RE: [FW1] IKE mode for Secure Client connections
Aggressive mode is the default option for remote access environments regardless of whether the aggressive mode option is selected through FWPolicy or not. The reason for this goes way back to issues with IKE and remote access when the IP of the remote peer is not known ahead of time. This made it impossible to use main mode because SKEYID_e must be generated before the hash is built.

The solution to your problem is to turn on Hybrid mode IKE in FireWall-1. This is true even if you have no plans to utilize third-party credentials. The other option requires the use of certificates, but that means you must change your authentication from pre-shared secrets to certificates. Main mode is the default for both Hybrid mode and certificates due to the extra information that needs to be exchanged in Phase I.

Therefore, enable Hybrid mode IKE on FireWall-1. Please follow the proper documentation for doing this. Next, keep your users' pre-shared secrets as is. This configuration does not require any changes to the user definition. Next, after Hybrid mode IKE is enabled, update the site for a given client. From the topology download the client will acquire information that states Hybrid mode IKE should be used for Phase I key installs. The tunnel will then function as normal while using Main mode for the exchange.

The only thing this alters is that the client's username and password will now be supplied encrypted in the transaction mode exchange which sits between Phase I and Phase II. This differs from non-Hybrid mode IKE in which all credentials are supplied in Phase I. The firewall will be authenticated in Phase I according to the X.509 certificate supplied. Again, there will be no difference in the end user experience when using Hybrid mode IKE in this manner. If you require any additional information please contact me outside of the list.
~DG

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Monday, July 30, 2001 12:04 AM
To: [email protected]
Subject: [FW1] IKE mode for Secure Client connections

Hi again folks,

After having another go at tackling the IPSec RFCs I've answered a few of my own questions... But still remaining is: How do I make my secure client connections negotiate the Security Association with Main Mode (Identity Protection) IKE? I'm not too keen to have my User Names passed in cleartext when they shouldn't need to be.

On my Firewall object, VPN Tab, under 'IKE' - I have unticked "Supports Aggressive Mode", yet the Secure Client connections still negotiate the security association with this mode. I've tried updating the Client topology, restarting Secure Remote - but no joy. The only thing left to try (which I'm not entirely prepared to try) is a complete firewall restart.

Maybe Secure Client only supports Aggressive Mode? Can anyone help??

Thanks,
-jonny
--
Jonny Robertson
Wellington
New Zealand

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
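The question in this thread is whether SecureClient is still negotiating aggressive mode, and the reply's point is that outside Hybrid mode the identity is sent in Phase I, where an observer of the UDP/500 exchange can read it. As an added illustration that is not part of either message, the Python below parses the ISAKMP header (RFC 2408) of a datagram to report the exchange type and lists any ID payloads that are readable because the header's encryption flag is not set; the sample messages are constructed, with placeholder bodies for every payload except the ID, and the user name is invented.

```python
import struct

# ISAKMP constants (RFC 2408 / RFC 2409): exchange types, payload types, ID types, flags
EXCHANGE = {2: "main mode", 4: "aggressive mode", 5: "informational", 6: "transaction", 32: "quick mode"}
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN"}
FLAG_ENCRYPTION = 0x01  # header flag: everything after the 28-byte header is encrypted
HDR = "!8s8sBBBBII"     # cookies, next payload, version, exchange type, flags, message id, length

def parse_isakmp(pkt):
    """Parse the header; walk the payload chain only when the message is not encrypted."""
    if len(pkt) < 28:
        raise ValueError("truncated ISAKMP header")
    _ic, _rc, nxt, _ver, exch, flags, _mid, _length = struct.unpack(HDR, pkt[:28])
    encrypted = bool(flags & FLAG_ENCRYPTION)
    payloads, off = [], 28
    while not encrypted and nxt != 0 and off + 4 <= len(pkt):
        ptype = nxt
        nxt, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])  # generic payload header
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        payloads.append((ptype, pkt[off + 4:off + plen]))
        off += plen
    return {"exchange": EXCHANGE.get(exch, "unknown %d" % exch), "encrypted": encrypted, "payloads": payloads}

def exposed_identities(pkt):
    """Return identities a passive observer can read: ID payloads of an unencrypted message."""
    found = []
    for ptype, body in parse_isakmp(pkt)["payloads"]:
        if ptype == PAYLOAD_ID and len(body) >= 4:  # body: id type, protocol id, port, data
            found.append("%s:%s" % (ID_TYPES.get(body[0], str(body[0])), body[4:].decode("ascii", "replace")))
    return found

def build_msg(exch, flags, payloads):
    """Assemble a constructed ISAKMP message from (payload type, body) pairs."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    return struct.pack(HDR, b"\x11" * 8, b"\x00" * 8, first, 0x10, exch, flags, 0, 28 + len(chain)) + chain

# Constructed samples (not captured traffic); SA/KE/NONCE bodies are placeholders. ID body: type 3 = USER_FQDN, UDP, 500
USER_ID = struct.pack("!BBH", 3, 17, 500) + b"user@example.invalid"
AGGRESSIVE_MSG1 = build_msg(4, 0, [(PAYLOAD_SA, b"\x00\x00\x00\x01"), (PAYLOAD_KE, b"\x55" * 16),
                                   (PAYLOAD_NONCE, b"\x66" * 16), (PAYLOAD_ID, USER_ID)])
MAIN_MSG1 = build_msg(2, 0, [(PAYLOAD_SA, b"\x00\x00\x00\x01")])            # main mode msg 1: SA only
MAIN_MSG5 = build_msg(2, FLAG_ENCRYPTION, [(PAYLOAD_ID, USER_ID)])         # on the wire this body is ciphertext
```

Run against the constructed aggressive-mode first message, `exposed_identities` returns the USER_FQDN in the clear, while the main-mode messages yield nothing: message 1 carries no ID at all and message 5 has the encryption flag set, so the payload chain is not walked.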