NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 



RE: [FW1] FWZ vs. IKE



Ok... resolved... thanks Paul, Robert, Keith, and CryptoTech (on the other thread)
 
Issue was that VPN was defined on the workstation object as well.  I was using the pre-shared secret as the user password as well...  So when I thought I was authenticating the user, I was still only authenticating the machine.
 
I still find it disturbing that you can't do Client Encrypt based on users from a machine that is defined on the firewall as using VPN.
 
(If the machine is defined to use VPN... it seems to completely ignore the username you input in SR... and just verifies that the password matches the pre-shared secret??)
 
Thanks again for all the help
 
-----Original Message-----
From: Jason Kent [mailto:[email protected]]
Sent: Wednesday, November 15, 2000 8:16 AM
To: Jason Kent; 'Robert MacDonald'; '[email protected]'; '[email protected]'
Subject: RE: [FW1] FWZ vs. IKE

Let me jump on the bad form bandwagon here... and reply to myself...

It just dawned on me...   Can I really do a pre-shared secret with a user??  My secrets that match are on the workstation the user is using and on the firewall...

In the user properties... I select IKE... and am given the choice to use either "password" or "certificate" authentication... of course I was putting in my same user password which was the same as the pre-shared secret for my test workstation... that is where I was confused and believed that the secret was properly set....

So, let me ask, can I do pre-shared secrets with users somehow? or do I have to do certificates... (which, by the way, I have no idea how to make work.... so I'd like to avoid it... I'm under the impression that to do that I'd have to have a certificate server, we have a server running 2000 that doesn't have much of a load on it... and we are only talking 5-10 users total... but I have no idea where to start if I need to make that a cert server... can someone point me in the right direction there... everything I read just says to make a cert server... but I need to know how....)

Thanks for all the help

Jason


> -----Original Message-----
> From: Jason Kent
> Sent: Wednesday, November 15, 2000 7:53 AM
> To: 'Robert MacDonald';
> [email protected]; Jason
> Kent; [email protected]
> Subject: RE: [FW1] FWZ vs. IKE
>
>
> Robert, thanks again for the suggestions....still no luck though
>
> I double checked all of these:
>
> SR client default scheme is IKE
> IKE is checked in the FW object (with 3DES, SHA1, MD5,
> Supports Aggressive Mode, and Supports Subnets all checked)
> User Object IKE is allowed (ESP, MD5 and 3DES are selected)
> Secrets certainly match, retyped them both.. just to make sure...
>
> IKE not blocked, nothing shows in logs, logs are filled with
> nothing after the initial 2/3 IKE entries that should be there
>
> encryption domain (network object x.x.x.128 mask
> 255.255.255.128 - the internal interface is .229) and that
> object is selected as the encryption domain in the FW object.
>
> external interface is x.x.x.10 mask 255.255.255.192
> certainly no overlap (no security or spoof settings on any
> interfaces at this point either)
>
> Supports Subnets is checked in IKE properties
> and encryption levels do seem to match....
>
> yes..create and update site in SR is fine... (and SR works
> when pushed through a workstation -> network ->
> whateverservice -> accept rule)
>
> userc.c  - yes... the :obj section is the x.x.x.10 interface.
>
>
>
> From the logs the IKE phase 1 (secret key) succeeds.. then
> workstation sends its phase 2 packets.. and the firewall just
> doesn't care to reply if they arrived from a Client Auth
> rule.... but if they come from an accept rule, everything
> works great.. (this holds true for every service I've tried;
> telnet, ftp, http, pcanywhere)
>
> Of course when things fail...the client app just times out...
>
>
> I normally like to find and solve the problem without
> rebuilding... but if I must, rebuilding is an option...  but
> I can't stand throwing in the towel yet.... so... Any other
> ideas would be greatly appreciated.....
>
> Thanks in advance...
>
> Jason
>
>
>
>
>
> > -----Original Message-----
> > From: Robert MacDonald [mailto:[email protected]]
> > Sent: Tuesday, November 14, 2000 7:51 PM
> > To: [email protected]; [email protected];
> > [email protected]
> > Subject: RE: [FW1] FWZ vs. IKE
> >
> >
> >
> > Jason,
> >
> > Some reasons it may not work:
> >
> > Your SR client default encryption scheme is not IKE.
> > You haven't checked IKE in fw object.
> > You haven't allowed user objects to use IKE.
> > Your secret keys do not match.
> > Your IKE rule is blocked (that would show in the logs.)
> > Your encryption domain is wrong (care to look for the 101st time ;)
> > Your external interface is included in your encryption domain??
> > 'Supports keys exchange for Subnets' is not checked (may not need
> > it. Found in IKE properties of fw object.)
> > Your encryption levels do not match
> >
> > I assume(ack) that you successfully can create/update the site
> > in SR.
> >
> > In userc.C right above the 'ifaddrs' section, there is a reference
> > to :obj. Make sure that the IP is that of your external inf
> > of the fw.
> > From your comments, it sounds like it will be.
> >
> > Robert
> >
> > - -
> > Robert P. MacDonald, Network Engineer
> > Team Lead, e-Business Infrastructure
> > G o r d o n   F o o d    S e r v i c e
> > Voice:email: [email protected]
> >
> > >>> Jason Kent <[email protected]> 11/14/00 6:46:01 PM >>>
> > >Ok... quick note..  I did find the source of my messed up
> > >userc.c file...  a typo on one of my firewall object interface
> > >definitions... although with that broken, I'm surprised anything
> > >worked...
> > >
> > >in any case... I fixed that... reinstalled the policy, deleted the
> > >site in SecuRemote, recreated it... and still no luck... client
> > >encrypt rules still seem to be broken.... no traffic being logged.
> > >
> > >Help ?
> > >
> > >-----Original Message-----
> > >From: Jason Kent [mailto:[email protected]]
> > >Sent: Tuesday, November 14, 2000 3:02 PM
> > >To: 'Paul Carmichael'; Jason Kent;
> > >'[email protected]'
> > >Subject: RE: [FW1] FWZ vs. IKE
> > >
> > >Hi Paul, thanks.....
> > >
> > >Yes, I meant to mention that the Enc Domain was set to my
> > internal network
> > >object.  I just double checked for the 100th time too...just
> > to be sure ;-)
> > >
> > >I assume you mean on the client side... (there is none on
> > the server side)
> > >
> > >I do see an extraneous entry or two for an interface that is
> > not in use
> > >anymore....
> > >I'm not really up on the anatomy of a userc.c file... but
> > i'll give this a
> > >shot...
> > >
> > >in my site definition section....
> > >
> > >:ifaddrs (
> > >        : (external IP of firewall)
> > >        : (internal IP #1 on firewall)  (not the encryption domain)
> > >        : (just plain wrong IP)
> > >
> > >then each of those is broken down in detail in the :topology
> > >section AND there is a 4th entry there with the proper IP and mask
> > >for the encryption domain network object, BUT the name for that
> > >entry is wrong..  it is Nickname.madeupwordhere instead of
> > >Nickname.FWName
> > >
> > >Thanks ....I will give it a shot and try to 'correct' these
> > ...  any tips
> > >for userc.c anatomy resources would be appreciated.
> > >
> > >> -----Original Message-----
> > >> From: Paul Carmichael [ mailto:[email protected]
> > ><mailto:[email protected]> ]
> > >> Sent: Tuesday, November 14, 2000 2:23 PM
> > >> To: 'Jason Kent'; '[email protected]'
> > >> Subject: RE: [FW1] FWZ vs. IKE
> > >>
> > >> Jason,
> > >>
> > >> Can you confirm that you have your internal network
> > specified in the
> > >> Firewalls encryption domain. Also check that userc.c
> file contains
> > >> information regarding your internal network. There looks to
> > >> be some sort of
> > >> an issue there.
> > >>
> > >> Paul Carmichael
> > >> -----Original Message-----
> > >> From: Jason Kent [ mailto:[email protected]
> > <mailto:[email protected]> ]
> > >
> > >> Sent: Wednesday, 15 November 2000 7:21 AM
> > >> To: '[email protected]'
> > >> Subject: [FW1] FWZ vs. IKE
> > >>
> > >> Is there any reason that FWZ would work with Client Encrypt
> > >> Rules and IKE with preshared secrets would not?
> > >> I have FWZ working with both Accept and Client Encrypt Actions...
> > >> IKE works fine with Accept actions (I have Decrypt on Accept
> > >> checked) but will NOT pass any traffic on a Client Encrypt action.
> > >> Using 4.1 SP2 3DES with SR build 4165....
> > >> When the problem occurs (trying to pass through a client
> > >> encrypt rule) the log files simply show:
> > >> 1. workstation to firewall IKE Log: Phase 1 (aggressive)
> > >> completion. 3DES/MD5/Pre shared secrets Negotiation ID: (insert ID here)
> > >> 2. workstation to firewall scheme IKE methods: Combined
> > >> 3DES+SHA1 (phase 2 completion) for host x.x.x.x and for subnet
> > >> 0.0.0.0 (mask=0.0.0.0)
> > >> and then NOTHING... no drops.. no decrypts.. no traffic.. no
> > >> nothing....
> > >> The test workstation is on the same subnet as the external
> > >> interface... I'm not sure what all those 0's are about... any ideas?
> > >>
> > >> If I use an accept rule, I get the same two entries... PLUS a 3rd:
> > >> firewall to workstation scheme IKE methods: Combined ESP:
> > >> 3DES+SHA1 (phase 2 completion) for subnet x.x.x.x (mask
> > >> 255.255.255.192) and for host x.x.x.x
> > >> (the subnet and mask correctly describes my encryption
> > >> domain... and the host IP is the test workstation, just as in
> > >> entry number 2 in the logs)
> > >> and then things work... lots of decrypts and traffic flows
> > >> nicely...
> > >> So bottom line... what is it about IKE with preshared secrets
> > >> and Client Encrypt actions??  something special I need to check?
> > >> any help would be greatly appreciated...
> > >> Thanks,
> > >> Jason
> >
> >
> >
> >
> > ==============================================================
> > ==================
> >      To unsubscribe from this mailing list, please see the
> > instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ==============================================================
> > ==================
> >
>
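The behaviour reported in the resolution at the top of this thread (the gateway authenticating the machine by its pre-shared secret and ignoring the username typed into SecuRemote), as an added example that is not part of the thread and not Check Point code. It models IKEv1 aggressive-mode pre-shared-key authentication as defined in RFC 2409 and assumes, as the thread reports, that a gateway which finds a pre-shared secret on the workstation object matching the peer's address uses that secret before it ever looks at the ID payload; that precedence rule, the addresses, usernames and secrets are all constructed for the example.

```python
# Added example (not from the thread, not Check Point code): a model of IKEv1
# aggressive-mode pre-shared-key authentication, showing why a secret defined
# on the workstation object authenticates the machine and leaves the
# SecuRemote username unchecked.
import hashlib
import hmac
import os

# RFC 2409 section 5.4, authentication with a pre-shared key:
#   SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
#   HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
# prf is HMAC keyed with the negotiated hash; SHA-1 here.
def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def hash_i(psk, ex):
    skeyid = prf(psk, ex["ni"] + ex["nr"])
    return prf(skeyid, ex["g_xi"] + ex["g_xr"] + ex["cky_i"] + ex["cky_r"]
               + ex["sa_i"] + ex["id_i"])

def new_exchange(id_i):
    """Public values of one aggressive-mode exchange.  Constructed sample
    data: real Diffie-Hellman values and cookies are stood in for by random
    bytes, which is all the hash computation needs."""
    return {
        "ni": os.urandom(16), "nr": os.urandom(16),
        "g_xi": os.urandom(32), "g_xr": os.urandom(32),
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),
        "sa_i": b"3DES/SHA1/pre-shared/aggressive",
        "id_i": id_i,   # IDii: the username typed into the SecuRemote client
    }

class Gateway:
    """Assumed gateway behaviour, modelling what the thread observed: a peer
    whose address matches a workstation object that carries an IKE
    pre-shared secret is authenticated with that secret, and only otherwise
    is the ID payload looked up as a user.  This precedence is the example's
    assumption, not documented FireWall-1 logic."""

    def __init__(self, workstations, users):
        self.workstations = workstations   # ip -> pre-shared secret
        self.users = users                 # username -> IKE password

    def select_secret(self, src_ip, id_i):
        if src_ip in self.workstations:
            return self.workstations[src_ip], "machine:" + src_ip
        name = id_i.decode("ascii", "replace")
        if name in self.users:
            return self.users[name], "user:" + name
        return None, None

    def authenticate(self, src_ip, ex, client_hash):
        """Return the principal the gateway believes it authenticated, or None."""
        secret, principal = self.select_secret(src_ip, ex["id_i"])
        if secret is None:
            return None
        # HASH_I is recomputed with the selected secret.  IDii is only an
        # input to that hash, so once the secret was chosen by address any
        # username the client sent verifies against the machine secret.
        if not hmac.compare_digest(hash_i(secret, ex), client_hash):
            return None
        return principal

def ike_login(gateway, src_ip, username, secret):
    """Client side: build the exchange, prove possession of the secret via
    HASH_I, and return what the gateway authenticated (None on failure)."""
    ex = new_exchange(username.encode())
    return gateway.authenticate(src_ip, ex, hash_i(secret, ex))

WS_IP = "192.0.2.10"             # constructed address of the test workstation
SHARED = b"same-value-for-both"  # reused as PSK and as user password, as in the thread

def thread_setup():
    """Jason's original configuration: VPN (pre-shared secret) defined on the
    workstation object, and the same value set as the user's IKE password."""
    return Gateway({WS_IP: SHARED}, {"jason": SHARED})

def fixed_setup():
    """The resolution: no secret on the workstation object, so the user
    object is what gets authenticated."""
    return Gateway({}, {"jason": SHARED})

if __name__ == "__main__":
    gw = thread_setup()
    print("bogus user, original config:", ike_login(gw, WS_IP, "nobody", SHARED))   # machine:192.0.2.10
    gw = fixed_setup()
    print("bogus user, fixed config:   ", ike_login(gw, WS_IP, "nobody", SHARED))   # None
    print("real user, fixed config:    ", ike_login(gw, WS_IP, "jason", SHARED))    # user:jason
    print("real user, wrong secret:    ", ike_login(gw, WS_IP, "jason", b"wrong"))  # None
```

With the original configuration the login as "nobody" succeeds because the gateway never consults the user database at all, and reusing the same string as machine secret and user password is what hid that: every test looked like a user authentication. The practical check is to give the two credentials different values while debugging, so a machine-level match cannot masquerade as a user-level one, and then to remove the pre-shared secret from the workstation object, which is what resolved the thread.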
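Robert's checklist from further down the thread, as an added example that is not part of the thread: the items that can be checked mechanically (scheme, IKE enabled on the firewall and user objects, matching secrets, internal interface inside the encryption domain, external interface outside it, :obj in userc.C equal to the external interface, a common encryption method) applied to a description of the site. The dictionary keys are this example's own; the addressing follows what Jason posted, with 192.0.2.0/24 standing in for the masked x.x.x network, and the secrets and method lists are constructed.

```python
# Added example (not from the thread): the checklist as a function over a
# description of the SecuRemote/FireWall-1 site.  Field names are this
# example's own; addresses use 192.0.2.0/24 in place of the masked x.x.x.
import ipaddress

def check_ike_site(site):
    """Apply each checklist item and return the findings (empty when all pass)."""
    findings = []
    ext = ipaddress.ip_interface(site["external_interface"])
    internal = ipaddress.ip_interface(site["internal_interface"])
    domain = [ipaddress.ip_network(n) for n in site["encryption_domain"]]

    if site["sr_default_scheme"] != "IKE":
        findings.append("SecuRemote default scheme is %s, not IKE" % site["sr_default_scheme"])
    if not site["fw_object_ike"]:
        findings.append("IKE not enabled on the firewall object")
    if not site["user_ike_allowed"]:
        findings.append("user object not allowed to use IKE")
    if site["fw_secret"] != site["client_secret"]:
        findings.append("pre-shared secrets do not match")
    if not any(internal.ip in net for net in domain):
        findings.append("internal interface %s is outside the encryption domain" % internal.ip)
    # The external interface (and the subnet it sits on) must not be part of
    # the encryption domain, or traffic to the gateway itself gets selected
    # for encryption.
    if any(ext.network.overlaps(net) for net in domain):
        findings.append("external interface %s is inside the encryption domain" % ext.ip)
    if ipaddress.ip_address(site["userc_obj_ip"]) != ext.ip:
        findings.append(":obj in userc.C is %s, expected external interface %s"
                        % (site["userc_obj_ip"], ext.ip))
    if not set(site["fw_ike_methods"]) & set(site["user_ike_methods"]):
        findings.append("no IKE method common to firewall and user objects")
    return findings

# Jason's site as posted: encryption domain x.x.x.128/25 with the internal
# interface at .229, external interface x.x.x.10/26, :obj set to the
# external address.  Secrets are constructed.
THREAD_SITE = {
    "sr_default_scheme": "IKE",
    "fw_object_ike": True,
    "user_ike_allowed": True,
    "fw_secret": "test-secret",
    "client_secret": "test-secret",
    "external_interface": "192.0.2.10/26",
    "internal_interface": "192.0.2.229/25",
    "encryption_domain": ["192.0.2.128/25"],
    "userc_obj_ip": "192.0.2.10",
    "fw_ike_methods": ["3DES", "SHA1", "MD5"],
    "user_ike_methods": ["ESP", "MD5", "3DES"],
}

# Constructed misconfiguration for contrast: the whole /24 as encryption
# domain, which pulls the external interface into it.
BROKEN_SITE = dict(THREAD_SITE, encryption_domain=["192.0.2.0/24"])

if __name__ == "__main__":
    print("thread site:", check_ike_site(THREAD_SITE))
    print("broken site:", check_ike_site(BROKEN_SITE))
```

The thread's own configuration passes every mechanical item, which is consistent with how it ended: the remaining cause (a pre-shared secret on the workstation object) is a question of which object the peer is matched against, not of any value on this list.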



 
   All contents © 2004 Network Presence, LLC. All rights reserved.