Gus,
The cookie that is off is the timeliness cookie, designed to validate that the vpn
connection is not a replay of a previous session. Phase 2 stage 0 indicates that
Alcatel is not holding the phase 1 cookie going into the SA establishment. I've
seen this problem before where a unidirectional tunnel was possible because of
incompatibility in VPN code. However, since Alcatel and Checkpoint are both IPSec
1.0a certified, I would be more inclined to suspect that the Alcatel side is using
perfect forward secrecy with a low re-key interval. This would mean that Check
Point does not invalidate the session, but that the remote side initiates a SA
renewal request, using a completely different set of parameters upon each rekey,
whereas the Check Point is probably not configured for PFS, and thus reuses the old
Skey_id_r, id_e, and id_a.
As for the solution, I would look closely at the details of the Alcatel side connection,
and then check Policy->Properties->Encryption and look for the IPSEC
renegotiation interval.
Although suspicion has it that it will be a PFS issue.
Just a guess,
CryptoTech
Gus Reyes wrote:
> I set up VPN between Checkpoint and Alcatel systems using IKE, MD5, Shared
> Secret. So far, only CP to Alcatel connections work, not vice versa. Log
> viewer in CP shows successful key installs - phase 1 and phase 2. I see
> encrypted packets going out and can even see a server behind the Alcatel.
> Ten minutes after key exchange, I get the following: 'IKE Log: Sent
> Notification: invalid cookie <phase2 stage0>'. Remote end does not find my
> server. Despite this error, I can still VPN connect with Alcatel. Not the
> other way around. Any ideas???
>
> Thanks
>
> Gus
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
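The "invalid cookie <phase2 stage0>" notification discussed in this thread is raised when a quick mode (phase 2) message carries an ISAKMP cookie pair that the receiver no longer associates with a live phase 1 SA, which is exactly what happens if one side discards its phase 1 state at rekey while the other keeps using it. The following is an added illustration, not code from either poster, Check Point or Alcatel: it parses the 28-byte ISAKMP header (RFC 2408) from constructed packets and tracks cookie pairs the way a gateway would when deciding whether a phase 2 message is acceptable.

```python
import struct
from dataclasses import dataclass

# ISAKMP header, RFC 2408 section 3.1: 28 bytes, network byte order.
# initiator cookie(8) responder cookie(8) next payload(1) version(1)
# exchange type(1) flags(1) message ID(4) length(4)
HDR = struct.Struct("!8s8sBBBBII")
EXCH_IDENTITY_PROTECTION = 2   # phase 1 main mode
EXCH_QUICK_MODE = 32           # phase 2
ZERO_COOKIE = b"\x00" * 8


@dataclass(frozen=True)
class IsakmpHeader:
    icookie: bytes
    rcookie: bytes
    next_payload: int
    version: int
    exchange: int
    flags: int
    message_id: int
    length: int


def parse_header(data: bytes) -> IsakmpHeader:
    """Decode the fixed ISAKMP header; rejects packets shorter than 28 bytes."""
    if len(data) < HDR.size:
        raise ValueError("short ISAKMP header")
    return IsakmpHeader(*HDR.unpack_from(data))


class CookieTracker:
    """Remember cookie pairs of established phase 1 SAs and validate phase 2 traffic against them."""

    def __init__(self) -> None:
        self.phase1: set[tuple[bytes, bytes]] = set()

    def observe(self, pkt: bytes) -> str:
        h = parse_header(pkt)
        pair = (h.icookie, h.rcookie)
        if h.exchange == EXCH_IDENTITY_PROTECTION:
            # The first main mode message has an all-zero responder cookie;
            # only record the pair once both cookies are present.
            if h.rcookie != ZERO_COOKIE:
                self.phase1.add(pair)
            return "phase1"
        if h.exchange == EXCH_QUICK_MODE:
            return "phase2 ok" if pair in self.phase1 else "invalid cookie <phase2 stage0>"
        return "other"

    def delete(self, icookie: bytes, rcookie: bytes) -> None:
        """Model the peer tearing down a phase 1 SA (e.g. at a PFS rekey)."""
        self.phase1.discard((icookie, rcookie))


def make_pkt(icookie: bytes, rcookie: bytes, exchange: int, msgid: int = 0) -> bytes:
    """Build a constructed header-only ISAKMP packet (version 1.0, no payloads)."""
    return HDR.pack(icookie, rcookie, 1, 0x10, exchange, 0, msgid, HDR.size)
```

Feeding a quick mode message with a deleted cookie pair into `observe` reproduces the notification string from the Check Point log, while a pair still held in `phase1` passes.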