I'm struggling with a VPN that is not finishing even P1 negotiations.
Each side is configured for:
P1: Pre-G2-3des-MD5
P2: G2-Esp-3Des-MD5
The two firewalls are at 209.98.244.9 and 198.22.122.247 (a 5xt and a
Checkpoint respectively)
There is a policy-based VPN set up on the 5xt firewall which should
bring up and negotiate a tunnel whenever they try to connect to the
private (10.0.0.0/8) network behind the Checkpoint firewall, but it
never even completes P1 negotiations.
I've turned on "debug IKE all" and have looked at the dbuf stream but
cannot tell from that exactly what is failing. I don't know if it's
"my side" (the Netscreen) or "their side" (the Checkpoint).
Some of the dbuf stream that I'm seeing looks like this:
ns5xt-> get dbuf stream
##2007-03-14 06:58:42 : IKE<198.22.122.247> ****** Recv kernel msg IDX-4, TYPE-5 ******
##2007-03-14 06:58:42 : IKE<198.22.122.247> sa orig index<4>, peer_id<2>.
##2007-03-14 06:58:42 : IKE<198.22.122.247> C build_pref_cert_from_hash exit
##2007-03-14 06:58:42 : IKE<198.22.122.247> isadb get entry by peer/local ip and port
##2007-03-14 06:58:42 : IKE<198.22.122.247> create sa: 209.98.244.9->198.22.122.247
##2007-03-14 06:58:42 : IKE<0.0.0.0> getProfileFromP1Proposal->
##2007-03-14 06:58:42 : IKE<0.0.0.0> xauthstatus is 0
##2007-03-14 06:58:42 : IKE<0.0.0.0> find profile[0]=<00000005 00000001 00000001 00000002> for p1 proosal (id 20)
##2007-03-14 06:58:42 : IKE<198.22.122.247> Phase 2 task added
##2007-03-14 06:58:42 : IKE<0.0.0.0> , exp pak
##2007-03-14 06:58:42 : IKE<198.22.122.247> Msg header built (next payload #1)
##2007-03-14 06:58:42 : IKE<198.22.122.247> constructing SA payload for isakmp.
##2007-03-14 06:58:42 : XAUTH: disabled
##2007-03-14 06:58:42 : auth(1)<PRESHRD>, encr(5)<3DES>, hash(1)<MD5>, group(2)
##2007-03-14 06:58:42 :
##2007-03-14 06:58:42 : IKE<198.22.122.247> lifetime(86400/0)
##2007-03-14 06:58:42 : IKE<0.0.0.0> , exp pak
##2007-03-14 06:58:42 : IKE<0.0.0.0> , exp pak
##2007-03-14 06:58:42 : IKE<198.22.122.247> Sending P1 -->
##2007-03-14 06:58:42 : Msg, len 140, nxp 1, exch 2, flag 00
##2007-03-14 06:58:42 : Payload: Security_Assoc Vendor_ID Vendor_ID
##2007-03-14 06:58:42 : IKE<198.22.122.247> send phase 1 packet::
##2007-03-14 06:58:42 : 9a 49 24 7b d9 75 4c 1e 00 00 00 00 00 00 00 00
##2007-03-14 06:58:42 : 01 10 02 00 00 00 00 00 00 00 00 8c 0d 00 00 38
##2007-03-14 06:58:42 : 00 00 00 01 00 00 00 01 00 00 00 2c 01 01 00 01
##2007-03-14 06:58:42 : 00 00 00 24 01 01 00 00 80 01 00 05 80 02 00 01
##2007-03-14 06:58:42 : 80 04 00 02 80 03 00 01 80 0b 00 01 00 0c 00 04
##2007-03-14 06:58:42 : 00 01 51 80 0d 00 00 20 be dc 86 da bf 0a b7 97
##2007-03-14 06:58:42 : 38 70 b5 e6 c4 b8 7d 3e e8 24 de 31 00 00 00 10
##2007-03-14 06:58:42 : 00 00 04 01 00 00 00 18 48 65 61 72 74 42 65 61
##2007-03-14 06:58:42 : 74 5f 4e 6f 74 69 66 79 38 6b 01 00
##2007-03-14 06:58:42 : IKE<198.22.122.247> send_request to peer
##2007-03-14 06:58:42 : IKE<198.22.122.247> <209.98.244.9 => 198.22.122.247> Phase 1: Initiated negotiations in main mode.
##2007-03-14 06:58:42 : IKE<198.22.122.247> ****** Recv packet if <untrust> vsys <Root> ******
##2007-03-14 06:58:42 : IKE<198.22.122.247> SA: (root, local 209.98.244.9, sa 0/0001,i):
##2007-03-14 06:58:42 : Msg, len 84, nxp 1, exch 2, flag 00
##2007-03-14 06:58:42 : IKE<198.22.122.247> phase 1 sa for root sys.
##2007-03-14 06:58:42 : validate(56): SA/56
##2007-03-14 06:58:42 : IKE<198.22.122.247> Receiving <--
##2007-03-14 06:58:42 : Payload: Security_Assoc
##2007-03-14 06:58:42 : IKE<0.0.0.0> extract(56):
##2007-03-14 06:58:42 : IKE<198.22.122.247> Process MM state OAK_MM_NO_STATE.
##2007-03-14 06:58:42 : IKE<198.22.122.247> Process SA:
##2007-03-14 06:58:42 : IKE<198.22.122.247> Receive p1:
##2007-03-14 06:58:42 : XAUTH: disabled
##2007-03-14 06:58:42 : auth(1)<PRESHRD>, encr(5)<3DES>, hash(1)<MD5>, group(2)
##2007-03-14 06:58:42 :
##2007-03-14 06:58:42 : IKE<198.22.122.247> phase 1 atts[0] selected.
##2007-03-14 06:58:42 : IKE<198.22.122.247> sa->OAK_LIFE_TYPE=1
##2007-03-14 06:58:42 : IKE<198.22.122.247> sa->lifetime=86400
##2007-03-14 06:58:42 : IKE<0.0.0.0> dh group 2
##2007-03-14 06:58:42 : IKE<198.22.122.247> Phase 1 MM Initiator constructing 3rd message.
##2007-03-14 06:58:42 : IKE<0.0.0.0> , exp pak
##2007-03-14 06:58:42 : IKE<198.22.122.247> Msg header built (next payload #4)
##2007-03-14 06:58:42 : IKE<198.22.122.247> constructing ISA_KE.
##2007-03-14 06:58:42 : IKE<0.0.0.0> , exp pak
##2007-03-14 06:58:42 : IKE<198.22.122.247> constructing nonce
##2007-03-14 06:58:42 : IKE<198.22.122.247> Sending P1 -->
##2007-03-14 06:58:42 : Msg, len 184, nxp 4, exch 2, flag 00
##2007-03-14 06:58:42 : Payload: Key_Exchange Nonce
##2007-03-14 06:58:42 : IKE<198.22.122.247> send phase 1 packet::
##2007-03-14 06:58:42 : 9a 49 24 7b d9 75 4c 1e 66 56 94 84 fd 32 0c 0a
##2007-03-14 06:58:42 : 04 10 02 00 00 00 00 00 00 00 00 b8 0a 00 00 84
##2007-03-14 06:58:42 : df cf d8 d4 08 89 71 5b 8f b2 78 9e 99 1f ad 00
##2007-03-14 06:58:42 : b1 93 fb b6 2c af fc 07 20 45 d4 b3 1e c6 fc ec
##2007-03-14 06:58:42 : 4e af 8d eb b0 95 c6 c4 ce bf c8 57 98 bb 73 3a
##2007-03-14 06:58:42 : 61 64 ba af 63 99 ca f0 94 be 88 31 96 d9 de 00
##2007-03-14 06:58:42 : a7 d9 b6 49 1d 4b da c5 55 84 f6 8b 6a a8 4d 0c
##2007-03-14 06:58:42 : 60 16 ef b0 67 6b c0 c7 17 10 d5 ba d6 a5 b2 75
##2007-03-14 06:58:42 : 1e 80 a1 26 6c f1 e5 79 39 5e 4c 79 15 6a c7 1d
##2007-03-14 06:58:42 : 76 cd 85 40 ac da a8 1a 64 14 f7 8a ee d5 7f da
##2007-03-14 06:58:42 : 00 00 00 18 da e2 a8 14 e3 0e 72 67 61 d6 de a6
##2007-03-14 06:58:42 : ae 07 80 8b fe 21 14 86
##2007-03-14 06:58:42 : IKE<198.22.122.247> send_request to peer
##2007-03-14 06:58:42 : IKE<198.22.122.247> catcher: pki state<0>ike state<1/0007>
##2007-03-14 06:58:42 : IKE<198.22.122.247> ****** Recv packet if <untrust> vsys <Root> ******
##2007-03-14 06:58:42 : IKE<198.22.122.247> SA: (root, local 209.98.244.9, sa 1/0007,i):
##2007-03-14 06:58:42 : Msg, len 184, nxp 4, exch 2, flag 00
##2007-03-14 06:58:42 : IKE<198.22.122.247> phase 1 sa for root sys.
##2007-03-14 06:58:42 : validate(156): KE/132 NONCE/156
##2007-03-14 06:58:42 : IKE<198.22.122.247> Receiving <--
##2007-03-14 06:58:42 : Payload: Key_Exchange Nonce
##2007-03-14 06:58:42 : IKE<0.0.0.0> extract(156):
##2007-03-14 06:58:42 : IKE<198.22.122.247> Process MM state OAK_MM_SA_SETUP.
##2007-03-14 06:58:42 : IKE<198.22.122.247> Process KE:
##2007-03-14 06:58:42 : IKE<198.22.122.247> processing ISA_KE.
##2007-03-14 06:58:42 : IKE<198.22.122.247> Process NONCE:
##2007-03-14 06:58:42 : IKE<198.22.122.247> processing a NONCE.
##2007-03-14 06:58:42 : IKE<198.22.122.247> Phase 1 MM Initiator constructing 5th message.
##2007-03-14 06:58:42 : IKE<0.0.0.0> , exp pak
##2007-03-14 06:58:42 : IKE<198.22.122.247> Msg header built (next payload #5)
##2007-03-14 06:58:42 : IKE<198.22.122.247> ID, len=8, type=1, pro=17, port=500,
##2007-03-14 06:58:42 : IKE<198.22.122.247> addr=209.98.244.9
##2007-03-14 06:58:42 : IKE<198.22.122.247> Sending P1 -->
##2007-03-14 06:58:42 : Msg, len 60, nxp 5, exch 2, flag 00
##2007-03-14 06:58:42 : Payload: Identification Hash
(then it seems to loop a bit before timing out)
Is it obvious from this what could be causing this to fail? I'm not
even sure where to look beyond this and could use some advice, please.
-Charles
--
Charles Robinson - charlesr@visi.com
Minneapolis, MN
http://charles.robinsontwins.org
_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn
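An added example, not part of Charles's post or of either vendor's software: a small Python decoder for the ISAKMP packets quoted in the dbuf stream, using the first "send phase 1 packet" hex dump as constructed input. It walks the 28-byte header and the next-payload chain and decodes the SA transform attributes, so the bytes that actually left the 5xt can be checked against the Pre-G2-3des-MD5 profile (and the same function decodes the later KE/Nonce dump); the name tables cover only the attribute values this trace uses, and only the first transform of a proposal is decoded, both assumptions of this example.

```python
import struct

# Constructed input: the first "send phase 1 packet" hex dump from the post (main mode msg 1).
MM1 = bytes.fromhex(
    "9a49247bd9754c1e0000000000000000" "01100200000000000000008c0d000038"
    "00000001000000010000002c01010001" "00000024010100008001000580020001"
    "8004000280030001800b0001000c0004" "000151800d000020bedc86dabf0ab797"
    "3870b5e6c4b87d3ee824de3100000010" "00000401000000184865617274426561"
    "745f4e6f74696679386b0100")

PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
ATTR = {1: "encryption", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life_duration"}
# Assumption: only the IKEv1 attribute values seen in this trace are named here.
NAMES = {"encryption": {5: "3DES-CBC"}, "hash": {1: "MD5", 2: "SHA1"}, "auth": {1: "pre-shared"},
         "group": {2: "MODP-1024"}, "life_type": {1: "seconds"}}

def parse_attributes(data: bytes) -> dict:
    """Decode ISAKMP data attributes (RFC 2408 s3.3): TV when the high bit is set, else TLV."""
    attrs, i = {}, 0
    while i + 4 <= len(data):
        af_type, val = struct.unpack_from("!HH", data, i)
        i += 4
        if not af_type & 0x8000:                  # TLV: second field is a length, value follows
            val, i = int.from_bytes(data[i:i + val], "big"), i + val
        name = ATTR.get(af_type & 0x7FFF, f"attr{af_type & 0x7FFF}")
        attrs[name] = NAMES.get(name, {}).get(val, val)
    return attrs

def parse_isakmp(pkt: bytes) -> dict:
    """Walk the ISAKMP header and next-payload chain; decode the SA transform if present."""
    _, rcookie, nxt, _, exch, flags, _, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError(f"header says {length} bytes, got {len(pkt)}")
    msg = {"exchange": exch, "flags": flags, "length": length, "responder_cookie": rcookie, "payloads": []}
    off = 28
    while nxt:
        nxt_p, _, plen = struct.unpack_from("!BBH", pkt, off)   # generic payload header
        body = pkt[off + 4:off + plen]
        entry = {"type": PAYLOAD.get(nxt, nxt), "len": plen, "data": body}
        if nxt == 1:  # SA body: DOI(4) situation(4) proposal hdr(8) SPI(n) transform hdr(8) attrs
            t_off = 16 + body[14]                 # body[14] is the proposal's SPI size
            t_len = struct.unpack_from("!H", body, t_off + 2)[0]
            entry["transform"] = parse_attributes(body[t_off + 8:t_off + t_len])  # first transform only
        msg["payloads"].append(entry)
        off, nxt = off + plen, nxt_p
    return msg

def phase1_proposal(msg: dict) -> dict:
    """Transform attributes of the first SA payload, i.e. what the initiator actually offered."""
    return next((p["transform"] for p in msg["payloads"] if p["type"] == "SA"), {})

if __name__ == "__main__":
    for name, value in phase1_proposal(parse_isakmp(MM1)).items():
        print(f"{name:14} {value}")
```

If the decoded proposal matches the 5xt's configured P1 profile, the mismatch to look for is on the responder's accepted settings or in the messages after the KE/Nonce exchange, not in what the 5xt is offering.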