RE: [Users] freeswan-x509 <--> Check Point VPN-1 NG FP-2

From: Reimer, Fred (Fred.Reimer_at_Eclipsys.com)
Date: Fri Aug 23 2002 - 23:31:22 CEST


How would you propose I do that? Make the key shorter? I already reduced
it to 1024 bits, and I'm not going below that. Make the DN shorter? It
already only contains the information I believe is necessary. "Small and
compact" certificates isn't a solution for me, but thanks for the
suggestion!

- Fred

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen_at_strongsec.net]
Sent: Friday, August 23, 2002 2:52 PM
To: Reimer, Fred
Cc: users_at_freeswan.org
Subject: Re: [Users] freeswan-x509 <--> Check Point VPN-1 NG FP-2

IP fragments are often problematic since they get discarded by
firewall rules. Try to generate small and compact certificates
so that the ISAKMP message will be below 1500 bytes.

Regards

Andreas

Reimer, Fred wrote:
> O.K., it's getting weird...
>
> I had a hunch that the reason the firewall wasn't matching on the email
> address was because openssl was using Email=fwr_at_ga.prestige.net instead of
> E=fwr_at_ga.prestige.net. I don't even know if the E= form is acceptable, but
> I read somewhere, possibly on the x509 patch site, that both E= and Email=
> are for email addresses and thought that the firewall might be broken and
> only searching for the E= label. Anyhow, I changed openssl source,
> recompiled, created a new cert/key for the Linux box and restarted ipsec.
> Now it comes up with a "PAYLOAD-MALFORMED" message from the firewall. BUT
> -- I'm not so sure that it is because of this change. I did a trace and see
> an ISAKMP packet from the Linux box to the firewall (Identity protection,
> main mode according to Ethereal). The IP header length field is 1500 bytes.
> The ISAKMP decode shows a length of 1644. Immediately after this is an IP
> fragment packet with 62 bytes of data. So, it looks like FreeS/WAN is
> fragmenting the packet. I thought you couldn't do that with encrypted
> packets.
>
> Why is this acting differently? Because of my change of the email field
> from Email to E, or because of the fragmented packets?
>
> Thanks,
>
> Fred

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
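The fragmentation Fred sees in his trace, and the reason Andreas wants the ISAKMP message under the MTU, can be reproduced without a VPN. The script below is an added example, not code from this list, from FreeS/WAN or from Check Point: it builds a UDP/500 datagram carrying a constructed ISAKMP main-mode header with zero filler so the Length field reads 1644 bytes, fragments it per RFC 791 for a 1500-byte MTU, and runs a toy stateless "permit udp port 500" rule over each fragment. The addresses, cookies, IP identification and the filler body are all constructed; the filter is deliberately the simplest kind, one that does no reassembly, because that is the kind that silently drops the second fragment.

```python
"""Fragmentation of an oversized IKE main-mode message and what a stateless
port filter sees.  Added example; not FreeS/WAN, Check Point or list code.
The ISAKMP body is zero filler of the length seen in the trace (1644 bytes
total), and the addresses, cookies and IP identification are constructed."""
import struct

MTU = 1500          # Ethernet path MTU assumed in the thread
IP_HDR = 20         # IPv4 header without options
UDP_HDR = 8
IKE_PORT = 500
PROTO_UDP = 17

SRC = bytes([10, 0, 0, 1])   # constructed: the Linux/FreeS/WAN gateway
DST = bytes([10, 0, 0, 2])   # constructed: the firewall


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(payload_len: int, ident: int, more: bool, offset: int) -> bytes:
    """IPv4 header for one fragment; offset is in bytes and a multiple of 8."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)   # 0x2000 = MF bit
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + payload_len, ident,
                      flags_frag, 64, PROTO_UDP, 0, SRC, DST)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def isakmp_message(total_len: int) -> bytes:
    """ISAKMP header (RFC 2408 s3.1, 28 bytes) plus zero filler so the Length
    field reads total_len.  Exchange type 2 = Identity Protection (main mode);
    flag 0x01 = payloads encrypted.  Encryption covers only the bytes after
    this header, so it has no bearing on whether IP fragments the datagram."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                      5, 0x10, 2, 0x01, 0, total_len)
    return hdr + b"\x00" * (total_len - 28)


def fragment(udp_payload: bytes, ident: int = 0x1234, mtu: int = MTU) -> list:
    """Wrap the payload in UDP 500->500 and split it per RFC 791 for the MTU.
    UDP checksum 0 means 'not computed', which IPv4 permits."""
    udp = struct.pack("!HHHH", IKE_PORT, IKE_PORT, UDP_HDR + len(udp_payload), 0)
    udp += udp_payload
    max_data = (mtu - IP_HDR) // 8 * 8   # every fragment but the last is a multiple of 8
    frags, off = [], 0
    while off < len(udp):
        chunk = udp[off:off + max_data]
        more = off + len(chunk) < len(udp)
        frags.append(ipv4_header(len(chunk), ident, more, off) + chunk)
        off += len(chunk)
    return frags


def describe(packet: bytes) -> dict:
    """Decode the IPv4 fields a filter looks at before it can touch UDP."""
    total_len, ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    return {"total_len": total_len, "more": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "proto": packet[9]}


def stateless_permit_ike(packet: bytes) -> bool:
    """Toy rule 'permit udp any any eq 500' on a filter with no reassembly.
    Only the first fragment carries a UDP header, so only it can match."""
    info = describe(packet)
    if info["proto"] != PROTO_UDP or info["offset"] != 0:
        return False
    dst_port, = struct.unpack("!H", packet[IP_HDR + 2:IP_HDR + 4])
    return dst_port == IKE_PORT


def ike_budget(mtu: int = MTU) -> int:
    """Largest ISAKMP message that fits one datagram: MTU minus IP and UDP headers."""
    return mtu - IP_HDR - UDP_HDR


def run(isakmp_len: int = 1644) -> dict:
    frags = fragment(isakmp_message(isakmp_len))
    return {"sizes": [len(f) for f in frags],
            "permitted": [stateless_permit_ike(f) for f in frags],
            "fits": isakmp_len <= ike_budget()}


if __name__ == "__main__":
    for n in (1644, 1400):
        print(n, run(n))
```

With the 1644-byte message the first fragment is a full 1500-byte frame and the second carries the remaining 172 bytes at offset 1480 with no UDP header, so the port rule lets the first through and rejects the second; a 1400-byte message fits in one datagram and passes. The budget Andreas is really describing is MTU minus 28 bytes of IP and UDP headers, 1472 bytes of ISAKMP on a 1500-byte path, so the CERT payload (the DER certificate) plus the ID and SIG payloads of main-mode messages 5 and 6 has to stay under that.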



This archive was generated by hypermail 2.1.4 : Mon Aug 26 2002 - 03:20:24 CEST