From: Andreas Steffen (andreas.steffen_at_strongsec.com)
Date: Mon Aug 26 2002 - 14:38:26 CEST
There might be two possible causes:
- Have you chosen 3DES for the IPsec SA in the Check Point configuration?
- What about Perfect Forward Secrecy (PFS)? Is PFS enabled in the
Check Point configuration? Otherwise you would have to disable it
in ipsec.conf by writing pfs=no.
Regards
Andreas
Reimer, Fred wrote:
> I've found out that Check Point requires CRL distribution points in the
> certs in order to work, and it has to be able to retrieve a CRL in DER
> format. After figuring that out, and translating the public key into RFC
> 2537 format, I get this far:
>
> [root@mack etc]# ipsec auto --up linux-encdom
> 104 "linux-encdom" #1: STATE_MAIN_I1: initiate
> 106 "linux-encdom" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "linux-encdom" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "linux-encdom" #1: STATE_MAIN_I4: ISAKMP SA established
> 112 "linux-encdom" #2: STATE_QUICK_I1: initiate
> 010 "linux-encdom" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "linux-encdom" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "linux-encdom" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 000 "linux-encdom" #2: starting keying attempt 2 of an unlimited number, but releasing whack
>
>
> Any suggestions? The firewall is sending back "no proposal chosen"
> messages. Need a barf?
>
> Oh, Apparently I messed up when creating the diffs for the NAT patches on
> top of 1.98b, x509, and alg patches (it didn't include files that were not
> present in the original 1.98b tree). I'll be working on a new diff that
> includes everything when I have time...
>
> - Fred
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zuerichweg 20 fax: +41 52 268 74 34
CH-8952 Schlieren (Switzerland) web: http://www.strongsec.com
======================================================================
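
The status lines quoted above show Main Mode completing and Quick Mode timing out, which is why the reply points at the IPsec SA settings (ESP transform, PFS) rather than at authentication. The following Python triage of such output is an added example, not part of the original thread or of FreeS/WAN; the function names and verdict strings are hypothetical, and the "IPsec SA established" success string is an assumption that does not appear in the message.

```python
import re

# Constructed sample: status lines from the quoted message, still wrapped by the mailer.
SAMPLE = """\
004 "linux-encdom" #1: STATE_MAIN_I4: ISAKMP SA established
112 "linux-encdom" #2: STATE_QUICK_I1: initiate
010 "linux-encdom" #2: STATE_QUICK_I1: retransmission; will wait 20s for
response
031 "linux-encdom" #2: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
"""
LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
STATE = re.compile(r"\bSTATE_(MAIN|QUICK)_[IR]\d\b")
VERDICT = {  # hypothetical wording; the phase 2 hints are the two causes named in the reply
    "MAIN": "phase1: Main Mode did not complete",
    "QUICK": "phase2: no acceptable Quick Mode response; check ESP transform and PFS",
}

def unwrap(output):
    """Rejoin continuation lines; a status line starts with a 3-digit code."""
    lines = []
    for raw in output.splitlines():
        raw = raw.strip()
        if re.match(r"\d{3} ", raw) or not lines:
            lines.append(raw)
        elif raw:
            lines[-1] += " " + raw
    return lines

def triage(output):
    """Map each connection name to 'up' or to the IKE phase that stalled."""
    status = {}
    for line in unwrap(output):
        m = LINE.match(line)
        if not m:
            continue
        conn, text = m.group(2), m.group(4)
        status.setdefault(conn, "incomplete")
        if "ISAKMP SA established" in text:
            status[conn] = "phase1 up"
        elif "IPsec SA established" in text:  # assumed success string, not on the page
            status[conn] = "up"
        elif "max number of retransmissions" in text:
            st = STATE.search(text)
            status[conn] = VERDICT.get(st.group(1) if st else None, "incomplete")
    return status
```
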