Firewall Wizards mailing list archives
netscreen 25 sofaware ipsec interop
From: Timo Proescholdt <proescho () informatik uni-muenchen de>
Date: Mon, 5 Jan 2004 17:44:04 +0100
Hi List,

My first post to this list. The archive helped me a lot in the past, but I have come to a point where I don't know what to do.

I try to set up a route-based VPN between a NetScreen NS25 and one of these Checkpoint SOFAWARE 4.0.41 appliances. I need the SOFAWARE box because of its PPTP internet access feature, which I am missing at other vendors. The NS has a fixed IP, the SW a dynamic one. Authentication shall be done using certificates.

First I created and signed two simple (no subjectAltName) certificates with an openssl CA, and imported the local certificates and the cacert both into the devices. Then I configured the netscreen to use its DN for phase 1 IKE ID [local Id [DistinguishedName]], and to expect the DN of the peer as peer IKE ID [use distinguished name for peer id]. I mostly followed the configuration example "Route Based Site-to-Site VPN, dynamic peer" in the manual, enriched by the hints of David Klein given on this list.

My problem is that I cannot pass phase 1 (IKE). My netscreen device shows the following error in its log:

Rejected an initial Phase 1 packet from an unrecognized peer gateway.

I double checked that there are no typos in the DN, the clocks are set up all right and that the certs are signed correctly. My problem is that I have absolutely no idea what this SOFAWARE device expects as IKE ID, nor what it sends as local IKE ID. Another miracle is the contents of the certificate for the SW box. In another run, I tried to create a certificate containing an email address in the subjectAltName field. I used this as Peer ID in netscreen's AutoKey->GateWay configuration dialog. Same error message.

Has anyone on the list experience with the SW boxes? I am new to both of these devices, but I definitely prefer the NS: lots of documentation, nice cmdline. Exactly the things I miss at the SW box.

I include a dbuf run of one (unsuccessful) IKE run at the end of this mail (debug ike all).

Best Regards and many thanks
Timo

dbuf shows:

-- IKE<62.246.143.211> Receive 1st Phase 1 packet::
-- 86 6f 5c e5 4e 99 22 78 00 00 00 01 00 00 0f a2
[..]
-- 00 00 00 00 00 00 00 00 18 40 00 00
-- IKE<62.246.143.211> Getting IKE gateway entry for peer ip <62.246.143.211>, local ip <62.246.143.210>, vsys <none>, id type <0>.
-- IKE<62.246.143.211> Getting peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Failed to get peer_ent by peer IP/local IP.
-- IKE<62.246.143.211> Getting the 1st peer_ent that is used, with no peer IP, and right local IP.
-- IKE<62.246.143.211> Failed to get the 1st peer_ent that is used, with no peer IP, and right local IP.
-- IKE<62.246.143.211> Rejected an initial Phase 1 packet from an unrecognized peer gateway.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
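The dbuf excerpt above records a fixed lookup sequence: the NetScreen first tries to find a gateway entry by peer IP and local IP, then falls back to a dynamic-peer entry with no peer IP and the right local IP, and rejects the packet when both fail. The following is an added example (not from the post or from either vendor) of a small parser that walks `debug ike` output in that form and reports, per peer, which lookups failed; the sample lines are constructed to mirror the ones quoted above, and the field names (`peer`, `local`, `vsys`, `idtype`) are the script's own.

```python
import re

# Constructed sample in the shape of the NetScreen "debug ike all" lines quoted above
SAMPLE_DBUF = """\
IKE<62.246.143.211> Receive 1st Phase 1 packet::
IKE<62.246.143.211> Getting IKE gateway entry for peer ip <62.246.143.211>, local ip <62.246.143.210>, vsys <none>, id type <0>.
IKE<62.246.143.211> Getting peer_ent by peer IP/local IP.
IKE<62.246.143.211> Failed to get peer_ent by peer IP/local IP.
IKE<62.246.143.211> Getting the 1st peer_ent that is used, with no peer IP, and right local IP.
IKE<62.246.143.211> Failed to get the 1st peer_ent that is used, with no peer IP, and right local IP.
IKE<62.246.143.211> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
"""

# One debug line: "IKE<peer-ip> message"
LINE_RE = re.compile(r"^(?:--\s*)?IKE<(?P<peer>[\d.]+)> (?P<msg>.*)$")
# The gateway-lookup line carries the tuple the device searched with
LOOKUP_RE = re.compile(
    r"peer ip <(?P<peer>[^>]*)>, local ip <(?P<local>[^>]*)>, "
    r"vsys <(?P<vsys>[^>]*)>, id type <(?P<idtype>[^>]*)>"
)


def analyse_ike_dbuf(text):
    """Group debug lines per peer and record lookup tuple, failed lookups and rejection."""
    peers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # hex dump lines and anything else are skipped
            continue
        rec = peers.setdefault(m["peer"], {"lookup": None, "failed": [], "rejected": False})
        msg = m["msg"]
        lk = LOOKUP_RE.search(msg)
        if lk:
            rec["lookup"] = lk.groupdict()
        elif msg.startswith("Failed to get "):
            rec["failed"].append(msg[len("Failed to get "):].rstrip("."))
        elif "unrecognized peer gateway" in msg:
            rec["rejected"] = True
    return peers


def diagnose(peers):
    """One summary line per peer whose Phase 1 packet was rejected."""
    out = []
    for ip, rec in peers.items():
        if not rec["rejected"]:
            continue
        lk = rec["lookup"] or {}
        out.append(f"{ip}: no gateway matched (local ip {lk.get('local', '?')}, "
                   f"id type {lk.get('idtype', '?')}); failed lookups: {'; '.join(rec['failed'])}")
    return out
```

Running `diagnose(analyse_ike_dbuf(SAMPLE_DBUF))` yields one line for 62.246.143.211 listing both failed lookups, which is the quickest way to tell a "no matching gateway entry" rejection apart from a later Phase 1 failure when scanning a longer capture.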