Re: [FW-1] "INVALID-ID-INFORMATION" // using internal IP as IPSec ID ?

Subject: Re: [FW-1] "INVALID-ID-INFORMATION" // using internal IP as IPSec ID ?
From: Alex <ayrton AT GMX DOT DE>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 26 Sep 2006 18:15:24 +0200
"We suspect, that FW-1 uses the configured object IP as the ID but that is
an internal one in our case." <- That's it - Checkpoint uses the Object IP!

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of Dennis
Breithaupt
Sent: Tuesday, 26 September 2006 11:03
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] "INVALID-ID-INFORMATION" // using internal IP as IPSec ID ?

Hello folks,

We have the problem that, while establishing a site-to-site VPN with a FW-1 NGX
cluster, the remote peer (NETGEAR) sends an "INVALID-ID-INFORMATION" packet.

We think that happens because we are sending our internal IP as "ID Data" in
MM Packet 5.

MM Packet 5 / ID:
"ID Payload

Next Payload: Certificate
Reserved: 0
Length: 00 0c (12)
ID type: ID_IPV4_ADDR
Service type: Not specified (0)
Service port: Not specified (0)
ID Data: 0a 64 xx yy (10.100.xx.yy)"

The remote peer (NETGEAR VPN device) responds with:

"Notify Payload

Next Payload: NONE
Reserved: 0
Length: 00 1c (28)
DOI: 00 00 00 00 (0)
ProtID: 1
SPI Size: 16
Notify Type: 18 (INVALID-ID-INFORMATION)
SPI:
21 ca b8 ea a6 0b ad 5a 6c 8e 9b d3 5e 6e c8
f8 "

We have tried this with preshared keys as well as with certificate based
authentication with the same negative result.

We think it is very illogical to use the internal IP in the site-to-site IPSec
packet. Why doesn't FW-1 use the IP defined as "external" in the topology tab?
Is that configurable anywhere?

We suspect that FW-1 uses the configured object IP as the ID, but that is an
internal one in our case.

There are some site-to-site endpoints configured and working well with, e.g., a
WatchGuard and a NetBSD endpoint at the far end. But it seems that this
particular NETGEAR device is stricter.

Thank you very much in advance for your help, regards,

Dennis Breithaupt

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

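The two packet dumps in the thread are an ISAKMP Identification payload (Main Mode packet 5) and a Notify payload carrying type 18, INVALID-ID-INFORMATION. The following Python script is an added example, not code from the thread or from Check Point; it parses both payloads according to the RFC 2408 / RFC 2407 layout and then checks whether the ID the gateway sent is the address the peer is configured to expect. The sample bytes are constructed for the example: the ID data uses 10.100.1.2 in place of the poster's elided 10.100.xx.yy, the expected external address 203.0.113.10 is an assumption, and the SPI bytes are the cookies quoted in the post.

```python
import ipaddress
import struct

# ISAKMP next-payload codes (RFC 2408) and IPsec-DOI ID types (RFC 2407).
NEXT_PAYLOAD = {0: "NONE", 5: "ID", 6: "CERT", 8: "HASH", 11: "N"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
NOTIFY_TYPES = {18: "INVALID-ID-INFORMATION"}

# Constructed ID payload: next=CERT(6), len=12, type=ID_IPV4_ADDR(1), proto=0, port=0,
# data=10.100.1.2 (a placeholder for the poster's 10.100.xx.yy).
ID_PAYLOAD = bytes.fromhex("0600000c" "01000000" "0a640102")

# Notify payload as quoted in the thread: next=NONE, len=28, DOI=0, ProtID=1,
# SPI size=16, type=18 (INVALID-ID-INFORMATION), then the 16 SPI/cookie bytes.
NOTIFY_PAYLOAD = bytes.fromhex("0000001c" "00000000" "01" "10" "0012"
                               "21cab8eaa60bad5a6c8e9bd35e6ec8f8")


def parse_id_payload(data: bytes) -> dict:
    """Parse an ISAKMP Identification payload: generic header, ID type, protocol, port, data."""
    next_payload, _reserved, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 8:
        raise ValueError(f"bad ID payload length {length} for {len(data)} bytes")
    id_type, proto, port = struct.unpack("!BBH", data[4:8])
    id_data = data[8:length]
    parsed = {
        "next_payload": NEXT_PAYLOAD.get(next_payload, str(next_payload)),
        "id_type": ID_TYPES.get(id_type, str(id_type)),
        "protocol": proto,
        "port": port,
        "id_data": id_data,
    }
    # ID_IPV4_ADDR carries exactly four bytes of address.
    if id_type == 1 and len(id_data) == 4:
        parsed["id"] = str(ipaddress.IPv4Address(id_data))
    else:
        parsed["id"] = id_data.hex()
    return parsed


def parse_notify_payload(data: bytes) -> dict:
    """Parse an ISAKMP Notification payload: header, DOI, protocol, SPI size, type, SPI."""
    next_payload, _reserved, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 12:
        raise ValueError(f"bad Notify payload length {length} for {len(data)} bytes")
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", data[4:12])
    spi = data[12:12 + spi_size]
    if len(spi) != spi_size:
        raise ValueError("SPI truncated")
    return {
        "next_payload": NEXT_PAYLOAD.get(next_payload, str(next_payload)),
        "doi": doi,
        "protocol": proto,
        "notify_type": NOTIFY_TYPES.get(ntype, str(ntype)),
        "spi": spi,
        "notification_data": data[12 + spi_size:length],
    }


def diagnose_id(id_payload: bytes, expected_external_ip: str) -> str:
    """Explain why a peer that requires the gateway's external address might reject this ID."""
    parsed = parse_id_payload(id_payload)
    if parsed["id_type"] != "ID_IPV4_ADDR":
        return f"ID type {parsed['id_type']} is not an address; compare it with the peer's configured remote ID"
    sent = ipaddress.IPv4Address(parsed["id"])
    if sent == ipaddress.IPv4Address(expected_external_ip):
        return f"ok: ID {sent} matches the expected external address"
    if sent.is_private:
        return f"mismatch: ID {sent} is a private/internal address; peer expects {expected_external_ip}"
    return f"mismatch: ID {sent} differs from expected {expected_external_ip}"


if __name__ == "__main__":
    print(parse_id_payload(ID_PAYLOAD))
    print(parse_notify_payload(NOTIFY_PAYLOAD))
    print(diagnose_id(ID_PAYLOAD, "203.0.113.10"))
```

Run against a capture of packet 5 and the peer's reply, the diagnosis points at the same root cause the thread reaches: the gateway identifies itself with its object (internal) address, so a peer that matches the IKE ID strictly against the address it sees on the wire refuses the exchange with notify type 18.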
