Network Security Firewalls
Re: Checkpoint FW-1 -> Cisco VPN error

Subject: Re: Checkpoint FW-1 -> Cisco VPN error
Date: Wed, 22 Dec 2004 14:57:48 +1000
Hi Matt,

I am guessing you have the rule for interesting traffic to bring up the
tunnel?
source ---> dst_encrypt_domain - service - encrypt action

Are your parameters correct in the "encrypt" action?

Do your VPN settings in the Global Properties match those of the PIX?

Are your renegotiate parameters for the SA the same on both devices?

Just some possible issues you may want to check.

Cheers
Ivan


Ivan Coric, CISSP, RHCE
Senior IT Security Specialist
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: ivan.coric@workcoverqld.com.au

Matthew West <matthew.west@eds.com> 22/12/2004 11:16:46 am >>>

Hi All

I am getting a rather cryptic message after a successful IKE handshake
between CP FW-1 R55 and Cisco PIX (the PIX has been happily VPN'ing with
another PIX). Once the handshake has completed (successfully) and
traffic is attempted to be routed the CP firewall denies the traffic
stating:

encryption failure: Packet was decrypted, but policy says connection
should not be decrypted

I am using 'simplified mode' VPN configuration and have the external
interoperable devices as a part of the VPN star config and do not have
the tick box 'allow key exchange for subnets' ticked either in the
global properties or the properties of the VPN community.

I did find something after googling for the error message, but this was
resolved by changing settings for MEPs and failover gateways, which I do
not have in this instance.

Any thoughts? Any further info needed?

All help much appreciated.

Matt
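As an added illustration (not part of the thread, and not Check Point or Cisco code), the script below models the usual cause of the "policy says connection should not be decrypted" message that Ivan's checklist is probing for: the PIX crypto ACL and the Check Point's VPN domains disagree about which traffic belongs in the tunnel, so a packet arrives encrypted that the Check Point's policy never expected to be. All addresses, domains and the crypto ACL are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network

# Constructed sample configuration (not from the thread).
# PIX "interesting traffic": crypto ACL lines as (source net, destination net).
CRYPTO_ACL: List[Tuple[Net, Net]] = [(Net("10.1.0.0/16"), Net("192.168.5.0/24"))]
# Check Point: our own VPN domain, and the peer's VPN domain as we defined it.
LOCAL_DOMAIN: List[Net] = [Net("192.168.5.0/24")]
PEER_DOMAIN: List[Net] = [Net("10.1.1.0/24")]   # narrower than the PIX believes


def in_any(addr: str, nets: List[Net]) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def pix_would_encrypt(src: str, dst: str, crypto_acl: List[Tuple[Net, Net]]) -> bool:
    """PIX side: the packet is tunnelled if it matches a crypto ACL line."""
    ip_s, ip_d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(ip_s in s and ip_d in d for s, d in crypto_acl)


def cp_expects_decrypted(src: str, dst: str, peer: List[Net], local: List[Net]) -> bool:
    """Check Point side (assumed model): a decrypted packet from the peer is
    acceptable only if its source is in the peer's VPN domain and its
    destination is in our own VPN domain."""
    return in_any(src, peer) and in_any(dst, local)


def diagnose(src: str, dst: str, crypto_acl, peer: List[Net], local: List[Net]) -> str:
    """Classify what happens to one packet sent from behind the PIX."""
    if not pix_would_encrypt(src, dst, crypto_acl):
        return "sent in clear"            # PIX never puts it in the tunnel
    if cp_expects_decrypted(src, dst, peer, local):
        return "ok"
    return "policy says connection should not be decrypted"


def uncovered_sources(crypto_acl, peer: List[Net]) -> List[Net]:
    """Crypto ACL source networks that the Check Point's peer VPN domain
    does not fully cover: traffic from these hosts triggers the error."""
    return [s for s, _ in crypto_acl if not any(s.subnet_of(p) for p in peer)]


if __name__ == "__main__":
    for src in ("10.1.1.5", "10.1.2.5", "172.16.0.1"):
        print(src, "->", diagnose(src, "192.168.5.10", CRYPTO_ACL, PEER_DOMAIN, LOCAL_DOMAIN))
    print("peer domain does not cover:", uncovered_sources(CRYPTO_ACL, PEER_DOMAIN))
```

Run it to see that 10.1.1.5 passes while 10.1.2.5 (inside the PIX's crypto ACL but outside the Check Point's peer domain) reproduces the symptom; the fix is to make both sides' definitions match.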
