Re: [Users] Phase 2 - SHA1

From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Nov 06 2002 - 04:53:25 CET


> This was in fact what was done. Phase1 correctly negotiated 3des-sha1 as
> expected, but phase2 didn't apparently even attempt to negotiate it; it
> simply started using MD5, which didn't work as MD5 had been removed by
> the FW-1 people. When they put it back in again, the tunnels work fine.

I find this surprising; we should never create a Phase 2 SA using parameters our
peer has rejected. This "offer / accept or reject" system used by the IPSec
protocols was chosen for its flexibility - either party should be able to
disallow the authentication and encryption mechanisms it doesn't wish to use.

We'll need your help to get to the bottom of this.

Can you attempt to connect to the Checkpoint FW-1 box, and take a barf? Clear your
log files, set "plutodebug=all" in ipsec.conf, and post it either to the web,
or to the list if necessary. As well, do you have any details about the
Checkpoint - what service pack is it running? A copy of its logs during that
connection attempt would be ideal as well.

- --
Sam Sgro
sam_at_freeswan.org

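The "offer / accept or reject" exchange Sam describes, modelled as an added illustration (this is not pluto's or FreeS/WAN's code; the Transform type, the FW-1 policy set with MD5 removed, and the function names are constructed assumptions, and real ISAKMP payload encoding is left out):

```python
"""Model of IKE Phase 2 (Quick Mode) proposal selection and the invariant
that the installed SA must match what the peer actually accepted."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Transform:
    encr: str   # e.g. "3des"
    auth: str   # e.g. "hmac-sha1" or "hmac-md5"


# Initiator's offer, in order of preference (constructed sample).
FREESWAN_OFFER: List[Transform] = [
    Transform("3des", "hmac-sha1"),
    Transform("3des", "hmac-md5"),
]

# Responder policy, constructed to mirror the thread: the FW-1 admins
# removed MD5, so only SHA1 is permitted on their side.
FW1_ALLOWED: Set[Transform] = {Transform("3des", "hmac-sha1")}


def responder_select(offer: List[Transform],
                     allowed: Set[Transform]) -> Optional[Transform]:
    """Responder returns the first offered transform its policy permits,
    or None (NO_PROPOSAL_CHOSEN) when nothing in the offer is acceptable."""
    for t in offer:
        if t in allowed:
            return t
    return None


def verify_installed_sa(installed: Transform, offer: List[Transform],
                        reply: Optional[Transform]) -> bool:
    """The check the thread calls for: an SA may only be installed if it is
    exactly the transform the peer accepted, and that transform was one we
    offered. Falling back to a local default (e.g. MD5) fails this check."""
    return reply is not None and reply in offer and installed == reply


def negotiate_phase2(offer: List[Transform],
                     allowed: Set[Transform]) -> Optional[Transform]:
    """Run the exchange; return the agreed transform or None on rejection."""
    reply = responder_select(offer, allowed)
    if reply is None:
        return None                      # no Phase 2 SA is created
    if not verify_installed_sa(reply, offer, reply):
        raise ValueError(f"peer accepted {reply}, which we never offered")
    return reply
```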

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Thu Nov 07 2002 - 05:20:39 CET