Checkpoint-Netscreen VPN

[How to run the NSM GUI under Mac OS X]

How to run the NSM GUI under Mac OS X
How to setup a route-based VPN on a NetScreen
How to make your PPTP VPN client work through a NetScreen/SSG
Setting up a dial-up VPN and NetScreen Remote
How the Global Zone Works (It's probably not what you think)
How to configure NetScreen/SSG devices to work with the built in Mac OS X VPN client
How to Configure Dial-up VPN with route-based tunnels, XAuth, and use IPSecuritas

[netmanau]

Hello

I'm trying to setup a LAN-to-LAN VPN between a Checkpoint NG and a Netscreen 100 3.0.3r3 using Preshare/DES/MD5. I am having trouble with Phase 2 negotiations:

Multiple SA for multiple policy mode, skipping base sa 11 when searching for sa.
##2003-03-03 10:53:00 system-debugging: IKE <y.y.y.y> Phase 2: No policy exists for the proxy ID received: local ID(x.x.x.x>/<255.255.254.0>,<0>,<0>) remote ID (<y.y.y.y>/<255.255.255.255>,<0>,<0>)

y=Host on trusted side of Checkpoint, x=Trusted Netscreen Address Range

The Netscreen knowledgebase suggests this is because I do not have the correct incoming policy, but I have made sure this is not the case. Any other ideas what could be causing this?
Thanks

[cyh]

check you address as well.
you should set the two addresses like:

set address t1 trust x.x.x.x 255.255.254.0
set address u1 untrust y.y.y.y 255.255.255.255

and the policy should be like

set policy incoming u1 t1 any tunnel vpn vpn1

Or use WebUI.

[netmanau]

Addresses are fine too. I've even tried changing the policy to allow all untrusted ip addresses though but still get this error.

[netmanau]

Also there are NATs on the checkpoint which translate to public addresses. Both internal and NATed public addresses have been added to the incoming policy.

A 'get sa' command shows the tunnel as active and I can ping hosts on trusted side of Checkpoint from trusted side of Netscreen, however when I ping from the Checkpoint side the error occurs in Netscreen logs. Does NATing at the Checkpoint affect the proxy id (other than ip address) to make it unrecognisable to the Netscreen?

[Florent]

what is the exact source IP, destination IP and services defined in both Netscreen and Checkpoint ?

[Florent]

I encoutered the same problem.
It looks like the DOI on checkpoint is strange and come from space
which NG version are you running ?

If you need to have this quickly working, unset ike pol on NS solve the problem (just to wait)

[netmanau]

Thanks for that Flo. The problem was that the incoming policy on the Netscreen would not allow me to use groups of addresses!! It would only work when I specified individual addresses which corresponded exactly to the outgoing on the Checkpoint. I got around this by using a subnet mask on an individual address (luckily all the addresses i wanted to allow in were sequential and inside one small network!)

[Florent]

The problem was that the incoming policy on the Netscreen would not allow me to use groups of addresses!!

This is the same with a majority of other VPN device since Netscreen use the IP 0.0.0.0 when a group is used (and 0 for a service group) and lot of others will negociate IKE for each member of an IP group individualy.

It would only work when I specified individual addresses which corresponded exactly to the outgoing on the Checkpoint.

Another time, the proxy id must always exactly match with peer gateway.

I got around this by using a subnet mask on an individual address (luckily all the addresses i wanted to allow in were sequential and inside one small network!)

There is another thing to ntoe with NG. There is some behavior that change during IKE negociation between 4.1 and NG. A working VPN config with 4.1 is not working in one direction after NG upgrade.

if someone here has checkpoint skills, he can help to understand the change.

•      Forum/Home
•      Store
•      Articles
•        Tech Articles
•        Industry News
•        Site News
•      Knowledgebase
•        JUNOS/Routing
•        NS/ISG/SSG/NSM
•        SSL VPN
•      Downloads

Please consider donating if we've saved you time or money. It helps pay for the bandwidth, equipment, and hosting charges to keep this site running

Submit Article/KB - Do not submit questions here.

[Today]

• www.nikeaaashoes.com.cn s... by kelly110 [Today at 01:58:21 PM]
• www. nikeaaashoes.com.cn ... by kelly110 [Today at 01:55:29 PM]
• www. nikeaaashoes.com.cn ... by kelly110 [Today at 01:53:25 PM]
• www. nikeaaashoes.com.cn ... by kelly110 [Today at 01:52:19 PM]
• www.nikeaaashoes.com.cn s... by kelly110 [Today at 01:49:14 PM]
• www.nikeaaashoes.com.cn s... by kelly110 [Today at 01:42:22 PM]
• www. nikeaaashoes.com.cn ... by kelly110 [Today at 01:23:43 PM]
• www. nikeaaashoes.com.cn ... by kelly110 [Today at 01:21:58 PM]
• www.holesale shoes clothe... by kelly110 [Today at 01:21:15 PM]
• www. nikeaaashoes.com.cn ... by kelly110 [Today at 01:20:08 PM]

Members

• Total Members: 22551
• Latest: barneb01

Stats

• Total Posts: 40719
• Total Topics: 11389
• Online Today: 82
• Online Ever: 393
• (August 06, 2008, 07:40:57 AM)

Users Online

Users: 0
Guests: 48
Total: 48