Re: [FW-1] Problem setting up securemote connection to FW-1 SP3
Thanks Matthias and Guy,

Your suggestions have definitely helped get me past the "Encryption failure" error message, however it's still not working. I have the following rules in place now:

any smiths_PC FW1 & FW1_topo accept long (had to add this rule, as these services were being rejected).
secure_group smiths_PC PCAnywhere client Encrypt long

On the properties for Client Encrypt, for the source and destination options I have selected "intersect with user database". What other options are there, and where would I find them?

When I start a securemote session, the log shows the requests for FW and FW_topo are accepted, but then nothing else happens and the securemote session returns the error "Error: communication with site 11.11.11.111 has failed". I was at least hoping for another log entry showing where the breakdown is, but I couldn't find anything.

Any other recommendations on securemote options (should I use IKE only, or maybe FWZ as well?).

regards,
Alan Choyna.

-----Original Message-----
From: Matthias Leu
Sent: Wed 11/14/2001 1:28 AM
To: [email protected]
Cc:
Subject: Re: [FW-1] Problem setting up securemote connection to FW-1 SP3 (encryption failure: No peer gateway found for the destination scheme:

Hi,

you will need a rule accepting Client Encrypt, because the way you have defined the rule will need a static peer. Try to define a user group in which smith is in. Then try this rule:

smithgroup@any smiths_machine PCanywhere ClientEncrypt long

So the user has to authenticate (which can also be automated). Check if the properties of ClientEncrypt are set correctly - and then it should work.

Hope it helps

best regards
Matthias

Alan Choyna wrote:
> Hi folks,
>
> I'm trying to set up my FW-1 4.1 SP3 to be able to allow securemote
> (build 4188) access from external machines.
>
> The external PCs are each sitting behind a linksys router (firmware
> 1.40.1) using either DSL or Cable internet connections, using non static
> external ip addresses.
>
> I installed the encryption license (DES3), and have configured a user
> (smith) with the user Authentication scheme VPN-1 & Firewall 1 Password,
> with Encryption options IKE & FWZ checked.
>
> I have created the following rules:
>
> any Smiths_machine_behind_FW1 PCanywhere encrypt.
>
> We are using securemote (build 4188) and have checked the IKE option
> under tools/Encryption, and Force UDP encapsulation and Support IKE over
> TCP under its advanced settings.
>
> When smith tries to connect from his external PC, the following rejects
> appear in the Log "encryption failure: No peer gateway found for the
> destination scheme: IKE."
>
> Is the error because I do not have a domain object as the source? If so,
> how would I set up a domain object which doesn't have a static ip?
>
> What encryption/logon/securemote services should I allow?
>
> We wish to use DES3. Have I set the correct options on the user object?
> and the securemote client options?
>
> Anything special to do in the Policy properties?
>
> Sorry for all the questions, but there are so many variables here, that
> I find myself lost.
>
> Regards,
>
> Alan.
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================