From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Mon Jul 29 2002 - 08:57:10 CEST
The informational payload is sent by the Checkpoint firewall. It gets
message MI3 from FreeS/WAN signed with the 2084 bit private key and
probably with FreeS/WAN's IP address as the ID. If Checkpoint does
not receive FreeS/WAN's certificate then it will not accept any ID.
In order to help you I need the ipsec.conf file.
Regards
Andreas
SkyLeach wrote:
>
> I patched the ipsec code with the X.509 certificate code, and now this is what
> happens:
>
> [root_at_skyleach_lt skyleach]# ipsec auto --up oakridge
> 104 "oakridge" #1: STATE_MAIN_I1: initiate
> 106 "oakridge" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "oakridge" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "oakridge" #1: ignoring informational payload, type INVALID_ID_INFORMATION
> 003 "oakridge" #1: received and ignored informational message
> 010 "oakridge" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
> 010 "oakridge" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
> 031 "oakridge" #1: max number of retransmissions (2) reached STATE_MAIN_I3.
> Possible authentication failure: no acceptable response to our first
> encrypted message
> 000 "oakridge" #1: starting keying attempt 2 of an unlimited number, but
> releasing whack
>
> I don't believe it can be an authentication failure because I have entered no
> authentication data. My RSA key is a 2048 bit key and the firewall is using
> a 1024 bit key, but I don't believe (although I could be wrong) that this has
> any bearing on the situation.
>
> Is there anything else I can try to get more information? Again, there are no
> errors in my /var/log/messages file.
>
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:34 CEST
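
Added example, not part of the original thread and not FreeS/WAN code: a small Python triage of `ipsec auto --up` output that ties each notification or timeout to the last Main Mode state reported for that connection, so a rejection right after MI3 is read as an identity problem, as the reply above does. The sample input is abridged from the output quoted in the thread; the function names and hint wording are assumptions made for illustration.

```python
import re

# Constructed sample input: abridged from the whack output quoted in the
# thread above, including its wrapped continuation lines.
SAMPLE = '''\
104 "oakridge" #1: STATE_MAIN_I1: initiate
106 "oakridge" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "oakridge" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "oakridge" #1: ignoring informational payload, type INVALID_ID_INFORMATION
003 "oakridge" #1: received and ignored informational message
010 "oakridge" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
031 "oakridge" #1: max number of retransmissions (2) reached STATE_MAIN_I3.
Possible authentication failure: no acceptable response to our first
encrypted message
'''

LINE = re.compile(r'^\d{3} "([^"]+)" #(\d+): (.*)$')
STATE = re.compile(r'^(STATE_MAIN_I\d):')
NOTIFY = re.compile(r'informational payload, type (\w+)')

def triage(text):
    """Return (connection, instance, last state, event) for each notify or timeout."""
    last_state, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation of the previous message
        conn, inst, msg = m.group(1), int(m.group(2)), m.group(3)
        s = STATE.match(msg)
        if s:
            last_state[(conn, inst)] = s.group(1)
        n = NOTIFY.search(msg)
        if n:
            findings.append((conn, inst, last_state.get((conn, inst)), n.group(1)))
        elif msg.startswith("max number of retransmissions"):
            findings.append((conn, inst, last_state.get((conn, inst)), "RETRANSMIT_LIMIT"))
    return findings

def hint(state, event):
    """Hypothetical operator hint; the I3 case follows the reply above."""
    if state == "STATE_MAIN_I3" and event == "INVALID_ID_INFORMATION":
        return "peer rejected the ID sent in MI3: check the ID and certificate we send"
    if event == "RETRANSMIT_LIMIT":
        return "no answer after %s: look for an earlier notify from the peer" % state
    return "unclassified: inspect the peer's log"

if __name__ == "__main__":
    for conn, inst, state, event in triage(SAMPLE):
        print('"%s" #%d %s %s -> %s' % (conn, inst, state, event, hint(state, event)))
```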