RE: [FW1] FWZ vs. IKE
Ok... quick note.. I did find the source of my messed up userc.c file... a typo on one of my firewall object interface definitions... although with that broken, I'm surprised anything worked...

In any case... I fixed that... reinstalled the policy, deleted the site in SecuRemote, recreated it... and still no luck... client encrypt rules still seem to be broken.... no traffic being logged.

Help?
Hi Paul, thanks.....

Yes, I meant to mention that the Enc Domain was set to my internal network object. I just double checked for the 100th time too...just to be sure ;-)

I assume you mean on the client side... (there is none on the server side)

I do see an extraneous entry or two for an interface that is not in use anymore.... I'm not really up on the anatomy of a userc.c file... but I'll give this a shot...

In my site definition section....

    :ifaddrs (
        : (external IP of firewall)
        : (internal IP #1 on firewall)   (not the encryption domain)
        : (just plain wrong IP)

then each of those is broken down in detail in the :topology section AND there is a 4th entry there with the proper IP and mask for the encryption domain network object, BUT the name for that entry is wrong.. it is Nickname.madeupwordhere instead of Nickname.FWName

Thanks ....I will give it a shot and try to 'correct' these... any tips for userc.c anatomy resources would be appreciated.
> -----Original Message-----
> From: Paul Carmichael [mailto:[email protected]]
> Sent: Tuesday, November 14, 2000 2:23 PM
> To: 'Jason Kent'; '[email protected]'
> Subject: RE: [FW1] FWZ vs. IKE
>
> Jason,
>
> Can you confirm that you have your internal network specified in the
> Firewalls encryption domain. Also check that userc.c file contains
> information regarding your internal network. There looks to be some sort of
> an issue there.
>
> Paul Carmichael
> IT Security Engineer
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> SecureNet Ltd
> Level 3, 1 James Place,
> North Sydney, NSW 2000 AUSTRALIA
> Ph: +61 2 9957 1000 Email: [email protected]
> Fx: +61 2 9957 1111 Web : http://www.securenet.com.au
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> > -----Original Message-----
> > From: Jason Kent [mailto:[email protected]]
> > Sent: Wednesday, 15 November 2000 7:21 AM
> > To: '[email protected]'
> > Subject: [FW1] FWZ vs. IKE
> >
> > Is there any reason that FWZ would work with Client Encrypt Rules and IKE
> > with preshared secrets would not? I have FWZ working with both Accept and
> > Client Encrypt Actions... IKE works fine with Accept actions (I have Decrypt
> > on Accept checked) but will NOT pass any traffic on a Client Encrypt action.
> > Using 4.1 SP2 3DES with SR build 4165 ....
> >
> > When the problem occurs (trying to pass through a client encrypt rule) the
> > log files simply show:
> >
> > 1. workstation to firewall IKE Log: Phase 1 (aggressive) completion.
> >    3DES/MD5/Pre shared secrets Negotiation ID: (insert ID here)
> > 2. workstation to firewall scheme IKE methods: Combined 3DES+SHA1 (phase 2
> >    completion) for host x.x.x.x and for subnet 0.0.0.0 (mask=0.0.0.0)
> >
> > and then NOTHING... no drops..no decrypts..no traffic..no nothing....
> > The test workstation is on the same subnet as the external interface...I'm
> > not sure what all those 0's are about... any ideas?
> >
> > If I use an accept rule, I get the same two entries... PLUS a 3rd:
> >
> > firewall to workstation scheme IKE methods: Combined ESP: 3DES+SHA1 (phase 2
> > completion) for subnet x.x.x.x (mask 255.255.255.192) and for host x.x.x.x
> >
> > (the subnet and mask correctly describes my encryption domain...and the host
> > IP is the test workstation, just as in entry number 2 in the logs)
> > and then things work... lots of decrypts and traffic flows nicely...
> >
> > So bottom line... what is it about IKE with preshared secrets and Client
> > Encrypt actions ?? something special I need to check? any help would be
> > greatly appreciated...
> >
> > Thanks,
> > Jason
> >
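As an added example (not from the thread and not Check Point's code), a small Python checker that reads IKE log entries shaped like the ones Jason quotes and flags the symptom he describes: phase 2 completing only for subnet 0.0.0.0 (mask 0.0.0.0), with no entry naming the real encryption domain. Reading that selector as the client never having received the encryption domain, which is where Paul's pointer at userc.c leads, is an assumption; the log lines and addresses below are constructed.

```python
import re

# Constructed sample log lines, modelled on the two entries Jason quotes for the
# client-encrypt case (addresses invented; not real FW-1 log output).
CLIENT_ENCRYPT_LOG = [
    "workstation to firewall IKE Log: Phase 1 (aggressive) completion. "
    "3DES/MD5/Pre shared secrets Negotiation ID: 42",
    "workstation to firewall scheme IKE methods: Combined 3DES+SHA1 (phase 2 "
    "completion) for host 192.0.2.10 and for subnet 0.0.0.0 (mask=0.0.0.0)",
]
# The accept-rule case adds the third entry that names the real encryption domain.
ACCEPT_LOG = CLIENT_ENCRYPT_LOG + [
    "firewall to workstation scheme IKE methods: Combined ESP: 3DES+SHA1 (phase 2 "
    "completion) for subnet 192.0.2.64 (mask 255.255.255.192) and for host 192.0.2.10",
]

PHASE1 = re.compile(r"phase 1 \(\w+\) completion", re.I)
# Both spellings seen in the post: "(mask=0.0.0.0)" and "(mask 255.255.255.192)".
PHASE2 = re.compile(r"phase 2 completion\).*?subnet ([\d.]+) \(mask=?\s?([\d.]+)\)", re.I)


def phase2_selectors(lines):
    """Return the (subnet, mask) pairs reported in phase 2 completion entries."""
    found = []
    for line in lines:
        m = PHASE2.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def diagnose(lines):
    """Classify a SecuRemote IKE log excerpt by what its phase 2 selectors say."""
    phase1 = any(PHASE1.search(line) for line in lines)
    selectors = phase2_selectors(lines)
    if not phase1:
        verdict = "no-phase1"
    elif not selectors:
        verdict = "no-phase2"
    elif all(mask == "0.0.0.0" for _, mask in selectors):
        # Phase 2 only ever covered 0.0.0.0/0.0.0.0: read here (assumption) as the
        # client never having learned the encryption domain, the userc.c issue Paul raises.
        verdict = "missing-encryption-domain"
    else:
        verdict = "encryption-domain-negotiated"
    return {"phase1": phase1, "selectors": selectors, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("client encrypt", CLIENT_ENCRYPT_LOG), ("accept", ACCEPT_LOG)):
        print(f"{name}: {diagnose(log)['verdict']}")
```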