
Re: [FW-1] VPN with only firewall's ip public address
Elena,
 
It looks like Phase 2 negotiation between the firewalls is failing.  Since it isn't completing successfully, pings will not be encrypted and will not even get as far as the other side.
 
Do you know what kind of firewall is on the other side and do you know anything about how it is configured?  No response from peer would tend to suggest that it doesn't like what it's getting; given the nature of your original Q, I'd guess that it doesn't think you're supposed to have access to the host you're trying to hit, and consequently isn't responding.
 
A log from the other firewall would definitely help you out, if you can get your hands on it.
-----Original Message-----
From: Elena Zabala [mailto:[email protected]]
Sent: Monday, June 17, 2002 3:19 AM
To: [email protected]
Subject: Re: [FW-1] VPN with only firewall's ip public address

Hi Russell,
 
    The scenario you are describing is exactly the one I have. The thing is that when I try to establish a connection with a machine in the other network, I receive the following errors in my log (I will include all lines referring to this connection):
 
Service      Source        Destination      Protocol    Info.
key-install  my_firewall   remote_firewall              IKE log: Phase 1 completion.DES/MD5/Pre Shared Secrets Negociation Id:xxxxxxx
nbname       my_pc         remote_machine   udp         encryption failure: no response from peer. scheme:IKE
telnet       my_pc         remote_machine   tcp         encryption failure: no response from peer. scheme:IKE
 
    Also, when I try to ping the remote machine, I receive a "Host unreachable" error message. I don't know if this can be due to the fact that icmp packets are not encrypted, and so they are not routed through the remote firewall.
 
Thanks,
 
Elena
----- Original Message -----
Sent: Friday, June 14, 2002 17:31
Subject: Re: [FW-1] VPN with only firewall's ip public address

The scenario you're describing (your new one) is fairly typical in my experience, and is referred to as a LAN-to-LAN VPN.  The scenario you describe where your FW establishes a VPN with the public IP of a host on their side, with addressing translation taking place through some unseen magic at their end, is atypical (again, only speaking from my experience).
 
Arguably, your "new scenario" is simpler than your old one, so that's good news. :)
 
All you do is set up a VPN between the two firewalls, with traffic through the tunnel (your encryption domains) defined in terms of the private ranges.  In terms of FW-1 objects, you have one for your firewall, whose encryption domain includes workstation/network objects specifying your private addresses that you want to talk to them.  You have an object for their firewall, and its encryption domain should include objects corresponding to their workstation/network objects, specified using their private addresses that you want to talk to.
 
Make sense?  Or did I totally miss your Q? :)
-----Original Message-----
From: Elena Zabala [mailto:[email protected]]
Sent: Friday, June 14, 2002 7:04 AM
To: [email protected]
Subject: [FW-1] VPN with only firewall's ip public address

Hello,
 
    I'm trying to change our firewall's configuration to make a new VPN with another network (let's call it network B) but don't know how to do it.
 
    The thing is that the only public IP address I have from network B is its firewall's public address, the rest of the machines in network B only have private addresses. Up to now, every VPN I have made worked in a different way, that's to say, I always established a communication with the other network's machine's IP public address, and it was this other network's firewall which, using NAT, translated this public address to its corresponding private one.
 
    The case I'm facing now is a little bit different, just because I should establish my connection directly using the other network machine's private addresses. How can this be done?
 
Thanks in advance,
 
Elena
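The reasoning in this thread (Phase 1 completed, then "encryption failure: no response from peer" on the individual flows, so Phase 2 is what is failing, and the likely cause is that the destination is not in the peer's encryption domain) can be turned into a small triage script. The following is an added example, not code from the thread or from Check Point: the tab-separated log format approximates the columns shown in Elena's table, the addresses and both encryption domains are constructed, and the function and field names are the example's own.

```python
"""Triage FW-1 style VPN log lines: separate IKE Phase 1 from Phase 2
problems and check each failing flow against the encryption domains
the two firewalls are supposed to share.

Added example for the mailing-list thread above; the log format,
addresses and encryption domains are constructed, not taken from a
real firewall.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample log with the same five columns as the post's table:
# service, source, destination, protocol, info (tab-separated).
SAMPLE_LOG = """\
key-install\t203.0.113.10\t198.51.100.20\t\tIKE log: Phase 1 completion.DES/MD5/Pre Shared Secrets Negotiation Id:xxxxxxx
nbname\t10.1.1.5\t192.168.50.7\tudp\tencryption failure: no response from peer. scheme:IKE
telnet\t10.1.1.5\t192.168.50.7\ttcp\tencryption failure: no response from peer. scheme:IKE
"""

# Hypothetical encryption domains: the private ranges each firewall object
# is configured to tunnel. The peer domain deliberately omits 192.168.50.0/24
# to reproduce the "peer does not think you should reach that host" case.
LOCAL_DOMAIN = [ipaddress.ip_network("10.1.1.0/24")]
PEER_DOMAIN = [ipaddress.ip_network("192.168.40.0/24")]


@dataclass
class Triage:
    phase1_complete: bool = False
    phase2_failures: list = field(default_factory=list)     # (src, dst, service)
    outside_peer_domain: list = field(default_factory=list)
    outside_local_domain: list = field(default_factory=list)


def parse_line(line):
    """Split one tab-separated log line into its five fields, or None."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    return dict(zip(("service", "src", "dst", "proto", "info"), parts))


def in_domain(addr, domain):
    """True if addr falls inside any network of the encryption domain."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # symbolic names cannot be checked
        return False
    return any(ip in net for net in domain)


def triage(log_text, local_domain, peer_domain):
    """Classify log lines: Phase 1 completion vs. per-flow Phase 2 failures."""
    result = Triage()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        info = rec["info"]
        if rec["service"] == "key-install" and "Phase 1 completion" in info:
            result.phase1_complete = True
        elif "encryption failure" in info and "no response from peer" in info:
            flow = (rec["src"], rec["dst"], rec["service"])
            result.phase2_failures.append(flow)
            if not in_domain(rec["dst"], peer_domain):
                result.outside_peer_domain.append(flow)
            if not in_domain(rec["src"], local_domain):
                result.outside_local_domain.append(flow)
    return result


def diagnosis(t):
    """One-line reading of the triage, following the thread's reasoning."""
    if not t.phase1_complete:
        return "phase1-failed: check peer address, pre-shared secret and Phase 1 proposals"
    if not t.phase2_failures:
        return "healthy: Phase 1 and Phase 2 completed"
    if t.outside_peer_domain:
        dsts = sorted({dst for _, dst, _ in t.outside_peer_domain})
        return "phase2-failed: destination(s) %s not in peer encryption domain" % ", ".join(dsts)
    if t.outside_local_domain:
        return "phase2-failed: source(s) outside local encryption domain"
    return "phase2-failed: flows inside both domains; compare the peer's Phase 2 proposals and its log"


if __name__ == "__main__":
    t = triage(SAMPLE_LOG, LOCAL_DOMAIN, PEER_DOMAIN)
    print(diagnosis(t))
```

Run against the constructed log, the script reports Phase 1 as complete and both flows as Phase 2 failures whose destination 192.168.50.7 lies outside the configured peer domain, which is the situation the thread describes; widening PEER_DOMAIN to include 192.168.50.0/24 moves the diagnosis to the "compare the peer's proposals and its log" branch, matching the advice to obtain the remote firewall's log.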


 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.