Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Can phase 2 proxy-id be modified on SonicWall VPN's?

from [Neal Stroh] Network Security [Permanent Link]
Subject: Can phase 2 proxy-id be modified on SonicWall VPN's?
Date: Tue, 29 Aug 2006 10:38:45 -0500 
All,

I've ran into a roadblock that I've never come across before on a VPN
between a Netscreen and a SonicWall.  I have 2 different protected networks
behind the Netscreen that the SonicWall net needs access to across the
tunnel.

 

Here are the facts..

-The network behind the SonicWall needs access to two different networks
behind the Netscreen

-Netscreen VPN is designed with route based topology

-Both protected networks behind the Netscreen are connected to different
trunked interfaces on the Netscreen

-I am using a single tunnel interface on the Netscreen, therefore NHTB is
required

 

 

Since phase 2 proxy id on the SonicWall is determined by the "access rules"
that control traffic across the tunnel, we initially get a proxy-id
mismatch.  I can modify the Netscreen to match the proxy-id that the
SonicWall is sending, but since the SonicWall needs access to two different
networks behind the Netscreen, it will try to negotiate a separate phase 2
SA for access to the second network behind the Netscreen.  Because I am
using a route based topology on the Netscreen, in theory I would only need
to build one phase 2 SA to the Sonicwall.  Since the SonicWall essentially
has two phase 2 SA's and the Netscreen only has 1, only the SA with the
corresponding proxy-id will negotiate properly and therefore the SonicWall
can only communicate with that network.

 

I then added a second phase 2 SA on the Netscreen and bound that to the
appropriate phase 1 gateway.  That worked for when we initiate traffic from
the SonicWall side, however, when we initiate traffic from the second
network behind the Netscreen, the packets get lost because the tunnel.1 NHTB
entry for the remote peer is bound to the VPN that has the proxy-id
configured for the first network.

 

 

I guess I'm not looking for suggestions on what I can try on the Netscreen
side to fix the issue as I have a couple of ideas.  My bigger question is
whether or not it is possible to manipulate the proxy-id on the SonicWall?
As stated earlier, it seems that the phase 2 proxy-id on the SonicWall is
determined by the rules that dictate access control.  We've run across
similar situations numerous times with SonicWall as well as other
Non-Netscreen vendors, and it seems that if there were a way to manipulate
the proxy-id (for example, configure the proxy-id as the public peer IP
addresses of both sides, instead of the protected networks on both sides), I
think a lot proxy-id mismatch headaches will go away.  

 

Any feedback is greatly appreciated.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Can phase 2 proxy-id be modified on SonicWall VPN's?, Neal Stroh <=
Previous by Date:  PIX 6.2(2) behaviour for traffic from lower to higher level, Amol Sapkal
Previous by Thread:  PIX 6.2(2) behaviour for traffic from lower to higher level, Amol Sapkal
Indexes:  [Date] [Thread] [Top] [All Lists]