Firewall-1

Re: [FW-1] "INVALID-ID-INFORMATION" // using internal IP as IPSec ID ?

Subject: Re: [FW-1] "INVALID-ID-INFORMATION" // using internal IP as IPSec ID ?
From: Jignesh Joshi <jignesh.joshi AT PATNI DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 26 Sep 2006 14:59:11 +0530
Dennies,

We are also facing the same problem. The Checkpoint knowledgebase says it is due to
a mismatched SA lifetime.

If you get any other solution let us know.

Regards,

Jignesh Joshi
ITIMD
Tel # 2829-1454 ext 5290
Link Line ext: 601-397

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Dennis Breithaupt
Sent: Tuesday, September 26, 2006 2:33 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] "INVALID-ID-INFORMATION" // using internal IP as IPSec ID ?

Hello folks,

we have the problem that, while establishing a site-to-site VPN with a FW-1 NGX
cluster, the remote peer (NETGEAR) sends an "INVALID-ID-INFORMATION" packet.

We think that happens because we are sending our internal IP as "ID Data" in
MM Packet 5.

MM Packet 5 / ID:
"ID Payload

Next Payload: Certificate
Reserved: 0
Length: 00 0c (12)
ID type: ID_IPV4_ADDR
Service type: Not specified (0)
Service port: Not specified (0)
ID Data: 0a 64 xx yy (10.100.xx.yy)"

The remote peer (NETGEAR VPN device) responds with:

"Notify Payload

Next Payload: NONE
Reserved: 0
Length: 00 1c (28)
DOI: 00 00 00 00 (0)
ProtID: 1
SPI Size: 16
Notify Type: 18 (INVALID-ID-INFORMATION)
SPI: 21 ca b8 ea a6 0b ad 5a 6c 8e 9b d3 5e 6e c8 f8"

We have tried this with preshared keys as well as with certificate based
authentication with the same negative result.

We think it is very illogical to use the internal IP in the site-to-site IPSec
packet. Why doesn't FW-1 use the IP defined as "external" in the topology tab?
Is that configurable anywhere?

We suspect that FW-1 uses the configured object IP as the ID, but that is an
internal one in our case.

There are some site-to-site endpoints configured and working well with, e.g., a
WatchGuard and a NetBSD endpoint at the far end. But it seems that this
particular NETGEAR device is more strict.

Thank you very much in advance for your help, regards,

Dennis Breithaupt

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
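The two payloads Dennis pasted, decoded by a small ISAKMP payload parser. This is an added example, not code from either poster or from Check Point or NETGEAR; the ID and Notify byte strings are constructed from the field values quoted in the post (the masked octets of 10.100.xx.yy are replaced by the placeholder 1.2), and `id_matches_peer` is a hypothetical stand-in for the comparison a strict responder appears to make before answering INVALID-ID-INFORMATION.

```python
"""Decode the IKEv1 (ISAKMP) Main Mode packet 5 ID payload sent by the FW-1 side
and the INVALID-ID-INFORMATION notify returned by the peer (RFC 2408 / RFC 2407)."""
import ipaddress
import struct

NEXT_PAYLOAD = {0: "NONE", 5: "Identification", 6: "Certificate", 11: "Notification"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}

def _generic_header(buf: bytes):
    """Every ISAKMP payload starts with next payload(1), reserved(1), length(2)."""
    nxt, _reserved, length = struct.unpack("!BBH", buf[:4])
    if not 4 <= length <= len(buf):
        raise ValueError(f"payload length {length} does not fit a {len(buf)}-byte buffer")
    return NEXT_PAYLOAD.get(nxt, nxt), length

def parse_id_payload(buf: bytes) -> dict:
    """IPsec DOI ID payload: ID type(1), protocol(1), port(2), identification data."""
    nxt, length = _generic_header(buf)
    id_type, proto, port = struct.unpack("!BBH", buf[4:8])
    data, kind = buf[8:length], ID_TYPES.get(id_type, id_type)
    if kind == "ID_IPV4_ADDR":
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly four octets")
        ident = str(ipaddress.IPv4Address(data))
    else:
        ident = data.decode("ascii", errors="replace")
    return {"next_payload": nxt, "length": length, "id_type": kind,
            "protocol": proto, "port": port, "id": ident}

def parse_notify_payload(buf: bytes) -> dict:
    """Notification payload: DOI(4), protocol ID(1), SPI size(1), notify type(2), SPI
    (in a Phase 1 notify the 16-byte SPI is the pair of ISAKMP cookies)."""
    nxt, length = _generic_header(buf)
    doi, proto_id, spi_size, ntype = struct.unpack("!IBBH", buf[4:12])
    if 12 + spi_size > length:
        raise ValueError("SPI runs past the payload length")
    return {"next_payload": nxt, "length": length, "doi": doi, "protocol": proto_id,
            "spi_size": spi_size, "notify_type": NOTIFY_TYPES.get(ntype, ntype),
            "spi": buf[12:12 + spi_size].hex()}

def id_matches_peer(id_payload: dict, source_ip: str) -> bool:
    """Hypothetical strict-responder check: an ID_IPV4_ADDR identity is accepted only
    when it equals the address the IKE packets came from (the external address)."""
    return id_payload["id_type"] == "ID_IPV4_ADDR" and id_payload["id"] == source_ip

# Constructed samples built from the field values in the post; the masked
# octets "xx yy" of 10.100.xx.yy are replaced by the placeholder 1.2.
MM5_ID = bytes.fromhex("0600000c" "01000000" "0a640102")
NETGEAR_NOTIFY = bytes.fromhex("0000001c" "00000000" "01" "10" "0012" "21cab8eaa60bad5a6c8e9bd35e6ec8f8")
```

Running `id_matches_peer` against the gateway's external address shows the mismatch the post describes: the ID carries 10.100.1.2, so a responder comparing it with the public source address rejects the exchange.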

