Re: [FW-1] CPFW1-4.1.2 and IPFilter+RACOON working but ....
Hi guys,

Please disregard this post, I've already fixed it. I had to modify the setkey commands in FreeBSD and also had to add a NAT rule for the encryption domains so that they won't be NATed.

----- Original Message -----
From: "Onie Camara" <[email protected]>
To: <[email protected]>
Sent: Thursday, March 21, 2002 10:02 PM
Subject: [FW-1] CPFW1-4.1.2 and IPFilter+RACOON working but ....

> Hi guys,
>
> It's me again. :-)
>
> Here is my configuration:
>
> Checkpoint 4.1.2 on Debian 2.2r5
> external = 192.168.0.122/24
> internal = 172.17.0.0/16
>
> IPfilter + IPsec + Racoon on FreeBSD 4.5-Stable.
> external = 192.168.0.115/24
> internal = 172.16.0.0/16
>
> This is the document that I followed:
> http://restricted.dyndns.org/cpbsd.html
>
> Here is my lab setup:
>
>          SITE A                                    SITE B
>     External Interface                        External Interface
>       192.168.0.122                             192.168.0.115
>            |                                         |
>     +--> Firewall-1 <--> Internet <--> FreeBSD GW <--+
>     |                                                |
>  FW-1 Protected Nets                      FreeBSD Protected Nets
>    172.17.0.0/16                              172.16.0.0/16
>
> I have workstations on both firewalls.
>
> 172.17.0.12 on SITE A
> 172.16.0.100 on SITE B
>
> 1. Exchange of keys is ok.
> 2. The FreeBSD gw can ping 172.17.0.12 and I can see decrypt/encrypt in Log
> Viewer.
> 3. From the 172.17.0.12 workstation on SITE A, it can ping the FreeBSD GW.
>
> My problem is that:
> 1. From the 172.16.0.100 workstation, it cannot ping the 172.17.0.12 workstation.
> So that means FW-1 Protected Nets is not able to talk to FreeBSD Protected
> Nets.
>
> And on the Log Viewer, it shows there the packet from 192.168.0.115 to
> 172.17.0.12 gets rejected.
>
> I have already disabled spoofing but it still doesn't work. Will that document
> be applicable to my lab setup or is there anything that I should modify on
> Checkpoint?
>
> I have also tried creating another network object, and that is the
> freebsd-net, and instead changed rule 2 to freebsd-net instead of freebsd-gw.
> And with this rule, the freebsd-gw no longer can communicate with 172.17.0.12.
>
> Any help will be greatly appreciated.
>
> Thank you very much.
>
>
> neil camara ([email protected]) - cc{na|sa}, mcse - pgp 0x777777B2
> network/security engineer - dl := +1(847)2.21.0.224 cn := +1(847)9.80.17.53
> echo "I love windows" | sed -e 's/wi/u/g' | cut -f1 -dd | \
> awk '/u/ {printf("%s %s %six\n",$1,$2,$3)}'
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
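The fix the reply describes, written out as an added example for the FreeBSD gateway side (this is not configuration from the thread or from the cpbsd.html document): tunnel-mode SPD entries for the two encryption domains, plus an ipnat exemption so that 172.16.0.0/16 traffic bound for 172.17.0.0/16 is not rewritten to 192.168.0.115 before IPsec sees it, which is what the rejected 192.168.0.115 -> 172.17.0.12 entry in the Log Viewer looks like. The interface name fxp0, the file paths, the portmap range and the ipnat "from ... ! to ..." exclusion syntax are assumptions to be checked against ipnat(5) on the installed IPFilter version.

```conf
# --- /etc/ipsec.conf (assumed path), loaded with: setkey -f /etc/ipsec.conf ---
# Tunnel-mode policies between the two encryption domains. Only policies are
# set here; racoon negotiates the SAs for them.
flush;
spdflush;

# Site B net -> Site A net: encapsulate on the way out via the two gateways.
spdadd 172.16.0.0/16 172.17.0.0/16 any -P out ipsec
    esp/tunnel/192.168.0.115-192.168.0.122/require;

# Site A net -> Site B net: inbound must arrive inside the tunnel from FW-1.
spdadd 172.17.0.0/16 172.16.0.0/16 any -P in ipsec
    esp/tunnel/192.168.0.122-192.168.0.115/require;

# Check with: setkey -DP   (policies)   and   setkey -D   (negotiated SAs)


# --- /etc/ipnat.rules (assumed path), loaded with: ipnat -CF -f /etc/ipnat.rules ---
# fxp0 is the assumed external interface. ipnat uses the first matching map
# rule, so the exemption for the remote encryption domain must come before
# the catch-all rule. "! to" is the assumed negation syntax: traffic from the
# local encryption domain to the remote one is NOT translated, and keeps its
# 172.16.x.x source address, so it matches the SPD entries above.
map fxp0 from 172.16.0.0/16 ! to 172.17.0.0/16 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 from 172.16.0.0/16 ! to 172.17.0.0/16 -> 0/32

# Verify the exemption before testing the tunnel: ipnat -l should show no
# active mapping for 172.16.0.100 while it pings 172.17.0.12.
```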