59446"  "30Aug2002" "8:48:03" "daemon"    "Cluster1" "Log"     "Key Install" ""            "Cluster1"          "Netscreen5xpLAB" "" "" "" "IKE: Main Mode completion.; "
"59447"  "30Aug2002" "8:48:08" "daemon"    "Cluster1" "Log"     "Key Install" ""            "Netscreen5xpLAB"   "Cluster1" "" "" "" "IKE: Quick Mode completion; IKE IDs: subnet: 10.0.0.0 (mask= 255.255.255.0) and subnet: 192.168.33.0 (mask= 255.255.255.0); "
"59448"  "30Aug2002" "8:48:18" "eth0"      "Cluster1" "Log"     "Accept" ""                 "Netscreen5xpLAB"   "Cluster1"        "icmp"     "9" "" "icmp-type: 8; icmp-code: 0; "
"59449"  "30Aug2002" "8:48:20" "eth0"      "Cluster1" "Log"     "Drop" ""                   "management"        "192.168.33.20"   "icmp" "" "" "icmp-type: 8; icmp-code: 0; encryption fail reason: Packet is dropped as there is no valid SA; "
"59450"  "30Aug2002" "8:48:20" "eth1"      "Cluster1" "Log"     "Drop" ""                   "management"        "192.168.33.20"   "icmp"     "11" "" "icmp-type: 8; icmp-code: 0; encryption fail reason: Packet is dropped as there is no valid SA; "
"59451"  "30Aug2002" "8:48:39" "daemon"    "Cluster1" "Log"     "Drop" "" "" "" "ip" "0" "" "encryption failure: no response from peer.; "
"59452"  "30Aug2002" "8:52:52" "eth0"      "Cluster1" "Log"     "Accept" "IKE"              "Cluster1"          "Netscreen5xpLAB" "udp"      "8" "IKE" ""
"59453"  "30Aug2002" "8:53:28" "daemon"    "Cluster1" "Log"     "Key Install" ""            "Cluster1"          "Netscreen5xpLAB" "" "" "" "IKE: Main Mode completion.; "
"59454"  "30Aug2002" "8:53:52" "eth1"      "Cluster1" "Log"     "Drop" ""                   "management"        "192.168.33.20"   "icmp"     "11" "" "icmp-type: 8; icmp-code: 0; encryption fail reason: Packet is dropped as there is no valid SA; "
"59455"  "30Aug2002" "8:54:04" "daemon"    "Cluster1" "Log"     "Drop" "" "" "" "ip" "0" "" "encryption failure: no response from peer.; "
"59456"  "30Aug2002" "8:54:23" "daemon"    "Cluster1" "Log"     "Key Install" ""            "Netscreen5xpLAB"   "Cluster1" "" "" "" "IKE: Informational Exchange Received Delete IKE-SA from Peer: c0a85065; Cookies: 49e4b48ebe4de9a0-e5d0f8e35265b6d9 ; "
"59457"  "30Aug2002" "8:54:35" "daemon"    "Cluster1" "Log"     "Key Install" ""            "Cluster1"          "Netscreen5xpLAB" "" "" "" "IKE: Informational Exchange Send Delete IPSEC-SA to Peer: c0a85065; SPI: f274ae2e; "
"59458"  "30Aug2002" "8:54:43" "daemon"    "Cluster1" "Log"     "Key Install" ""            "Netscreen5xpLAB"   "Cluster1" "" "" "" "IKE: Informational Exchange Received Delete IPSEC-SA from Peer: c0a85065; SPIs: f54827cd ; "
"59459"  "30Aug2002" "8:54:44" "daemon"    "Cluster1" "Log"     "Key Install" ""            "Netscreen5xpLAB"   "Cluster1" "" "" "" "IKE: Quick Mode completion; IKE IDs: subnet: 10.0.0.0 (mask= 255.255.255.0) and subnet: 192.168.33.0 (mask= 255.255.255.0); "
"59460"  "30Aug2002" "9:52:07" "eth0"      "Cluster1" "Log"     "Accept" ""                 "Netscreen5xpLAB"   "Cluster1"          "icmp"   "9" "" "icmp-type: 8; icmp-code: 0; "
"59461"  "30Aug2002" "8:56:02" "eth0"      "Cluster1" "Log"     "Drop" ""                   "Netscreen5xpLAB"   "Cluster1"          "ipv6-crypt" "" "" "encryption fail reason: Packet is dropped as there is no valid SA; "
"59462"  "30Aug2002" "9:54:12" "eth0"      "Cluster1" "Log"     "Accept" "IKE"              "Cluster1"          "Netscreen5xpLAB"   "udp"    "8" "IKE" ""
"59463"  "30Aug2002" "9:54:12" "daemon"    "Cluster1" "Log"     "Key Install" ""            "Cluster1"          "Netscreen5xpLAB" "" "" "" "IKE: Quick Mode completion; IKE IDs: subnet: 10.0.0.0 (mask= 255.255.255.0) and subnet: 192.168.33.0 (mask= 255.255.255.0); "
"59464"  "30Aug2002" "8:56:59" "daemon"    "Cluster1" "Log"     "Key Install" ""            "Netscreen5xpLAB"   "Cluster1" "" "" "" "IKE: Informational Exchange Received Delete IPSEC-SA from Peer: c0a85065; SPIs: f54827ce ; "
"59465"  "30Aug2002" "8:57:17" "daemon"    "Cluster1" "Log"     "Key Install" ""            "Netscreen5xpLAB"   "Cluster1" "" "" "" "IKE: Informational Exchange Received Delete IPSEC-SA from Peer: c0a85065; SPIs: f54827ce ; "
 

Netscreen side (debug ike detail output)
 

##2003-01-07 08:57:09 system-debugging: IKE<172.16.0.3> Matching policy: gw ip <172.16.0.3> peer entry id<2>
##2003-01-07 08:57:09 system-debugging: IKE<172.16.0.3>
                Rcv'd P2 ID: type<4> local addr<192.168.33.0> mask<255.255.255.0> prot<0> port<0>.
                Rcv'd P2 ID: type<1> remote addr<10.0.0.6> mask<255.255.255.255> prot<0> port<0>.
##2003-01-07 08:57:09 system-debugging: IKE<0.0.0.0> protocol matched expected<0>.
##2003-01-07 08:57:09 system-debugging: IKE<0.0.0.0> port matched expect<0>.
##2003-01-07 08:57:09 system-debugging: IKE<172.16.0.3> Peer dial<-1> user<-1>.
##2003-01-07 08:57:09 system-debugging: IKE<10.0.0.6> local address matched.
##2003-01-07 08:57:09 system-debugging: IKE<10.0.0.6> remote address NOT matched.
##2003-01-07 08:57:09 system-debugging:
Multiple SA for multiple policy mode, skipping base sa 5 when searching for sa.
##2003-01-07 08:57:09 system-debugging: IKE<172.16.0.3> Phase 2: No policy exists for the proxy ID received: local ID (<192.168.33.0>/<255.255.255.0>,<0>,<0>) remote ID (<10.0.0.6>/<255.255.255.255>,<0>,<0>)
##2003-01-07 08:57:09 system-debugging: IKE<172.16.0.3> oakley_process_quick_mode():exit
##2003-01-07 08:57:09 system-debugging: IKE<172.16.0.3> Phase 2 msg-id <05338af5>: Negotiations have failed.
##2003-01-07 08:57:09 system-debugging: IKE<0.0.0.0>   Delete conn entry...
 
 
 
-------------------
 
 
This is the setup:
 
                                                                                                      Netscreen
                                           _fw1_                                                         |
Management--------Hub1-----<_   |   _ >Hub2------------CiscoRouter-------------Switch
                                           fw2                                                             |
                                                                                                 Laptop+SecuremoteNG
 
 
Classic setup; everything works well (load balancing, failover), but when it comes
to VPNs nothing works.
 
I tried a policy in the new mode (the VPN community thing)
and a policy in classic mode like in the good old 4.1.
 
I am trying to establish the VPN from the Netscreen box and from the SecuRemote client
to the shared virtual cluster IP. For the Netscreen, Phase 1 using 3des/md5/preshared key/dhg2 works.
Then Phase 2 using 3des/sha1/dhg2 nearly finishes, but the NG box sends the wrong encryption domain
to the Netscreen: it sends the IP of the machine (Management) trying to ping the Netscreen's encryption domain
as its encryption domain. Of course the Netscreen refuses to bring up the VPN because it expects to receive the subnet
as the encryption domain of the NG box, as defined in the NG policy cluster topology.
 
For the VPN client, I am able to create the site within SecuRemote and authenticate using the FW-1 password.
But then when the VPN is up I can't ping into the encryption domain... basic.
 
 
Any help will be appreciated,
 
Yannick

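The Phase 2 failure described in the post is a proxy-ID (encryption domain) mismatch: the Netscreen's "debug ike detail" shows it received a host ID (10.0.0.6/255.255.255.255) where its policy expects the subnet, while the Check Point side logs "Quick Mode completion" with the two /24 subnets and then drops the pings with "no valid SA". The script below is an added example, not code from the post or from either vendor. It parses the Check Point text-export log lines and the ScreenOS debug lines quoted above (embedded here as constructed sample input), extracts the proxy IDs each side reports, and classifies the received ID against the policy the Netscreen is assumed to hold (192.168.33.0/24 local, 10.0.0.0/24 remote, as the post describes; an assumption, not read from a device). ScreenOS requires an exact match of the Phase 2 proxy ID with the policy, so a narrower ID that sits inside the expected subnet is flagged separately from a disjoint one, which is the distinction a practitioner needs when deciding whether the encryption domain or the policy itself is wrong.

```python
import re
from ipaddress import ip_network

# Constructed sample input: two lines taken from the Check Point log quoted in the post.
CP_LOG = '''"59447" "30Aug2002" "8:48:08" "daemon" "Cluster1" "Log" "Key Install" "" "Netscreen5xpLAB" "Cluster1" "" "" "" "IKE: Quick Mode completion; IKE IDs: subnet: 10.0.0.0 (mask= 255.255.255.0) and subnet: 192.168.33.0 (mask= 255.255.255.0); "
"59450" "30Aug2002" "8:48:20" "eth1" "Cluster1" "Log" "Drop" "" "management" "192.168.33.20" "icmp" "11" "" "icmp-type: 8; icmp-code: 0; encryption fail reason: Packet is dropped as there is no valid SA; "
'''

# Constructed sample input: the ScreenOS "debug ike detail" lines quoted in the post.
NS_DEBUG = '''##2003-01-07 08:57:09 system-debugging: IKE<172.16.0.3>
                Rcv'd P2 ID: type<4> local addr<192.168.33.0> mask<255.255.255.0> prot<0> port<0>.
                Rcv'd P2 ID: type<1> remote addr<10.0.0.6> mask<255.255.255.255> prot<0> port<0>.
##2003-01-07 08:57:09 system-debugging: IKE<10.0.0.6> remote address NOT matched.
'''

# Assumed Netscreen policy proxy IDs (what the post says the Netscreen expects).
EXPECTED_LOCAL = ip_network("192.168.33.0/24")
EXPECTED_REMOTE = ip_network("10.0.0.0/24")

# Column order of the Check Point text export, as in the header line of the post.
CP_COLUMNS = ["Number", "Date", "Time", "Interface", "Origin", "Type", "Action",
              "Service", "Source", "Destination", "Protocol", "Rule", "Source Port",
              "Information"]


def parse_cp_fields(line):
    """Split one Check Point text-export line into its double-quoted fields."""
    return re.findall(r'"([^"]*)"', line)


def parse_cp_log(text):
    """Return one dict per well-formed log line, keyed by CP_COLUMNS."""
    records = []
    for line in text.splitlines():
        fields = parse_cp_fields(line)
        if len(fields) == len(CP_COLUMNS):
            records.append(dict(zip(CP_COLUMNS, fields)))
    return records


def cp_quick_mode_ids(record):
    """Extract the two subnets from a 'Quick Mode completion' Information field, else None."""
    m = re.search(r"subnet: (\S+) \(mask= (\S+)\) and subnet: (\S+) \(mask= (\S+)\)",
                  record["Information"])
    if not m:
        return None
    return (ip_network(f"{m.group(1)}/{m.group(2)}", strict=False),
            ip_network(f"{m.group(3)}/{m.group(4)}", strict=False))


def cp_no_sa_drops(records):
    """Records dropped because no IPsec SA covered the packet."""
    return [r for r in records if "no valid SA" in r["Information"]]


def parse_ns_proxy_ids(text):
    """Pull the received Phase 2 local/remote proxy IDs out of ScreenOS debug output."""
    ids = {}
    for m in re.finditer(r"(local|remote) addr<([\d.]+)> mask<([\d.]+)>", text):
        ids[m.group(1)] = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    return ids


def classify_proxy_id(received, expected):
    """ScreenOS needs an exact proxy-ID match; say how the received ID relates to policy."""
    if received == expected:
        return "match"
    if received.subnet_of(expected):
        return "narrower-than-policy"   # e.g. a /32 host inside the expected /24
    if expected.subnet_of(received):
        return "wider-than-policy"
    return "disjoint"


def diagnose(ns_debug_text, expected_local, expected_remote):
    """Classify both received proxy IDs against the assumed Netscreen policy."""
    ids = parse_ns_proxy_ids(ns_debug_text)
    return {"local": classify_proxy_id(ids["local"], expected_local),
            "remote": classify_proxy_id(ids["remote"], expected_remote)}


if __name__ == "__main__":
    recs = parse_cp_log(CP_LOG)
    for r in recs:
        ids = cp_quick_mode_ids(r)
        if ids:
            print(f"CP #{r['Number']}: Quick Mode IDs {ids[0]} <-> {ids[1]}")
    print(f"CP drops with no valid SA: {len(cp_no_sa_drops(recs))}")
    print("Netscreen received:", parse_ns_proxy_ids(NS_DEBUG))
    print("Verdict:", diagnose(NS_DEBUG, EXPECTED_LOCAL, EXPECTED_REMOTE))
```

On the post's data the verdict is local "match", remote "narrower-than-policy": the Check Point cluster negotiated a host ID for the pinging management station instead of its 10.0.0.0/24 encryption domain, which is exactly why the Netscreen reports "remote address NOT matched" and the cluster then logs "no valid SA" for the pings.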