AW: [FW1] VPN going Up & Down
VERY GOOD EXPLANATION !!!

Arno

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of John Li
> Sent: Thursday, 14 September 2000 00:32
> To: 'PEREZ SABATER Federico DICEI'; [email protected]
> Subject: RE: [FW1] VPN going Up & Down
>
> Per CP tech support, do not use FWZ for VPN between FW1. Use IKE only.
> Here's how to set it up: (Remember to add NAT rules if you have both sides
> NATed.)
>
> ---------------------------------------------------------------
>
> Goal: How to create an ISAKMP (IKE) VPN between two Check Point FireWalls.
>
> Fact: FireWall-1 4.0
> Fact: FireWall-1 4.1
> Fact: VPN
> Fact: ISAKMP
> Fact: IKE
>
> Fix: There are 6 steps to creating an ISAKMP (IKE) VPN between two Check
> Point FireWalls.
>
> 1. Verify that both FireWalls are licensed for encryption.
> 2. On each FireWall, create a "FireWall-1 installed" object.
> 3. Enter the secrets in the FireWall object's encryption - ISAKMP (IKE)
>    properties.
> 4. Create a rule that is:
>      source: local firewall and remote firewall
>      destination: local firewall and remote firewall
>      service: ISAKMP (IKE)
>      action: accept
> 5. Create a rule that is:
>      source: local encryption domain and remote encryption domain
>      destination: local encryption domain and remote encryption domain
>      service: any
>      action: encrypt
> 6. Push the policies on both FireWalls.
>
> ***************************************************************
> Goal: How to create Pre-shared secrets using an IKE VPN
>
> Fact: Firewall-1 4.0 SP2
> Fact: Windows NT 4.0 SP3
> Fact: IKE
> Fact: Each Firewall is its own Management station
> Fact: Hide NAT
>
> Symptom: When trying to create a pre-shared secret, no peers are listed
> to install the secret on
>
> Fix: In order to populate the "peer" pane on the pre-shared secrets
> option on the properties of IKE, you need to:
> 1) Create a Firewall object for each of the Firewalls on each of the
>    Firewalls
> 2) Verify that the Firewall is a part of its encryption domain
> 3) On all four of the Firewall objects, select IKE
> 4) Install the policy
> 5) Go to Manage >> Network Object >> Firewall Object >> Encryption
>    Tab >> IKE: Edit >> Edit Pre-shared secrets to create the secret
> 6) Install the policy
> 7) Add a manual address translation rule
> *********************************************************
> Goal: How to configure IPSec with NAT
>
> Fact: FireWall-1 4.0 SP2
> Fact: ISAKMP
> Fact: SKIP
> Fact: Hide NAT
>
> Symptom: VPN between external gateways
> Symptom: Both internal networks in VPN are translated
> Symptom: Wants to use internal IP addresses after VPN implementation
>
> Fix: Define encryption domain with internal addresses and set NAT rule
> not to translate the VPN connection
> 1. Define internal networks with internal (invalid) IP addresses as
>    encryption domain of each firewall
> 2. Configure firewall object with ISAKMP or SKIP scheme
> 3. Create the encryption rule with both encryption domains in the source
>    and destination field
> 4. Since they want to use internal IP addresses, you should not use
>    valid IP addresses for the encryption domain and the rule
> 5. Even though encryption happens prior to NAT, you need to keep NAT
>    from happening for the VPN connection.
>    This can be accomplished by adding two manual NAT rules to the top of
>    the NAT rulebase negating NAT between the encryption domains as shown:
>
>    encryptA  encryptB  any  orig  orig  orig
>    encryptB  encryptA  any  orig  orig  orig
>
> 6. Other standard TCP/IP rules of routing apply. Thus, the two internal
>    networks must be on separate subnets and packets destined for the VPN
>    must route to the FW-1 gateway.
>
> > -----Original Message-----
> > From: PEREZ SABATER Federico DICEI [SMTP:[email protected]]
> > Sent: Wednesday, September 13, 2000 2:18 PM
> > To: [email protected]
> > Subject: RE: [FW1] VPN going Up & Down
> >
> > The encryption scheme is FWZ. Thanks
> >
> > Regards, Federico.
> >
> > -----Original Message-----
> > From: Michael Hernandez [mailto:[email protected]]
> > Sent: Wednesday, 13 September 2000 17:33
> > To: 'John Li'; 'PEREZ SABATER Federico DICEI'; [email protected]
> > Subject: RE: [FW1] VPN going Up & Down
> >
> > * Mail received via the Internet. Authenticity is not guaranteed *
> >
> > Which encryption Scheme are you using? not algorithm.
> >
> > -----Original Message-----
> > From: John Li [mailto:[email protected]]
> > Sent: Wednesday, September 13, 2000 4:07 PM
> > To: 'PEREZ SABATER Federico DICEI'; [email protected]
> > Subject: RE: [FW1] VPN going Up & Down
> >
> > Did you check your Encrypt Domain? Make sure it includes all networks and
> > objects behind the FW1. Even the FW object itself.
> >
> > > -----Original Message-----
> > > From: PEREZ SABATER Federico DICEI [SMTP:[email protected]]
> > > Sent: Wednesday, September 13, 2000 10:58 AM
> > > To: [email protected]
> > > Subject: RV: [FW1] VPN going Up & Down
> > >
> > > Unfortunately, it is a very random problem... the time that the VPN is
> > > up varies from 12 hours (max and only once) to a few minutes.
> > > The encryption scheme is DES and the keys are exchanged with 3DES.
> > > I've discarded all (most of all) configuration problems, but it still
> > > goes down.
> > >
> > > I even installed everything all over again with no better results.
> > > As usual, if anyone can help, thanks, if not, thanks too.
> > >
> > > Regards, Federico.
> > >
> > > -----Original Message-----
> > > From: Aylton Souza [mailto:[email protected]]
> > > Sent: Wednesday, 13 September 2000 11:03
> > > To: PEREZ SABATER Federico DICEI; [email protected]
> > > Subject: RES: [FW1] VPN going Up & Down
> > >
> > > Hmm... Does it occur on a regular time basis? I mean, for example every
> > > 2 hours, side x goes down....
> > >
> > > What VPN are you setting up: FWZ, IPSEC, x?
> > >
> > > Best wishes
> > >
> > > Aylton
> > >
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[email protected]] On Behalf Of PEREZ
> > > SABATER Federico DICEI
> > > Sent: Wednesday, September 06, 2000 12:54 PM
> > > To: '[email protected]'
> > > Subject: [FW1] VPN going Up & Down
> > >
> > > Hi!
> > > I'm working with a VPN that goes up for a couple of hours and then
> > > goes down with no apparent reason. Both FW are Checkpoint V 4.1 SP1 but
> > > one over NT and the other over Solaris. Usually, resetting one of the FW
> > > makes the VPN go up again.
> > > Does anyone have a clue?
> > >
> > > Regards, Federico.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
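An added illustration, not from the thread or from Check Point, of the first-match NAT rulebase logic behind step 5 of the "IPSec with NAT" fix above: the two "orig/orig/orig" exemption rules only work if they sit above the Hide NAT rule, otherwise the hide rule matches first and translates the VPN traffic. The networks, the hide address and the tuple encoding of a rule are constructed assumptions.

```python
"""Constructed model of a FireWall-1 style NAT rulebase (first match wins)."""
import ipaddress

# Constructed encryption domains with internal (invalid) addresses, as step 1 requires.
ENCRYPT_A = ipaddress.ip_network("10.1.0.0/16")   # site A encryption domain
ENCRYPT_B = ipaddress.ip_network("10.2.0.0/16")   # site B encryption domain
ANY = ipaddress.ip_network("0.0.0.0/0")
HIDE_ADDR = "192.0.2.1"                           # site A's hide address (constructed)

# A rule is (original source, original destination, translated source).
# "orig" means the source address is left untouched, as in the thread's rules.
NO_NAT_A_TO_B = (ENCRYPT_A, ENCRYPT_B, "orig")
NO_NAT_B_TO_A = (ENCRYPT_B, ENCRYPT_A, "orig")
HIDE_SITE_A = (ENCRYPT_A, ANY, HIDE_ADDR)          # the usual Hide NAT for site A


def translate(rulebase, src, dst):
    """Return the source address a packet leaves with; the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, xlate in rulebase:
        if s in rule_src and d in rule_dst:
            return src if xlate == "orig" else xlate
    return src  # no NAT rule matched: address unchanged


def vpn_keeps_internal_addresses(rulebase):
    """True if traffic between the two encryption domains is exempt from NAT both ways."""
    a_host, b_host = "10.1.5.9", "10.2.7.3"       # constructed hosts in each domain
    return (translate(rulebase, a_host, b_host) == a_host
            and translate(rulebase, b_host, a_host) == b_host)


# Step 5 as written: exemptions at the top of the rulebase.
CORRECT = [NO_NAT_A_TO_B, NO_NAT_B_TO_A, HIDE_SITE_A]
# Same rules with the Hide NAT rule first: it shadows the exemptions for A -> B.
WRONG = [HIDE_SITE_A, NO_NAT_A_TO_B, NO_NAT_B_TO_A]

if __name__ == "__main__":
    print("exemptions on top :", vpn_keeps_internal_addresses(CORRECT))  # True
    print("hide rule on top  :", vpn_keeps_internal_addresses(WRONG))    # False
    print("A -> Internet     :", translate(CORRECT, "10.1.5.9", "203.0.113.10"))
```

Ordinary Internet-bound traffic from site A is still hidden behind HIDE_ADDR in the correct ordering; only the domain-to-domain traffic is exempt.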