It says rule 0 - implied rules .... have you had a look at those?
First look at those, then....
It seems as though the remote peer is trying to use AES-MD5 in the SA
negotiation. Ensure this is the intended transform-set that you wish to use
and make sure that your negotiation contains the same information:
Key exchange: Diffie (1,2,5)
Encryption: DES, 3DES, AES
Secret: Pre-shared/CA
IPsec & IKE lifetime
IPSec Transform Set ESP-MD5-HMAC or AH-SHA-HMAC
etc etc....
On the pix do a 'sh crypto ipsec sa' and 'sh crypto ike sa' and if you can't
see the goods in there then do some debugs.
Regards,
Paul Dawson
-----Original Message-----
From: Schroeer, Waldemar [mailto:Waldemar.Schroeer AT DE.TTIINC DOT COM]
Sent: 21 November 2003 13:10
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] how to snoop
Hi,
I am currently trying to set up a VPN between my Check Point NG+AI, running on
SPARC Solaris, and a Cisco PIX. It does not work at first go, so I tried to
use snoop to see whether there are any IKE related packets originated on my
site or coming from the VPN endpoint. I tried the following (just assume
10.10.105.2 is the external NIC of the FW):
snoop -r -V from 10.10.105.2 or to 10.10.105.2
I did a telnet from outside and snoop showed me this incoming packet
correctly even if the rulebase is blocking such packets. When I try to make
any connection from a host on my site to a host on the other side of the VPN
tunnel, nothing happens. snoop remains mute and after a while, about a
minute, sometimes a little bit more, I get the following error:
--------------------------------------------------------
Number: 1091517
Date: 20Nov2003
Time: 17:43:31
Product: VPN-1 & FireWall-1
Interface: daemon
Origin: eukey003 (10.10.105.2)
Protocol: ip
Action: Reject
Type: Log
Reject Reason: IKE failure
Rule: 0 - Implied Rules
Encryption Scheme: IKE
VPN Peer Gateway: TX__VPN-Gateway (120.50.162.6)
Information: encryption failure: no response from peer.
--------------------------------------------------------
Twenty seconds later I get:
--------------------------------------------------------
Number: 1091523
Date: 20Nov2003
Time: 17:43:55
Product: VPN-1 & FireWall-1
Interface: hme1
Origin: eukey003 (10.1.102.31)
Source: eukey003 (10.10.105.2)
Destination: TX__VPN-Gateway (120.50.162.6)
Protocol: udp
Service: IKE (500)
Action: Drop
Type: Log
Rule: 0 - Implied Rules
Source Port: IKE (500)
Destination Key ID: 0x00000000
Encryption Scheme: IKE
VPN Peer Gateway: TX__VPN-Gateway (120.50.162.6)
Encryption Methods: ESP: AES-128 + MD5
Community: TX_EU_VPN_2
Information: encryption fail reason: Packet is dropped
because there is no valid SA - please refer to solution sk19423 in
SecureKnowledge Database for more information
--------------------------------------------------------
Thanks,
Waldemar
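As an added example, not part of either post: a small Python helper that splits the VPN-1/FireWall-1 "Key: Value" log dump quoted above into records, classifies each by the wording in its Information field (no reply on IKE vs. traffic without an SA), and checks whether the proposal Check Point logs as "ESP: AES-128 + MD5" is spelled the same way in a PIX 'crypto ipsec transform-set' line, which is the mismatch Paul suggests checking. The log text is a constructed, shortened copy of the two records in the thread; the PIX line is a constructed sample.

```python
import re

# Constructed sample: the key fields of the two log records in the thread,
# separated the way the log viewer prints them (a line of dashes).
SAMPLE_LOG = """\
Action: Reject
Rule: 0 - Implied Rules
Reject Reason: IKE failure
Information: encryption failure: no response from peer.
--------------------------------------------------------
Action: Drop
Rule: 0 - Implied Rules
Service: IKE (500)
Encryption Methods: ESP: AES-128 + MD5
Information: encryption fail reason: Packet is dropped because there is no valid SA
"""


def parse_records(text):
    """Split the 'Key: Value' dump on dashed separator lines into dicts."""
    records = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def classify(rec):
    """Map the log wording to the stage of the tunnel setup that failed."""
    info = rec.get("Information", "").lower()
    if "no response from peer" in info:
        return "phase1-no-reply"  # the peer never answered IKE on UDP/500
    if "no valid sa" in info:
        return "no-sa"  # traffic hit the gateway with no IPsec SA to use
    return "other"


# Check Point logs the proposal as "ESP: <cipher> + <hash>"; the PIX spells the
# same pair as esp-<cipher> esp-<hash>-hmac inside a transform-set line.
CIPHER = {"AES-128": "esp-aes", "AES-192": "esp-aes-192",
          "AES-256": "esp-aes-256", "3DES": "esp-3des", "DES": "esp-des"}
HASH = {"MD5": "esp-md5-hmac", "SHA1": "esp-sha-hmac", "SHA": "esp-sha-hmac"}


def expected_pix_transforms(methods):
    """Translate an 'Encryption Methods' value into the PIX transform keywords."""
    m = re.match(r"ESP:\s*(\S+)\s*\+\s*(\S+)", methods)
    return {CIPHER[m.group(1)], HASH[m.group(2)]}


def transform_set_matches(methods, pix_line):
    """True when the PIX transform-set line carries the same cipher and hash."""
    return expected_pix_transforms(methods) <= set(pix_line.lower().split())
```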
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================