Re: [FW-1] VPN using IKE




Paul,
 
Check in your policy Properties to ensure "Accept ICMP" is set to
"Before Last".
 
As far as rule order, put your VPN rules first in your rule base.
You don't need a rule to specifically allow ICMP if you have a rule
accepting traffic from his net to your firewall....
 
Run a trace (like tcpdump) on your firewall's interfaces to watch
your ping requests and see if replies are coming back...
 
A tip: the object you created for the two nets, is that a domain
object? I've recently heard about issues with using these, so you
may want to break them up into separate entities again...keeping your
objects and rules simple will ease troubleshooting:
 
His Net  /  Your Net  /  Encrypt
Your Net  /  His Net  /  Encrypt
 
Sheri Dougherty
Security Integration Analyst

 
 

-----Original Message-----
From: Chinnery Paul [mailto:[email protected]]
Sent: Monday, October 22, 2001 4:59 PM
To: [email protected]
Subject: [FW-1] VPN using IKE


I'm trying to set up a VPN between our network and another network
that has Linux.  Right now, we've got key install working. 
 
He can also ping a machine on my network and, checking the log, it
comes through encrypted and then is duly decrypted.
 
However, when I try to do the same thing to his network, it doesn't
work.
 
I've configured the firewall gateway's VPN settings and then created
settings for his network (his gateway and network).
 
I've added both networks to an object called HDS.
 
The rule I've implemented is:
 
Hds TO/FROM HDS  Encrypt
 
Like I said, key install works and he can ping me with the packets
being encrypted but I can't ping him.
 
This really has me stumped. Could it be where I have the rule placed?
 


