RE: [FW1] Solved - Hybrid IKE breaks Site-to-Site VPN?
I'm not happy with the way I discovered it, or the fact the aggressive mode is the only way to get it to work. The up side is that at least they have fixed this in SP4 (which is why it was mentioned in the release notes).

-----Original Message-----
From: Dallas Bishoff [mailto:[email protected]]
Sent: 19 July 2001 12:18
To: [email protected]
Cc: [email protected]
Subject: Re: [FW1] Solved - Hybrid IKE breaks Site-to-Site VPN?

Richard:

Thanks for sharing that...however, I'm not sure the recommendation should be that casual. Aggressive Mode significantly changes the integrity of mutual authentication under IPSec...as in, should I trust the other end before I agree to establish the connection. I'd prefer if the vendors are going to make a recommendation like this to achieve functionality, they indicate (1) they are working towards full functionality still, and (2) an explanation of the impacts of what they just recommended you do.

Let me explain it slightly differently, Microsoft doesn't set up IPSec using Aggressive Mode...they use Main Mode with W2K now. It's not that computationally difficult (6 packets versus 3 packets and some math) with the current generation of processors. So, what's the problem with Check Point here.

Regards!!!

Dallas N. Bishoff
CISSP, MCSE+I, MCT, CCA,
Internet Security Systems Engineer (ICE)
Check Point Certified Security Engineer (CCSE)
Nokia Security Administrator (NSA)
Nokia VPN Gateway Administrator
Nokia Security Instructor
RSA Certified Systems Engineer - SecurID (RSA/CSE - 4.0 & 5.0)
RSA Certified Instructor - SecurID (RSA/CI - 4.0 & 5.0)

From: "Richard Marshall" <[email protected]>
Reply-To: <[email protected]>
To: <[email protected]>
Subject: [FW1] Solved - Hybrid IKE breaks Site-to-Site VPN?
Date: Wed, 18 Jul 2001 12:14:35 +0100

I have found the answer to the following question by looking through the release notes of SP-4. (Which makes me think, if they knew about it, then why was there no mention of it on the Knowledgebase.........)
from the release notes...

"28) An IKE VPN would fail if Hybrid IKE was implemented without Aggressive Mode."

so there you have it. enable Aggressive Mode. I have and it works... thanks Check Point.

---------Original Message---------

Hi Gurus

Still having problems with Hybrid IKE...

The system is as follows:

mngmnt server behind IP440 cluster. public webservers on DMZ and intranet/other servers on LAN net.
head-office site behind IP330 (no cluster) also with DMZ and LAN
four other sub-offices each behind IP330's. LAN only, no DMZ's.

When the cluster wall (but no others) has Hybrid IKE support checked in its VPN IKE properties, then hybrid SR clients can access this encryption domain without problems, but get 'IKE not properly defined for user' when trying to access the other encryption domains, which is expected. The main (site-to-site) VPN works without problems.

When I check the hybrid IKE box for the other gateway objects then hybrid SR users can access all the encryption domains but the main site to site VPN gets errors. (it doesn't completely fail, but it does have major problems.)

The main site to site VPN uses pre-shared secrets. I have also checked the Public Key box and selected the Certificate for each wall. (I use the certificate that the internalCA command on the mngmnt server produces). But from the documentation I understand that the preshared secrets over-ride this option.

I seem to get different 'levels' of VPN failure at different sites when the hybrid box is checked. The head-office VPN seems to fail almost completely. Sites in Germany, Austria and Sweden have problems on some rules but not others. The UK site works regardless of how the hybrid box is checked, as does the 'cluster' site.

All Firewalls are running IPSO 3.2.1 FCS1 w/ FW4.1 SP2, except UK which is IPSO 3.3-FCS8 FW4.1 SP3. If it weren't for the fact the cluster works properly I'd blame this...
I have checked all the encryption properties of the rules to see if they are misconfigured but they all check out. (i.e. there is no pattern between VPN problems and rules, so I can rule out the rule-base as the problem....)

Please can someone out there help? I have looked through the Nokia and Checkpoint KB's along with the phoneboy site and any other docs I can get my hands on and have never seen this mentioned before.

thanks again for your help

rich :)

-----Original Message-----
From: Crazy Horse [mailto:[email protected]]
Sent: 13 July 2001 11:44
To: [email protected]
Subject: RE: Hybrid IKE - got this running with SecurID

We may have crossed wires. From what you have said you have (1) Securemote Users - Client to Firewall VPN's and (2) (your)Firewall to (some other)Firewall VPN's. If you change the props on your firewall to have Securemote connections supported for hybrid IKE, any VPN's to other firewalls must also have this prop set.

TCH

> From: "Richard Marshall" <[email protected]>
> Reply-To: <[email protected]>
> To: "'Crazy Horse'" <[email protected]>
> Subject: RE: Hybrid IKE - got this running with SecurID
> Date: Fri, 13 Jul 2001 11:22:12 +0100
>
> When you say 'is IKE enabled on the remote firewall' what do you mean exactly? The only place that I can see that you can define it is the check box that is causing the problems.
>
> -----Original Message-----
> From: Crazy Horse [mailto:[email protected]]
> Sent: 13 July 2001 11:21
> To: [email protected]
> Subject: RE: Hybrid IKE - got this running with SecurID
>
> Is hybrid IKE enabled on the remote firewall? If not, the Key Exchange will be affected and this will break your VPN. The properties on each side have to be identical.
>
> > From: "Richard Marshall" <[email protected]>
> > Reply-To: <[email protected]>
> > To: "'Crazy Horse'" <[email protected]>
> > Subject: RE: Hybrid IKE - got this running with SecurID
> > Date: Fri, 13 Jul 2001 09:35:25 +0100
> >
> > no, but that is pretty much the situation. :(
> >
> > I'm starting to get the impression that it could actually be down to the control.map file. I'll look today and let you know if I get lucky.
> >
> > :)
> >
> > -----Original Message-----
> > From: Crazy Horse [mailto:[email protected]]
> > Sent: 13 July 2001 09:29
> > To: [email protected]
> > Subject: RE: Hybrid IKE - got this running with SecurID
> >
> > Let me get this right, enabling "Hybrid IKE" fixes your SecuRemote users but breaks your main VPN?
> >
> > I'm afraid you've trumped me there ..... any other symptoms?
> >
> > TCH
> >
> > > From: "Richard Marshall" <[email protected]>
> > > Reply-To: <[email protected]>
> > > To: "'Crazy Horse'" <[email protected]>
> > > Subject: RE: Hybrid IKE - got this running with SecurID
> > > Date: Thu, 12 Jul 2001 17:30:34 +0100
> > >
> > > Hi,
> > >
> > > thanks for your mail! :)
> > >
> > > I've the system 99% running now. It's just that 1% that's making it all fail....
> > >
> > > We are using hybrid mode IKE with RADIUS auth. (a win2k server running IAS).
> > >
> > > I will explain the problem.
> > >
> > > The system will work for all my encryption domains except one, the most important (of course). It is centered around one thing. When I go to edit the IKE properties under the VPN tab of the gateway object there is a check box saying 'VPN-1 & FireWall-1 authentication for SecuRemote (Hybrid Mode)'.
> > >
> > > I know that I need to check this box to allow hybrid users to access the encryption domain. (I have tried without and get 'IKE not properly defined for user' - though I'm sure I'm telling you stuff you already know...)
> > >
> > > The problem is that when I check this box for the encryption domain of the head office, SecuRemote works fine, but the main VPN fails for this domain. The error in the log says 'encryption failure: error occurred scheme: IKE'. When the box is not checked it is all fine again.
> > >
> > > What I find particularly confusing is that the other sites have this checkbox marked, but don't get this problem. I have the same policy on all of the firewalls in question.
> > >
> > > If you have any ideas what I'm doing wrong I'd love to hear.
> > >
> > > thanks again,
> > >
> > > rich
> > >
> > > -----Original Message-----
> > > From: Crazy Horse [mailto:[email protected]]
> > > Sent: 12 July 2001 16:50
> > > To: [email protected]
> > > Subject: Hybrid IKE - got this running with SecurID
> > >
> > > What's the problem? Is this your first time configuration?
> > >
> > > I've got this going with Securemote and IKE encryption coming from behind differing NAT devices. The authentication scheme uses Ace Server's Securid.
> > >
> > > I read a couple of docs from Phoneboy and got it up and running.
> > >
> > > TCH
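As an added illustration of the trade-off Dallas describes (this is not code from the thread, Check Point or Nokia), the following Python models IKEv1 phase 1 with a pre-shared key in both modes: Main Mode needs six messages because the identities and the PSK-keyed hashes are sent only after the Diffie-Hellman exchange lets them be encrypted, while Aggressive Mode fits in three by sending them in the clear. The DH group, nonce sizes and key schedule are simplified stand-ins, and the peer names are constructed.

```python
"""Toy model of IKEv1 phase 1 with a pre-shared key: Main Mode (6 messages)
beside Aggressive Mode (3 messages). Added illustration, not Check Point,
Nokia or RFC reference code. The DH group, nonce sizes and key schedule are
simplified stand-ins (constructed); what the model preserves is the ORDER of
the exchange and which payloads are sent before the peers can encrypt."""
import hashlib, hmac, secrets

P, G = 2**127 - 1, 2  # constructed toy group, not a real IKE DH group

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def auth_hash(psk, ni, nr, ke_i, ke_r, ident):
    """HASH_I / HASH_R in the spirit of RFC 2409: keyed by SKEYID = prf(PSK, Ni|Nr)
    over both public DH values and the asserted identity."""
    return prf(prf(psk, ni + nr), ke_i + ke_r + ident)

def phase1(mode, psk, id_i=b"fw-headoffice", id_r=b"fw-cluster"):
    """Messages in transmission order as (sender, {payload: value}, encrypted)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    ke_i, ke_r = (pow(G, x, P).to_bytes(16, "big") for x in (xi, xr))
    h_i = auth_hash(psk, ni, nr, ke_i, ke_r, id_i)
    h_r = auth_hash(psk, ni, nr, ke_i, ke_r, id_r)
    if mode == "main":
        return [("I", {"SA": b"proposal"}, False), ("R", {"SA": b"accept"}, False),
                ("I", {"KE": ke_i, "Ni": ni}, False), ("R", {"KE": ke_r, "Nr": nr}, False),
                # both sides now derive SKEYID; identities and hashes travel encrypted
                ("I", {"IDii": id_i, "HASH_I": h_i}, True),
                ("R", {"IDir": id_r, "HASH_R": h_r}, True)]
    if mode == "aggressive":
        return [("I", {"SA": b"proposal", "KE": ke_i, "Ni": ni, "IDii": id_i}, False),
                # responder commits to its identity and PSK-keyed hash in message 2,
                # before any shared secret exists to protect them
                ("R", {"SA": b"accept", "KE": ke_r, "Nr": nr, "IDir": id_r,
                       "HASH_R": h_r}, False),
                ("I", {"HASH_I": h_i}, False)]
    raise ValueError(mode)

def on_the_wire(exchange):
    """Payload names a passive observer can read because they were sent in clear."""
    return sorted({p for _, payloads, enc in exchange if not enc for p in payloads})

def psk_hash_observable(exchange):
    """True when HASH_R and every value it is computed over were sent in clear,
    so the PSK is the only input an observer does not already hold. This is the
    mutual-authentication weakening the thread warns about."""
    return {"HASH_R", "Ni", "Nr", "KE", "IDir"} <= set(on_the_wire(exchange))
```

Running `phase1("main", psk)` and `phase1("aggressive", psk)` side by side gives the 6-versus-3 message counts Dallas mentions, and `on_the_wire` shows that only Main Mode keeps the identities and hashes off the wire.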
================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================