OSEC

Re: VPN OBSD <-> FW1

From: Rafael Coninck Teigão (rafael.coninck.teigaogmail.com)
Date: Tue Nov 02 2004 - 06:34:57 CST


Hi, Steve.
  I don't have access to the FW-1, but yes, it's the one from
CheckPoint. I'll try to find out the version they are using. The
configuration they asked me for was:
- IKE (Phase 1): 3DES, SHA-1, Diffie-Hellman Group 2, Renegotiate IKE
every 1440 Minutes.
- IPSec (Phase 2): 3DES, SHA-1, Renegotiate IPSec every 3600 seconds.

  I've left it in passive connection, and now I'm getting "dropped
message from 194.252.180.30 port 500 due to notification type
INVALID_PAYLOAD_TYPE". I'm now suspecting we are using the wrong
pre-share. How can I be sure, before talking to the other side?

  Best regards,
  Rafael.

On Mon, 1 Nov 2004 20:45:51 -0500, Steven S.
<ssurdockengineered-net.com> wrote:
> Do you mean Check Point FW-1? What version and on what platform?
> I configured an VPN between OBSD 3.5 and FW-1/NG/R55 on SPLAT with no code
> changes on either side.
>
> How is the VPN configured on the FW1 side? If you have access to the FW1
> box (and it's Check Point FW-1;-) take a look at the 'vpn tunnelutil'
> command.
>
> -Steve S.
>
> Rafael Coninck Teigão wrote:
> > Hi, pp.
> > I'm trying to create a VPN between a OBSD 3.5 and a FW1 server, but
> > I'm getting this error message:
> > Nov 1 20:49:40 marte isakmpd[1035]: transport_send_messages: giving
> > up on message 0x3c12c600, exchange Andritz
> ..stuff deleted
>
>
> >
> > Does anyone know what's wrong here? Any help would be appreciated...
> >
> > Oh, and by the way, before I got here, I was seeing this error
> > message: message_recv: cleartext phase 2 message
> > But I've read somewhere that this was indeed a problem with FW1 and
> > that the following block of code should be commented in the source
> > (messages.c):
> > /* Require encryption as soon as we have the keystate for it. */
> > /*
> > if ((flags & ISAKMP_FLAGS_ENC) == 0 &&
> > (msg->exchange->phase == 2 || msg->exchange->keystate))
> > {
> > log_print ("message_recv: cleartext phase %d message",
> > msg->exchange->phase);
> > message_drop (msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1);
> > return -1;
> > }
> > */
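
The thread never shows the OpenBSD side of the configuration, so as an added example (not part of the original exchange and not taken from either poster) here is an isakmpd.conf for OpenBSD 3.5 that expresses exactly the parameters the FW-1 administrators asked for: main mode with 3DES, SHA-1, Diffie-Hellman group 2 (MODP_1024) and a 1440-minute IKE lifetime, then quick mode with ESP 3DES/HMAC-SHA and a 3600-second IPsec lifetime. All addresses, subnets and section names are constructed placeholders (RFC 5737 documentation ranges), and the pre-shared key is a dummy value to be replaced.

```ini
# Added example isakmpd.conf for OpenBSD 3.5 (not from the thread).
# Addresses and subnets below are constructed placeholders.

[General]
Listen-on=              192.0.2.1          # local OpenBSD external address (constructed)

[Phase 1]
198.51.100.1=           fw1-peer           # Check Point gateway address (constructed)

[Phase 2]
Connections=            obsd-fw1

# ---- Phase 1: who we talk to and how we authenticate ----
[fw1-peer]
Phase=                  1
Transport=              udp
Local-address=          192.0.2.1
Address=                198.51.100.1
Configuration=          Main-Mode-3DES-SHA
# Pre-shared key in clear text; must match the secret configured for this
# peer on the FW-1 side byte for byte (watch for trailing spaces).
Authentication=         REPLACE-WITH-REAL-PRESHARED-KEY

[Main-Mode-3DES-SHA]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT            # main mode, as FW-1 expects
Transforms=             3DES-SHA-PSK-GRP2

[3DES-SHA-PSK-GRP2]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024          # Diffie-Hellman group 2
Life=                   LIFE-IKE-1440MIN

[LIFE-IKE-1440MIN]
LIFE_TYPE=              MINUTES
LIFE_DURATION=          1440               # "Renegotiate IKE every 1440 minutes"

# ---- Phase 2: the tunnel between the two LANs ----
[obsd-fw1]
Phase=                  2
ISAKMP-peer=            fw1-peer
Configuration=          Quick-Mode-ESP-3DES-SHA
Local-ID=               lan-obsd
Remote-ID=              lan-fw1

[lan-obsd]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.1.0           # constructed LAN behind OpenBSD
Netmask=                255.255.255.0

[lan-fw1]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.2.0           # constructed LAN behind FW-1
Netmask=                255.255.255.0

[Quick-Mode-ESP-3DES-SHA]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE

[QM-ESP-3DES-SHA-SUITE]
Protocols=              QM-ESP-3DES-SHA

[QM-ESP-3DES-SHA]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-XF

[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID=           3DES
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
# No GROUP_DESCRIPTION here: the FW-1 parameters quoted in the thread do not
# mention PFS. If PFS is enabled on the Check Point side, add
# GROUP_DESCRIPTION=MODP_1024 so the phase 2 proposals agree.
Life=                   LIFE-IPSEC-3600S

[LIFE-IPSEC-3600S]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600               # "Renegotiate IPSec every 3600 seconds"
```

To see which phase fails without involving the other side, run isakmpd in the foreground with full debugging (isakmpd -d -DA=90) and watch where the exchange stops. A wrong pre-shared key in main mode does not fail at the proposal stage: both sides agree on the transform, complete the Diffie-Hellman exchange, and only then derive different SKEYID values, so the encrypted messages 5 and 6 decrypt to garbage on the receiver. A peer that answers those messages with an INVALID_PAYLOAD_TYPE notification, as in the log line above, is therefore consistent with a key mismatch; a mismatch in the phase 1 transforms would instead show as a rejected proposal before any encrypted message is sent, and a PFS or lifetime disagreement would show up only after phase 1 completes, during quick mode.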