[FW1] Mgmt. Console Migration & VPN Issues
Hi all, have an interesting situation happening, I'm really hoping someone can come to my rescue, I'm basically at my wits' end.

I have three locations, three firewalls. I originally had a main office with mgmt. console and VPN-1/FireWall-1 on the same machine, managing all three locations. Have VPNs between all three firewalls, everything working wonderfully! Also have a separate VPN to another Check Point not under my management; it is also working great. I have a 2nd Check Point firewall, which is a very cold standby (i.e. I have to manually copy things back and forth to keep it up-to-date). I decided to simplify this process by moving the mgmt. console off the firewall, re-installing _only_ the firewall module on the firewall machine, and moving all the rules over to the new firewall (by the way, all firewalls are running 4.1, SP2). I was able to move the mgmt. console fine, copied all the rules etc. over with no difficulty, using phoneboy's steps.

In a nutshell, here's what is happening.

1) I first switched location B and C over to talk to the new management console. This worked with no problems at all, and I still had my VPNs up between all locations.

2) Went to move away from the original firewall/mgmt. console combo to the new firewall talking to the new mgmt. console. This also worked great, and from the mgmt. console I am getting all logging from all three firewalls, can push rulebases no problem.

3) Here's where the problem starts. I can no longer get ANY of the VPNs to work anywhere. I don't even see A, B, or C try to do any key installs, let alone encrypt/decrypt any data. The remote location that is NOT under my mgmt. does a number of key installs with me when I first switch over, but is unable to actually send any encrypted data at all.

4) In my logs, I don't even see any of the locations attempting to talk.
What I do now see, which is new to me, is the external address of my firewall trying to talk to the external addresses of the remote firewalls, and getting dropped, due to Rule 0, reason: local interface address spoofing. I have verified that NO interfaces on ANY of the firewalls currently have address spoofing enabled.

Here are some of the things I've done to try to work around the problem (from searches, suggestions from other list readers, etc.).

1) Created the FW Mgmt. object, set it as a VPN-1 host, and set up IKE encryption on it. Someone suggested that the mgmt. console actually has to house the keys etc., so I thought I'd try that route. This had no appreciable effect.

2) Someone else suggested we needed an internal CA on the mgmt. object. Accordingly, I did that, also no appreciable effect.

I'm wondering if there was some other step that I needed to perform in order to move from the mgmt. console on the firewall to the mgmt. console as a separate entity, that I've missed completely. It doesn't make a lot of sense to me that the VPNs work great until I move to the new environment.

Any thoughts/suggestions/ideas anyone has would be greatly appreciated, I'm pretty well out of ideas at this point!

Thanks in advance,

Dave Millier, CISSP
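As an added triage aid (not from the original post, and not Check Point's own tooling): the script below scans log lines for the symptom described above, Rule 0 "local interface address spoofing" drops of IKE (UDP/500) or ESP traffic between known gateway external addresses, so the affected gateway pairs can be listed before comparing each gateway object's interface definitions on the new management station against the gateway itself. The simplified key=value log layout and the gateway addresses are constructed assumptions, not real FW-1 4.1 output.

```python
import re

# Constructed sample log lines in an assumed key=value layout (not real FW-1 4.1
# log export); only the triage logic matters here.
SAMPLE_LOG = """\
action=drop rule=0 reason="local interface address spoofing" src=203.0.113.1 dst=198.51.100.1 proto=udp dport=500
action=drop rule=0 reason="local interface address spoofing" src=203.0.113.1 dst=192.0.2.1 proto=esp
action=accept rule=3 src=10.1.1.5 dst=10.2.2.9 proto=tcp dport=80
action=drop rule=0 reason="local interface address spoofing" src=172.16.5.5 dst=10.1.1.1 proto=tcp dport=22
"""

# Assumed external addresses of the managed gateways and the partner gateway
# (RFC 5737 documentation ranges standing in for the real ones).
GATEWAY_EXTERNALS = {"203.0.113.1", "198.51.100.1", "192.0.2.1"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def is_vpn_traffic(rec):
    """IKE (UDP/500) or ESP is what a site-to-site VPN between gateways must pass."""
    proto = rec.get("proto", "").lower()
    return proto == "esp" or (proto == "udp" and rec.get("dport") == "500")


def find_peer_spoof_drops(log_text, gateways):
    """Return Rule 0 anti-spoofing drops of VPN traffic between known gateway addresses."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "drop" or rec.get("rule") != "0":
            continue
        if "spoof" not in rec.get("reason", "").lower():
            continue
        if rec.get("src") in gateways and rec.get("dst") in gateways and is_vpn_traffic(rec):
            hits.append(rec)
    return hits


def peers_affected(hits):
    """Unordered set of gateway pairs whose VPN traffic is being dropped."""
    return {frozenset((h["src"], h["dst"])) for h in hits}


if __name__ == "__main__":
    found = find_peer_spoof_drops(SAMPLE_LOG, GATEWAY_EXTERNALS)
    for h in found:
        print(f'{h["src"]} -> {h["dst"]} {h["proto"]} dropped by rule 0 ({h["reason"]})')
    print("gateway pairs affected:", len(peers_affected(found)))
```

The unrelated Rule 0 drop from an internal host (last sample line) is deliberately not flagged, since only gateway-to-gateway IKE/ESP drops point at the VPN problem.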