[FW-1] Linksys BEFVP41 VPN Router...can't seem to get traffic thru the tunnel



I've just received a Linksys BEFVP41 VPN router and am attempting to create
a site to site IKE link with FW1 4.1 3des SP5.  My previous experience with
vpns has only been with the SecuRemote software.  This box claims that it
can create an IKE tunnel with the likes of Checkpoint/Cisco etc.

I have read through the "Site to Site VPN" chapter in Dameon D.
Welch-Abernathy's "Essential Checkpoint Firewall-1" (which I highly
recommend to relative newcomers like myself), and on the firewall have
created:

        Encryption domain for main fw1 firewall (pretty much 10.0.0.0/255.0.0.0)
        Encryption domain for Linksys box (9.99.1.0/255.255.255.0...for test
                purposes)
        Enabled IKE on the firewall object, with the appropriate encryption
                domain (all done when setting up SecuRemote users...they work fine)
                3des
                support MD5 and SHA1 data integrity
                preshared secrets
                supports aggressive mode
                support key exchange for subnets
        Created an object for the Linksys box with its public address
                defined as a gateway
                appropriate encryption domain (9.99.1.0)
                ike encryption
                        support md5 + sha1
                        pre-shared secrets (and put in a secret)
                        supports aggressive mode

        Created 2 rules on the firewall
                Source                  Dest                    Service   Action
                ------                  ----                    -------   ------
                fw1 encrypt domain      linksys encrypt         Any       Encrypt
                linksys encrypt         fw1 encrypt domain      Any       Encrypt

        Edited the properties of the encryption action on both rules
                Transform = Encryption + Data Integrity (ESP)
                Encryption Algorithm= 3des
                Data Integrity = SHA1
                Allowed Peer Gateway= Any
                use perfect forward Secrecy is checked


I then went to the linksys and attempted to match parameters as much as
possible

        Local Secure Group = subnet 9.99.1.0
        Remote Secure Group = subnet 10.0.0.0 /255.0.0.0
        Remote Gateway (public address of firewall)
        Encryption=3des
        Authentication=SHA1
        Key Management=Auto(IKE)
        Perfect Forward Secrecy is checked
        Preshared secret=matches fw secret
        Key lifetime 3600 seconds (matches fw parameters)

When I attempt to connect the tunnel from the linksys box it records a
success.  I see Phase 1 and Phase 2 IKE completion on the firewall logs.
However when I sit on a pc behind the linksys router and ping something
within the fw1 encryption domain I receive the following error on the
firewall:

        decryption failure: Warning: possible replay attack scheme: IKE

The linksys box vpn log shows some sort of identifier error (not on my
screen at the moment unfortunately), then the key exchange happens once
again successfully.


I'm afraid that I'm pretty much stumped from here....waiting to hear from
Linksys tech support (if they'll help!)

Has anyone else created a successful tunnel with this device?


Malcolm McDuff
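Added example, not part of the original post or of either vendor's tooling: a small Python checker that encodes the two sides' settings as listed above and reports any mismatch between the encryption domains and the Phase 2 parameters, which is the first thing to rule out when IKE completes but traffic fails to decrypt. The field names, and the rule that each side's "remote" network must be identical to the peer's local domain, are assumptions of the example.

```python
from ipaddress import ip_network

# Constructed from the values in the post: FW-1 encryption domains plus the
# Encrypt-action properties, and the Linksys Local/Remote Secure Group fields.
FW1 = {
    "local_domain": "10.0.0.0/8",   # fw1 encryption domain
    "peer_domain": "9.99.1.0/24",   # domain defined on the Linksys object
    "encryption": "3des",
    "integrity": "sha1",
    "pfs": True,
    "lifetime": 3600,
}
LINKSYS = {
    "local_domain": "9.99.1.0/24",  # Local Secure Group
    "peer_domain": "10.0.0.0/8",    # Remote Secure Group
    "encryption": "3des",
    "integrity": "sha1",
    "pfs": True,
    "lifetime": 3600,
}


def check_peers(a, b):
    """Return a list of mismatches between two site-to-site peers (empty = consistent)."""
    problems = []
    # Assumption: the network each side claims as "remote" must be exactly the
    # network the other side protects. A merely overlapping or containing
    # subnet is treated as a mismatch, since the Phase 2 identities exchanged
    # would then disagree.
    for x, y, label in ((a, b, "a->b"), (b, a, "b->a")):
        want = ip_network(x["peer_domain"], strict=False)
        have = ip_network(y["local_domain"], strict=False)
        if want != have:
            problems.append(f"{label}: peer domain {want} != remote local domain {have}")
    # Phase 2 proposal fields must agree on both ends.
    for key in ("encryption", "integrity", "pfs", "lifetime"):
        if a[key] != b[key]:
            problems.append(f"{key}: {a[key]!r} vs {b[key]!r}")
    # Overlapping local domains make the traffic selectors ambiguous.
    if ip_network(a["local_domain"]).overlaps(ip_network(b["local_domain"])):
        problems.append("local domains overlap")
    return problems


if __name__ == "__main__":
    for line in check_peers(FW1, LINKSYS) or ["no mismatch found in the listed parameters"]:
        print(line)
```

For the values given in the post the checker reports no mismatch, which narrows the search to things the post does not list, such as the Phase 1 identity each side presents.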
