
Re: [FW-1] CPFW1-4.1.2 and IPFilter+RACOON working but ....



Hi guys,

Please disregard this post, I've already fixed it. I had to modify the
setkey commands in FreeBSD and also had to add a NAT rule for the encryption
domains so that it won't be NATed.


----- Original Message -----
From: "Onie Camara" <[email protected]>
To: <[email protected]>
Sent: Thursday, March 21, 2002 10:02 PM
Subject: [FW-1] CPFW1-4.1.2 and IPFilter+RACOON working but ....


> Hi guys,
>
> It's me again. :-)
>
> Here is my configuration:
>
> Checkpoint 4.1.2 on Debian 2.2r5
> external = 192.168.0.122/24
> internal = 172.17.0.0/16
>
> IPfilter + IPsec +Racoon on FreeBSD 4.5-Stable.
> external = 192.168.0.115/24
> internal = 172.16.0.0/16
>
> This is the document that I followed,
> http://restricted.dyndns.org/cpbsd.html
>
> Here is my lab setup:
>
>              SITE A                               SITE B
>      External Interface                    External Interface
>           192.168.0.122                    192.168.0.115
>                       |                    |
>         +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
>         |                                                |
>  FW-1 Protected Nets                           FreeBSD Protected Nets
>     172.17.0.0/16                                 172.16.0.0/16
>
> I have workstations on both firewalls.
>
> 172.17.0.12 on SITE A
> 172.16.0.100 on SITE B
>
> 1. Exchange of keys is ok.
> 2. The FreeBSD gw can ping 172.17.0.12 and I can see decrypt/encrypt in Log
> Viewer
> 3. From the 172.17.0.12 workstation on SITE A, it can ping the FreeBSD GW.
>
> My problem is that:
> 1. From 172.16.0.100 workstation, it cannot ping 172.17.0.12 workstation.
> So that means, FW-1 Protected Nets is not able to talk to FreeBSD Protected
> Nets.
>
> And on the Log Viewer, it shows there the packet from 192.168.0.115 to
> 172.17.0.12 gets rejected.
>
> I have already disabled spoofing but still doesn't work. Will that document
> be applicable to my lab setup or is there anything that I should modify on
> Checkpoint?
>
> I have also tried creating another network object, and that is the
> freebsd-net and
> instead change the rule 2 to freebsd-net instead of freebsd-gw. And with
> this rule,
> the freebsd-gw no longer can communicate with 172.17.0.12.
>
> Any help will be greatly appreciated.
>
> Thank you very much.
>
>
> neil camara ([email protected]) - cc{na|sa}, mcse - pgp 0x777777B2
> network/security engineer - dl := +1(847)2.21.0.224 cn := +1(847)9.80.17.53
> echo "I love windows" | sed -e 's/wi/u/g' | cut -f1 -dd | \
> awk '/u/ {printf("%s %s %six\n",$1,$2,$3)}'
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
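As an added illustration of the two changes the reply mentions (the poster's actual files are not reproduced in the thread), here is a setkey(8) security-policy file and an ipnat(5) exemption for the addresses in the lab diagram. The interface name fxp0, the ESP-only tunnel proposal, the port range and the "! to" negation syntax are assumptions; the thread only states that the setkey commands were changed and that the encryption domains were kept out of NAT.

```conf
# --- /etc/ipsec.conf on the FreeBSD gateway (192.168.0.115) ---
# Loaded with "setkey -f /etc/ipsec.conf". Added example, not the poster's
# file: only the addresses come from the thread. Racoon negotiates the SAs,
# so only the security policy (SPD) is defined here, no manual keys.
flush;
spdflush;

# Outbound: packets from the FreeBSD net to the FW-1 net must go ESP-tunnelled
# between the two gateway addresses; "require" refuses to send them in clear.
spdadd 172.16.0.0/16 172.17.0.0/16 any -P out ipsec esp/tunnel/192.168.0.115-192.168.0.122/require;

# Inbound: the mirror-image policy. "require" also makes the kernel drop
# clear-text packets that claim a 172.17.0.0/16 source but did not arrive
# through the tunnel, so the remote net cannot be spoofed from outside.
spdadd 172.17.0.0/16 172.16.0.0/16 any -P in ipsec esp/tunnel/192.168.0.122-192.168.0.115/require;

# --- /etc/ipnat.conf on the same host ---
# Hide the internal net behind the external address (fxp0 is assumed), but
# NOT for traffic to the remote encryption domain: if those packets were
# NATed to 192.168.0.115 they would no longer match the SPD entry above and
# would leave the box unencrypted, which is what FW-1 then logs as a reject.
# The "! to" negation is an assumption; check ipnat(5) for your IPFilter
# version before relying on it.
map fxp0 from 172.16.0.0/16 ! to 172.17.0.0/16 -> 192.168.0.115/32 portmap tcp/udp 10000:20000
map fxp0 from 172.16.0.0/16 ! to 172.17.0.0/16 -> 192.168.0.115/32
```

After loading both files, "setkey -DP" should list the two policies and "ipnat -l" the two map rules; a ping from 172.16.0.100 to 172.17.0.12 should then appear in the FW-1 Log Viewer as decrypt/encrypt rather than as a rejected clear-text packet.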
