VPN Phase 1 fails – Checkpoint to Cisco – Update
May 22nd, 2009 by devnull | Filed under Uncategorized.

A while back I wrote a post about a problem setting up a VPN tunnel between a Cisco router and a Checkpoint firewall.
When I tried to open the tunnel, the following error showed up in the log files:
“Duplicate Phase 1 packet detected. Retransmitting last packet.”
Back then I didn't have the time to research the problem, so I still owe you an explanation:
By default, main mode is selected for phase 1 IKE in the Checkpoint configuration. The router I was trying to connect with was configured with aggressive mode.
So what was the problem?
The two modes operate differently:
Main mode uses six packets in IKE phase 1; aggressive mode uses only three.
In aggressive mode the identity payloads are sent in clear text, so anyone on the path can sniff the identity traffic. Main mode first sets up the encrypted channel and only then sends the identity payloads.
While aggressive mode is faster, as it requires fewer resources, main mode is considered more secure.
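As an added example (not from the original post), here is a small Python decoder for the fixed ISAKMP header and the unencrypted payload chain of an IKEv1 phase 1 message; it flags the two points made above, a main/aggressive mismatch against the locally configured mode and an identification payload travelling in the clear. The sample datagrams are constructed inline, not captured traffic.

```python
import struct
# ISAKMP constants (RFC 2408): exchange types and payload types used below
EXCHANGE = {2: "main", 4: "aggressive", 5: "informational"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 10: "NONCE"}
FLAG_ENCRYPTED = 0x01
HDR = struct.Struct("!8s8sBBBBII")      # 28-byte fixed ISAKMP header
GEN = struct.Struct("!BBH")              # generic payload header: next, reserved, length

def parse_ike_phase1(pkt: bytes) -> dict:
    """Decode the ISAKMP header and, when unencrypted, the chain of payload types."""
    if len(pkt) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, nxt, ver, xtype, flags, msg_id, length = HDR.unpack_from(pkt)
    info = {"exchange": EXCHANGE.get(xtype, f"unknown({xtype})"),
            "encrypted": bool(flags & FLAG_ENCRYPTED), "payloads": []}
    off = HDR.size
    while nxt and not info["encrypted"] and off + GEN.size <= len(pkt):
        nxt_next, _, plen = GEN.unpack_from(pkt, off)
        if plen < GEN.size or off + plen > len(pkt):
            raise ValueError("bad payload length")
        info["payloads"].append(PAYLOAD.get(nxt, f"type{nxt}"))
        nxt, off = nxt_next, off + plen
    return info

def audit_phase1(pkt: bytes, local_mode: str) -> list[str]:
    """Defender-side checks: peer mode against our policy, identity sent in the clear."""
    info = parse_ike_phase1(pkt)
    findings = []
    if info["exchange"] in ("main", "aggressive") and info["exchange"] != local_mode:
        findings.append(f"mode mismatch: peer={info['exchange']} local={local_mode}")
    if "ID" in info["payloads"] and not info["encrypted"]:
        findings.append("identity payload sent unencrypted")
    return findings

def build_packet(xtype: int, payload_types: list[int], flags: int = 0) -> bytes:
    """Build a constructed (not captured) phase 1 datagram with 4-byte dummy payload bodies."""
    body = b""
    for i, pt in enumerate(payload_types):
        nxt = payload_types[i + 1] if i + 1 < len(payload_types) else 0
        body += GEN.pack(nxt, 0, GEN.size + 4) + b"\x00" * 4
    first = payload_types[0] if payload_types else 0
    hdr = HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, xtype, flags, 0, HDR.size + len(body))
    return hdr + body

# Constructed samples: aggressive-mode message 1 (SA, KE, NONCE, ID in clear) vs main-mode message 1 (SA only)
AGGRESSIVE_MSG1 = build_packet(4, [1, 4, 10, 5])
MAIN_MSG1 = build_packet(2, [1])

if __name__ == "__main__":   # the Checkpoint side of the post is configured for main mode
    print(audit_phase1(AGGRESSIVE_MSG1, "main"), audit_phase1(MAIN_MSG1, "main"))
```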