Hi everyone,
Has any of you ever set up a VPN to a Checkpoint firewall?
My problem at the moment is that phase I normally completes without problems, but phase II takes several attempts!!
In the attachment I have traced one such case:
*) the tunnel setup actually starts correctly at boot
*) it then negotiates phase I and finds a common proposal
*) but then it usually says "no response" or "time-out"
*) after 5 to 10 min, however, both sides do seem to find each other somehow and also complete phase II successfully?
At the moment I unfortunately don't know where to start looking.
In principle the settings (such as shared secret, access list) must be correct if the tunnel does come up after some time, or am I wrong there?
==================================================
[VPN-Status] 1900/01/01 00:04:13,530
VPN: Disconnect info: remote-disconnected (0x4301) for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:13,560
VPN: selecting next remote gateway using strategy eFirst for CHECKPOINT_2
=> no remote gateway selected
[VPN-Status] 1900/01/01 00:04:13,560
VPN: selecting first remote gateway using strategy eFirst for CHECKPOINT_2
=> CurrIdx=0, IpStr=>111.222.333.444<, IpAddr=111.222.333.444, IpTtl=0s
[VPN-Status] 1900/01/01 00:04:13,560
VPN: installing ruleset for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:13,560
VPN: CHECKPOINT_2 (111.222.333.444) disconnected
[VPN-Status] 1900/01/01 00:04:13,570
VPN: rulesets installed
[VPN-Status] 1900/01/01 00:04:14,560
VPN: connecting to CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:14,580
VPN: installing ruleset for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:14,590
VPN: ruleset installed for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:14,590
VPN: start IKE negotiation for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:14,610
VPN: rulesets installed
[VPN-Status] 1900/01/01 00:04:14,620
IKE info: Phase-1 negotiation started for peer CHECKPOINT_2 rule isakmp-peer-CHECKPOINT_2 using MAIN mode
[VPN-Status] 1900/01/01 00:04:14,670
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 1 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 2 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 3 encryption algorithm = BLOWFISH_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 4 encryption algorithm = BLOWFISH_CBC
IKE info: Phase-1 remote proposal 1 for peer CHECKPOINT_2 matched with local proposal 5
[VPN-Status] 1900/01/01 00:04:14,890
IKE info: Phase-1 [inititiator] for peer CHECKPOINT_2 between initiator id 83.65.178.126, responder id 111.222.333.444 done
IKE info: SA ISAKMP for peer CHECKPOINT_2 encryption 3des-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)
[VPN-Status] 1900/01/01 00:04:22,060
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 1 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 2 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 3 encryption algorithm = BLOWFISH_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 4 encryption algorithm = BLOWFISH_CBC
IKE info: Phase-1 remote proposal 1 for peer CHECKPOINT_2 matched with local proposal 5
[VPN-Status] 1900/01/01 00:04:22,470
IKE info: Phase-1 [responder] for peer CHECKPOINT_2 between initiator id 111.222.333.444, responder id 555.666.777.888 done
IKE info: SA ISAKMP for peer CHECKPOINT_2 encryption 3des-cbc authentication md5
IKE info: life time ( 86400 sec/ 0 kb)
[VPN-Status] 1900/01/01 00:04:44,610
VPN: connection for CHECKPOINT_2 (111.222.333.444) timed out: no response
[VPN-Status] 1900/01/01 00:04:44,610
VPN: Error: IFC-I-Connection-timeout-IKE-IPSEC (0x1106) for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:44,610
VPN: disconnecting CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:44,610
VPN: Error: (unknown) (0x0117) for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:44,640
IKE info: Delete Notificaton sent for Phase-1 SA to peer CHECKPOINT_2
[VPN-Status] 1900/01/01 00:04:44,640
IKE info: Phase-1 SA removed: peer CHECKPOINT_2 rule CHECKPOINT_2 removed
[VPN-Status] 1900/01/01 00:04:44,640
IKE info: Delete Notificaton sent for Phase-1 SA to peer CHECKPOINT_2
[VPN-Status] 1900/01/01 00:04:44,640
IKE info: Phase-1 SA removed: peer CHECKPOINT_2 rule CHECKPOINT_2 removed
[VPN-Status] 1900/01/01 00:04:44,660
VPN: CHECKPOINT_2 (111.222.333.444) disconnected
[VPN-Status] 1900/01/01 00:04:44,660
VPN: Disconnect info: remote-disconnected (0x4301) for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:44,690
VPN: selecting next remote gateway using strategy eFirst for CHECKPOINT_2
=> no remote gateway selected
[VPN-Status] 1900/01/01 00:04:44,690
VPN: selecting first remote gateway using strategy eFirst for CHECKPOINT_2
=> CurrIdx=0, IpStr=>111.222.333.444<, IpAddr=111.222.333.444, IpTtl=0s
[VPN-Status] 1900/01/01 00:04:44,690
VPN: installing ruleset for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:44,690
VPN: CHECKPOINT_2 (111.222.333.444) disconnected
[VPN-Status] 1900/01/01 00:04:44,700
VPN: rulesets installed
[VPN-Status] 1900/01/01 00:04:45,690
VPN: connecting to CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:45,710
VPN: installing ruleset for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:45,720
VPN: ruleset installed for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:45,720
VPN: start IKE negotiation for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:04:45,750
VPN: rulesets installed
[VPN-Status] 1900/01/01 00:04:45,750
IKE info: Phase-1 negotiation started for peer CHECKPOINT_2 rule isakmp-peer-CHECKPOINT_2 using MAIN mode
[VPN-Status] 1900/01/01 00:04:45,790
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 1 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 2 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 3 encryption algorithm = BLOWFISH_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 4 encryption algorithm = BLOWFISH_CBC
IKE info: Phase-1 remote proposal 1 for peer CHECKPOINT_2 matched with local proposal 5
[VPN-Status] 1900/01/01 00:04:46,010
IKE info: Phase-1 [inititiator] for peer CHECKPOINT_2 between initiator id 83.65.178.126, responder id 111.222.333.444 done
IKE info: SA ISAKMP for peer CHECKPOINT_2 encryption 3des-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)
[VPN-Status] 1900/01/01 00:04:53,050
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 1 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 2 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 3 encryption algorithm = BLOWFISH_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 4 encryption algorithm = BLOWFISH_CBC
IKE info: Phase-1 remote proposal 1 for peer CHECKPOINT_2 matched with local proposal 5
[VPN-Status] 1900/01/01 00:04:53,330
IKE info: Phase-1 [responder] for peer CHECKPOINT_2 between initiator id 111.222.333.444, responder id 83.65.178.126 done
IKE info: SA ISAKMP for peer CHECKPOINT_2 encryption 3des-cbc authentication md5
IKE info: life time ( 86400 sec/ 0 kb)
[VPN-Status] 1900/01/01 00:05:15,750
VPN: connection for CHECKPOINT_2 (111.222.333.444) timed out: no response
[VPN-Status] 1900/01/01 00:05:15,750
VPN: Error: IFC-I-Connection-timeout-IKE-IPSEC (0x1106) for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:05:15,750
VPN: disconnecting CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:05:15,750
VPN: Error: (unknown) (0x0117) for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:05:15,770
IKE info: Delete Notificaton sent for Phase-1 SA to peer CHECKPOINT_2
[VPN-Status] 1900/01/01 00:05:15,780
IKE info: Phase-1 SA removed: peer CHECKPOINT_2 rule CHECKPOINT_2 removed
[VPN-Status] 1900/01/01 00:05:15,780
IKE info: Delete Notificaton sent for Phase-1 SA to peer CHECKPOINT_2
[VPN-Status] 1900/01/01 00:05:15,780
IKE info: Phase-1 SA removed: peer CHECKPOINT_2 rule CHECKPOINT_2 removed
[VPN-Status] 1900/01/01 00:05:15,800
VPN: CHECKPOINT_2 (111.222.333.444) disconnected
[VPN-Status] 1900/01/01 00:05:15,800
VPN: Disconnect info: remote-disconnected (0x4301) for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:05:15,830
VPN: selecting next remote gateway using strategy eFirst for CHECKPOINT_2
=> no remote gateway selected
[VPN-Status] 1900/01/01 00:05:15,830
VPN: selecting first remote gateway using strategy eFirst for CHECKPOINT_2
=> CurrIdx=0, IpStr=>111.222.333.444<, IpAddr=111.222.333.444, IpTtl=0s
[VPN-Status] 1900/01/01 00:05:15,830
VPN: installing ruleset for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:05:15,830
VPN: CHECKPOINT_2 (111.222.333.444) disconnected
[VPN-Status] 1900/01/01 00:05:15,840
VPN: rulesets installed
[VPN-Status] 1900/01/01 00:05:16,830
VPN: connecting to CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:05:16,850
VPN: installing ruleset for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:05:16,860
VPN: ruleset installed for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:05:16,860
VPN: start IKE negotiation for CHECKPOINT_2 (111.222.333.444)
[VPN-Status] 1900/01/01 00:05:16,890
VPN: rulesets installed
[VPN-Status] 1900/01/01 00:05:16,890
IKE info: Phase-1 negotiation started for peer CHECKPOINT_2 rule isakmp-peer-CHECKPOINT_2 using MAIN mode
[VPN-Status] 1900/01/01 00:05:17,250
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 1 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 2 encryption algorithm = AES_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 3 encryption algorithm = BLOWFISH_CBC
IKE info: phase-1 proposal failed: remote No 1 encryption algorithm = 3DES_CBC <-> local No 4 encryption algorithm = BLOWFISH_CBC
IKE info: Phase-1 remote proposal 1 for peer CHECKPOINT_2 matched with local proposal 5
[VPN-Status] 1900/01/01 00:05:17,790
IKE info: Phase-1 [inititiator] for peer CHECKPOINT_2 between initiator id 83.65.178.126, responder id 111.222.333.444 done
IKE info: SA ISAKMP for peer CHECKPOINT_2 encryption 3des-cbc authentication md5
IKE info: life time ( 108000 sec/ 0 kb)
[VPN-Status] 1900/01/01 00:05:18,010
IKE info: Phase-2 [inititiator] done with 2 SAS for peer CHECKPOINT_2 rule ipsec-0-CHECKPOINT_2-pr0-l0-r0
IKE info: rule:' ipsec 172.19.211.96/255.255.255.224 <-> 172.19.192.0/255.255.240.0 '
IKE info: SA ESP [0xa8fb1440] alg 3DES keylength 192 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x4a69ae36] alg 3DES keylength 192 +hmac HMAC_MD5 incoming
IKE info: life soft( 1600 sec/160000 kb) hard (2000 sec/200000 kb)
IKE info: tunnel between src: 555.666.777.888 dst: 111.222.333.444
[VPN-Status] 1900/01/01 00:05:19,020
VPN: CHECKPOINT_2 (111.222.333.444) connected
A new configuration is being uploaded ...
Configuration has been uploaded successfully
[VPN-Status] 1900/01/01 00:07:24,910
VPN: installing ruleset generally
==================================================
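An added example, not part of the original post: a small Python parser that splits a `[VPN-Status]` trace like the one above into connection attempts and reports, per attempt, which Phase-1 roles completed (with their lifetimes) and whether the attempt ended in a Phase-2 SA or a timeout. The embedded sample is constructed in the same format; the peer name `PEER_A` and the documentation-range addresses are placeholders.

```python
import re

# Constructed sample in the format of the trace above (placeholder peer name and addresses).
SAMPLE = """\
[VPN-Status] 1900/01/01 00:04:14,590
VPN: start IKE negotiation for PEER_A (192.0.2.1)
[VPN-Status] 1900/01/01 00:04:14,890
IKE info: Phase-1 [inititiator] for peer PEER_A between initiator id 198.51.100.2, responder id 192.0.2.1 done
IKE info: life time ( 108000 sec/ 0 kb)
[VPN-Status] 1900/01/01 00:04:22,470
IKE info: Phase-1 [responder] for peer PEER_A between initiator id 192.0.2.1, responder id 198.51.100.2 done
IKE info: life time ( 86400 sec/ 0 kb)
[VPN-Status] 1900/01/01 00:04:44,610
VPN: connection for PEER_A (192.0.2.1) timed out: no response
[VPN-Status] 1900/01/01 00:04:45,720
VPN: start IKE negotiation for PEER_A (192.0.2.1)
[VPN-Status] 1900/01/01 00:04:46,010
IKE info: Phase-1 [inititiator] for peer PEER_A between initiator id 198.51.100.2, responder id 192.0.2.1 done
IKE info: life time ( 108000 sec/ 0 kb)
[VPN-Status] 1900/01/01 00:04:46,230
IKE info: Phase-2 [inititiator] done with 2 SAS for peer PEER_A rule ipsec-0-PEER_A-pr0-l0-r0
"""

STAMP = re.compile(r"\[VPN-Status\] \S+ (\d+):(\d+):(\d+),(\d+)")
PHASE1 = re.compile(r"Phase-1 \[(\w+)\] for peer .* done")  # role as spelled by the log
LIFE = re.compile(r"life time \(\s*(\d+) sec")

def summarize(trace):
    """Split the trace into connection attempts and record how each one ended."""
    attempts, cur, now, role = [], None, 0.0, None
    for line in trace.splitlines():
        if m := STAMP.match(line):  # remember the time of the current log entry
            now = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3]) + int(m[4]) / 1000
        elif "start IKE negotiation" in line:  # a new attempt begins
            cur = {"start": now, "phase1": {}, "result": "open", "secs": None}
            attempts.append(cur)
        elif cur is None: continue  # ignore lines before the first attempt
        elif m := PHASE1.search(line):  # Phase-1 finished in this role
            role = m.group(1)
            cur["phase1"][role] = None
        elif (m := LIFE.search(line)) and role:  # lifetime of that Phase-1 SA
            cur["phase1"][role], role = int(m.group(1)), None
        elif "timed out" in line or ("Phase-2" in line and " done " in line):
            cur["result"] = "timeout" if "timed out" in line else "phase2-done"
            cur["secs"] = round(now - cur["start"], 2)
    return attempts

if __name__ == "__main__":
    for n, a in enumerate(summarize(SAMPLE), 1):
        print(n, a["result"], a["secs"], "s; phase-1 lifetimes by role:", a["phase1"])
```

Run against a full trace, the summary makes it easy to see which attempts completed Phase-1 in both roles before timing out and which lifetime each side's ISAKMP SA carried.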
VPN to a Checkpoint firewall