Hi,

I'm trying to set up a 3rd party S2S VPN to a checkpoint appliance. I have a BM 3.8 server patched to SP5 on a 6.5 SP7 server. I have followed the steps outlined in Craig's latest book, although he uses a Linksys device in his example.

On the surface (as best I can tell) my configuration is correct. But when the server initiates a connection as echoed on the console, e.g.

"Call connection established for protocol IP destination VPTUNNEL@IPADDRESS"

no traffic destined for the checkpoint device ever leaves the server. If I do a stopvpn, start a TCP/IP debug, then do a startvpn, the conlog never shows any traffic to the specified checkpoint IP. The IKE console is also static. I'm testing this with filters disabled.

If I change the checkpoint slave's authentication method from Non-BM PSK to, say, BM 3.8 certificate based authentication, the server will actually attempt to connect to the checkpoint slave. A trace shows packets being sent and received, plus plenty of IKE activity is seen. But when I switch back to PSK on the checkpoint slave... nothing.

This is what I see using CSAUDIT:

- A VPN site licence has been acquired
- Started VPNIBF.NLM
- Started VPNMaster.nlm
- The trusted root container of this VPN server is TRC-VPNSERVER.context
- Server is hosting Site-To_Site Services
- Configured server certificate is ServerCert - VPNServer.context
- VPN GetRootCert: Read trusted root certs from TRC - VPNServer.context
- VPN S2S service trusted root container is TRC - VPNServer.context
- VPNGettRootCert: Read trusted root certs from TRC - VPNServer.context
- Server VPNServer added to IPSEC
- Policy:Tunnel.3rdpartyVPNRules.VPNS2SVPNServer.context has been added / modified
- Policy:Tunnel_DEFAULT_RULE.3rdPartyVPNRules.VPNS2SVPNServer.context has been added/modified
- S2S Call initiation direction is both sides
- S2S topology is mesh
- Policy: Default_Traffic_Rule.VPNRules.VPNS2SVPNServer.context has been added/modified
- VPN Member Tunnel is configured for outbound call
- Configured RIP file to indicate that the VPN tunnel is active
- VPN tunnel routed to 172.16.0.0/255.255.0.0
- VPN tunnel routed to 172.18.0.0/255.255.0.0
- Enable IP Routes
- SPX/IPX is bound to the VPN tunnel
- TCP/IP is bound to the VPN tunnel
- Server VPNServer removed from IPSEC
- Server Tunnel added to IPSEC
- VPN control is reinitializing system
- Waiting for reinitialize system to start
- Reinitialize system started to process commands
- The VPTunnel is initializing
- Configuring VPN member VPNServer
- The VPTunnel has been initialized
- Configured VPN member VPNServer
- Configured vendor member Tunnel
- Initiated an IP call to Tunnel@IPADDRESS
- The trusted root container of this VPN server is TRC - VPNServer.context
- The configured server certificate is ServerCert - VPNServer.context
- VPNGetRootCert: Read trusted root cert from TRC - VPNServer.context
- Send update cfg to 1 for type of mask = 7, typeofcfg=1
- Send update cfg to 2 for type of mask = 31, typeofcfg=1
__________________End of Log_____________________________

The last two lines of the csaudit log are always the same.

I thought it may have been an iManager issue not setting the correct values or something. I was using version 2.7. As this is not currently a production server I rebuilt it from scratch, but this time installed the standalone version of iManager 2.6SP4. I'm seeing exactly the same issue as I was before.

If anybody could possibly tell me where I'm going wrong it would be greatly appreciated.

Thanks
--
David_Parker
Hi,

David Parker wrote:
> On the surface (as best I can tell) my configuration is correct. But
> when the server initiates a connection as echoed on the console, e.g.
>
> "Call connection established for protocol IP destination
> VPTUNNEL@IPADDRESS"
>
> No traffic destined for the checkpoint device ever leaves the server.

Ignore. The callmgr message happens as soon as the server is ready to make the connection. It unfortunately has absolutely nothing to do with the server actually *actively making* the connection in reality, let alone it having been successful.

> If I do a stopvpn, start a TCP/IP debug, then do a startvpn. The conlog
> never shows any traffic to the specified checkpoint IP.

Right. Traffic to the destination, along with connection setup, only happens when there actually *is* traffic that according to the routing table has to be routed to the destination behind the VPN, like e.g. a PING to one of the remote protected networks. Simply starting the VPN does *NOT* establish the connection.

> The IKE console is also static.

And that's the most important information you need to look at if the connection ever attempts to establish. It is also echoed into ike.log under sys:\etc\ike.

> I'm testing this with filters disabled.
>
> If I change the checkpoint slave's authentication method from Non-BM PSK
> to say BM 3.8 certificate based authentication. The server will actually
> attempt to connect to the checkpoint slave. A trace shows packets being
> sent and received plus plenty of IKE activity is seen.

Well, this all really sounds pretty clear. You do not have any third party traffic rule that defines what traffic needs to be encrypted to your destination, *or* you never produce any traffic that matches that rule, so that the VPN connection would even attempt to establish.

CU,
--
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de
Thanks for the quick reply. Just to clarify a couple of the points you raised.

I have tried sending traffic to the other side just by using ping, but they are not replied to.

My colleague on the slave end tells me they never logged any negotiation attempts. I'm wondering if my 3rd party rule is set correctly. It's currently defined as:

- 3rd Party Server Configuration
  172.16.0.0

--
David_Parker
------------------------------------------------------------------------
David_Parker's Profile: http://forums.novell.com/member.php?userid=14423
View this thread: http://forums.novell.com/showthread.php?t=414400
Sorry, hit send before finishing.

Thanks for the quick reply. Just to clarify a couple of the points you raised.

I have tried sending traffic to the other side just by using ping, but they are not replied to.

My colleague on the slave end tells me they never logged any negotiation attempts. I'm wondering if my 3rd party rule is set correctly. It's currently defined as:

- 3rd Party Server Configuration
  3rd party gateway address XX.XX.XX.113
  172.16.0.0 255.255.0.0
  172.18.0.0 255.255.0.0
- NBM Protected Network
  192.168.196.0
- Define Action
  Encrypt
  Key life time 120
  Encryption 3DES
  Auth HMAC-SHA1

This is the only rule I have. After this comes the default deny rule on the same source IP address as the 3rd party checkpoint device.

--
David_Parker
Hi,

David Parker wrote:
> Thanks for the quick reply. Just to clarify a couple of the points you
> raised.
> I have tried sending traffic to the other side just by using ping but
> they are not replied to.
>
> My colleague on the slave end tells me they never logged any negotiation
> attempts. I'm wondering if my 3rd party rule is set correctly.

Very obviously it isn't.

> It's currently defined as:

The server configuration isn't the key. As I said in my previous message, the important piece is the third party traffic rule. It sounds like this is either missing entirely or not set up properly.

CU,
--
Massimo Rosen
Thanks for the reply.

I think my third party traffic rules look ok. I realised after your first reply that the connection wouldn't be initiated unless you try to push some traffic to the other side. (I'm learning.)

So now I'm seeing IKE logging when attempting to send data. The response I now have in CSAUDIT is No_Proposal_Chosen. The early IKE phase appears to fail. IKE logs the following:

30-6-2010 11:29:11 am Start IPSEC SA 99A96120 - Initiator****totSA=1
30-6-2010 11:29:11 am src from IPsec
30-6-2010 11:29:11 am 10020000 D2D791AA
30-6-2010 11:29:11 am dst from IPsec
30-6-2010 11:29:11 am 10020000 48A69771
30-6-2010 11:29:11 am Start IKE-SA 9CD1B100 - Initiator,src=IPADDRESS,dst=IPADDRESS,TotSA=1
30-6-2010 11:29:11 am AUTH ALG IS 3
30-6-2010 11:29:11 am ***Send Main Mode message to IPADDRESS
30-6-2010 11:29:11 am I-COOKIE=D8A2CE97EB7A0CBF,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=-1636983284
30-6-2010 11:29:12 am ***Receive Unacknowledge Informational message from IPADDRESS
30-6-2010 11:29:12 am I-COOKIE=D8A2CE97EB7A0CBF,R-COOKIE=0000000000000000,MsgID=3ED92E52,1stPL=NOTIFY-PAYLOAD,state=-1636983120
30-6-2010 11:29:12 am Recieved notify message type 14 from IPADDRESS
30-6-2010 11:29:12 am Notify Recvd :Packet could have corrupted on the way ,retransmit to IPADDRESS
30-6-2010 11:29:12 am ***Send Main Mode message to IPADDRESS
30-6-2010 11:29:12 am I-COOKIE=D8A2CE97EB7A0CBF,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=-1636983284

------------------This is my 3rd party rule---------------------

- 3rd Party Server Configuration
  3rd party gateway address XXX.XXX.XXX.XXX
  172.16.0.0 255.255.0.0
  172.18.0.0 255.255.0.0
- NBM Protected Network
  192.168.196.0
- Define Action
  Encrypt
  Key life time 60
  Encryption 3DES
  Auth HMAC-SHA1

-------------This is the checkpoint configuration--------------------

IP compress: disabled
IKE (phase 1) encryption: 3DES
IKE (phase 1) data integrity: SHA1
IKE (phase 1): DH Group 2 (1024 bit), renegotiate every 1440 minutes
IKE (phase 1): aggressive mode disabled
IPsec (phase 2) encryption: 3DES
IPsec (phase 2) data integrity: SHA1
IPsec (phase 2): PFS enabled
IPsec (phase 2): renegotiate SA every 3600 seconds
One VPN tunnel per subnet pair (IPsec standard)

Any suggestions would be greatly appreciated.

--
David_Parker
Hi,

David Parker wrote:
> The response I now have in CSAUDIT is No_Proposal_Chosen. The early IKE
> phase appears to fail.
>
> IKE logs the following:

Is that log everything it produces, or just a snippet?

At any rate, at this point the usual ipsec "fun" begins. That is making perfectly sure the configuration on both ends is identical, otherwise it will not establish. The most crucial pieces are:

1. PSK (of course, but I can't count how often it actually *was* a typo in the PSK).
2. Encryption parameters (yours seem ok).
3. Key lifetimes (renegotiation).
4. IP addresses, especially encrypted (routed) networks.

Oh, you may want to look at the checkpoint logs too. It may provide some additional insight into what it thinks is wrong (as that's the one denying the connection).

CU,
--
Massimo Rosen
In article <David_Parker.4dcjrd@no-mx.forums.novell.com>, David Parker wrote:
> 30-6-2010 11:29:12 am ***Receive Unacknowledge Informational message

This is the key - it means the other side is rejecting your traffic and telling the sender. Something is not matching on the other side. The traffic rules need to match.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on BorderManager, go to http://www.craigjconsulting.com ***
Hello there,

I am actually still working on this issue off and on with a colleague at the Checkpoint end of the implementation. We still have issues getting our S2S connection working using Pre Shared Key.

After examining negotiation logs on the checkpoint end it would appear that the BM server is proposing "RSA Signature" as the authentication method instead of shared secret. I have reviewed my configuration many times and made the following observations.

- VPN Master
  Pre shared Secret option is ticked and secret defined
  Perfect Forward Secrecy ticked
  Server Certificate field is populated with the ServCert - Servername certificate
  Trusted Root Container certificate defined
  All network settings are correct
- Site To Site member list
  - Master Server
    Member Version 3.9
    Pre-shared key selected
    Certificate 'Issuer' field populated
  - Slave
    Member version 'Non-BM'
    Preferred Authentication Method 'Pre-Shared Key'
    PSS Key entered and confirmed
    Certificate 'Issuer' field populated

Because the Checkpoint believes BM is to use certificate based negotiation, I removed all certificates in the VPN master and slave certificate fields. I can successfully save this configuration in iManager. However, when I attempt stop/startvpn at the console with this configuration in place, bcallsrv never establishes a connection attempt when you attempt to send some traffic over. If I put these certificates back in it does, but once again the checkpoint slave believes I'm using certs instead of PSK.

Does anyone have any suggestions as to why PSK wouldn't be forced over certificates? Should I still be able to establish a connection using PSK if certificates are removed from the configuration?

Many thanks for any suggestions.

--
David_Parker
Hi,

David Parker wrote:
> - Slave
>   Member version 'Non-BM'
>   Preferred Authentication Method 'Pre-Shared Key'
>   PSS Key entered and confirmed
>   Certificate 'Issuer' field populated

The last is incorrect. The Certificate field should be empty in the slave config when you use PSK.

> Because the Checkpoint believes BM is to use certificate based
> negotiation I removed all certificates in the VPN master and slave
> certificate fields.

You can't and don't need to remove the cert config from your Master.

CU,
--
Massimo Rosen
Hi Massimo,

I'm at a complete loss. On paper it looks ok. When I made the change you suggested, callmgr deletes the connection and CSAudit suggests the slave configuration is wrong as per TID10091045.

This is my configuration:

When you click on Site To Site Configuration in iManager it lists:
- VPNServerName (master)
- 3rd Party Client (Slave)

Select VPNServerName -----> Defined Fields:
  Member version = 3.9
  Preferred Authentication Method = Pre-shared Key
  Certificate: Issuer = MasterTRO.TRC-VPNServername.context
  Subject Name = O=TREE.CN=vpnserver.domainname
  No other fields defined except correct IP address config

Select 3rd PartySlave -----> Defined Fields:
  Member Version = Non-BM
  Preferred Authentication Method = Pre-shared Key
  PSS Key = same as main VPN server config page
  No other fields like certificates etc. populated, just correct IP address config

3rd Party Traffic Rules: listed on this page are two rules.

  source                destination   action   status
  1. My 3rd Party Rule           3rd party public ip   specified list   Encrypt   Active
  2. My 3rd Party_Default_Rule   3rd party public ip   any host         Deny      Active

Contents of My 3rd Party Rule:
- 3rd party server configuration
  3rd party server gateway address = XX:XXX:XXX:XXX
  Rule Applies to = Only Use IP List
  3rd Party server protected network list
    172.18.0.0
    172.16.0.0
- NBM Server Protected Network List
  Rule Applies to = Only Use IP List
  192.168.196.0
- Define Action
  Encrypt = Active
  Key Life Time 60mins (checkpoint slave value)
  Encryption: 3DES
  Authentication: HMAC-SHA1

With the above values in the member list above, VPN services start ok but no call destination gets defined, hence when trying to put some traffic across the VPN the IKE monitor does nothing. CSAudit, as per the above listed TID, would lead you to believe the slave is configured incorrectly with the wrong certificate name when in fact it is configured for PSS. The checkpoint firewall also believes negotiation attempts are cert based instead of PSS.

The server is a fully patched 6.5 / 3.8.

I have tried everything I can think of and I'm just going round in circles with it now. I'm starting to wonder if this scenario really needs 3.9 to work?

Thanks,
David
--
David_Parker
I'm wondering now if this could be an issue with iManager not setting values correctly. I'm using 2.6.0 but I need to check the version of the BM npm's. Could this be a possibility?

Thanks
--
David_Parker
Hi,

David Parker wrote:
> I'm wondering now if this could be an issue with iManager not setting
> values correctly. I'm using 2.6.0 but
> I need to check the version of the BM npm's. Could this be a possibility?

That's entirely possible, especially when your BM snapins are as outdated as your core iManager.

Other than that, your descriptions confuse the hell out of me. You seem to be mixing up the VPN Server configuration and the VPN S2S Config. That's two entirely different things, and you only ever need to touch the latter when setting up a 3rd party server. But you may have inadvertently broken your BM Server config now, and may have to redo it.

CU,
--
Massimo Rosen
I took your advice and started again from scratch. This is a lab setup. In fact I found a nice appnote with similarities to what I am trying to achieve.

First I deleted my VPN config, upgraded from SP7 to SP8 which gave me iManager 2.7.2, and added the latest BM VPN plugin. Then I decided to follow this appnote just to see what IKE would do. Obviously I used my public and private addresses in place of those in the appnote.

I then did a stop/startvpn. No entry was added to callmgr, so I did nothing. The IKE Logging screen just showed its default "Read Trusted Root Cert etc" and never showed any activity. I would have thought it would have at least attempted a connection to the fictitious public IP address in the appnote. So it would appear that this configuration behaves exactly the same as mine, even after following it exactly.

The bottom line of my problem is that when I use PSS on my 3rd party slave two things occur:
1. Callmgr does not get an entry to represent the connection to the slave's IP
2. IKE does nothing when you try to ping a host on the other side

But... if I leave the 3rd party slave as Non-BM and change the auth method to certificate and issue the cert etc., when I restart the VPN services a connection attempt is made to the fictitious IP in the appnote, which obviously.

So why is it that when certs are used callmgr and IKE start functioning, but under PSS they don't?

Here's the appnote... thanks

'Setting Up an IPSec VPN Tunnel between Nortel and an NBM 3.8.4 Server | Novell User Communities' (http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=http--wwwnovellcom-communities-node-3212-setting-ipsec-vpn-tunnel-between-nortel-and-nbm-384-server&sliceId=&docTypeID=DT_ARTICLES_TIPS_1_1&dialogID=183768104&stateId=0)

--
David_Parker
Hi,

David Parker wrote:
> I then did a stop/startvpn.
>
> No entry was added to callmgr

That's a problem. It should definitely add one.

> so I did nothing
> The IKE Logging screen just showed its default "Read Trusted Root Cert
> etc" and never showed any activity
>
> I would have thought it would have at least attempted a connection to
> the fictitious public ip address

Only when it detects traffic designated to the remote encrypted networks. But as long as there's no entry in callmgr for the remote side, nothing will happen, that's totally necessary.

Quite frankly, at this point I'm a bit stumped why it wouldn't create the 3rd party tunnel properly.

CU,
--
Massimo Rosen