Hi,

I am also Nokia product. How can you obtain such a detailed log, in particular for the IPSEC information? How can I obtain this kind of data from CP?

Please indicate.

Thanks in advance.

Best regards,
maritn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Scott Hunter
Sent: Thursday, February 15, 2001 11:40 PM
To: Fw-1-Mailinglist (E-mail)
Subject: [FW1] Nokia (Network Alchemy) CC 500 (Crypto Cluster) and FW1 SP2 on NT

I am trying to set up a VPN using a Nokia CC 500 and FW1. I'm using IKE and pre-shared secrets. The tunnel works in one direction, from the network behind the Nokia to the network behind the FW1 machine, but when I attempt to access the network behind the Nokia CC 500 from the network behind the FW1, it fails and I get the following on the CC 500 console (some IPs changed to protect the innocent):

Thu Feb 15 15:16:18 2001 (IPSEC)-ERR: key_find_responder_policy: matching outbound selector not found
Thu Feb 15 15:16:18 2001 (IKE)-ERR: receive: failed to locate QM responder policy

then:

Thu Feb 15 15:16:43 2001 (IKE)-AUDIT: IKE SA deleted for 123.123.123.66 (123.123.123.66)
Thu Feb 15 15:16:43 2001 (IKE)-NOTICE: process_sa: no proposal chosen

Then the tunnel goes down and does not come back up until traffic goes from the network behind the Nokia CC 500 to the network behind the FW1 box.

When it is up, IPSEC looks like this:

IPSec Security Associations:

spi: ffff3c00 <- ffff1d87
source address: 123.123.123.66
destination address: 123.123.123.80
client identity: 10.10/24
type: esp
integrity algorithm: md5 (128 bits)
secrecy algorithm: 3des (192 bits)
flags: inbound,initiator,tunnel
lifetime: 60 minutes
time-to-live: 59 minutes
traffic: 848 bytes

spi: ffff1d87 -> ffff3c00 (1)
source address: 123.123.123.80
destination address: 123.123.123.66
client identity: 10/24
type: esp
integrity algorithm: md5 (128 bits)
secrecy algorithm: 3des (192 bits)
flags: outbound,initiator,tunnel
lifetime: 60 minutes
time-to-live: 59 minutes
traffic: 632 bytes

and IKE looks like this:

IKE Security Associations:

sequence: 2b
state: MM_IDLE
flags: outbound,valid
source: 123.123.123.80
destination: 123.123.123.66
peer identity: fqdn.domain.com
oakley group: modp-768
encryption algorithm: 3des
hash algorithm: md5
authentication method: pre-shared key
associations: 2
lifetime: 8 hours
time-to-live: 7 hours

It's also really slow. Anyone out there have any experience with the Nokia CC 500 that they would like to share?

Scott
