
[FW1] Mgmt. Console Migration & VPN Issues



Hi all, I have an interesting situation happening; I'm really hoping someone
can come to my rescue, as I'm basically at my wits' end.

I have three locations, three firewalls.  I originally had a main office
with mgmt. console and vpn-1/firewall-1 on same machine, managing all three
locations.  Have vpns between all three firewalls, everything working
wonderfully!  Also have a separate vpn to another check point not under my
management, and it is also working great.  I have a 2nd Check Point firewall,
which is a very cold standby (i.e. I have to manually copy things back and
forth to keep it up-to-date).  I decided to simplify this process by moving
the mgmt. console off the firewall, re-installing _only_ the firewall module
on the firewall machine, and moving all the rules over to the new firewall
(by the way, all firewalls are running 4.1, SP2).  I was able to move the
mgmt. console fine, copied all the rules etc. over no difficulty, using
phoneboy's steps.  In a nutshell, here's what is happening.

1)  I first switched location B and C over to talk to the new management
console.  This worked with no problems at all, and I still had my vpns up
between all locations.
2)  Went to move away from original firewall/mgmt. console combo to new
firewall talking to new mgmt console.  This also worked great, and from the
mgmt. console I am getting all logging from all three firewalls, can push
rulebases no problem.
3)  Here's where the problem starts.  I can no longer get ANY of the VPNs to
work anywhere.  I don't even see A, B, or C try to do any key installs, let
alone encrypt/decrypt any data.  The remote location that is NOT under my
mgmt. does a number of key installs with me when I first switch over, but is
unable to actually send any encrypted data at all.
4)  In my logs, I don't even see any of the locations attempting to talk.
What I do now see, which is new to me, is the external address of my
firewall trying to talk to the external addresses of the remote firewalls,
and getting dropped, due to Rule 0, reason: local interface address
spoofing.  I have verified that NO interfaces on ANY of the firewalls
currently have address spoofing enabled.

Here's some of the things I've done to try to work around the problem (from
searches, suggestions from other list readers, etc.).

1)  Created the FW Mgmt. object, set it as a VPN1 host, and set up IKE
encryption on it.  Someone suggested that the mgmt. console actually has to
house the keys etc., so I thought I'd try that route.  This had no
appreciable effect.
2)  Someone else suggested we needed an internal CA on the mgmt. object.
Accordingly, I did that, also no appreciable effect.

I'm wondering if there was some other step that I needed to perform in order
to move from the mgmt. console on the firewall to the mgmt. console as a
separate entity, that I've missed completely.  It doesn't make a lot of
sense to me that the VPNs work great until I move to the new environment.

Any thoughts/suggestions/ideas anyone has would be greatly appreciated; I'm
pretty well out of ideas at this point!

Thanks in advance,

Dave Millier, CISSP





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================