RE: how IKE works in case of Checkpoint Firewall

From: DABDELMOat_private
Date: Mon Jun 25 2001 - 08:29:37 PDT


    I guess I had another problem last time I tested that, because in fact it does
    not necessarily use DH group 2. It can also use group 1. The decision about
    the DH group is probably made following the proposals of the IKE peer. If
    there is a compatible IKE proposal made with DH group 1 then group 1 is
    used, if it is with group 2 then this is group 2. At least it seems to
    behave this way.
    
    David
    
    > -----Original Message-----
    > From:	NET2S - ABDELMOULAH, David 
    > Date:	Monday 25 June 2001 15:37
    > To:	pen-testat_private
    > Subject:	RE: how IKE works in case of Checkpoint Firewall
    > 
    > IKE in VPN-1 takes place the normal way (the proof is that it can work
    > with other implementations ;)). The first phase is classical, the goal is
    > to build the ISAKMP SA using DH, and a preshared key or a certificate for
    > authentication. The second phase builds the 2 SAs needed for the data
    > exchange. What can be confusing is that you can not configure DH on VPN-1,
    > you just have to know that it is group 2 (1024 bits), and it can not be
    > changed (not from what I know at least). Though DH can not be configured,
    > you can at least activate PFS, which is of course PFS group 2.
    > Regards
    > 
    > David
    > 
    > > -----Original Message-----
    > > From:	priya subramanian [SMTP:pentestingat_private]
    > > Date:	Monday 25 June 2001 07:03
    > > To:	pen-testat_private
    > > Subject:	how IKE works in case of Checkpoint Firewall
    > > 
    > > In my understanding IKE involves two phases wherein the
    > > DH keys and the CA keys are exchanged and a secret key
    > > is derived for encryption.
    > > 
    > > But when configuring IKE VPN in a Checkpoint firewall
    > > we do exchange any DH keys.. only a preshared secret
    > > is directly given. This is really confusing.
    > > 
    > > Could anyone elaborate on how exactly IKE encryption
    > > works with Firewall-1
    > > 
    > > Regards
    > > Priya
    > > 
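The proposal-driven choice of DH group discussed in this thread, as an added example that is not part of the original messages and is not Check Point code: a generic IKEv1 responder-side selection over phase 1 transform attributes, using the attribute encoding of RFC 2408 and the Group Description values of RFC 2409. The function names, the policy sets and the sample offer are assumptions made for illustration.

```python
import struct

# IKEv1 phase 1 attribute class 4 = Group Description (RFC 2409, Appendix A)
GROUP_DESCRIPTION = 4
DH_GROUPS = {1: "MODP-768", 2: "MODP-1024"}

def parse_attributes(data: bytes) -> dict:
    """Parse ISAKMP data attributes (RFC 2408, section 3.3) into {type: value}."""
    attrs, off = {}, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        af_type, field = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & 0x8000:      # AF=1: short form, field holds the value
            value = field
        else:                     # AF=0: long form, field holds the length
            if len(data) - off < field:
                raise ValueError("truncated attribute value")
            value = int.from_bytes(data[off:off + field], "big")
            off += field
        attrs[af_type & 0x7FFF] = value
    return attrs

def select_transform(offered, acceptable_groups):
    """Return (index, group name) of the first offered transform whose DH group
    is allowed by local policy, or None if no transform is compatible."""
    for i, raw in enumerate(offered):
        group = parse_attributes(raw).get(GROUP_DESCRIPTION)
        if group in acceptable_groups:
            return i, DH_GROUPS.get(group, f"group {group}")
    return None

def tv(attr_type: int, value: int) -> bytes:
    """Encode a short-form (type/value) attribute."""
    return struct.pack("!HH", 0x8000 | attr_type, value)

# Constructed sample offer: 3DES (1=5), SHA (2=2), pre-shared key (3=1),
# first with group 1, then with group 2 plus a long-form life duration (12).
LIFETIME = struct.pack("!HH", 12, 4) + (28800).to_bytes(4, "big")
OFFER = [tv(1, 5) + tv(2, 2) + tv(3, 1) + tv(4, 1),
         tv(1, 5) + tv(2, 2) + tv(3, 1) + tv(4, 2) + tv(11, 1) + LIFETIME]

if __name__ == "__main__":
    print(select_transform(OFFER, {1, 2}))  # policy accepting both groups
    print(select_transform(OFFER, {2}))     # policy refusing 768-bit group 1
```

With a policy that accepts both groups, the outcome depends only on what the peer proposes first, so restricting the acceptable set is what keeps the 768-bit group out of use.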
    



    This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 12:26:00 PDT