
RE: [FW1] FWZ vs. IKE



Jason,

Some reasons it may not work:

Your SR client default encryption scheme is not IKE.
You haven't checked IKE in the fw object.
You haven't allowed user objects to use IKE.
Your secret keys do not match.
Your IKE rule is blocked (that would show in the logs).
Your encryption domain is wrong (care to look for the 101st time? ;)
Your external interface is included in your encryption domain??
'Supports key exchange for Subnets' is not checked (may not need
it; found in IKE properties of the fw object).
Your encryption levels do not match.

I assume (ack) that you can successfully create/update the site
in SR.

In userc.C right above the 'ifaddrs' section, there is a reference
to :obj. Make sure that the IP is that of your external interface of the fw.
From your comments, it sounds like it will be.

Robert

--
Robert P. MacDonald, Network Engineer
Team Lead, e-Business Infrastructure
Gordon Food Service
Voice:email: [email protected]

>>> Jason Kent <[email protected]> 11/14/00 6:46:01 PM >>>
>Ok... quick note. I did find the source of my messed up userc.c file... a
>typo on one of my firewall object interface definitions... although with
>that broken, I'm surprised anything worked...
>
>In any case... I fixed that... reinstalled the policy, deleted the site in
>SecuRemote, recreated it... and still no luck... client encrypt rules still
>seem to be broken... no traffic being logged.
>
>Help?
>
>-----Original Message-----
>From: Jason Kent [mailto:[email protected]] 
>Sent: Tuesday, November 14, 2000 3:02 PM
>To: 'Paul Carmichael'; Jason Kent;
>'[email protected]' 
>Subject: RE: [FW1] FWZ vs. IKE
>
>Hi Paul, thanks.....
>
>Yes, I meant to mention that the Enc Domain was set to my internal network
>object. I just double checked for the 100th time too... just to be sure ;-)
>
>I assume you mean on the client side... (there is none on the server side)
>
>I do see an extraneous entry or two for an interface that is not in use
>anymore....
>I'm not really up on the anatomy of a userc.c file... but I'll give this a
>shot...
>
>In my site definition section....
>
>:ifaddrs (
>        : (external IP of firewall)
>        : (internal IP #1 on firewall)  (not the encryption domain)
>        : (just plain wrong IP)
>
>then each of those is broken down in detail in the :topology section AND
>there is a 4th entry there with the proper IP and mask for the encryption
>domain network object, BUT the name for that entry is wrong.. it is
>Nickname.madeupwordhere instead of Nickname.FWName
>
>Thanks.... I will give it a shot and try to 'correct' these... any tips
>for userc.c anatomy resources would be appreciated.
>
>> -----Original Message-----
>> From: Paul Carmichael [mailto:[email protected]]
>> Sent: Tuesday, November 14, 2000 2:23 PM
>> To: 'Jason Kent'; '[email protected]'
>> Subject: RE: [FW1] FWZ vs. IKE
>> 
>> Jason,
>>
>> Can you confirm that you have your internal network specified in the
>> Firewall's encryption domain. Also check that the userc.c file contains
>> information regarding your internal network. There looks to be some sort of
>> an issue there.
>>
>> Paul Carmichael
>> -----Original Message-----
>> From: Jason Kent [mailto:[email protected]]
>> Sent: Wednesday, 15 November 2000 7:21 AM
>> To: '[email protected]'
>> Subject: [FW1] FWZ vs. IKE
>> 
>> Is there any reason that FWZ would work with Client Encrypt Rules and IKE
>> with preshared secrets would not?
>> I have FWZ working with both Accept and Client Encrypt actions...
>> IKE works fine with Accept actions (I have Decrypt on Accept checked) but
>> will NOT pass any traffic on a Client Encrypt action.
>> Using 4.1 SP2 3DES with SR build 4165....
>> When the problem occurs (trying to pass through a client encrypt rule) the
>> log files simply show:
>> 1. workstation to firewall IKE Log: Phase 1 (agressive) completion.
>> 3DES/MD5/Pre shared secrets Negotiation ID: (insert ID here)
>> 2. workstation to firewall scheme IKE methods: Combined 3DES+SHA1 (phase 2
>> completion) for host x.x.x.x and for subnet 0.0.0.0 (mask=0.0.0.0)
>> and then NOTHING... no drops.. no decrypts.. no traffic.. no nothing....
>> The test workstation is on the same subnet as the external interface... I'm
>> not sure what all those 0's are about... any ideas?
>>
>> If I use an accept rule, I get the same two entries... PLUS a 3rd:
>> firewall to workstation scheme IKE methods: Combined ESP: 3DES+SHA1 (phase 2
>> completion) for subnet x.x.x.x (mask 255.255.255.192) and for host x.x.x.x
>> (the subnet and mask correctly describe my encryption domain... and the
>> host IP is the test workstation, just as in entry number 2 in the logs)
>> and then things work... lots of decrypts and traffic flows nicely...
>> So bottom line... what is it about IKE with preshared secrets and Client
>> Encrypt actions?? Something special I need to check? Any help would be
>> greatly appreciated...
>> Thanks,
>> Jason

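As an added example (not from the thread, and not Check Point's own tooling), assuming the userc.C site definition uses the ':key (value)' layout of nested parentheses seen in Jason's excerpt: a small parser plus the two checks the thread converges on, that the firewall's external IP appears under :ifaddrs and that every :topology entry is named Nickname.FWName. The site name MyFW, the sample addresses and the entry fields :ipaddr/:ipmask/:name are constructed assumptions.

```python
import re

# Tokens of the assumed '.C' layout: parens, ':key' labels (a bare ':' is an unnamed entry), atoms.
_TOKEN = re.compile(r'\(|\)|:[A-Za-z0-9_.\-]*|"[^"]*"|[^\s()]+')

def parse_c(text):
    """Parse ':key (value)' pairs in nested parentheses into ordered (key, value) lists; key "" = unnamed."""
    toks, pos = _TOKEN.findall(text), 0
    def read_list():
        nonlocal pos
        pos += 1  # consume '('
        node = []
        while toks[pos] != ")":
            key = ""
            if toks[pos].startswith(":"):
                key, pos = toks[pos][1:], pos + 1
            if toks[pos] == "(":
                value = read_list()
                if len(value) == 1 and value[0][0] == "" and isinstance(value[0][1], str):
                    value = value[0][1]  # '(192.0.2.1)' is a scalar, not a one-element list
            else:
                value, pos = toks[pos].strip('"'), pos + 1
            node.append((key, value))
        pos += 1  # consume ')'
        return node
    return read_list()

def get(node, key):
    return next((v for k, v in node if k == key), None)

def entries(value):
    """Unnamed members of a list; a lone scalar (collapsed above) counts as one entry."""
    return [value] if isinstance(value, str) else [v for k, v in value if k == ""]

def check_site(text, site, fw_name, external_ip):
    """The thread's userc.C checks: external IP listed in :ifaddrs, topology names end in '.<fw_name>'."""
    site_node = get(get(parse_c(text), "sites"), site)
    findings = []
    if external_ip not in entries(get(site_node, "ifaddrs")):
        findings.append(f"ifaddrs lacks the firewall's external IP {external_ip}")
    for top in entries(get(site_node, "topology")):
        name = get(top, "name")
        if not str(name).endswith("." + fw_name):
            findings.append(f"topology entry {get(top, 'ipaddr')} is named {name!r}, expected 'Nickname.{fw_name}'")
    return findings

# Constructed sample site definition (documentation/private addresses) with the mis-named entry from the thread.
SAMPLE_USERC = """(:sites (:MyFW (:ifaddrs (: (192.0.2.1) : (10.0.0.1))
  :topology (
    : (:ipaddr (10.0.0.0) :ipmask (255.255.255.0) :name (Nickname.MyFW))
    : (:ipaddr (10.1.0.0) :ipmask (255.255.255.0) :name (Nickname.madeupwordhere)))
)))"""
```

Running check_site(SAMPLE_USERC, "MyFW", "MyFW", "192.0.2.1") flags only the madeupwordhere entry; passing a different external IP adds the :ifaddrs finding.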