[vpn] Problems with Ipsec over sonicwall and checkpoint

Christopher Gripp cgripp at axcelerant.com
Tue Dec 18 21:21:15 EST 2001

If you want a tunnel to stay up forever use static keys and not IKE.
Most tunnel issues I have seen are caused by IKE timing out and one end
not realizing the SA is no longer valid.

-----Original Message-----
From: Ryan Malayter [mailto:rmalayter at bai.org]
Sent: Tuesday, December 18, 2001 4:01 PM
To: 'vpn at securityfocus.com'
Cc: 'Dante Mercurio'
Subject: RE: [vpn] Problems with Ipsec over sonicwall and checkpoint

From: Dante Mercurio [mailto:dmercurio at ccgsecurity.com] 
>Though it doesn't appear to be a timeout issue, I have 
>seen random problems appear between unlike hardware 
>when their timeouts are set separately. In these situations, 
>I have found that it is best to allow one side to initiate 
>the renegotiation, and set the other side never to timeout.

Thanks for the insight. Unfortunately, that's how our setup is already
configured. The Checkpoint keeps the tunnel alive forever, and the
Sonicwall does renegotiation every 24 hours. (The Sonicwall can't even
be set to keep the tunnel up forever - 29 days is the max. So I can't
test it the other way. Argh!)

I've been reading all over the net about various
*sonicwall-to-sonicwall* VPNs going down randomly. If Sonicwall can't
even get that right, I think I'm in deep doodoo using that box.

:::Ryan Malayter, MCSE
:::Bank Administration Institute
:::Chicago, Illinois, USA
"To call something public is to define it as dirty, insufficient and
hazardous. The ultimate paradigm of social spending is the public rest
    -P.J. O'Rourke


VPN is sponsored by SecurityFocus.com
