Hi Scott,
We experienced exactly the same behaviour when trying to connect a VPN-1 to a Cisco PIX with IKE and pre-shared secrets some months ago. That is, the VPN worked when going from behind the PIX, but when trying to go from behind the VPN-1 to the PIX, we got exactly the same errors as you describe here, Scott, that is they don't seem to be able to agree on SA!!!
We wrote it off as being a Cisco problem and got ourselves another small PIX (yeah I know, it's a bad bad thing ;-) ) to terminate this particular VPN.
But seeing this I'm beginning to wonder if this might be a VPN-1 problem, anyone else seen this??
Arnor Arnason
[EMAIL PROTECTED]
EJS
Iceland
Date: Thu, 15 Feb 2001 10:39:46 -0500
From: Scott Hunter <[EMAIL PROTECTED]>
Subject: [FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and FW1 SP2 on NT
I am trying to set up a VPN using a Nokia CC 500 and FW1. I'm using IKE and pre-shared secrets. The tunnel works in one direction, from the network behind the Nokia to the network behind the FW1 machine, but when I attempt to access the network behind the Nokia CC 500 from the network behind the FW1, it fails and I get the following on the CC 500 console (some IPs changed to protect the innocent):
Thu Feb 15 15:16:18 2001 (IPSEC)-ERR: key_find_responder_policy: matching outbound selector not found
Thu Feb 15 15:16:18 2001 (IKE)-ERR: receive: failed to locate QM responder policy
then:
Thu Feb 15 15:16:43 2001 (IKE)-AUDIT: IKE SA deleted for 123.123.123.66
(123.123.123.66)
Thu Feb 15 15:16:43 2001 (IKE)-NOTICE: process_sa: no proposal chosen
Then the tunnel goes down and does not come back up until traffic goes from the network behind the Nokia CC 500 to the network behind the FW1 box.
When it is up, IPSEC looks like this:
IPSec Security Associations:
spi: ffff3c00 <- ffff1d87
source address: 123.123.123.66
destination address: 123.123.123.80
client identity: 10.10/24
type: esp
integrity algorithm: md5 (128 bits)
secrecy algorithm: 3des (192 bits)
flags: inbound,initiator,tunnel
lifetime: 60 minutes
time-to-live: 59 minutes
traffic: 848 bytes
spi: ffff1d87 -> ffff3c00 (1)
source address: 123.123.123.80
destination address: 123.123.123.66
client identity: 10/24
type: esp
integrity algorithm: md5 (128 bits)
secrecy algorithm: 3des (192 bits)
flags: outbound,initiator,tunnel
lifetime: 60 minutes
time-to-live: 59 minutes
traffic: 632 bytes
and IKE looks like this:
IKE Security Associations:
sequence: 2b
state: MM_IDLE
flags: outbound,valid
source: 123.123.123.80
destination: 123.123.123.66
peer identity: fqdn.domain.com
oakley group: modp-768
encryption algorithm: 3des
hash algorithm: md5
authentication method: pre-shared key
associations: 2
lifetime: 8 hours
time-to-live: 7 hours
It's also really slow. Anyone out there have any experience with the Nokia CC 500 that they would like to share?
Scott
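The one-way symptom above (quick mode completes when the CC 500 initiates, but the FW-1-initiated attempt ends in "matching outbound selector not found" and "no proposal chosen") is what a responder logs when the two gateways' encryption domains are not mirror images of each other. The following Python model of the responder-side quick-mode policy lookup is an added example, not code from either poster or from Nokia or Check Point; the 10.10.0.0/24 and 10.0.0.0/24 networks are taken from the SA dump, while the supernet on the FW-1 side is a constructed assumption chosen to reproduce the symptom, not a diagnosis of Scott's actual configuration.

```python
"""Simplified IKEv1 quick-mode responder policy lookup (constructed model)."""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Policy:
    local_net: IPv4Network   # this gateway's own encryption domain
    remote_net: IPv4Network  # what this gateway believes the peer protects


def find_responder_policy(policies, id_ci, id_cr):
    """Return the first policy whose selectors cover the initiator's proposed
    client identities (IDci = initiator's side, IDcr = our side).  None models
    the CC 500 log line 'matching outbound selector not found'."""
    for p in policies:
        if id_ci.subnet_of(p.remote_net) and id_cr.subnet_of(p.local_net):
            return p
    return None


def quick_mode(initiator_policy, responder_policies):
    """Initiator proposes its own (local, remote) pair; the responder must hold
    a mirror-image policy or it answers 'no proposal chosen'."""
    found = find_responder_policy(responder_policies,
                                  initiator_policy.local_net,
                                  initiator_policy.remote_net)
    return found is not None


# Networks as shown in the SA dump ("10.10/24" and "10/24").
NET_A = IPv4Network("10.10.0.0/24")  # behind the CC 500
NET_B = IPv4Network("10.0.0.0/24")   # behind the FW-1

cc500 = [Policy(local_net=NET_A, remote_net=NET_B)]
# Constructed mismatch: FW-1 defines the remote domain as a /16 supernet.
fw1 = [Policy(local_net=NET_B, remote_net=IPv4Network("10.10.0.0/16"))]


def diagnose():
    """Run quick mode in both directions; only one succeeds with the
    mismatched definitions above, matching the behaviour in the thread."""
    return {
        "cc500_to_fw1": quick_mode(cc500[0], fw1),
        "fw1_to_cc500": quick_mode(fw1[0], cc500),
    }


if __name__ == "__main__":
    print(diagnose())  # {'cc500_to_fw1': True, 'fw1_to_cc500': False}
```

The practical check is therefore to compare both peers' local/remote selectors side by side: every (local, remote) pair on one gateway must appear as (remote, local) on the other, with identical prefix lengths.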
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================