
Subject: Re: [FW-1] "INVALID-ID-INFORMATION" // using internal IP as IPSec ID ?
From: Crist Clark <Crist.Clark AT GLOBALSTAR DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 26 Sep 2006 15:44:21 -0700
>>> On 9/26/2006 at 12:24 PM, Dennis Breithaupt <dbr AT TETAWORX DOT DE> wrote:
> Alex wrote:
>> "We suspect that FW-1 uses the configured object IP as the ID but that is
>> an internal one in our case." <- That's it - Checkpoint uses the Object IP !
>>
> Errr,
>
> but everywhere there is the recommendation to use the internal IP for
> the firewall object in NGX. But obviously it seems not to be very clever
> to have the internal IP in the IPSec ID?

It's actually the IKE, Phase 1 ID, not the Phase 2 ID.

> So how can I solve this contradiction? Isn't there _any_ possibility
> to enforce another IP (=the external) in the ID field? Some config-file
> or kind of?

Haven't tried it, but might the change you want be a side effect
of specifying the IP address in the "VPN>Link Selection" tab of
the Check Point gateway's properties?

OTOH, can you not put the internal address in the configuration
for the other device? It shouldn't matter what the identifier
is as long as it is unique to the peer.

> Does anyone know, why some devices (OpenSWAN, some NETGEAR routers) take
> care of the (wrong) ID and others (i.e. Watchguard, NetBSD, some other
> NETGEAR routers ;) ) don't? What does the IPSec standard say to this?

It's up to the end-points what to do with it. To quote RFC2407,

   The Identification Payload is used to identify the initiator of the
   Security Association.  The identity of the initiator SHOULD be used
   by the responder to determine the correct host system security policy
   requirement for the association.

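The behaviour the thread is arguing about can be made concrete with a small model of the responder side. The following is an added example, not code from the original post or from any of the products named in it: it parses an IKEv1/ISAKMP Identification Payload in the RFC 2407 section 4.6.2 layout (generic payload header, ID type, protocol ID, port, identification data) and then looks the identity up in a peer table two ways. The "strict" lookup additionally insists that an address-type ID equal the packet's source address, which is what the devices that fail with an ID mismatch effectively do; the "lenient" lookup only uses the ID as a key, which is all the RFC text quoted above requires. The gateway addresses (object address 10.1.1.1, external address 203.0.113.10), the peer table and the policy names are constructed for the example.

```python
"""Parse an ISAKMP/IKEv1 Identification Payload (RFC 2407 section 4.6.2) and
show how a responder may use it to select a peer policy, with or without an
extra check that an address-type ID matches the packet's source address."""

import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# ID type values from RFC 2407 section 4.6.2.1
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5

# next payload, reserved, payload length, ID type, protocol ID, port
_HEADER = "!BBHBBH"
_HEADER_LEN = struct.calcsize(_HEADER)  # 8 bytes


@dataclass
class IdPayload:
    id_type: int
    protocol_id: int
    port: int
    data: bytes

    def identity(self) -> str:
        """Render the identification data in a form usable as a policy key."""
        if self.id_type == ID_IPV4_ADDR:
            return str(ipaddress.IPv4Address(self.data))
        if self.id_type == ID_IPV6_ADDR:
            return str(ipaddress.IPv6Address(self.data))
        if self.id_type in (ID_FQDN, ID_USER_FQDN):
            return self.data.decode("ascii")
        return self.data.hex()  # other types are opaque here; compare as hex


def build_id_payload(id_type: int, data: bytes,
                     protocol_id: int = 0, port: int = 0) -> bytes:
    """Encode a single ID payload (next-payload field left as 0 / NONE)."""
    length = _HEADER_LEN + len(data)
    return struct.pack(_HEADER, 0, 0, length, id_type, protocol_id, port) + data


def parse_id_payload(buf: bytes) -> IdPayload:
    """Decode one ID payload, rejecting malformed lengths."""
    if len(buf) < _HEADER_LEN:
        raise ValueError("truncated ID payload")
    _next, _reserved, length, id_type, protocol_id, port = struct.unpack(
        _HEADER, buf[:_HEADER_LEN])
    if length < _HEADER_LEN or length > len(buf):
        raise ValueError("payload length field out of range")
    data = buf[_HEADER_LEN:length]
    if id_type == ID_IPV4_ADDR and len(data) != 4:
        raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
    if id_type == ID_IPV6_ADDR and len(data) != 16:
        raise ValueError("ID_IPV6_ADDR must carry exactly 16 bytes")
    return IdPayload(id_type, protocol_id, port, data)


def select_policy(payload: IdPayload, source_ip: str, peers: Dict[str, str],
                  require_address_match: bool) -> Optional[str]:
    """Responder-side lookup; `peers` maps an expected peer ID to a policy name.

    With require_address_match=True an IPv4-address ID must also equal the
    packet's source address (the stricter behaviour seen in the thread);
    otherwise the ID is only a lookup key, which is all RFC 2407 asks for."""
    ident = payload.identity()
    if require_address_match and payload.id_type == ID_IPV4_ADDR and ident != source_ip:
        return None  # ID/source mismatch: negotiation is refused
    return peers.get(ident)


# Constructed sample: a gateway whose object (internal) address is 10.1.1.1
# but whose IKE packets arrive from the external address 203.0.113.10. The
# responder has been told to expect the internal address as the peer ID.
SAMPLE_PEERS = {"10.1.1.1": "site-a", "vpn-b.example.net": "site-b"}
GATEWAY_INTERNAL = bytes([10, 1, 1, 1])
GATEWAY_EXTERNAL = "203.0.113.10"


def demo() -> Dict[str, Optional[str]]:
    """Run both responder behaviours over the same ID payload."""
    p = parse_id_payload(build_id_payload(ID_IPV4_ADDR, GATEWAY_INTERNAL))
    return {
        "strict": select_policy(p, GATEWAY_EXTERNAL, SAMPLE_PEERS, True),
        "lenient": select_policy(p, GATEWAY_EXTERNAL, SAMPLE_PEERS, False),
    }


if __name__ == "__main__":
    for mode, policy in demo().items():
        print(f"{mode:8s} -> {policy or 'rejected (ID does not match source)'}")
```

Running `demo()` gives `strict -> rejected` and `lenient -> site-a`: the same payload is refused by a responder that ties an address ID to the source address and accepted by one that simply treats the ID as the key into its peer table, which is why configuring the other device with the gateway's internal address as the expected peer ID works on the lenient devices only.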
