It's not actually a catch - it's part of the IKE RFCs. Check
http://www.ietf.org/rfc/rfc2409.txt. Aggressive mode is listed as a SHOULD
implement, but most vendors seem to support it, not just Checkpoint
(including Cisco).
Cheers
Stu
> -----Original Message-----
> From: Damien @ HammerheadTech.net [mailto:damien (at) hammerheadtech (dot) net [email concealed]]
> Sent: Tuesday, 22 April 2003 8:56 a.m.
> To: 'Pasikowski, Gary'; 'Mark Fagan'; 'Security Focus Forum';
> focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: interoperability of VPN checkpoint FW1 to ISA
>
>
> Mark,
>
> So long as all ends are matching on their encryption
> configuration, like Gary said, things should be fine.
> However, CheckPoint has one little "catch" to be aware of.
> They have a setting on their systems for "aggressive"
> negotiation of the VPN connection. Basically this tries to
> get the communication kicked off in half as many packets as
> your "industry standard" 6 packet handshake. So depending on
> whether or not the tunnel is made from ISA to CheckPoint or
> CheckPoint to ISA, you could see a failure in the communications.
>
> We saw something similar where a tunnel was made from a Cisco
> VPN device to a CheckPoint device. When the tunnel would
> drop before the scheduled re-negotiation the CheckPoint
> device would try its "aggressive" mode and the reconnect
> would fail until the Cisco device eventually got around to
> its scheduled re-negotiation. Turning off the "aggressive"
> mode (which is really only designed for CP to CP tunnels)
> resolved that.
>
> The same thing could very well happen when going from CP to ISA.
>
> My 2c worth.
>
> Damien
>
>
-----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hands-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 feature 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
------------------------------------------------------------------------------
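The two exchange types the thread is arguing about, modelled as an added example that is not code from either poster. It assumes pre-shared-key authentication, HMAC-SHA1 as the prf, a toy Diffie-Hellman group, and constructed cookies, nonces and SA proposal bytes. It shows the interoperability point (an initiator that opens with aggressive mode against a responder configured only for main mode gets no answer, since RFC 2409 fixes the exchange type in the first message) and the caveat a practitioner should weigh before leaving aggressive mode on with a PSK: HASH_R is sent in message 2 before any keying material protects it, so a passive observer can test PSK guesses offline against the capture, which main mode does not allow because HASH_I and HASH_R travel encrypted in messages 5 and 6.

```python
"""Toy model of IKEv1 Phase 1 (RFC 2409) with pre-shared keys: main mode
(6 messages) versus aggressive mode (3 messages).  Added example, not code
from the thread.  DH group, cookies, nonces and SA proposal bytes are
constructed toy values; the prf is assumed to be HMAC-SHA1."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

P, G = 2 ** 127 - 1, 5                   # toy DH group, not a real IKE MODP group
SA_PROPOSAL = b"3DES-SHA1-PSK-MODP1024"  # constructed stand-in for the SA payload bytes


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")


@dataclass
class Peer:
    name: str                            # also used as the ID payload
    psk: bytes
    modes: set                           # exchange types this gateway is configured to run
    cookie: bytes = field(default_factory=lambda: os.urandom(8))
    nonce: bytes = field(default_factory=lambda: os.urandom(16))
    x: int = field(default_factory=lambda: 2 + int.from_bytes(os.urandom(15), "big"))

    @property
    def gx(self) -> int:
        return pow(G, self.x, P)


def phase1_hash(psk, gx_self, gx_peer, cky_self, cky_peer, ni, nr, id_self):
    """RFC 2409 s.5: SKEYID = prf(psk, Ni_b|Nr_b);
    HASH = prf(SKEYID, g^x_self|g^x_peer|CKY_self|CKY_peer|SAi_b|ID_self)."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, i2b(gx_self) + i2b(gx_peer) + cky_self + cky_peer
               + SA_PROPOSAL + id_self.encode())


def phase1(i: Peer, r: Peer, mode: str):
    """Run Phase 1 as `mode`; returns (established, messages) with each
    message as (sender, payloads, encrypted)."""
    if mode not in i.modes:
        raise ValueError(f"{i.name} is not configured for {mode} mode")
    first = {"exchange": mode, "CKY-I": i.cookie, "SA": SA_PROPOSAL}
    if mode not in r.modes:
        # The exchange type is set by the initiator's first message and is not
        # renegotiable, so a responder that does not run it never answers.
        return False, [(i.name, first, False)]
    h_i = phase1_hash(i.psk, i.gx, r.gx, i.cookie, r.cookie, i.nonce, r.nonce, i.name)
    h_r = phase1_hash(r.psk, r.gx, i.gx, r.cookie, i.cookie, i.nonce, r.nonce, r.name)
    if mode == "main":
        msgs = [
            (i.name, first, False),
            (r.name, {"CKY-R": r.cookie, "SA": SA_PROPOSAL}, False),
            (i.name, {"KE_i": i.gx, "Ni": i.nonce}, False),
            (r.name, {"KE_r": r.gx, "Nr": r.nonce}, False),
            (i.name, {"IDii": i.name, "HASH_I": h_i}, True),   # encrypted under SKEYID_e
            (r.name, {"IDir": r.name, "HASH_R": h_r}, True),
        ]
    else:  # aggressive: identities and HASH_R go out before any key protects them
        msgs = [
            (i.name, {**first, "KE_i": i.gx, "Ni": i.nonce, "IDii": i.name}, False),
            (r.name, {"CKY-R": r.cookie, "SA": SA_PROPOSAL, "KE_r": r.gx, "Nr": r.nonce,
                      "IDir": r.name, "HASH_R": h_r}, False),
            (i.name, {"HASH_I": h_i}, False),
        ]
    # Each side accepts the peer's hash only if it matches the value computed
    # with its own PSK, so mismatched keys fail here in either mode.
    ok_r = hmac.compare_digest(h_i, phase1_hash(r.psk, i.gx, r.gx, i.cookie, r.cookie, i.nonce, r.nonce, i.name))
    ok_i = hmac.compare_digest(h_r, phase1_hash(i.psk, r.gx, i.gx, r.cookie, i.cookie, i.nonce, r.nonce, r.name))
    return ok_r and ok_i, msgs


def sniff(msgs):
    """Everything a passive observer on the path can read: unencrypted payloads only."""
    seen = {}
    for _sender, payloads, encrypted in msgs:
        if not encrypted:
            seen.update(payloads)
    return seen


def offline_psk_guess(seen, wordlist):
    """Test candidate PSKs against a captured HASH_R.  Needs HASH_R, IDir, both
    nonces, both KE values and both cookies in the clear (aggressive mode);
    returns None when the capture lacks any of them (main mode)."""
    needed = ("HASH_R", "IDir", "Ni", "Nr", "KE_i", "KE_r", "CKY-I", "CKY-R")
    if any(k not in seen for k in needed):
        return None
    for guess in wordlist:
        h = phase1_hash(guess, seen["KE_r"], seen["KE_i"], seen["CKY-R"], seen["CKY-I"],
                        seen["Ni"], seen["Nr"], seen["IDir"])
        if hmac.compare_digest(h, seen["HASH_R"]):
            return guess
    return None


if __name__ == "__main__":
    cp = Peer("fw1.example.net", b"correct horse battery", {"main", "aggressive"})
    isa = Peer("isa.example.net", b"correct horse battery", {"main"})
    for mode in ("main", "aggressive"):
        ok, msgs = phase1(cp, isa, mode)
        print(f"CP->ISA {mode:10s} established={ok!s:5s} packets={len(msgs)}")
    cp2 = Peer("fw1-b.example.net", b"correct horse battery", {"main", "aggressive"})
    ok, msgs = phase1(cp, cp2, "aggressive")
    guess = offline_psk_guess(sniff(msgs), [b"password", b"correct horse battery"])  # constructed wordlist
    print(f"CP->CP aggressive established={ok}, PSK recovered from capture: {guess!r}")
```

The mismatch case returns a single unanswered packet, which is what the reconnect failure in Damien's Cisco-to-CheckPoint story looks like on the wire. The offline check against the aggressive-mode capture is the same computation a tool such as ike-scan's psk-crack performs on a real trace; in the main-mode run it returns None because HASH_R and IDir never appear unencrypted.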