RE: [FW1] oh so frustrating IKE VPN problem



I know that the last time I set up an IKE VPN, I had to build the rules
something like this:

Create workstation objects with the external address of each of the
firewalls (leave everything else default).  Then, for each site, create a
group that contains the firewall object, internal network, and the new
workstation object for the respective site (for example, the "HonoluluGroup"
group might contain "HonoluluFW" and "HonoluluOutside" workstation objects
and a "HonoluluNet" network object; similarly for NewYorkGroup,
SanFranGroup, etc.).  Then, create one rule for each site as follows:

Source:  HonoluluGroup
Dest:  NewYorkGroup, SanFranGroup, DallasGroup
Service:  Any
Action: Encrypt
Track: Long

In this scenario, you'd need 3 more rules: one for each source site.

Although the documentation claims this isn't necessary, I could not get it
to work properly otherwise.  YMMV.

Hope that's a start...

Dan Hitchcock
CCNA, MCSE
Network Engineer
Xylo, Inc.
The work/life solution for corporate thought leaders


-----Original Message-----
From: Michael Liberte [mailto:[email protected]]
Sent: Thursday, December 14, 2000 5:10 AM
To: 'Chris Arnold'; '[email protected]'
Subject: RE: [FW1] oh so frustrating IKE VPN problem



Add an address translation rule that says that both encryption domains will
communicate between each other without address translation (original).
This rule must be on before all other NAT rules.
Give us some more information about the messages that you get in the log,
when you try to communicate between two sites.
HTH,
Michael.

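The two suggestions above, Dan's one-Encrypt-rule-per-source-site mesh layout and Michael's "Original" address translation rule that has to sit above every other NAT rule, both come down to first-match rulebase ordering. The following is an added toy model written for this page; it is not Check Point code, and the packet-flow order it assumes (the sender's NAT rulebase runs before the Encrypt rule is matched) is a deliberate simplification of FW-1 4.1 rather than its documented inspection order. The public addresses and host addresses are constructed; only the two /16s come from Chris's diagram.

```python
"""Toy first-match model of the NAT and Encrypt rules discussed in this thread.

Added illustration, not Check Point code.  Assumed simplification: the
sender's NAT rulebase is applied to the packet before the Encrypt rule is
matched, so a hide-NAT rule that fires first replaces the private source
with the firewall's external address and the Encrypt rule no longer matches.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Site:
    """One site: its internal network object and the firewall's external IP."""
    name: str
    net: IPv4Network
    fw_external: IPv4Address

    def group(self) -> tuple:
        """Site group as Dan describes it: internal net plus the firewall."""
        return (self.net, ip_network(f"{self.fw_external}/32"))


def member(addr: IPv4Address, objects) -> bool:
    """True if addr falls inside any network object in the tuple/group."""
    return any(addr in n for n in objects)


@dataclass(frozen=True)
class NatRule:
    src: tuple                        # original source objects
    dst: tuple                        # original destination objects
    xlate_src: Optional[IPv4Address]  # None means "Original" (no translation)


def apply_nat(rules, src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """First matching NAT rule wins; no match leaves the source untouched."""
    for r in rules:
        if member(src, r.src) and member(dst, r.dst):
            return src if r.xlate_src is None else r.xlate_src
    return src


@dataclass(frozen=True)
class EncryptRule:
    src: tuple  # Source column objects
    dst: tuple  # Dest column objects


def mesh_encrypt_rules(sites) -> list:
    """Dan's layout: one rule per site, Source = its group, Dest = all others."""
    rules = []
    for s in sites:
        others = tuple(n for o in sites if o is not s for n in o.group())
        rules.append(EncryptRule(s.group(), others))
    return rules


def decide(nat_rules, enc_rules, src: IPv4Address, dst: IPv4Address) -> str:
    """'encrypt' if an Encrypt rule matches the post-NAT packet, else 'drop'."""
    xsrc = apply_nat(nat_rules, src, dst)
    for r in enc_rules:
        if member(xsrc, r.src) and member(dst, r.dst):
            return "encrypt"
    return "drop"


# Constructed sample: Chris's two /16s; the public addresses are made up.
SITE_A = Site("SiteA", ip_network("10.3.0.0/16"), ip_address("192.0.2.1"))
SITE_B = Site("SiteB", ip_network("10.1.0.0/16"), ip_address("198.51.100.1"))
PRIVATE_NETS = (SITE_A.net, SITE_B.net)
INTERNET = (ip_network("0.0.0.0/0"),)

# Chris's single rule: (both private nets) (both private nets) ANY ENCRYPT
CHRIS_RULE = [EncryptRule(PRIVATE_NETS, PRIVATE_NETS)]
# Hide everything from site A behind its firewall's external address.
HIDE_A = NatRule((SITE_A.net,), INTERNET, SITE_A.fw_external)
# Michael's rule: private net to private net stays "Original".
NO_NAT = NatRule(PRIVATE_NETS, PRIVATE_NETS, None)


def nat_order_matters() -> dict:
    """Compare both NAT rulebase orders for one packet from site A to site B."""
    src, dst = ip_address("10.3.1.10"), ip_address("10.1.2.20")
    return {
        "hide_first": decide([HIDE_A, NO_NAT], CHRIS_RULE, src, dst),
        "original_first": decide([NO_NAT, HIDE_A], CHRIS_RULE, src, dst),
        # Internet-bound traffic is still hidden when NO_NAT is on top.
        "internet_still_hidden": apply_nat([NO_NAT, HIDE_A], src,
                                           ip_address("203.0.113.9")),
    }


if __name__ == "__main__":
    print(nat_order_matters())
    for r in mesh_encrypt_rules([SITE_A, SITE_B]):
        print("Source:", [str(n) for n in r.src], "Dest:", [str(n) for n in r.dst])
```

With the hide rule on top the packet reaches the Encrypt rule with the firewall's public address as its source, which is outside "both private nets", so the model drops it; with the "Original" rule on top the private source survives and the rule encrypts, while Internet-bound traffic still falls through to the hide rule. The mesh helper simply produces the N rules Dan describes, one per source site.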

-----Original Message-----
From: Chris Arnold [mailto:[email protected]]
Sent: Thursday, December 14, 2000 3:21 AM
To: '[email protected]'
Subject: [FW1] oh so frustrating IKE VPN problem



Hello, all.  I've been bumbling through a multiple FW-1/VPN-1 (4.1 SP2 on
one and 4.1 SP1 on the other) installation with the help of you all for a
few weeks now.  I'm at the final step and can't quite get it though.  I
followed CP's page on setting up an IKE site to site VPN tunnel between two
CP FWs ("How to setup gateway to gateway Single Entry Point (SEP) IKE VPN
tunnel with VPN-1 4.1?").

10.3.0.0/16 --> FW <--> Internet <--> FW <-- 10.1.0.0/16

Both private networks can reach the internet successfully with hide behind
NAT.  The trouble comes when I try to reach a private network from the
other.  I keep seeing drops due to the rule:

(both private nets) (both private nets) ANY ENCRYPT LONG GATEWAYS

I'm trying to do shared secret IKE with any encryption and hash.  The
encryption domains are two groups with their respective private networks and
FWs.  For the interface security of the FWs I have "others" associated with
the external interfaces and "this net" for all of the internal interfaces.

Any thoughts on how to get this going?  Will CP do the routing here or do I
need to add routes on the OS beneath it?  Licensing is correct also.  The FW
module works perfectly.  Sigh.

Chris


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================