Re: [Users] freeswan-x509 <--> Check Point VPN-1 NG FP-2

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Fri Aug 23 2002 - 20:51:55 CEST


IP fragments are often problematic since they get discarded by
firewall rules. Try to generate small and compact certificates
so that the ISAKMP message will be below 1500 bytes.

Regards

Andreas

Reimer, Fred wrote:
> O.K., it's getting weird...
>
> I had a hunch that the reason the firewall wasn't matching on the email
> address was because openssl was using Email=fwr_at_ga.prestige.net instead of
> E=fwr_at_ga.prestige.net. I don't even know if the E= form is acceptable, but
> I read somewhere, possibly on the x509 patch site, that both E= and Email=
> are for email addresses and thought that the firewall might be broken and
> only searching for the E= label. Anyhow, I changed openssl source,
> recompiled, created a new cert/key for the Linux box and restarted ipsec.
> Now it comes up with a "PAYLOAD-MALFORMED" message from the firewall. BUT
> -- I'm not so sure that it is because of this change. I did a trace and see
> an ISAKMP packet from the Linux box to the firewall (Identity protection,
> main mode according to Ethereal). The IP header length field is 1500 bytes.
> The ISAKMP decode shows a length of 1644. Immediately after this is an IP
> fragment packet with 62 bytes of data. So, it looks like FreeS/WAN is
> fragmenting the packet. I thought you couldn't do that with encrypted
> packets.
>
> Why is this acting differently? Because of my change of the email field
> from Email to E, or because of the fragmented packets?
>
> Thanks,
>
> Fred

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
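The size problem Andreas describes above (a main-mode message that grows past the Ethernet MTU because of a large CERT payload and then gets fragmented) can be checked before deploying a certificate. The following is an added example, not code from the thread or from FreeS/WAN: it reads the on-the-wire length straight from the DER SEQUENCE header, adds the IKEv1 ID, CERT and SIG payload overhead (header sizes from RFC 2408; encryption padding and optional payloads are ignored, which is an assumption), and reports how many IPv4 fragments the datagram would need at a 1500-byte MTU. The stand-in certificates and the identity string are constructed.

```python
import base64

MTU = 1500               # Ethernet path MTU assumed on the IKE path
IP_HDR, UDP_HDR = 20, 8  # IPv4 (no options) and UDP headers
ISAKMP_HDR = 28          # fixed ISAKMP header (RFC 2408)
PAYLOAD_HDR = 4          # generic payload header: next/reserved/length
CERT_ENCODING = 1        # CERT payload carries one encoding-type octet

def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour and base64-decode a PEM certificate."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def der_total_length(der: bytes) -> int:
    """Length of the outermost DER SEQUENCE (tag + length octets + content),
    i.e. the number of bytes the certificate occupies on the wire."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length octet
        return 2 + first
    n = first & 0x7F                       # long form: n further length octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def main_mode_msg_length(cert_der: bytes, rsa_bits: int, ident: str) -> int:
    """Rough size of IKEv1 main-mode message 5/6: ID + CERT + SIG payloads.
    Encryption padding and optional payloads (CR, notifications) are ignored."""
    id_payload = PAYLOAD_HDR + 4 + len(ident.encode())   # type/proto/port + data
    cert_payload = PAYLOAD_HDR + CERT_ENCODING + der_total_length(cert_der)
    sig_payload = PAYLOAD_HDR + rsa_bits // 8            # raw RSA signature
    return ISAKMP_HDR + id_payload + cert_payload + sig_payload

def ip_fragments(isakmp_len: int, mtu: int = MTU) -> int:
    """Number of IPv4 fragments a UDP datagram of this ISAKMP length needs."""
    payload = UDP_HDR + isakmp_len
    if IP_HDR + payload <= mtu:
        return 1
    per_fragment = (mtu - IP_HDR) // 8 * 8   # fragment data is a multiple of 8
    return -(-payload // per_fragment)        # ceiling division

def fake_cert(content_len: int) -> bytes:
    """Constructed stand-in: a DER SEQUENCE header over content_len zero bytes."""
    return b"\x30\x82" + content_len.to_bytes(2, "big") + bytes(content_len)

if __name__ == "__main__":
    for name, cert in (("bloated", fake_cert(1400)), ("compact", fake_cert(700))):
        n = main_mode_msg_length(cert, 1024, "fwr@example.invalid")
        print(f"{name}: ISAKMP length {n} -> {ip_fragments(n)} IP fragment(s)")
```

For a real certificate, feed `pem_to_der(open("cert.pem").read())` (or the raw bytes of a DER file) to `main_mode_msg_length`; anything that reports more than one fragment is a candidate for a shorter subject DN, fewer extensions or a smaller key.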



This archive was generated by hypermail 2.1.4 : Fri Aug 23 2002 - 23:19:49 CEST