
RE: [FW1] VPNs on CP2000 SP1 not working ...




Some brainstorming...

1. Make sure the following are checked under Policy -> Properties, to view
all encryption-related logs/events:

-  "Log Implied Rules" (Security Policy tab).
-  "Log IKE Negotiations" (Log and Alert tab).
-  "Log encryption kernel events" (Log and Alert tab).

2. Make sure your time/date/time zone settings are correct on each firewall
module.

3. If you are using "pre-shared secrets" make sure they are set properly.

- sometimes the file fwauth.NDB gets corrupted.

(fwstop on both firewalls, rename $FWDIR/database/fwauth.NDB to something
else, fwstart, reset the "pre-shared secrets" under the IKE tab).

4. If you have "Accept VPN-1/FireWall-1 Control Connections" turned off, then
allow the following between the firewalls:

- IKE (UDP 500)
- depending on your encryption rule settings:
	ESP (IP protocol 50)
	AH (IP protocol 51)

[..don't forget about routers in front doing ACL's...]

5. Verify you have enabled the encryption algorithms you want to use on both
firewall objects (under the VPN -> IKE properties tab).

6. Verify you have set the encryption rule's Encrypt "properties" tab
properly on both ends.

... sounds like your problem may be #3 ...

Let us know of any errors etc...


Amin Tora, CISSP
ePlus Technology
http://www.eplus.com
NASDAQ: PLUS
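
Item 4 of the checklist is about what has to cross the wire between the two
gateways: IKE on UDP 500, then ESP (IP protocol 50) and/or AH (IP protocol 51).
The script below is an added example for this thread; it is not part of the
post above and is not a Check Point tool. It takes raw IPv4 frames as a sniffer
in front of the target firewall would capture them, tells IKE, ESP and AH apart,
decodes the ISAKMP header (exchange type, encryption flag, whether the responder
cookie has been filled in) and records ESP SPIs per direction. The gateway
addresses and all frames are constructed inline so it runs offline.

```python
"""Classify captured frames between two VPN gateways as IKE / ESP / AH.

Added example for checklist item 4; not part of the original post or of any
Check Point tooling. Input is a list of raw IPv4 packets (bytes). The sample
frames and gateway addresses below are constructed for the demonstration.
"""
import struct
from ipaddress import IPv4Address

IKE_PORT = 500
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51

# ISAKMP exchange types (RFC 2408 / RFC 2409)
EXCHANGE_TYPES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}
FLAG_ENCRYPTED = 0x01  # ISAKMP flags bit 0: payloads after the header are encrypted


def parse_ipv4(pkt: bytes) -> dict:
    """Return protocol, addresses and payload of an IPv4 packet (checksum not verified)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    return {"proto": pkt[9], "src": str(IPv4Address(pkt[12:16])),
            "dst": str(IPv4Address(pkt[16:20])), "payload": pkt[ihl:total_len]}


def classify(pkt: bytes) -> dict:
    """Label one frame as IKE, ESP, AH or other, with the header fields worth reading."""
    ip = parse_ipv4(pkt)
    info = {"src": ip["src"], "dst": ip["dst"]}
    p = ip["payload"]
    if ip["proto"] == PROTO_UDP:
        sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", p, 0)
        if IKE_PORT in (sport, dport) and len(p) >= 8 + 28:
            # ISAKMP header: icookie(8) rcookie(8) next(1) ver(1) xchg(1) flags(1) msgid(4) len(4)
            _ic, rcookie, _nxt, _ver, xchg, flags, msg_id, _ln = struct.unpack_from("!8s8sBBBBII", p, 8)
            info.update(kind="IKE", exchange=EXCHANGE_TYPES.get(xchg, f"type {xchg}"),
                        encrypted=bool(flags & FLAG_ENCRYPTED),
                        responder_cookie_set=rcookie != b"\x00" * 8,  # zero only in the first message
                        msg_id=msg_id)
        else:
            info.update(kind="UDP", dport=dport)
    elif ip["proto"] == PROTO_ESP:
        spi, seq = struct.unpack_from("!II", p, 0)  # ESP header: SPI(4) sequence(4)
        info.update(kind="ESP", spi=spi, seq=seq)
    elif ip["proto"] == PROTO_AH:
        _nxt, _plen, _res, spi, seq = struct.unpack_from("!BBHII", p, 0)
        info.update(kind="AH", spi=spi, seq=seq)
    else:
        info.update(kind=f"proto {ip['proto']}")
    return info


def summarize(frames) -> dict:
    """Count frames per (src, dst, kind): shows whether IKE/ESP/AH pass in both directions."""
    seen = {}
    for f in frames:
        c = classify(f)
        key = (c["src"], c["dst"], c["kind"])
        seen[key] = seen.get(key, 0) + 1
    return seen


def esp_spis(frames) -> dict:
    """Set of ESP SPIs observed per direction, to compare with what the gateways negotiated."""
    out = {}
    for f in frames:
        c = classify(f)
        if c["kind"] == "ESP":
            out.setdefault((c["src"], c["dst"]), set()).add(c["spi"])
    return out


# --- constructed sample capture (not real traffic) -------------------------------
def build_ipv4(proto: int, payload: bytes, src: str, dst: str) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload  # header checksum left at 0: we only parse, never transmit


def build_ike(icookie: bytes, rcookie: bytes, xchg: int, flags: int, msg_id: int) -> bytes:
    body = struct.pack("!8s8sBBBBII", icookie, rcookie, 1, 0x10, xchg, flags, msg_id, 28)
    return struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + len(body), 0) + body


GW_A, GW_B = "192.0.2.1", "198.51.100.1"  # constructed documentation addresses
SAMPLE_FRAMES = [
    build_ipv4(PROTO_UDP, build_ike(b"\x11" * 8, b"\x00" * 8, 2, 0, 0), GW_A, GW_B),   # main mode, msg 1
    build_ipv4(PROTO_UDP, build_ike(b"\x11" * 8, b"\x22" * 8, 2, 0, 0), GW_B, GW_A),   # main mode, reply
    build_ipv4(PROTO_UDP, build_ike(b"\x11" * 8, b"\x22" * 8, 32, FLAG_ENCRYPTED, 0xABCD), GW_A, GW_B),
    build_ipv4(PROTO_ESP, struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16, GW_A, GW_B),
    build_ipv4(PROTO_ESP, struct.pack("!II", 0x1234ABCD, 2) + b"\x00" * 16, GW_A, GW_B),
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_FRAMES).items()):
        print(f"{key[0]} -> {key[1]}  {key[2]:4s} x{n}")
    print("ESP SPIs per direction:", esp_spis(SAMPLE_FRAMES))
```

Reading the summary against the checklist: IKE seen in both directions but ESP
only leaving one gateway points at something in the path (item 4, including
router ACLs); ESP reaching the target with nothing in its log, as in the
original report, leaves the gateway itself as the place to look, which is
where items 3, 5 and 6 apply.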



-----Original Message-----
From: #Checkpoint [mailto:[email protected]]
Sent: Wednesday, March 28, 2001 12:01 PM
To: '[email protected]'
Subject: [FW1] VPNs on CP2000 SP1 not working ...



Hello all,

I'm despairing over a VPN building project between two VPN-1
implementations. Everything seems to be configured properly, but apart from
the key exchange (IKE) and encryption on the sending side, nothing more
happens. The decrypt is not done (no firewall logging); however, a sniffer
analysis within the arriving internet segment BEFORE the target firewall
shows several frames of IPSEC traffic. Does anyone have an idea?

My systems (on both sides): NT server 4.0 SP5 (target system), NT server 4.0
SP6 (source system), both operating CP2000 SP 1.

HELP!

Best regards,

Gerd Lienemann

CATS-Team Central Europe & Nordic
IS Communication
Pilkington Deutschland AG
Haydnstr. 19
D-45884 Gelsenkirchen
Tel  (+49)
Fax  (+49)
============================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================




