
[FW-1] SecuRemote problems when connecting to external if



Hello,

We have two separate sites both running FW-1 4.1/Sp3 on NT4.0. VPN between
the sites works well.

The problem occurs when trying to establish SecuRemote VPN to the second
site. SecuRemote works well to first site, but it 'times out' all the time
to the second site.
The 2nd firewall is an upgraded version of 4.0.

First the problem was that the SecuRemote client complained all the time:
        Error: Site x.y.z.w says that it is not a Certificate Authority.
        Check whether you have got the right IP-address for x.y.z.w,
        and check with the FW-1 system manager there whether x.y.z.w is
        indeed a FW-1 control station.

Solved the problem by clearing the checkbox 'Properties/respond to
unauthenticated topology requests (IKE and FWZ)'.
I also generated DH key with
        fwstop
        fw internalca create -dn "o=org_name, c=fi"
        fw internalca certify -o "o=org_name, c=fi"
        fwstart

When trying to connect, the client asks for username and password, but then when
trying to get data from the site it times out. 'Error: Communication with site
x.y.z.w has failed.'
The FW rulebase is about the same in both firewalls, and SecuRemote
connections are allowed there.

Also noticed I have problems using the FW policy editor GUI to connect to the
second firewall's external IP. Sometimes it times out and it is always very slow
to open the connection. When trying to use the log viewer GUI to connect to the
external if, it always times out.

However, like I said we have a working VPN between the two sites: if I try
connecting from the 1st site to the 2nd site's internal interface, private
address 192.168.x.y, log viewer and policy editor work fast and SecuRemote
can get the site information.

I've enabled logging for all in- and outbound connections, and there are no
drops/rejections in the log file. It seems like it just times out, and generally
I have problems connecting to the external if of the 2nd site. Note that
both sites' rule base and configuration are about the same.

The 2nd site has 8 subnets behind it and a large private network split by several
routers. Firewall-1 is licensed for 100 internal hosts and the log file spams
'FW-1: Only 100 internal hosts allowed'. The internal private network is
controlled by several ISPs and I don't have access to the routers there. Is it
possible that because FW-1 polls the internal network, discovers hosts beyond the
local net and complains about the licenses, it prevents SecuRemote from working?

Sorry for the long post.

Yours sincerely,

Juuso Haapala
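A small client-side check for the symptom described in this post, added here as an example and not part of the original message or of Check Point's own tooling. It probes the well-known FW-1 4.x management and topology ports on a gateway address and tells a silent timeout (packets dropped or no return route) apart from an active refusal (the host answered, so the path is fine); the gateway address and port list are assumptions to adapt.

```python
import socket

# Well-known Check Point FW-1 4.x TCP service ports that the SecuRemote
# client and the management GUIs must reach on the gateway.
FW1_TCP_PORTS = {
    256: "FW1 (policy editor / control connection)",
    257: "FW1_log (log viewer)",
    264: "FW1_topo (SecuRemote topology download)",
}


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for one TCP port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"          # RST came back: host reachable, nothing listening
    except socket.timeout:
        return "timeout"          # no SYN/ACK and no RST: dropped somewhere on the path
    except OSError:
        return "unreachable"      # e.g. no route to host
    finally:
        sock.close()


def probe_gateway(host, ports=FW1_TCP_PORTS, timeout=3.0):
    """Probe every FW-1 port on the gateway and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def diagnose(results):
    """Summarise what the pattern of states means for troubleshooting."""
    states = set(results.values())
    if states == {"open"}:
        return "all services reachable"
    if "timeout" in states and "open" not in states:
        # Nothing answers at all: look at routing / NAT to the external
        # interface and at silent drops before blaming the rulebase.
        return "silently dropped: check path/return route to external interface"
    if "refused" in states:
        return "host answers but a service is not listening on that interface"
    return "mixed: " + ", ".join(f"{p}={s}" for p, s in sorted(results.items()))


if __name__ == "__main__":
    gateway = "192.0.2.1"   # placeholder; replace with the gateway's external IP
    result = probe_gateway(gateway)
    for port, state in sorted(result.items()):
        print(f"{port:>4} {FW1_TCP_PORTS[port]:<45} {state}")
    print(diagnose(result))
```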

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================