
RE: [FW1] IKE mode for Secure Client connections
Aggressive mode is the default option for remote access environments
regardless of whether the aggressive mode option is selected through FWPolicy or
not.

The reason for this goes way back to issues with IKE and remote access
when the IP of the remote peer is not known ahead of time. This made it
impossible to use main mode because SKEYID_e must be generated before the
hash is built.

The solution to your problem is to turn on Hybrid mode IKE in FireWall-1.
This is true even if you have no plans to utilize 3rd party credentials. The
other option requires the use of certificates, but that means you must
change your authentication use from pre-shared secrets to certificates. Main
mode is the default for both Hybrid mode and certificates due to the extra
information that needs to be exchanged in Phase I.

Therefore, enable Hybrid mode IKE on FireWall-1. Please follow the proper
documentation for doing this. Next, keep your users' pre-shared secrets as
is. This configuration does not require any changes to the user definition.

Next, after Hybrid mode IKE is enabled, update the site for a given
client. From the topology download the client will acquire information that
states Hybrid mode IKE should be used for Phase I key installs. The tunnel
will then function as normal while using Main mode for the exchange. The
only thing this alters is that the client's username and password will now be
supplied encrypted in the transaction mode exchange which sits between Phase
I and Phase II. This differs from non-Hybrid mode IKE, in which all
credentials are supplied in Phase I.

The firewall will be authenticated in Phase I according to the X.509
certificate supplied. Again, there will be no difference in the end user
experience when using Hybrid mode IKE in this manner.

If you require any additional information please contact me outside of
the list. ~DG

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Monday, July 30, 2001 12:04 AM
To: [email protected]
Subject: [FW1] IKE mode for Secure Client connections
Hi again folks,

After having another go at tackling the IPSec RFCs I've answered a few of
my own questions...  But still remaining is:

How do I make my secure client connections negotiate the Security
Association with Main Mode (Identity Protection) IKE?
I'm not too keen to have my User Names passed in cleartext when they
shouldn't need to be.

On my Firewall object, VPN Tab, under 'IKE' - I have unticked "Supports
Aggressive Mode", yet the Secure Client connections still negotiate the
security association with this mode.

I've tried updating the Client topology, restarting Secure Remote - but no
joy.  The only thing left to try (which I'm not entirely prepared to try)
is a complete firewall restart.
Maybe Secure Client only supports Aggressive Mode?

Can anyone help??

Thanks,
-jonny


--

Jonny Robertson
Wellington
New Zealand
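An added check, not part of this thread or of Check Point's software: a small parser for the ISAKMP header and payload chain (RFC 2408 layout) that reports the Phase I exchange type from a captured UDP/500 datagram and flags whether an Identification payload is travelling in the clear, which is what the question above is really asking. The sample datagrams are constructed with dummy payload bodies.

```python
import struct

# ISAKMP exchange types (RFC 2408 s.3.1); 6 = Transaction, the Config Mode exchange
# that carries Hybrid/XAuth credentials between Phase I and Phase II.
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 6: "Transaction (Config Mode)", 32: "Quick Mode"}
ID_PAYLOAD = 5           # Identification payload type
FLAG_ENCRYPTION = 0x01   # header flag: payloads after the header are encrypted

def parse_isakmp(datagram):
    """Parse the 28-byte ISAKMP header and walk the cleartext payload chain.
    Returns (exchange_name, encrypted, payload_types, identity_in_clear)."""
    if len(datagram) < 28:
        raise ValueError("short ISAKMP header")
    _ic, _rc, nxt, _ver, exch, flags, _mid, length = struct.unpack(
        "!8s8sBBBBII", datagram[:28])
    if length != len(datagram):
        raise ValueError("length field does not match datagram size")
    encrypted = bool(flags & FLAG_ENCRYPTION)
    payloads, off = [], 28
    while not encrypted and nxt != 0:        # chain is only readable in the clear
        if off + 4 > len(datagram):
            raise ValueError("truncated payload header")
        following, _rsvd, plen = struct.unpack("!BBH", datagram[off:off + 4])
        if plen < 4 or off + plen > len(datagram):
            raise ValueError("bad payload length")
        payloads.append(nxt)
        nxt, off = following, off + plen
    identity_in_clear = not encrypted and ID_PAYLOAD in payloads
    return (EXCHANGE_TYPES.get(exch, f"unknown ({exch})"), encrypted,
            payloads, identity_in_clear)

def build_isakmp(exch, chain, flags=0):
    """Assemble a datagram from [(payload_type, body), ...]; constructed test data only,
    the bodies are dummy bytes rather than real SA/KE/nonce contents."""
    types = [t for t, _ in chain] + [0]
    body = b"".join(struct.pack("!BBH", types[i + 1], 0, 4 + len(b)) + b
                    for i, (_, b) in enumerate(chain))
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, types[0], 0x10,
                      exch, flags, 0, 28 + len(body))
    return hdr + body

# Constructed samples: Aggressive msg 1 sends SA, KE, Nonce and the ID payload in the
# clear; Main Mode msg 1 sends only SA, and the ID payload (msg 5) travels encrypted.
AGGRESSIVE_MSG1 = build_isakmp(4, [(1, b"\0" * 8), (4, b"\0" * 16),
                                   (10, b"\0" * 8), (5, b"\x01\0\0\0jonny")])
MAIN_MSG1 = build_isakmp(2, [(1, b"\0" * 8)])
MAIN_MSG5 = build_isakmp(2, [(5, b"\xaa" * 16)], flags=FLAG_ENCRYPTION)
```

Feeding real UDP/500 payloads from a capture into `parse_isakmp` shows immediately whether the client's first message is exchange type 4 with a cleartext ID payload, or type 2 after the Hybrid mode change described in the reply.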





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================