Re: VPN OBSD <-> FW1
From: Steven S. (ssurdock engineered-net.com)
Date: Tue Nov 02 2004 - 07:25:16 CST
I don't think there is a preshare mismatch, since it looks like Phase 1 was
completed (can anyone validate that?). The problem appears to me to be the
phase 2 negotiation. I find the last thing from the remote interesting...
-----
20:55:51.309252 194.252.180.30.500 > 200.150.68.74.500: [udp sum ok]
isakmp v1.0 exchange INFO
cookie: c2b9625799f6f05e->24b2c3db14c7cf41 msgid: 2bdd1eae len: 40
payload: NOTIFICATION len: 12
notification: PAYLOAD MALFORMED (ttl 39, id 32077)
-----
What output do you get when you crank up isakmpd debug? Also, verify the
subnet masks are correct (that gets me all too often :-( ).
-Steve S.
Rafael Coninck Teigão wrote:
> Hi, Steve.
> I don't have access to the FW-1, but yes, it's the one from
> CheckPoint. I'll try to find out the version they are using. The
> configuration they asked me was:
> - IKE (Phase 1): 3DES, SHA-1, Diffie-Hellman Group 2, Renegotiate IKE
> every 1440 Minutes.
> - IPSec (Phase 2): 3DES, SHA-1, Renegotiate IPSec every 3600 seconds.
>
> I've left it in Passive-connection, and now I'm getting "dropped
> message from 194.252.180.30 port 500 due to notification type
> INVALID_PAYLOAD_TYPE". I'm now suspecting we are using the wrong
> pre-share. How can I be sure, before talking to the other side?
>
> Best regards,
> Rafael.
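Decoding the notification in Steve's tcpdump line by hand, as an added example that is not part of the thread. The script below parses an ISAKMP header and a Notification payload as laid out in RFC 2408 (28-byte header, 12-byte notify payload with no SPI, which is exactly the "len: 40" / "NOTIFICATION len: 12" shape in the dump), then maps the notify type number to its name. The packet it parses is constructed here from the cookies and message id quoted above; the RFC's notify codes let the two messages in the thread be told apart: PAYLOAD-MALFORMED is type 16 (what tcpdump showed), INVALID-PAYLOAD-TYPE is type 1 (what isakmpd logged). It also shows why a post-Phase-1 informational with the Encryption flag set cannot be decoded from a capture.

```python
import struct

# RFC 2408 section 3.1: ISAKMP header, 28 bytes, network byte order
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
GENERIC_HDR = struct.Struct("!BBH")      # next payload, reserved, payload length
NOTIFY_BODY = struct.Struct("!IBBH")     # DOI, protocol id, SPI size, notify type
FLAG_ENCRYPTION = 0x01

EXCHANGE_TYPES = {1: "BASE", 2: "IDPROT", 3: "AUTH_ONLY", 4: "AGGRESSIVE", 5: "INFO"}
PAYLOAD_TYPES = {1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CERT_REQ", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFICATION",
                 12: "DELETE", 13: "VENDOR_ID"}
# RFC 2408 section 3.14.1 error notify types
NOTIFY_TYPES = {1: "INVALID_PAYLOAD_TYPE", 2: "DOI_NOT_SUPPORTED", 3: "SITUATION_NOT_SUPPORTED",
                4: "INVALID_COOKIE", 5: "INVALID_MAJOR_VERSION", 6: "INVALID_MINOR_VERSION",
                7: "INVALID_EXCHANGE_TYPE", 8: "INVALID_FLAGS", 9: "INVALID_MESSAGE_ID",
                10: "INVALID_PROTOCOL_ID", 11: "INVALID_SPI", 12: "INVALID_TRANSFORM_ID",
                13: "ATTRIBUTES_NOT_SUPPORTED", 14: "NO_PROPOSAL_CHOSEN", 15: "BAD_PROPOSAL_SYNTAX",
                16: "PAYLOAD_MALFORMED", 17: "INVALID_KEY_INFORMATION", 18: "INVALID_ID_INFORMATION",
                24: "AUTHENTICATION_FAILED", 30: "UNEQUAL_PAYLOAD_LENGTHS"}


def parse_isakmp(packet: bytes) -> dict:
    """Parse the header and, if the message is not encrypted, its payload chain."""
    if len(packet) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, nxt, ver, xchg, flags, msgid, length = ISAKMP_HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError(f"length field {length} != {len(packet)} bytes on the wire")
    msg = {"icookie": icky.hex(), "rcookie": rcky.hex(), "version": f"{ver >> 4}.{ver & 0xF}",
           "exchange": EXCHANGE_TYPES.get(xchg, f"UNKNOWN({xchg})"), "msgid": f"{msgid:08x}",
           "length": length, "encrypted": bool(flags & FLAG_ENCRYPTION), "payloads": []}
    if msg["encrypted"]:
        return msg   # body is ciphertext under the Phase 1 SA; nothing to decode offline
    off = ISAKMP_HEADER.size
    while nxt != 0:
        if off + GENERIC_HDR.size > len(packet):
            raise ValueError("payload chain runs past end of packet")
        np_, _reserved, plen = GENERIC_HDR.unpack_from(packet, off)
        if plen < GENERIC_HDR.size or off + plen > len(packet):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = packet[off + GENERIC_HDR.size: off + plen]
        entry = {"type": PAYLOAD_TYPES.get(nxt, f"UNKNOWN({nxt})"), "len": plen}
        if nxt == 11:
            if len(body) < NOTIFY_BODY.size:
                raise ValueError("notification payload too short")
            doi, proto, spi_size, ntype = NOTIFY_BODY.unpack_from(body)
            entry.update({"doi": doi, "proto": proto,
                          "notify": NOTIFY_TYPES.get(ntype, f"UNKNOWN({ntype})"),
                          "spi": body[NOTIFY_BODY.size: NOTIFY_BODY.size + spi_size].hex(),
                          "data": body[NOTIFY_BODY.size + spi_size:].hex()})
        msg["payloads"].append(entry)
        nxt, off = np_, off + plen
    return msg


def build_notify(icookie: bytes, rcookie: bytes, msgid: int, notify_type: int,
                 encrypted: bool = False) -> bytes:
    """Constructed informational exchange carrying one Notification payload (no SPI)."""
    body = NOTIFY_BODY.pack(1, 1, 0, notify_type)          # DOI 1 = IPsec, proto 1 = ISAKMP
    payload = GENERIC_HDR.pack(0, 0, GENERIC_HDR.size + len(body)) + body
    flags = FLAG_ENCRYPTION if encrypted else 0
    header = ISAKMP_HEADER.pack(icookie, rcookie, 11, 0x10, 5, flags, msgid,
                                ISAKMP_HEADER.size + len(payload))
    return header + payload


# Constructed packet shaped like the one in the dump: same cookies, msgid, 40 bytes total.
SAMPLE = build_notify(bytes.fromhex("c2b9625799f6f05e"), bytes.fromhex("24b2c3db14c7cf41"),
                      0x2BDD1EAE, 16)


def notify_names(packet: bytes) -> list:
    """Names of every notify type in the packet, e.g. ['PAYLOAD_MALFORMED']."""
    return [p["notify"] for p in parse_isakmp(packet)["payloads"] if p["type"] == "NOTIFICATION"]


if __name__ == "__main__":
    print(parse_isakmp(SAMPLE))
```

When Phase 1 has completed, both peers normally send informationals with the Encryption flag set and a HASH payload first; a plaintext notification like the one tcpdump decoded here means the remote replied outside any established SA, which is consistent with an error raised while it was still parsing the message rather than a policy mismatch inside Phase 2.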