
RE: [FW1] FWZ vs. IKE



Let me jump on the bad form bandwagon here...and reply to myself...

It just dawned on me... Can I really do a preshared secret with a user? My secrets that match are on the workstation the user is using and on the firewall...

In the user properties... I select IKE... and am given the choice to use either "password" or "certificate" authentication... of course I was putting in my same user password, which was the same as the preshared secret for my test workstation... that is where I was confused and believed that the secret was properly set....

So, let me ask, can I do preshared secrets with users somehow? Or do I have to do certificates... (which, by the way, I have no idea how to make work.... so I'd like to avoid it... I'm under the impression that to do that I'd have to have a certificate server; we have a server running 2000 that doesn't have much of a load on it... and we are only talking 5-10 users total... but I have no idea where to start if I need to make that a cert server... can someone point me in the right direction there... everything I read just says to make a cert server... but I need to know how....)

Thanks for all the help

Jason


> -----Original Message-----
> From: Jason Kent
> Sent: Wednesday, November 15, 2000 7:53 AM
> To: 'Robert MacDonald';
> [email protected]; Jason
> Kent; [email protected]
> Subject: RE: [FW1] FWZ vs. IKE
>
>
> Robert, thanks again for the suggestions....still no luck though
>
> I double checked all of these:
>
> SR client default scheme is IKE
> IKE is checked in the FW object (with 3DES, SHA1, MD5,
> Supports Aggressive Mode, and Supports Subnets all checked)
> User Object IKE is allowed (ESP, MD5 and 3DES are selected)
> Secrets certainly match, retyped them both.. just to make sure...
>
> IKE not blocked, nothing shows in logs; logs are filled with
> nothing after the initial 2/3 IKE entries that should be there
>
> encryption domain (network object x.x.x.128 mask
> 255.255.255.128 - the internal interface is .229) and that
> object is selected as the encryption domain in the FW object.
>
> external interface is x.x.x.10 mask 255.255.255.192 
> certainly no overlap (no security or spoof settings on any
> interfaces at this point either
>
> Supports Subnets is checked in IKE properties
> and encryption levels do seem to match....
>
> yes..create and update site in SR is fine... (and SR works
> when pushed through a workstation -> network ->
> whateverservice -> accept rule)
>
> userc.c  - yes... the :obj section is the x.x.x.10 interface.
>
>
>
> From the logs the IKE phase 1 (secret key) succeeds... then the
> workstation sends its phase 2 packets... and the firewall just
> doesn't care to reply if they arrived from a Client Auth
> rule.... but if they come from an accept rule, everything
> works great... (this holds true for every service I've tried;
> telnet, ftp, http, pcanywhere)
>
> Of course when things fail...the client app just times out...
>
>
> I normally like to find and solve the problem without
> rebuilding... but if I must, rebuilding is an option... but
> I can't stand throwing in the towel yet... so... any other
> ideas would be greatly appreciated.....
>
> Thanks in advance...
>
> Jason
>
>
>
>
>
> > -----Original Message-----
> > From: Robert MacDonald [mailto:[email protected]]
> > Sent: Tuesday, November 14, 2000 7:51 PM
> > To: [email protected]; [email protected];
> > [email protected]
> > Subject: RE: [FW1] FWZ vs. IKE
> >
> >
> >
> > Jason,
> >
> > Some reasons it may not work:
> >
> > Your SR client default encryption scheme is not IKE.
> > You haven't checked IKE in fw object.
> > You haven't allowed user objects to use IKE.
> > Your secret keys do not match.
> > Your IKE rule is blocked(that would show in the logs.)
> > Your encryption domain is wrong(care to look for the 101st time ;)
> > Your external interface is included in your encryption domain??
> > 'Supports keys exchange for Subnets' is not checked(may not need
> > it. Found in IKE properties of fw object.)
> > Your encryption levels do not match
> >
> > I assume(ack) that you successfully can create/update the site
> > in SR.
> >
> > In userc.C right above the 'ifaddrs' section, there is a reference
> > to :obj. Make sure that the IP is that of your external inf
> > of the fw.
> > From your comments, it sounds like it will be.
> >
> > Robert
> >
> > - -
> > Robert P. MacDonald, Network Engineer
> > Team Lead, e-Business Infrastructure
> > G o r d o n   F o o d    S e r v i c e
> > Voice:email: [email protected]
> >
> > >>> Jason Kent <[email protected]> 11/14/00 6:46:01 PM >>>
> > >Ok... quick note.. I did find the source of my messed up userc.c file... a
> > >typo on one of my firewall object interface definitions... although with
> > >that broken, I'm surprised anything worked...
> > >
> > >in any case... I fixed that... reinstalled the policy, deleted the site in
> > >securemote, recreated it... and still no luck... client encrypt rules still
> > >seem to be broken.... no traffic being logged.
> > >
> > >Help ?
> > >
> > >-----Original Message-----
> > >From: Jason Kent [mailto:[email protected]]
> > >Sent: Tuesday, November 14, 2000 3:02 PM
> > >To: 'Paul Carmichael'; Jason Kent;
> > >'[email protected]'
> > >Subject: RE: [FW1] FWZ vs. IKE
> > >
> > >Hi Paul, thanks.....
> > >
> > >Yes, I meant to mention that the Enc Domain was set to my internal network
> > >object.  I just double checked for the 100th time too... just to be sure ;-)
> > >
> > >I assume you mean on the client side... (there is none on the server side)
> > >
> > >I do see an extraneous entry or two for an interface that is not in use
> > >anymore....
> > >I'm not really up on the anatomy of a userc.c file... but I'll give this a
> > >shot...
> > >
> > >in my site definition section....
> > >
> > >:ifaddrs (
> > >        : (external IP of firewall)
> > >        : (internal IP #1 on firewall)  (not the encryption domain)
> > >        : (just plain wrong IP)
> > >
> > >then each of those is broken down in detail in the :topology section AND
> > >there is a 4th entry there with the proper IP and mask for the encryption
> > >domain network object, BUT the name for that entry is wrong .. it is
> > >Nickname.madeupwordhere   instead of Nickname.FWName
> > >
> > >Thanks .... I will give it a shot and try to 'correct' these ... any tips
> > >for userc.c anatomy resources would be appreciated.
> > >
> > >> -----Original Message-----
> > >> From: Paul Carmichael [ mailto:[email protected]
> > ><mailto:[email protected]> ]
> > >> Sent: Tuesday, November 14, 2000 2:23 PM
> > >> To: 'Jason Kent'; '[email protected]'
> > >> Subject: RE: [FW1] FWZ vs. IKE
> > >>
> > >> Jason,
> > >>
> > >> Can you confirm that you have your internal network specified in the
> > >> Firewall's encryption domain. Also check that the userc.c file contains
> > >> information regarding your internal network. There looks to be some sort of
> > >> an issue there.
> > >>
> > >> Paul Carmichael
> > >> -----Original Message-----
> > >> From: Jason Kent [ mailto:[email protected]
> > >> <mailto:[email protected]> ]
> > >> Sent: Wednesday, 15 November 2000 7:21 AM
> > >> To: '[email protected]'
> > >> Subject: [FW1] FWZ vs. IKE
> > >>
> > >> Is there any reason that FWZ would work with Client Encrypt Rules and IKE
> > >> with preshared secrets would not?
> > >> I have FWZ working with both Accept and Client Encrypt Actions...
> > >> IKE works fine with Accept actions (I have Decrypt on Accept checked) but
> > >> will NOT pass any traffic on a Client Encrypt action.
> > >> Using 4.1 SP2 3DES with SR build 4165 ....
> > >> When the problem occurs (trying to pass through a client encrypt rule) the
> > >> log files simply show:
> > >> 1. workstation to firewall IKE Log: Phase 1 (aggressive) completion.
> > >> 3DES/MD5/Pre shared secrets Negotiation ID: (insert ID here)
> > >> 2. workstation to firewall scheme IKE methods: Combined 3DES+SHA1 (phase 2
> > >> completion) for host x.x.x.x and for subnet 0.0.0.0 (mask=0.0.0.0)
> > >> and then NOTHING... no drops.. no decrypts.. no traffic.. no nothing....
> > >> The test workstation is on the same subnet as the external interface... I'm
> > >> not sure what all those 0's are about... any ideas?
> > >>
> > >> If I use an accept rule, I get the same two entries... PLUS a 3rd:
> > >> firewall to workstation scheme IKE methods: Combined ESP: 3DES+SHA1 (phase 2
> > >> completion) for subnet x.x.x.x (mask 255.255.255.192) and for host x.x.x.x
> > >> (the subnet and mask correctly describe my encryption domain... and the
> > >> host IP is the test workstation, just as in entry number 2 in the logs)
> > >> and then things work... lots of decrypts and traffic flows nicely...
> > >> So bottom line... what is it about IKE with preshared secrets and Client
> > >> Encrypt actions?? Something special I need to check? Any help would be
> > >> greatly appreciated...
> > >> Thanks,
> > >> Jason
> >
> >
> >
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> >
>
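
Robert's checklist above (encryption domain correct, external interface not inside it, and the selectors the client and the firewall log at phase 2 completion) can be turned into a quick self-check. The script below is an added example written for this page, not code from the thread or from Check Point. It assumes the documentation prefix 192.0.2.0/24 in place of the thread's x.x.x.* addresses, and its log lines are constructed to match the wording Jason quoted rather than captured from a real FW-1 log viewer.

```python
"""Self-check for a FW-1 4.1 / SecuRemote IKE encryption-domain setup.

Added example, not code from the thread or from Check Point.  Addresses are
constructed stand-ins (assumption: 192.0.2.0/24) for the thread's x.x.x.*
values; the log lines are reconstructed from the thread's wording.
"""
import ipaddress
import re

# Constructed topology, mirroring what Jason describes (assumption).
EXTERNAL_IF = "192.0.2.10/26"          # thread: x.x.x.10 mask 255.255.255.192
INTERNAL_IF = "192.0.2.229/25"         # thread: x.x.x.229 on the x.x.x.128/25 network
ENCRYPTION_DOMAIN = ["192.0.2.128/25"]  # the network object selected as encryption domain
CLIENT = "192.0.2.20"                  # test workstation on the external interface's subnet

# Matches "for host A" and "for subnet A (mask=B)" / "(mask B)" in the phase 2 entries.
SELECTOR_RE = re.compile(
    r"for (host|subnet) (\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s*\(mask[= ]\s*(\d{1,3}(?:\.\d{1,3}){3})\))?"
)


def check_topology(external_if, internal_if, domain, client):
    """Apply the topology items of Robert's checklist; return a list of findings."""
    ext = ipaddress.ip_interface(external_if)
    internal = ipaddress.ip_interface(internal_if)
    cli = ipaddress.ip_address(client)
    nets = [ipaddress.ip_network(n) for n in domain]
    findings = []
    for net in nets:
        if ext.ip in net:
            findings.append(f"external interface {ext.ip} is inside encryption domain {net}")
        elif ext.network.overlaps(net):
            findings.append(f"external subnet {ext.network} overlaps encryption domain {net}")
        if cli in net:
            findings.append(f"client {cli} is inside encryption domain {net}; its traffic would not be encrypted")
    if not any(internal.ip in net for net in nets):
        findings.append(f"internal interface {internal.ip} is not covered by the encryption domain")
    return findings


def selectors(line):
    """Parse the traffic selectors of one phase 2 log line into (kind, network) pairs.

    A host becomes a /32; a subnet is built from its dotted mask, so the
    "subnet 0.0.0.0 (mask=0.0.0.0)" in the thread becomes 0.0.0.0/0.
    """
    out = []
    for kind, addr, mask in SELECTOR_RE.findall(line):
        net = ipaddress.ip_network(f"{addr}/{mask}" if mask else f"{addr}/32", strict=False)
        out.append((kind, net))
    return out


def diagnose(log_lines, domain):
    """Read a phase 2 exchange the way the thread reads it: did the client propose
    0.0.0.0/0, did the firewall answer, and did its answer name the encryption domain."""
    nets = [ipaddress.ip_network(n) for n in domain]
    result = {"client_proposed_any": False, "firewall_replied": False, "reply_matches_domain": False}
    for line in log_lines:
        if "phase 2" not in line.lower():
            continue                      # phase 1 entries carry no selectors
        sels = selectors(line)
        if line.startswith("workstation to firewall"):
            if any(kind == "subnet" and net.prefixlen == 0 for kind, net in sels):
                result["client_proposed_any"] = True   # the "all those 0's"
        elif line.startswith("firewall to workstation"):
            result["firewall_replied"] = True
            result["reply_matches_domain"] = any(
                kind == "subnet" and net in nets for kind, net in sels)
    return result


# Constructed log lines, worded like the entries quoted in the thread (not real output).
FAILING_LOG = [
    "workstation to firewall IKE Log: Phase 1 (aggressive) completion. 3DES/MD5/Pre shared secrets",
    "workstation to firewall scheme IKE methods: Combined 3DES+SHA1 (phase 2 completion) "
    "for host 192.0.2.20 and for subnet 0.0.0.0 (mask=0.0.0.0)",
]
WORKING_LOG = FAILING_LOG + [
    "firewall to workstation scheme IKE methods: Combined ESP: 3DES+SHA1 (phase 2 completion) "
    "for subnet 192.0.2.128 (mask 255.255.255.128) and for host 192.0.2.20",
]

if __name__ == "__main__":
    print("topology findings:", check_topology(EXTERNAL_IF, INTERNAL_IF, ENCRYPTION_DOMAIN, CLIENT))
    print("client encrypt case:", diagnose(FAILING_LOG, ENCRYPTION_DOMAIN))
    print("accept case:", diagnose(WORKING_LOG, ENCRYPTION_DOMAIN))
```

With the constructed topology `check_topology` returns no findings, and `diagnose` distinguishes the two log shapes in the thread: the client always proposes 0.0.0.0/0 as the remote side, and only the working case contains the firewall's reply naming the encryption domain. Swap in your own interface addresses and network objects before trusting the result.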



 
   All contents © 2004 Network Presence, LLC. All rights reserved.