Discussion:
Re: VPN tunnel between PfSense and Checkpoint NG
Holger Bauer
2006-02-02 10:44:07 UTC
Permalink
Some logs would be helpful.

Holger
-----Original Message-----
Sent: Thursday, 2 February 2006 11:39
Subject: [pfSense Support] VPN tunnel between PfSense and Checkpoint NG
Hi everyone,

I'm having trouble creating a VPN tunnel between my Checkpoint NG R56 cluster and a pfSense box.

I successfully created a tunnel in the reverse direction, i.e. a client behind pfSense can connect via IPsec tunnel to a client protected by Checkpoint. I still have problems the other way around.

Both firewalls have been configured with 3DES and MD5 for both phase 1 and 2, PFS (perfect forward secrecy) and the same shared secret (obviously).

I've successfully created the same scenario with a SmoothWall box with the Openswan patch and vpnpack.

Does anyone have any idea?

Thanks
Riccardo
dogbert
2006-02-02 10:59:23 UTC
Permalink
Post by Holger Bauer
Some logs would be helpful.
Holger
Sure. This is the log from pfSense:

Feb 2 11:45:51 racoon: ERROR: failed to pre-process packet.
Feb 2 11:45:51 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:51 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:51 racoon: INFO: respond new phase 2 negotiation:
XXX.XXX.XXX.XXX[0]<=>YYY.YYY.YYY.YYY[0]
Feb 2 11:45:49 racoon: ERROR: failed to pre-process packet.
Feb 2 11:45:49 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:49 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:49 racoon: INFO: respond new phase 2 negotiation:
XXX.XXX.XXX.XXX[0]<=>YYY.YYY.YYY.YYY[0]
Feb 2 11:45:47 racoon: ERROR: failed to pre-process packet.
Feb 2 11:45:47 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:47 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:47 racoon: INFO: respond new phase 2 negotiation:
XXX.XXX.XXX.XXX[0]<=>YYY.YYY.YYY.YYY[0]

and this is the log from Checkpoint:

Number: 591705
Date: 2Feb2006
Time: 11:43:29
Product: VPN-1 & FireWall-1
Interface: daemon
Origin: der-fw1b (YYY.YYY.YYY.YYY)
Type: Log
Action: Key Install
Source: der-fw1b (YYY.YYY.YYY.YYY)
Destination: FW_TEST (XXX.XXX.XXX.XXX)
Encryption Scheme: IKE
VPN Peer Gateway: FW_TEST (XXX.XXX.XXX.XXX)
IKE Initiator Cookie: e9b87140d007eded
IKE Responder Cookie: 33ef3658619d621c
Encryption Methods: 3DES + MD5, Pre shared secrets
Information: IKE: Main Mode completion.


Number: 593262
Date: 2Feb2006
Time: 11:44:05
Product: VPN-1 & FireWall-1
Interface: daemon
Origin: der-fw1b (YYY.YYY.YYY.YYY)
Type: Log
Action: Reject
Reject Reason: IKE failure
Protocol: ip
Rule: 0 - Implied Rules
Encryption Scheme: IKE
VPN Peer Gateway: FW_TEST (XXX.XXX.XXX.XXX)
Information: encryption failure: no response from peer.


Number: 594109
Date: 2Feb2006
Time: 11:44:28
Product: VPN-1 & FireWall-1
Interface: qfe1
Origin: der-fw1b (YYY.YYY.YYY.YYY)
Type: Log
Action: Drop
Source: CLIENT_A (aaa.aaa.aaa.aa)
Destination: CLIENT_B (bbb.bbb.bbb.bbb)
Protocol: icmp
Rule: 75
NAT rule number: 39
NAT additional rule number: 0
Destination Key ID: 0x00000000
XlateSrc: DER-Cluster-EXT (YYY.YYY.YYY.YYY)
Encryption Scheme: IKE
VPN Peer Gateway: FW_TEST (XXX.XXX.XXX.XXX)
Encryption Methods: ESP: 3DES + MD5 + PFS
Information: ICMP: Echo Request
ICMP Type: 8
ICMP Code: 0
encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information
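
An added example, not part of the thread and not pfSense or Check Point code. Read together, the two logs above split the failure cleanly: Check Point records "Main Mode completion" with 3DES + MD5 and pre-shared secrets, so phase 1 and the shared secret are agreed; pfSense's racoon then answers every phase 2 request with "failed to get sainfo", and Check Point finally drops the ping because no IPsec SA exists. In racoon, "failed to get sainfo" means the responder could not match the phase 2 identities the peer proposed (the local and remote networks) against any configured sainfo block, so the thing to compare is the networks each side proposes in quick mode, not the ciphers. The script below parses both log formats, counts the signature messages and returns a verdict. The excerpts are the ones posted above (peer addresses masked as in the post), with racoon's wrapped lines rejoined and the Check Point records trimmed to the fields the script reads; the message-to-cause table and the verdict labels are mine and encode the conventional meaning of those racoon messages.

```python
"""Triage an IKE failure from a pfSense racoon log plus Check Point log records.
Added example for this thread, not pfSense or Check Point code. The excerpts are
the ones posted in the thread (addresses masked as in the post), with racoon's
wrapped lines rejoined and Check Point records trimmed to the fields read here."""
import re
from collections import Counter

RACOON_LOG = """\
Feb 2 11:45:51 racoon: ERROR: failed to pre-process packet.
Feb 2 11:45:51 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:51 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:51 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[0]<=>YYY.YYY.YYY.YYY[0]
Feb 2 11:45:49 racoon: ERROR: failed to pre-process packet.
Feb 2 11:45:49 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:49 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:49 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[0]<=>YYY.YYY.YYY.YYY[0]
Feb 2 11:45:47 racoon: ERROR: failed to pre-process packet.
Feb 2 11:45:47 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:47 racoon: ERROR: failed to get sainfo.
Feb 2 11:45:47 racoon: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[0]<=>YYY.YYY.YYY.YYY[0]
"""

CHECKPOINT_LOG = """\
Number: 591705
Action: Key Install
Encryption Methods: 3DES + MD5, Pre shared secrets
Information: IKE: Main Mode completion.

Number: 593262
Action: Reject
Information: encryption failure: no response from peer.

Number: 594109
Action: Drop
Encryption Methods: ESP: 3DES + MD5 + PFS
Information: ICMP: Echo Request
encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423
"""

# Syslog prefix as written on the pfSense box: "Feb 2 11:45:51 racoon: LEVEL: message".
RACOON_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) racoon: (?P<level>\w+): (?P<msg>.*)$")

# racoon messages that pin a failure to one stage, and their usual meaning (my table).
RACOON_SIGNATURES = {
    "failed to get sainfo": "phase 2: peer's IDs (local/remote networks) match no configured sainfo",
    "no suitable proposal found": "proposal: no common cipher/hash/DH group (or PFS setting)",
    "phase1 negotiation failed due to time up": "phase 1: no ISAKMP SA; check PSK, identifiers, proposal",
}


def parse_racoon(text):
    """One dict (ts, level, msg) per syslog line written by racoon; other lines are skipped."""
    return [m.groupdict() for m in map(RACOON_RE.match, text.splitlines()) if m]


def parse_checkpoint(text):
    """Blank-line-separated 'Field: value' records -> list of dicts.
    Only the first colon splits field from value, so 'IKE: Main Mode completion.' survives."""
    records, current = [], {}
    for line in text.splitlines() + [""]:  # the sentinel flushes the last record
        if line.strip():
            field, _, value = line.partition(":")
            current[field.strip()] = value.strip()
        elif current:
            records.append(current)
            current = {}
    return records


def triage(racoon_text, checkpoint_text):
    """Correlate both sides and name the stage at which the exchange fails."""
    racoon = parse_racoon(racoon_text)
    records = parse_checkpoint(checkpoint_text)

    hits = Counter(sig for ev in racoon for sig in RACOON_SIGNATURES if sig in ev["msg"])
    phase2_attempts = sum("phase 2 negotiation" in ev["msg"] for ev in racoon)
    main_mode_ok = any("Main Mode completion" in r.get("Information", "") for r in records)
    no_valid_sa_drops = sum(r.get("Action") == "Drop" and "no valid SA" in r.get("encryption fail reason", "")
                            for r in records)

    if hits["no suitable proposal found"]:
        verdict = "proposal_mismatch"
    elif main_mode_ok and hits["failed to get sainfo"]:
        # Phase 1 agreed, so the PSK and phase 1 ciphers are fine; racoon rejects the
        # phase 2 identities, so compare the networks each side proposes in quick mode.
        verdict = "phase2_selector_mismatch"
    elif hits["phase1 negotiation failed due to time up"]:
        verdict = "phase1_failure"
    else:
        verdict = "inconclusive"

    return {"verdict": verdict, "main_mode_ok": main_mode_ok, "phase2_attempts": phase2_attempts,
            "no_valid_sa_drops": no_valid_sa_drops, "racoon_hits": dict(hits),
            "explanations": [RACOON_SIGNATURES[s] for s in hits]}


if __name__ == "__main__":
    for key, value in triage(RACOON_LOG, CHECKPOINT_LOG).items():
        print(f"{key}: {value}")
```

On the logs above the verdict is phase2_selector_mismatch with three phase 2 attempts, six sainfo failures and one "no valid SA" drop. The practical follow-up is to compare pfSense's configured local and remote subnets against what the Check Point gateway actually proposes from its encryption domain, since racoon only accepts a phase 2 proposal whose identities match a configured sainfo.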
