[FW-1] FW: Linksys BEFVP41 VPN Router...can't seem to get traffic thru the tunnel
I'm re-sending this message as it appears that it didn't make it to the list...my apologies if some have seen it already!

> I've just received a Linksys BEFVP41 VPN router and am attempting to
> create a site to site IKE link with FW1 4.1 3des SP5. My previous
> experience with VPNs has only been with the SecuRemote software. This box
> claims that it can create an IKE tunnel with the likes of Checkpoint/Cisco
> etc.
>
> I have read through the "Site to Site VPN" chapter in Dameon D.
> Welch-Abernathy's "Essential Checkpoint Firewall-1" (which I highly
> recommend to relative newcomers like myself), and on the firewall have
> created:
>
>   Encryption domain for main fw1 firewall (pretty much 10.0.0.0/255.0.0.0)
>   Encryption domain for Linksys box (9.99.1.0/255.255.255.0...for test purposes)
>   Enabled IKE on the firewall object, with the appropriate encryption
>   domain (all done when setting up SecuRemote users...they work fine)
>     3des
>     support MD5 and SHA1 data integrity
>     preshared secrets
>     supports aggressive mode
>     support key exchange for subnets
>   Created an object for the Linksys box with its public address
>     defined as a gateway
>     appropriate encryption domain (9.99.1.0)
>     IKE encryption
>     support MD5 + SHA1
>     pre-shared secrets (and put in a secret)
>     supports aggressive mode
>
> Created 2 rules on the firewall
>
>   Source               Dest                 Service   Action
>   -------------------  -------------------  --------  --------
>   fw1 encrypt domain   linksys encrypt      Any       Encrypt
>   linksys encrypt      fw1 encrypt domain   Any       Encrypt
>
> Edited the properties of the encryption action on both rules
>   Transform = Encryption + Data Integrity (ESP)
>   Encryption Algorithm = 3des
>   Data Integrity = SHA1
>   Allowed Peer Gateway = Any
>   Use Perfect Forward Secrecy is checked
>
> I then went to the Linksys and attempted to match parameters as much as
> possible
>
>   Local Secure Group = subnet 9.99.1.0
>   Remote Secure Group = subnet 10.0.0.0/255.0.0.0
>   Remote Gateway (public address of firewall)
>   Encryption = 3des
>   Authentication = SHA1
>   Key Management = Auto (IKE)
>   Perfect Forward Secrecy is checked
>   Preshared secret = matches fw secret
>   Key lifetime 3600 seconds (matches fw parameters)
>
> When I attempt to connect the tunnel from the Linksys box it records a
> success. I see Phase 1 and Phase 2 IKE completion on the firewall logs.
> However when I sit on a PC behind the Linksys router and ping something
> within the fw1 encryption domain I receive the following error on the
> firewall:
>
>   decryption failure: Warning: possible replay attack scheme: IKE
>
> The Linksys box VPN log shows some sort of identifier error (not on my
> screen at the moment unfortunately), then the key exchange happens once
> again successfully.
>
> I've tried every combination of unchecking checkboxes, and have tried MD5
> authentication instead of SHA1 to no effect.
>
> I'm afraid that I'm pretty much stumped from here....waiting to hear from
> Linksys tech support (if they'll help!)
>
> Has anyone else created a successful tunnel with this device?
>
> Malcolm McDuff
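A "possible replay attack" warning of the kind logged above is raised by the ESP receiver's anti-replay check on the inbound Security Association. The block below is an added illustration, not code from the original post or from Check Point or Linksys: it implements the RFC 4303 style sliding-window check and runs a constructed sequence-number stream (`SAMPLE`) through it. The stream has the peer deliver packets 1 to 6 (with 4 and 5 out of order, which the window tolerates) and then restart its counter at 1, the sort of thing that happens when one side re-keys or rebuilds its SA while the other side keeps the old receive window. The class name, method names and the sample stream are assumptions for the example.

```python
"""Sliding-window anti-replay check as used by IPsec ESP (RFC 4303 style).

Added illustration only; not code from the original post, Check Point or
Linksys. It shows why a receiver reports a possible replay when sequence
numbers it has already accepted, or numbers that fall behind its window,
arrive on an SA it still considers live.
"""


class AntiReplayWindow:
    """Receive-side replay window for one inbound Security Association."""

    def __init__(self, size: int = 64):
        # RFC 4303 requires a window of at least 32 packets; 64 is common.
        if size < 32:
            raise ValueError("window must be at least 32 packets")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was received

    def check(self, seq: int) -> str:
        """Classify a sequence number as 'accept', 'replay' or 'stale'.

        Call this only after the packet's integrity check has passed, so a
        forged packet can never advance the window.
        """
        if seq == 0:
            return "replay"      # ESP sequence numbers start at 1
        if seq > self.top:
            # New high-water mark: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1  # everything previously seen is now outside
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "stale"       # older than the window can remember
        if self.bitmap & (1 << offset):
            return "replay"      # already accepted once
        self.bitmap |= 1 << offset
        return "accept"


def classify_stream(seqs, size: int = 64):
    """Run a list of sequence numbers through one window; return the verdicts."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]


# Constructed sample stream (assumption, not captured traffic): the peer sends
# 1..6 with 4 and 5 swapped, then restarts its counter at 1 while this side
# still holds the old window, then continues with 7.
SAMPLE = [1, 2, 3, 5, 4, 6, 1, 2, 7]

if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE, classify_stream(SAMPLE)):
        print(f"seq={seq:3d} -> {verdict}")
```

The verdicts for `SAMPLE` are six accepts, two replays for the restarted 1 and 2, and an accept for 7. In a real stack the two rejected packets are dropped and counted, which is the behaviour behind a log line like the one the firewall produced; the fix on the operational side is to make sure both peers agree on SA lifetimes and that a re-key on one side replaces the SA on the other, rather than to widen the window.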