Firewall Wizards mailing list archives

netscreen 25 sofaware ipsec interop


From: Timo Proescholdt <proescho () informatik uni-muenchen de>
Date: Mon, 5 Jan 2004 17:44:04 +0100


Hi List,

My first post to this list. The archive has helped me
a lot in the past, but I have come to a point where I don't know what to
do.

I am trying to set up a route-based VPN between a NetScreen NS25 and one of these
Check Point SOFAWARE 4.0.41 appliances.

I need the SOFAWARE box because of its PPTP internet access feature,
which I am missing from other vendors.

The NS has a fixed IP, the SW a dynamic one.
Authentication shall be done using certificates.

First I created and signed two simple (no subjectAltName) certificates
with an OpenSSL CA, and imported the local certificates and the CA cert
into both devices.

Then I configured the NetScreen to use its DN for the phase 1
IKE ID [local ID [DistinguishedName]], and to expect the DN of the
peer as peer IKE ID [use distinguished name for peer ID].

I mostly followed the configuration example "Route Based Site-to-Site
VPN, dynamic peer" in the manual, enriched by the hints David Klein
gave on this list.

My problem is that I cannot pass phase 1 (IKE).
My NetScreen device shows the following error in its log:

Rejected an initial Phase 1 packet from an unrecognized peer gateway.

I double-checked that there are no typos in the DN, that the clocks are
set up all right and that the certs are signed correctly.


My problem is that I have absolutely no idea what this SOFAWARE
device expects as IKE ID, nor what it sends as local IKE ID.

Another miracle is the contents of the certificate for the SW box.

In another run, I tried to create a certificate containing an email
address in the subjectAltName field. I used this as Peer ID in the
NetScreen's AutoKey->Gateway configuration dialog.

Same error message.

Does anyone on the list have experience with the SW boxes?
I am new to both of these devices, but I definitely prefer the NS:
lots of documentation, nice command line.
Exactly the things I miss on the SW box.

I include a dbuf run of one (unsuccessful) IKE run at the end of this
mail (debug ike all).

Best Regards
and many thanks
Timo



dbuf shows:

-- IKE<62.246.143.211> Receive 1st Phase 1 packet::
-- 86 6f 5c e5 4e 99 22 78  00 00 00 01 00 00 0f a2
[..]
-- 00 00 00 00 00 00 00 00  18 40 00 00
-- IKE<62.246.143.211> Getting IKE gateway entry for peer ip <62.246.143.211>, local ip <62.246.143.210>, vsys <none>, id type <0>.
-- IKE<62.246.143.211> Getting peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Failed to get peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Getting the 1st peer_ent that is used, with no peer IP, and right local IP.
-- IKE<62.246.143.211> Failed to get the 1st peer_ent that is used, with no peer IP, and right local IP.
-- IKE<62.246.143.211> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
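The debug output above shows the order in which the NetScreen tries to match an inbound first Phase 1 packet to a configured gateway: first a static entry keyed by peer IP and local IP, then the first in-use dynamic-peer entry (one with no peer IP) bound to the same local IP, and, when both fail, the packet is rejected as coming from an unrecognized peer gateway. The following is an added example, not code from the post or from Juniper/NetScreen: a small Python parser that reads such `debug ike` lines, re-joins lines the archive has wrapped, and reports which lookup step failed for each Phase 1 attempt. The sample input is the post's own debug lines with the hex dump omitted; the lookup order it reports is only what those lines state, and the field names (`static_lookup_failed`, `dynamic_lookup_failed`) are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample input: the "debug ike all" lines quoted in the post,
# with the packet hex dump left out. The line ending in "id type <0>." is
# kept wrapped onto a second line, as the list archive shows it.
SAMPLE_DBUF = """\
-- IKE<62.246.143.211> Receive 1st Phase 1 packet::
-- IKE<62.246.143.211> Getting IKE gateway entry for peer ip <62.246.143.211>, local ip <62.246.143.210>, vsys <none>,
id type <0>.
-- IKE<62.246.143.211> Getting peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Failed to get peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Getting the 1st peer_ent that is used, with no peer IP, and right local IP.
-- IKE<62.246.143.211> Failed to get the 1st peer_ent that is used, with no peer IP, and right local IP.
-- IKE<62.246.143.211> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
"""

# One debug line: "-- IKE<peer-ip> message". Hex dump rows ("-- 86 6f ...") do not match.
LINE_RE = re.compile(r"^-- IKE<(?P<peer>[0-9.]+)> (?P<msg>.*)$")
# The gateway lookup line carries peer IP, local IP, vsys and the IKE ID type.
LOOKUP_RE = re.compile(
    r"peer ip <(?P<peer>[0-9.]+)>, local ip <(?P<local>[0-9.]+)>, "
    r"vsys <(?P<vsys>[^>]*)>, id type <(?P<idtype>\d+)>"
)


@dataclass
class Phase1Attempt:
    """One inbound Phase 1 attempt, reconstructed from the debug lines."""
    peer_ip: str
    local_ip: Optional[str] = None
    vsys: Optional[str] = None
    id_type: Optional[int] = None
    static_lookup_failed: bool = False   # "Failed to get peer_ent by peer IP/local IP"
    dynamic_lookup_failed: bool = False  # "Failed to get the 1st peer_ent ... no peer IP ..."
    rejected: bool = False               # "Rejected an initial Phase 1 packet ..."

    def diagnosis(self) -> str:
        """Summarise which gateway lookup steps the log reports as failed."""
        if not self.rejected:
            return "phase 1 packet was not rejected at gateway lookup"
        steps = []
        if self.static_lookup_failed:
            steps.append(f"no static gateway entry for peer {self.peer_ip} / local {self.local_ip}")
        if self.dynamic_lookup_failed:
            steps.append(f"no in-use dynamic-peer gateway entry (no peer IP) bound to local {self.local_ip}")
        return "rejected as unrecognized peer: " + "; ".join(steps)


def _logical_lines(text: str) -> Iterator[str]:
    """Re-join archive line wraps: a line not starting with '-- ' continues the previous one."""
    buf: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("-- "):
            if buf is not None:
                yield buf
            buf = raw
        elif buf is not None and raw.strip():
            buf = buf.rstrip() + " " + raw.strip()
    if buf is not None:
        yield buf


def parse_dbuf(text: str) -> List[Phase1Attempt]:
    """Group debug lines into Phase1Attempt records, one per 'Receive 1st Phase 1 packet'."""
    attempts: List[Phase1Attempt] = []
    current: Optional[Phase1Attempt] = None
    for line in _logical_lines(text):
        m = LINE_RE.match(line)
        if not m:
            continue  # hex dump rows and other noise
        peer, msg = m.group("peer"), m.group("msg")
        if msg.startswith("Receive 1st Phase 1 packet"):
            current = Phase1Attempt(peer_ip=peer)
            attempts.append(current)
            continue
        if current is None or current.peer_ip != peer:
            continue
        lk = LOOKUP_RE.search(msg)
        if lk:
            current.local_ip = lk.group("local")
            current.vsys = lk.group("vsys")
            current.id_type = int(lk.group("idtype"))
        elif msg.startswith("Failed to get peer_ent by peer IP/local IP"):
            current.static_lookup_failed = True
        elif msg.startswith("Failed to get the 1st peer_ent"):
            current.dynamic_lookup_failed = True
        elif msg.startswith("Rejected an initial Phase 1 packet"):
            current.rejected = True
    return attempts


if __name__ == "__main__":
    for a in parse_dbuf(SAMPLE_DBUF):
        print(f"peer={a.peer_ip} local={a.local_ip} vsys={a.vsys} id_type={a.id_type}")
        print(a.diagnosis())
```

Run it against a saved `debug ike` buffer instead of `SAMPLE_DBUF` to see, per inbound attempt, which of the two lookups failed; in the post's run both fail, which points at the gateway configuration on the local IP 62.246.143.210 rather than at the certificate or DN contents, since the log never reaches an ID comparison.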

