NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] FWZ vs. IKE



Title: RE: [FW1] FWZ vs. IKE

Hi Paul, thanks.....

Yes, I meant to mention that the Enc Domain was set to my internal network object.  I just double checked for the 100th time too...just to be sure ;-)

I assume you mean on the client side... (there is none on the server side)


I do see an extraneous entry or two for an interface that is not in use anymore....
I'm not really up on the anatomy of a userc.c file... but i'll give this a shot...


in my site definition section....

:ifaddrs (
        : (external IP of firewall)
        : (interal IP #1 on firewall)  (not the encryption domain)
        : (just plain wrong IP)

then each of those is broken down in detail in the :topology section AND there is a 4th entry there with the proper IP and mask for the encryption domain network obkect, BUT the name for that entry is wrong ..  it is Nickname.madeupwordhere   instead of Nickname.FWName


Thanks ....I will give it a shot and try to 'correct' these ...  any tips for userc.c anatomy resources would be appreciated.






> -----Original Message-----
> From: Paul Carmichael [mailto:[email protected]]
> Sent: Tuesday, November 14, 2000 2:23 PM
> To: 'Jason Kent'; '[email protected]'
> Subject: RE: [FW1] FWZ vs. IKE
>
>
> Jason,
>
> Can you confirm that you have your internal network specified in the
> Firewalls encryption domain. Also check that userc.c file contains
> information regarding your internal network. There looks to
> be some sort of
> an issue there.
>
> Paul Carmichael
> IT Security Engineer
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> SecureNet  Ltd
> Level 3, 1 James Place,
> North Sydney,
> NSW 2000 AUSTRALIA
> Ph: +61 2 9957 1000     Email: [email protected]
> Fx: +61 2 9957 1111     Web : http://www.securenet.com.au
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
> -----Original Message-----
> From: Jason Kent [mailto:[email protected]]
> Sent: Wednesday, 15 November 2000 7:21 AM
> To: '[email protected]'
> Subject: [FW1] FWZ vs. IKE
>
>
> **************************************************************
> This message has been scanned for viruses.
> **************************************************************
>
>
> Is there any reason that FWZ would work with Client Encrypt
> Rules and IKE
> with preshared secrets would not ?
> I have FWZ working with both Accept and Client Encypt Actions...
> IKE works fine with Accept actions (I have Decypt on Accept
> checked) but
> will NOT pass any traffic on a Client Encrypt action.
> Using 4.1 SP2 3DES with SR build 4165 .... 
> When the problem occures (trying to pass through a client
> encrypt rule)the
> log files simply show:
> 1. workstation to firewall IKE Log: Phase 1 (agressive) completion.
> 3DES/MD5/Pre shared secrets Negotiation ID: (insert ID here)
> 2. workstation to firewall scheme IKE methods: Combined
> 3DES+SHA1 (phase 2
> completion) for host x.x.x.x and for subnet 0.0.0.0 (mask=0.0.0.0)
> and then NOTHING... no drops..no decrypts..no traffic..no nothing....
> The test workstation is on the same subnet as the external
> interface...I'm
> not sure what all those 0's are about... any ideas ?
>
>
> If I use an accept rule, I get the same two entries... PLUS a 3rd:
> firewall to workstation scheme IKE methods: Combined ESP:
> 3DES+SHA1(phase 2
> completion) for subnet x.x.x.x (mask 255.255.255.192)and for
> host x.x.x.x 
> (the subnet and mask correctly desscribes my encryption
> domain...and the
> host IP is the test workstation, just as in entry number 2 in
> the logs)
> and then things work... lots of decrypts and traffic flows nicely...
> So bottom line... what is it about IKE with preshared secrets
> and Client
> Encrypt actions ??  something special i need to check ? any
> help would be
> greatly appreciated...
> THanks,
> Jason
>
>
> **********************************************************************
> To stay up to date with the latest SecureNet news and events click on
> the following link direct to our website www.securenet.com.au/news
>
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
>
> This footnote also confirms that this email message has been swept by
> MIMEsweeper for the presence of computer viruses.
>
> www.mimesweeper.com
> **********************************************************************
>



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.