[FW-1] Linksys BEFVP41 VPN Router...can't seem to get traffic thru the tunnel
I've just received a Linksys BEFVP41 VPN router and am attempting to create a site to site IKE link with FW1 4.1 3des SP5. My previous experience with VPNs has only been with the SecuRemote software. This box claims that it can create an IKE tunnel with the likes of Checkpoint/Cisco etc. I have read through the "Site to Site VPN" chapter in Dameon D. Welch-Abernathy's "Essential Checkpoint Firewall-1" (which I highly recommend to relative newcomers like myself), and on the firewall have created:

- Encryption domain for main fw1 firewall (pretty much 10.0.0.0/255.0.0.0)
- Encryption domain for Linksys box (9.99.1.0/255.255.255.0...for test purposes)
- Enabled IKE on the firewall object, with the appropriate encryption domain (all done when setting up SecuRemote users...they work fine)
  - 3des support
  - MD5 and SHA1 data integrity
  - preshared secrets
  - supports aggressive mode
  - support key exchange for subnets
- Created an object for the Linksys box with its public address
  - defined as a gateway
  - appropriate encryption domain (9.99.1.0)
  - IKE encryption support
  - MD5 + SHA1
  - pre-shared secrets (and put in a secret)
  - supports aggressive mode
- Created 2 rules on the firewall

  Source                Dest                  Service    Action
  ----------            -------               -------    -------
  fw1 encrypt domain    linksys encrypt       Any        Encrypt
  linksys encrypt       fw1 encrypt domain    Any        Encrypt

- Edited the properties of the encryption action on both rules
  - Transform = Encryption + Data Integrity (ESP)
  - Encryption Algorithm = 3des
  - Data Integrity = SHA1
  - Allowed Peer Gateway = Any
  - Use Perfect Forward Secrecy is checked

I then went to the Linksys and attempted to match parameters as much as possible:

- Local Secure Group = subnet 9.99.1.0
- Remote Secure Group = subnet 10.0.0.0/255.0.0.0
- Remote Gateway = (public address of firewall)
- Encryption = 3des
- Authentication = SHA1
- Key Management = Auto (IKE)
- Perfect Forward Secrecy is checked
- Preshared secret = matches fw secret
- Key lifetime = 3600 seconds (matches fw parameters)

When I attempt to connect the tunnel from the Linksys box it records a success. I see Phase 1 and Phase 2 IKE completion on the firewall logs. However, when I sit on a PC behind the Linksys router and ping something within the fw1 encryption domain I receive the following error on the firewall:

  decryption failure: Warning: possible replay attack scheme: IKE

The Linksys box VPN log shows some sort of identifier error (not on my screen at the moment unfortunately), then the key exchange happens once again successfully.

I'm afraid that I'm pretty much stumped from here....waiting to hear from Linksys tech support (if they'll help!)

Has anyone else created a successful tunnel with this device?

Malcolm McDuff
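The "possible replay attack" warning in the firewall log above comes from the receiver-side anti-replay check that every ESP implementation runs on each inbound security association (SA): a sliding window over the 32-bit sequence number, as specified in RFC 2401 Appendix C and RFC 4303 Appendix A. The example below is added here and is not FW-1, Linksys, or the poster's code; it models that window in plain Python with a constructed burst of sequence numbers (in order, reordered, duplicated, jumped ahead, and stale) so the three verdicts a gateway can reach, accepted, replayed, or too old, can be seen directly. The two extra functions illustrate a general point about this check rather than diagnosing the poster's tunnel: the window belongs to one SA (one SPI), so a sender that restarts its counter without the receiver installing a fresh SA is rejected, while the same seq 1 on a newly negotiated SA is accepted.

```python
"""Sliding-window ESP anti-replay check (RFC 2401 App. C / RFC 4303 App. A).

Constructed illustration, not code from the original post or from any vendor.
"""


class AntiReplayWindow:
    """Receiver-side replay window for one inbound IPsec SA.

    `last_seq` is the highest sequence number accepted on this SA; bit i of
    `bitmap` records whether sequence number (last_seq - i) has been seen.
    Every SA (every SPI) gets its own window, so a rekey creates a new one.
    """

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.last_seq = 0
        self.bitmap = 0
        self.counts = {"accepted": 0, "replayed": 0, "too_old": 0, "invalid": 0}

    def check_and_update(self, seq: int) -> str:
        verdict = self._check(seq)
        self.counts[verdict] += 1
        return verdict

    def _check(self, seq: int) -> str:
        mask = (1 << self.size) - 1
        if seq <= 0 or seq > 0xFFFFFFFF:
            return "invalid"  # ESP sequence numbers start at 1 and are 32-bit
        if seq > self.last_seq:
            # Packet is ahead of the window: slide the window forward.
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1  # jumped past everything previously seen
            self.last_seq = seq
            return "accepted"
        offset = self.last_seq - seq
        if offset >= self.size:
            # Behind the window: a late packet and a replay look identical, so drop.
            return "too_old"
        if self.bitmap & (1 << offset):
            return "replayed"  # already seen within the window
        self.bitmap |= 1 << offset  # late but new: accept and mark it seen
        return "accepted"


def classify_sequence(seqs, size=64):
    """Run one constructed burst of sequence numbers through a fresh window."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


def counter_restart_on_same_sa(packets_before_restart=100):
    """Sender restarts its counter at 1 without a new SA/SPI on the receiver.

    The receiver's window for that SA is still far ahead, so the restarted
    packet is rejected: too old if outside the window, replayed if inside it.
    """
    window = AntiReplayWindow()
    for s in range(1, packets_before_restart + 1):
        window.check_and_update(s)
    return window.check_and_update(1)


def fresh_sa_after_rekey():
    """After a rekey the new SA has its own window, so seq 1 is accepted again."""
    old = AntiReplayWindow()
    for s in range(1, 101):
        old.check_and_update(s)
    new = AntiReplayWindow()  # new SPI => new, empty window state
    return new.check_and_update(1)


if __name__ == "__main__":
    # Constructed burst: in order, one reordered, one duplicate, a big jump, one stale.
    sample = [1, 2, 3, 5, 4, 4, 70, 2, 69]
    for s, v in zip(sample, classify_sequence(sample)):
        print(f"seq {s:>3}: {v}")
    print("counter restart on same SA:", counter_restart_on_same_sa())
    print("seq 1 on fresh SA after rekey:", fresh_sa_after_rekey())
```

When reading a gateway log for this warning, the useful question is therefore which SA the offending packet was decrypted under: a replay verdict on an SA that both peers agree is current points at genuine duplicates on the path, whereas a verdict that coincides with a fresh Phase 2 exchange points at the two peers disagreeing about which SA is in use.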