
RE: [FW1] VPN going Up & Down



Per CP tech support, do not use FWZ for VPN between FW1. Use IKE only.
Here's how to set it up (remember to add NAT rules if you have both sides
NATed):

---------------------------------------------------------------

Goal: How to create an ISAKMP (IKE) VPN between two Check Point FireWalls.

Fact: FireWall-1 4.0
Fact: FireWall-1 4.1
Fact: VPN
Fact: ISAKMP
Fact: IKE

Fix: There are 6 steps to creating an ISAKMP (IKE) VPN between two Check
Point FireWalls.

1. Verify that both FireWalls are licensed for encryption.
2. On each FireWall, create a "FireWall-1 installed" object.
3. Enter the secrets in the FireWall objects' Encryption - ISAKMP (IKE)
properties.
4. Create a rule that is:
	source:		local firewall and remote firewall
	destination:	local firewall and remote firewall
	service:	ISAKMP (IKE)
	action:		accept
5. Create a rule that is:
	source:		local encryption domain and remote encryption domain
	destination:	local encryption domain and remote encryption domain
	service:	any
	action:		encrypt
6. Push the policies on both FireWalls.



***************************************************************
Goal: How to create Pre-shared secrets using an IKE VPN

Fact: Firewall-1 4.0 SP2
Fact: Windows NT 4.0 SP3
Fact: IKE
Fact: Each Firewall is its own Management station
Fact: Hide NAT

Symptom: When trying to create a pre-shared secret, no peers are listed
to install the secret on

Fix: In order to populate the "peer" pane on the pre-shared secrets
option in the properties of IKE, you need to:
	1) Create a Firewall object for each of the Firewalls on each of the Firewalls
	2) Verify that the Firewall is a part of its encryption domain
	3) On all four of the Firewall objects, select IKE
	4) Install the policy
	5) Go to Manage >> Network Object >> Firewall Object >> Encryption Tab >> IKE: Edit >> Edit Pre-shared secrets to create the secret
	6) Install the policy
	7) Add a manual address translation rule
*********************************************************
Goal: How to configure IPSec with NAT

Fact: FireWall-1 4.0 SP2
Fact: ISAKMP
Fact: SKIP
Fact: Hide NAT

Symptom: VPN between external gateways
Symptom: Both internal networks in VPN are translated

Symptom: Wants to use internal IP addresses after VPN implementation

Fix: Define the encryption domain with internal addresses and set a NAT rule
not to translate the VPN connection.
1. Define internal networks with internal (invalid) IP addresses as the encryption
domain of each firewall
2. Configure the firewall object with the ISAKMP or SKIP scheme
3. Create the encryption rule with both encryption domains in the source
and destination fields
4. Since they want to use internal IP addresses, you should not use
valid IP addresses for the encryption domain and the rule
5. Even though encryption happens prior to NAT, you need to keep NAT
from happening for the VPN connection.
This can be accomplished by adding two manual NAT rules to the top of
the NAT rulebase negating NAT between the encryption domains, as shown
(columns: Original Source, Original Destination, Original Service,
Translated Source, Translated Destination, Translated Service):

encryptA	encryptB	any	orig	orig	orig
encryptB	encryptA	any	orig	orig	orig

6. Other standard TCP/IP rules of routing apply. Thus, the two internal
networks must be on separate subnets and packets destined for the VPN
must route to the FW-1 gateway.


> -----Original Message-----
> From:	PEREZ SABATER Federico DICEI [SMTP:[email protected]]
> Sent:	Wednesday, September 13, 2000 2:18 PM
> To:	[email protected]
> Subject:	RE: [FW1] VPN going Up & Down
> 
> 
> The encryption scheme is FWZ. Thanks
> 
> Regards, Federico.
> 
> 
> -----Original Message-----
> From: Michael Hernandez [mailto:[email protected]]
> Sent: Wednesday, 13 September 2000 17:33
> To: 'John Li'; 'PEREZ SABATER Federico DICEI';
> [email protected]
> Subject: RE: [FW1] VPN going Up & Down
> 
> 
> * Mail received via the Internet. Authenticity is not guaranteed *
> 
> 
> Which encryption scheme are you using? Not the algorithm.
> 
> -----Original Message-----
> From: John Li [mailto:[email protected]]
> Sent: Wednesday, September 13, 2000 4:07 PM
> To: 'PEREZ SABATER Federico DICEI';
> [email protected]
> Subject: RE: [FW1] VPN going Up & Down
> 
> 
> 
> 
> Did you check your encryption domain? Make sure it includes all networks and
> objects behind the FW1, even the FW object itself.
> 
> > -----Original Message-----
> > From:	PEREZ SABATER Federico DICEI [SMTP:[email protected]]
> > Sent:	Wednesday, September 13, 2000 10:58 AM
> > To:	[email protected]
> > Subject:	RV: [FW1] VPN going Up & Down
> > 
> > 
> > 	Unfortunately, it is a very random problem... the time that the VPN is
> > up varies from 12 hours (max, and only once) to a few minutes. The
> > encryption scheme is DES and the keys are exchanged with 3DES. I've discarded
> > all (most of all) configuration problems, but it still goes down.
> > 
> > 	I even installed everything all over again with no better results.
> > As usual, if anyone can help, thanks; if not, thanks too.
> > 
> > Regards, Federico.
> > 
> > 
> > -----Original Message-----
> > From: Aylton Souza [mailto:[email protected]]
> > Sent: Wednesday, 13 September 2000 11:03
> > To: PEREZ SABATER Federico DICEI;
> > [email protected]
> > Subject: RE: [FW1] VPN going Up & Down
> > 
> > 
> > Hmm... Does it occur on a regular time basis? I mean, for example, every
> > 2 hours side x goes down....
> > 
> > What VPN are you setting up: FWZ, IPSEC, x?
> > 
> > Best wishes
> > 
> > Aylton
> > 
> > 
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On behalf of PEREZ
> > SABATER Federico DICEI
> > Sent: Wednesday, September 06, 2000 12:54 PM
> > To: '[email protected]'
> > Subject: [FW1] VPN going Up & Down
> > 
> > 
> > 
> > Hi!
> > 	I'm working with a VPN that goes up for a couple of hours and then
> > goes down for no apparent reason. Both FWs are Checkpoint V 4.1 SP1, but
> > one is on NT and the other on Solaris. Usually, resetting one of the FWs
> > makes the VPN go up again.
> > 	Does anyone have a clue?
> > 
> > Regards, Federico.
> > 
> > 
> > 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
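The KB excerpts above describe two ordered rulebases: the security rulebase (an IKE accept rule between the gateways, an encrypt rule between the encryption domains) and a NAT rulebase whose two "orig/orig/orig" rules must sit at the top. The following is an added example, not code from the post or from Check Point: a small first-match model of both rulebases that checks the three things the thread keeps coming back to, namely that the gateway itself sits inside its encryption domain, that the no-NAT rules only protect domain-to-domain traffic when they precede the hide rule, and that the two encryption domains do not overlap. All addresses, object names and rule layouts are constructed assumptions.

```python
"""Constructed model of the FireWall-1 rulebases described in the KB text.

Not a Check Point export: names, addresses and rule layout are assumptions
chosen for illustration.  First matching rule wins, as in a rulebase.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed topology: external gateway addresses and encryption domains.
# Each domain deliberately includes its own gateway (the check John Li asks for).
GW_A = "192.0.2.1"
GW_B = "198.51.100.1"
ENCRYPT_A = [net("10.1.0.0/16"), net(GW_A + "/32")]
ENCRYPT_B = [net("10.2.0.0/16"), net(GW_B + "/32")]
GATEWAYS = [net(GW_A + "/32"), net(GW_B + "/32")]
ANY = [net("0.0.0.0/0")]


def in_domain(addr: str, domain: List[ipaddress.IPv4Network]) -> bool:
    """True when addr falls inside any network of the object group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in domain)


@dataclass
class NatRule:
    orig_src: List[ipaddress.IPv4Network]
    orig_dst: List[ipaddress.IPv4Network]
    xlate_src: Optional[str] = None   # None means "orig": leave the source alone


def translate(nat_rules: List[NatRule], src: str, dst: str) -> Tuple[str, str]:
    """First-match NAT rulebase: return (src, dst) as seen after translation."""
    for rule in nat_rules:
        if in_domain(src, rule.orig_src) and in_domain(dst, rule.orig_dst):
            new_src = src if rule.xlate_src is None else rule.xlate_src
            return (new_src, dst)
    return (src, dst)   # no rule matched: no translation


# A typical Hide NAT rule on gateway A: everything from 10.1/16 hides behind GW_A.
HIDE_A = NatRule(orig_src=[net("10.1.0.0/16")], orig_dst=ANY, xlate_src=GW_A)
# The two manual rules from step 5: encryptA->encryptB and back, all "orig".
NO_NAT_AB = NatRule(orig_src=ENCRYPT_A, orig_dst=ENCRYPT_B)
NO_NAT_BA = NatRule(orig_src=ENCRYPT_B, orig_dst=ENCRYPT_A)

NAT_CORRECT = [NO_NAT_AB, NO_NAT_BA, HIDE_A]   # exclusions at the top
NAT_WRONG = [HIDE_A, NO_NAT_AB, NO_NAT_BA]     # hide rule shadows them


def classify(src: str, dst: str, proto: str, dport: int) -> str:
    """Security rulebase from steps 4 and 5: IKE accept between the gateways,
    encrypt between the domains, implicit drop for anything else."""
    if (proto == "udp" and dport == 500
            and in_domain(src, GATEWAYS) and in_domain(dst, GATEWAYS)):
        return "accept"
    both = ENCRYPT_A + ENCRYPT_B
    if in_domain(src, both) and in_domain(dst, both):
        return "encrypt"
    return "drop"


def vpn_keeps_internal_addresses(nat_rules: List[NatRule], src: str, dst: str) -> bool:
    """Does domain-to-domain traffic still carry its internal addresses after NAT?"""
    return (classify(src, dst, "tcp", 445) == "encrypt"
            and translate(nat_rules, src, dst) == (src, dst))


def domains_disjoint(dom_a, dom_b) -> bool:
    """Step 6: the two encryption domains must be on separate subnets."""
    return not any(a.overlaps(b) for a in dom_a for b in dom_b)


if __name__ == "__main__":
    for label, rules in (("correct order", NAT_CORRECT), ("hide rule first", NAT_WRONG)):
        print(label, "->", translate(rules, "10.1.0.5", "10.2.0.7"),
              "keeps internal addresses:", vpn_keeps_internal_addresses(rules, "10.1.0.5", "10.2.0.7"))
    print("IKE between gateways:", classify(GW_A, GW_B, "udp", 500))
    print("gateway A to host in B:", classify(GW_A, "10.2.0.7", "tcp", 22))
    print("domains disjoint:", domains_disjoint(ENCRYPT_A, ENCRYPT_B))
```

With the exclusions first, a packet from 10.1.0.5 to 10.2.0.7 leaves untranslated; with the hide rule first it leaves as 192.0.2.1 to 10.2.0.7, which is no longer the internal-address traffic the encryption domains and encrypt rule were built around. Ordinary outbound traffic from 10.1/16 to the Internet is still hidden behind the gateway in either layout, which is why the exclusions belong above the hide rule rather than in place of it.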



 
All contents © 2003 Network Presence, LLC. All rights reserved.