RE: [FW1] VPNs on CP2000 SP1 not working ...
Some brainstorming...

1. Make sure the following are checked under Policy -> Properties, to view all encryption-related logs/events:
   - "Log Implied Rules" (Security Policy tab).
   - "Log IKE Negotiations" (Log and Alert tab).
   - "Log encryption kernel events" (Log and Alert tab).

2. Make sure your time/date/time zone settings are correct on each firewall module.

3. If you are using "pre-shared secrets" make sure they are set properly.
   - Sometimes the file fwauth.NDB gets corrupted. (fwstop on both firewalls, rename $FWDIR/database/fwauth.NDB to something else, fwstart, reset the "pre-shared secrets" under the IKE tab.)

4. If you have "Accept VPN-1/FireWall-1 Control Connections" turned off, then allow the following between the firewalls:
   - IKE (UDP:500)
   - depending on your encryption rule settings: ESP (IP type 50), AH (IP type 51)
   [..don't forget about routers in front doing ACLs...]

5. Verify you have enabled the encryption algorithms you want to use on both firewall objects (under the VPN -> IKE properties tab).

6. Verify you have set the encryption rule's Encrypt "properties" tab properly on both ends.

... sounds like your problem may be #3 ...

Let us know of any errors etc...

Amin Tora, CISSP
ePlus Technology
http://www.eplus.com
NASDAQ: PLUS

-----Original Message-----
From: #Checkpoint [mailto:[email protected]]
Sent: Wednesday, March 28, 2001 12:01 PM
To: '[email protected]'
Subject: [FW1] VPNs on CP2000 SP1 not working ...

Hello all,

I'm despairing with a VPN building project between two VPN-1 implementations. Everything seems to be configured properly, but apart from the key exchange (IKE) and encryption on the sending side, nothing more happens. The decrypt is not done (no firewall logging); however, a sniffer analysis within the arriving internet segment BEFORE the target firewall provides several frames of IPSEC traffic. Is there anyone who has an idea?

My systems (on both sides): NT server 4.0 SP5 (target system), NT server 4.0 SP6 (source system), both operating CP2000 SP 1.
HELP!

Best regards,

Gerd Lienemann
CATS-Team Central Europe & Nordic
IS Communication
Pilkington Deutschland AG
Haydnstr. 19
D-45884 Gelsenkirchen
Tel (+49)
Fax (+49)

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
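Item 4 of Amin's checklist (allow IKE on UDP 500, plus ESP and/or AH, between the two gateways, and remember router ACLs in front) can be turned into a quick rulebase pre-flight check. The script below is an added example and is not code from the thread or from Check Point: it models a first-match rulebase in a simplified, constructed format with constructed gateway addresses, and reports which of the required IPsec flows would be dropped. The rule format, the `Rule` class and the gateway addresses are assumptions made for this example.

```python
"""Rulebase pre-flight check for a site-to-site IPsec VPN (added example).

Models a first-match rulebase (accept/drop, implicit drop at the end) and
lists the IKE/ESP/AH flows between two gateways that would be dropped.
The rule format and addresses are constructed for this example; they are
not Check Point's rulebase format.
"""
from dataclasses import dataclass
from typing import Optional

UDP_PROTO = 17
IKE_UDP_PORT = 500   # IKE negotiation
ESP_PROTO = 50       # Encapsulating Security Payload
AH_PROTO = 51        # Authentication Header


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    src: str                      # IP address or "any"
    dst: str                      # IP address or "any"
    proto: Optional[int]          # IP protocol number, None = any
    dport: Optional[int] = None   # destination port (UDP/TCP), None = any


def matches(rule: Rule, src: str, dst: str, proto: int, dport: Optional[int]) -> bool:
    """True if the flow falls under this rule."""
    return ((rule.src == "any" or rule.src == src)
            and (rule.dst == "any" or rule.dst == dst)
            and (rule.proto is None or rule.proto == proto)
            and (rule.dport is None or rule.dport == dport))


def decide(rules, src: str, dst: str, proto: int, dport: Optional[int] = None) -> str:
    """First matching rule wins; anything unmatched is implicitly dropped."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "drop"


def required_flows(gw_a: str, gw_b: str, use_esp: bool = True, use_ah: bool = False):
    """Flows that must be accepted in both directions for the tunnel to work."""
    flows = []
    for s, d in ((gw_a, gw_b), (gw_b, gw_a)):
        flows.append(("IKE", s, d, UDP_PROTO, IKE_UDP_PORT))
        if use_esp:
            flows.append(("ESP", s, d, ESP_PROTO, None))
        if use_ah:
            flows.append(("AH", s, d, AH_PROTO, None))
    return flows


def missing_vpn_flows(rules, gw_a: str, gw_b: str, use_esp: bool = True, use_ah: bool = False):
    """Return (name, src, dst) for every required flow the rulebase would drop."""
    return [(name, s, d)
            for name, s, d, proto, port in required_flows(gw_a, gw_b, use_esp, use_ah)
            if decide(rules, s, d, proto, port) != "accept"]


# Constructed sample: two gateways in documentation address ranges.
GW_A = "192.0.2.1"       # source-side gateway (constructed)
GW_B = "198.51.100.1"    # target-side gateway (constructed)

# Constructed rulebase with a common mistake: IKE is accepted both ways,
# but ESP is only accepted from GW_A to GW_B, so GW_B's encrypted
# packets never reach the decrypting side. The last rule is the explicit
# clean-up drop.
BROKEN_RULES = [
    Rule("accept", GW_A, GW_B, UDP_PROTO, IKE_UDP_PORT),
    Rule("accept", GW_B, GW_A, UDP_PROTO, IKE_UDP_PORT),
    Rule("accept", GW_A, GW_B, ESP_PROTO),
    Rule("drop", "any", "any", None),
]

# Same rulebase with the missing return-direction ESP rule added.
FIXED_RULES = BROKEN_RULES[:3] + [Rule("accept", GW_B, GW_A, ESP_PROTO)] + BROKEN_RULES[3:]


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        missing = missing_vpn_flows(rules, GW_A, GW_B)
        print(f"{label}: {'OK' if not missing else 'dropped flows: ' + str(missing)}")
```

Run the same check against each device in the path (both firewalls and any router ACL in front of them), since a tunnel that negotiates IKE but never decrypts traffic is exactly what a one-directional ESP or AH permit looks like from the logs.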