
RE: [FW1] Setting up VPN tunnel from FW-1 to Watchguard Firebox..



Hi.
 
Well, as you said, after a lot of trial and error, we got this working.  I was aware already of the hardcoded phase-1 negotiation, and this was already set.  As I wasn't actually in front of the Watchguard, I'm not 100% certain what the engineer was changing on his end, so I only have my 'take' on it....
The Watchguard will not establish a VPN to a whole subnet, by the looks of things - you must define individual hosts for the endpoint behind the FW-1, and an individual VPN to each of them from the Watchguard point of view (I believe that this had been posted already.)
In hindsight I don't think that there are too many problems setting this up, except that the Watchguard is almost an out-of-the-box product, and isn't the most configurable firewall around. The Firewall-1 was configured as you would for any standard VPN.  All the changes that we made to the VPN configuration were done at the Watchguard, like you said - with lots of trial and error!
Sorry that I can't offer any more!
 
James.
-----Original Message-----
From: Dave Millier [mailto:[email protected]]
Sent: 14 June 2001 19:38
To: James Clarke; 'Goetz, Jarrett'
Cc: FW-1 Mailing List (E-mail)
Subject: RE: [FW1] Setting up VPN tunnel from FW-1 to Watchguard Firebox..

I have built a VPN successfully with a Watchguard and a Check Point 4.1.  I've got beyond the "no response from peer" error you're seeing through a lot of trial and error.  One thing I found out which I was unaware of is that Phase 1 is _hard-coded_ on the Watchguard, and can ONLY be DES and SHA1.  Once I made the changes on my config to reflect this, the VPN negotiation worked fine.  However, I have a new problem:  when I try to get packets back and forth between the two networks I've defined, I get an "encryption failure: gateway connected to both endpoints scheme: IKE" error message. I've looked at everything I can think of to resolve this, no luck.  Any thoughts on my problem?  Oh and hey, let me know if what I've put down above re: the hard-coded Phase 1 values solves your problems!
 
Dave Millier, CISSP
-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of James Clarke
Sent: Wednesday, June 13, 2001 4:11 AM
To: 'Goetz, Jarrett'
Cc: FW-1 Mailing List (E-mail)
Subject: RE: [FW1] Setting up VPN tunnel from FW-1 to Watchguard Firebox..

Hi Jarrett
 
So far, no news.  Am about to escalate to Checkpoint support through our reseller....  I will post info once I get anything worth posting.
 
Thanks,
James.
-----Original Message-----
From: Goetz, Jarrett [mailto:[email protected]]
Sent: 13 June 2001 05:14
To: James Clarke
Subject: RE: [FW1] Setting up VPN tunnel from FW-1 to Watchguard Firebox..

Jim, I will have to do the same thing shortly, did you get any good answers to this?

Thanks.

Jarrett

-----Original Message-----
From: James Clarke [mailto:[email protected]]
Sent: Thursday, June 07, 2001 03:59
To: FW-1 Mailing List (E-mail)
Subject: [FW1] Setting up VPN tunnel from FW-1 to Watchguard Firebox..



Hi

I am trying to establish a VPN between a Firewall-1 4.1 to a Watchguard
Firebox II.  All appears to be configured correctly, but when I try to bring
the VPN up, the Checkpoint log file shows "no response from peer" and the
Firebox shows "from <FW-1_ip_address>. Sending INVALID_COOKIE message."

Does anyone have any experience of setting this type of connection up?  I
have followed a tech note from Watchguard, and this has proved
inconclusive...

Thanks in advance,
James Clarke

