From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Mon Aug 26 2002 - 17:00:08 CEST
Something else comes to my mind. CheckPoint does not create
IPsec SAs for whole subnets. If you ping a host in a subnet
behind the FreeS/WAN gateway from a host behind the CheckPoint
box then it will negotiate a host-to-host connection.
Therefore you must define in ipsec.conf
...
leftsubnet=xx.xx.xx.xx/32
rightsubnet=yy.yy.yy.yy/32
...
Regards
Andreas
Reimer, Fred wrote:
> Yes, I have 3DES for the IPsec SA on the Check Point firewall
> I have PFS DISabled on the CheckPoint and pfs=no in the ipsec.conf...
>
> - Fred
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen_at_strongsec.com]
> Sent: Monday, August 26, 2002 8:38 AM
> To: Reimer, Fred
> Cc: users_at_lists.freeswan.org
> Subject: Re: [Users] Progress on NG FP-2
>
>
> There might be two possible causes:
> - Have you chosen 3DES for the IPsec SA in the Check Point configuration?
> - What about Perfect Forward Secrecy (PFS)? Is PFS enabled in the
> Checkpoint configuration? Otherwise you would have to disable it
> in ipsec.conf by writing pfs=no.
>
> Regards
>
> Andreas
> Reimer, Fred wrote:
>
>>I've found out that Check Point requires CRL distribution points in the
>>certs in order to work, and it has to be able to retrieve a CRL in DER
>>format. After figuring that out, and translating the public key into RFC
>>2537 format, I get this far:
>>
>>[root_at_mack etc]# ipsec auto --up linux-encdom
>>104 "linux-encdom" #1: STATE_MAIN_I1: initiate
>>106 "linux-encdom" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>>108 "linux-encdom" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>004 "linux-encdom" #1: STATE_MAIN_I4: ISAKMP SA established
>>112 "linux-encdom" #2: STATE_QUICK_I1: initiate
>>010 "linux-encdom" #2: STATE_QUICK_I1: retransmission; will wait 20s for
>>response
>>010 "linux-encdom" #2: STATE_QUICK_I1: retransmission; will wait 40s for
>>response
>>031 "linux-encdom" #2: max number of retransmissions (2) reached
>>STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
>>perhaps peer likes no proposal
>>000 "linux-encdom" #2: starting keying attempt 2 of an unlimited number,
>
> but
>
>>releasing whack
>>
>>
>>Any suggestions? The firewall is sending back "no proposal chosen"
>>messages. Need a barf?
>>
>>Oh, apparently I messed up when creating the diffs for the NAT patches on
>>top of 1.98b, x509, and alg patches (it didn't include files that were not
>>present in the original 1.98b tree). I'll be working on a new diff that
>>includes everything when I have time...
>>
>>- Fred
>
>
> ======================================================================
> Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
> strongSec GmbH phone: +41 76 340 25 56
> Alter Zuerichweg 20 fax: +41 52 268 74 34
> CH-8952 Schlieren (Switzerland) web: http://www.strongsec.com
> ======================================================================
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==================================================[strong internet security]==
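The whack trace Fred posted ends with Main Mode complete and Quick Mode timing out. As an added example, not code from this thread or from FreeS/WAN, the following Python triage script parses that trace (embedded as a constructed sample with the mail's soft line breaks rejoined) and, when Phase 1 succeeded but Phase 2 exhausted its retransmissions, returns the three mismatch checks raised in the thread: the IPsec SA transform, the PFS setting, and /32 selectors for a peer that negotiates host-to-host SAs. The function names and the result layout are assumptions of mine.

```python
import re

# Constructed sample: the "ipsec auto --up" output quoted in the thread, with the
# soft line breaks of the mail rejoined.
SAMPLE_LOG = """\
104 "linux-encdom" #1: STATE_MAIN_I1: initiate
106 "linux-encdom" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "linux-encdom" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "linux-encdom" #1: STATE_MAIN_I4: ISAKMP SA established
112 "linux-encdom" #2: STATE_QUICK_I1: initiate
010 "linux-encdom" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "linux-encdom" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "linux-encdom" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "linux-encdom" #2: starting keying attempt 2 of an unlimited number, but releasing whack
"""

# Each whack line: three-digit code, quoted connection name, state object number, text.
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')

# What to compare on the two gateways when Quick Mode gets no usable answer;
# these are the three points raised in the thread.
PHASE2_CHECKLIST = (
    "IPsec SA transform: 3DES selected on both sides",
    "PFS: same setting on both sides (pfs=no in ipsec.conf if the peer has PFS disabled)",
    "selectors: a peer that negotiates host-to-host SAs needs leftsubnet/rightsubnet as /32",
)

def parse_whack(text):
    """Turn whack output into dicts with code, connection, SA number, state and message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a whack status line
        code, conn, sa, msg = m.groups()
        state = re.search(r"STATE_[A-Z0-9_]+", msg)  # state may sit mid-message (code 031)
        events.append({"code": int(code), "conn": conn, "sa": int(sa),
                       "state": state.group(0) if state else None, "msg": msg})
    return events

def diagnose(events):
    """Classify the run: did Main Mode (Phase 1) and Quick Mode (Phase 2) complete?"""
    phase1_ok = any(e["state"] == "STATE_MAIN_I4" for e in events)   # ISAKMP SA established
    phase2_ok = any(e["state"] == "STATE_QUICK_I2" for e in events)  # IPsec SA established
    # Code 031 on a Quick Mode state: retransmissions exhausted without an acceptable reply.
    phase2_dead = any(e["code"] == 31 and (e["state"] or "").startswith("STATE_QUICK")
                      for e in events)
    if not phase1_ok:
        return {"phase1": False, "phase2": "not reached", "hints": ()}
    if phase2_ok:
        return {"phase1": True, "phase2": "established", "hints": ()}
    if phase2_dead:
        return {"phase1": True, "phase2": "failed", "hints": PHASE2_CHECKLIST}
    return {"phase1": True, "phase2": "pending", "hints": ()}
```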
This archive was generated by hypermail 2.1.4 : Mon Aug 26 2002 - 23:19:50 CEST