
RE: [FW1] VPN going Up & Down



VERY GOOD EXPLANATION !!!

Arno

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On behalf of John Li
> Sent: Thursday, 14 September 2000 00:32
> To: 'PEREZ SABATER Federico DICEI'; [email protected]
> Subject: RE: [FW1] VPN going Up & Down
> 
> 
> 
> Per CP tech support, do not use FWZ for VPN between FW1. Use IKE only.
> Here's how to set it up (remember to add NAT rules if you have both sides
> NATed):
> 
> ---------------------------------------------------------------
> 
> Goal: How to create an ISAKMP (IKE) VPN between two Check Point FireWalls.
> 
> Fact: FireWall-1 4.0
> Fact: FireWall-1 4.1
> Fact: VPN
> Fact: ISAKMP
> Fact: IKE
> 
> Fix: There are 6 steps to creating an ISAKMP (IKE) VPN between two Check Point FireWalls.
> 
> 1. Verify that both FireWalls are licensed for encryption.
> 2. On each FireWall, create a "FireWall-1 installed" object.
> 3. Enter the secrets in the FireWall object's Encryption - ISAKMP (IKE) properties.
> 4. Create a rule that is:
>     source:       local firewall and remote firewall
>     destination:  local firewall and remote firewall
>     service:      ISAKMP (IKE)
>     action:       accept
> 5. Create a rule that is:
>     source:       local encryption domain and remote encryption domain
>     destination:  local encryption domain and remote encryption domain
>     service:      any
>     action:       encrypt
> 6. Push the policies on both FireWalls.
> 
> 
> 
> ***************************************************************
> Goal: How to create Pre-shared secrets using an IKE VPN
> 
> Fact: Firewall-1 4.0 SP2
> Fact: Windows NT 4.0 SP3
> Fact: IKE
> Fact: Each Firewall is its own Management station
> Fact: Hide NAT
> 
> Symptom: When trying to create a pre-shared secret, no peers are listed to install the secret on
> 
> Fix: In order to populate the "peer" pane on the pre-shared secrets
> option on the properties of IKE, you need to:
>     1) Create a Firewall object for each of the Firewalls on each of the Firewalls
>     2) Verify that the Firewall is a part of its encryption domain
>     3) On all four of the Firewall objects, select IKE
>     4) Install the policy
>     5) Go to Manage >> Network Object >> Firewall Object >> Encryption Tab >> IKE: Edit >> Edit Pre-shared secrets to create the secret
>     6) Install the policy
>     7) Add a manual address translation rule
> *********************************************************
> Goal: How to configure IPSec with NAT
> 
> Fact: FireWall-1 4.0 SP2
> Fact: ISAKMP
> Fact: SKIP
> Fact: Hide NAT
> 
> Symptom: VPN between external gateways
> Symptom: Both internal networks in VPN are translated
> 
> Symptom: Wants to use internal IP addresses after VPN implementation
> 
> Fix: Define encryption domain with internal addresses and set NAT rule
> not to translate the VPN connection
> 1. Define internal networks with internal (invalid) IP addresses as the encryption domain of each firewall
> 2. Configure the firewall object with the ISAKMP or SKIP scheme
> 3. Create the encryption rule with both encryption domains in the source and destination fields
> 4. Since they want to use internal IP addresses, you should not use valid IP addresses for the encryption domain and the rule
> 5. Even though encryption happens prior to NAT, you need to keep NAT from happening for the VPN connection.
> This can be accomplished by adding two manual NAT rules to the top of the NAT rulebase negating NAT between the encryption domains, as shown:
> 
> encryptA    encryptB    any    orig    orig    orig
> encryptB    encryptA    any    orig    orig    orig
> 
> 6. Other standard TCP/IP rules of routing apply. Thus, the two internal networks must be on separate subnets and packets destined for the VPN must route to the FW-1 gateway.
> 
> 
> > -----Original Message-----
> > From:	PEREZ SABATER Federico DICEI [SMTP:[email protected]]
> > Sent:	Wednesday, September 13, 2000 2:18 PM
> > To:	[email protected]
> > Subject:	RE: [FW1] VPN going Up & Down
> > 
> > 
> > The encryption scheme is FWZ. Thanks
> > 
> > Regards, Federico.
> > 
> > 
> > -----Original Message-----
> > From: Michael Hernandez [mailto:[email protected]]
> > Sent: Wednesday, 13 September 2000 17:33
> > To: 'John Li'; 'PEREZ SABATER Federico DICEI'; [email protected]
> > Subject: RE: [FW1] VPN going Up & Down
> > 
> > 
> > * Mail received via the internet. Authenticity is not guaranteed *
> > 
> > 
> > Which encryption scheme are you using? Not the algorithm.
> > 
> > -----Original Message-----
> > From: John Li [mailto:[email protected]]
> > Sent: Wednesday, September 13, 2000 4:07 PM
> > To: 'PEREZ SABATER Federico DICEI';
> > [email protected]
> > Subject: RE: [FW1] VPN going Up & Down
> > 
> > 
> > 
> > 
> > Did you check your Encryption Domain? Make sure it includes all networks and objects behind the FW1. Even the FW object itself.
> > 
> > > -----Original Message-----
> > > From:	PEREZ SABATER Federico DICEI [SMTP:[email protected]]
> > > Sent:	Wednesday, September 13, 2000 10:58 AM
> > > To:	[email protected]
> > > Subject:	RV: [FW1] VPN going Up & Down
> > > 
> > > 
> > >     Unfortunately, it is a very random problem... the time that the VPN is up varies from 12 hours (max and only once) to a few minutes. The encryption scheme is DES and the keys are exchanged with 3DES. I've discarded all (most of all) configuration problems, but it still goes down.
> > > 
> > >     I even installed everything all over again with no better results. As usual, if anyone can help, thanks, if not, thanks too.
> > > 
> > > Regards, Federico.
> > > 
> > > 
> > > -----Original Message-----
> > > From: Aylton Souza [mailto:[email protected]]
> > > Sent: Wednesday, 13 September 2000 11:03
> > > To: PEREZ SABATER Federico DICEI; [email protected]
> > > Subject: RE: [FW1] VPN going Up & Down
> > > 
> > > 
> > > Hmm... Does it occur on a regular time basis? I mean, for example every 2 hours, side x goes down....
> > > 
> > > What VPN are you setting up: FWZ, IPSEC, x?
> > > 
> > > Best wishes
> > > 
> > > Aylton
> > > 
> > > 
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On behalf of PEREZ SABATER Federico DICEI
> > > Sent: Wednesday, September 06, 2000 12:54 PM
> > > To: '[email protected]'
> > > Subject: [FW1] VPN going Up & Down
> > > 
> > > 
> > > 
> > > Hi!
> > >     I'm working with a VPN that goes up for a couple of hours and then goes down for no apparent reason. Both FW are Checkpoint V 4.1 SP1 but one over NT and the other over Solaris. Usually, resetting one of the FW makes the VPN go up again.
> > >     Does anyone have a clue?
> > > 
> > > Regards, Federico.
> > > 
> > > 


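Added example, not code from the thread or from Check Point: a small first-match model of the NAT rulebase John Li describes, showing that the two manual "orig / orig / orig" rules between the encryption domains only keep VPN traffic out of Hide NAT when they sit above the Hide NAT rule. The addresses, the tuple rule format and the gateway name are assumptions for illustration.

```python
import ipaddress

# Constructed addresses (RFC 5737 / RFC 1918 ranges), assumed for this example:
# encryption domain A = 10.1.0.0/16 hidden behind gateway A's public 192.0.2.1,
# encryption domain B = 10.2.0.0/16 on the remote side.
ENCRYPT_A = ipaddress.ip_network("10.1.0.0/16")
ENCRYPT_B = ipaddress.ip_network("10.2.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")
GATEWAY_A_PUBLIC = "192.0.2.1"

# A rule is (original source, original destination, translated source).
# A translated source of None stands for "orig": leave the packet untouched.
NAT_RULEBASE = [
    (ENCRYPT_A, ENCRYPT_B, None),        # manual rule: encryptA -> encryptB, no NAT
    (ENCRYPT_B, ENCRYPT_A, None),        # manual rule: encryptB -> encryptA, no NAT
    (ENCRYPT_A, ANY, GATEWAY_A_PUBLIC),  # Hide NAT for everything else leaving A
]


def should_encrypt(src, dst):
    """Rule 5 of the KB steps: traffic between the two encryption domains,
    matched on the original (untranslated) addresses, hits the encrypt rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in ENCRYPT_A and d in ENCRYPT_B) or (s in ENCRYPT_B and d in ENCRYPT_A)


def translate_source(src, dst, rulebase=NAT_RULEBASE):
    """Source address the packet leaves gateway A with; the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, translated in rulebase:
        if s in rule_src and d in rule_dst:
            return src if translated is None else translated
    return src  # no NAT rule matched: packet keeps its original address


def misordered_rulebase():
    """The same three rules with Hide NAT on top: the failure mode the
    'add the manual rules to the top of the NAT rulebase' advice prevents."""
    return [NAT_RULEBASE[2], NAT_RULEBASE[0], NAT_RULEBASE[1]]


if __name__ == "__main__":
    for dst in ("10.2.9.9", "203.0.113.50"):
        print(dst, "encrypt:", should_encrypt("10.1.5.7", dst),
              "leaves as:", translate_source("10.1.5.7", dst),
              "misordered:", translate_source("10.1.5.7", dst, misordered_rulebase()))
```

With the Hide NAT rule first, a host in encryption domain A talking to domain B is hidden behind the gateway address, so the remote peer no longer sees an address inside its configured encryption domain.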
================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
