Alex wrote:
"We suspect, that FW-1 uses the configured object IP as the ID but that is
an internal one in our case." <- That's it - Checkpoint uses the Object IP!
Errr,
but everywhere there is the recommendation to use the internal IP for
the firewall object in NGX. But obviously it seems not to be very clever
to have the internal IP in the IPSec ID?
So how can I solve this contradiction? Isn't there _any_ possibility to
enforce another IP (= the external one) in the ID field? Some config file or
something of that kind?
Does anyone know why some devices (OpenSWAN, some NETGEAR routers) take
care of the (wrong) ID and others (i.e. Watchguard, NetBSD, some other
NETGEAR routers ;) ) don't? What does the IPSec standard say to this?
Setting the object IP to the external IP seems to be quite difficult in
our situation. The whole licensing, RemoteAccessVPN with multiple interfaces,
the policy server and so on depend on the object IP. I'm
pretty unsure what side effects we have to expect.
Thanks,
Dennis
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Dennis
Breithaupt
Sent: Tuesday, 26 September 2006 11:03
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] "INVALID-ID-INFORMATION" // using internal IP as IPSec ID ?
Hello folks,
we have the problem that, while establishing a site-to-site VPN with a FW-1 NGX
cluster, the remote peer (NETGEAR) sends an "INVALID-ID-INFORMATION" packet.
We think that happens because we are sending our internal IP as "ID Data" in
MM packet 5.
[...]
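As an added illustration (not code from the thread, from Check Point or from NETGEAR), here is a small Python parser for the ISAKMP Identification payload that travels in Main Mode packet 5, together with the strict responder check that compares an ID_IPV4_ADDR identity against the address the IKE packet came from; a mismatch is the condition under which a strict peer answers INVALID-ID-INFORMATION. The addresses are constructed, and the code assumes the payload has already been decrypted (MM packets 5 and 6 are encrypted on the wire).

```python
import ipaddress
import struct

# ISAKMP Identification payload (RFC 2408 section 3.8), as carried in Main Mode
# packets 5 and 6. Generic header: next payload, reserved, length; then
# ID type, protocol ID, port and the identification data itself.
ID_IPV4_ADDR = 1   # RFC 2407 section 4.6.2.1
ID_FQDN = 2
ID_USER_FQDN = 3


def parse_id_payload(buf: bytes) -> dict:
    """Parse one ISAKMP Identification payload and return its fields."""
    if len(buf) < 8:
        raise ValueError("payload shorter than the 8-byte ID header")
    _next, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError(f"bad payload length {length}")
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of data")
        ident = str(ipaddress.IPv4Address(data))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        ident = data.decode("ascii")
    else:
        ident = data.hex()   # other ID types are returned raw
    return {"type": id_type, "proto": proto, "port": port, "id": ident}


def id_matches_peer(buf: bytes, peer_src_ip: str) -> bool:
    """Strict responder check: an ID_IPV4_ADDR identity must equal the source
    address of the IKE packet. False models the INVALID-ID-INFORMATION case."""
    ident = parse_id_payload(buf)
    if ident["type"] != ID_IPV4_ADDR:
        return True   # assumption: only IPv4 address IDs are compared here
    return ident["id"] == peer_src_ip


def build_id_payload(ip: str, next_payload: int = 0) -> bytes:
    """Construct an ID_IPV4_ADDR payload (used here only to build sample input).
    Phase 1 IDs carry protocol/port zero or UDP/500 per RFC 2407."""
    data = ipaddress.IPv4Address(ip).packed
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), ID_IPV4_ADDR, 17, 500) + data


# Constructed sample addresses (documentation and private ranges, not from the thread):
# the firewall's external address versus its internal object IP.
EXTERNAL_IP = "203.0.113.10"
INTERNAL_OBJECT_IP = "10.1.1.1"
GOOD_ID = build_id_payload(EXTERNAL_IP)          # ID equals the packet's source
BAD_ID = build_id_payload(INTERNAL_OBJECT_IP)    # ID is the internal object IP
```

Running `id_matches_peer(BAD_ID, EXTERNAL_IP)` returns False, which is the mismatch the NETGEAR peer in the thread objects to, while a lenient peer would ignore the ID and proceed.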