[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] RES: Re: [FW-1] Ping and VPN problems

To: [email protected]
Subject: Re: [FW-1] RES: Re: [FW-1] Ping and VPN problems
From: Diego Notonica <[email protected]>
Date: Fri, 13 Sep 2002 10:08:40 -0300
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Jochen,

I try your changes, but I drop the reply with the same message

               type 0 code 0 encryption failure: error occurred scheme: IKE

I use echo-reply, echo-tcp, echo-udp, icmp-proto, any, etc. but nothing
changes.Thanks you anyway.

But, I see something strange in the log when I do a ping to de SAP net:

Action         Serv Source         Dest       proto     info
accept         IKE  my-gateway     sap-gateway     udp  len 192
key Install         my-gateway     sap-gateway          IKE Log: Phase 1
completion. 3DES/SHA1/Pre shared secret Negotiation Id: bla bla
key Install         my-gateway     sap-gateway          IKE Log: Received
Notification from Peer: Negotiation Id: bla bla
key Install         my-gateway     sap-gateway          scheme: IKE
methods: Combined ESP: 3DES+MD5 (phase 2 completion) for host: bla bla
encrypt             my-internal-srv      sap-appserver  icmp      icmp-type
8 icmp-cpde 0 scheme: IKE methods: Combined ESP: 3DES+MD5
key Install         my-gateway     sap-gateway          IKE Log: Received
Notification from Peer: no proposal chosen Negotiation Id: bla bla**
drop           sap-appserver  my-internal-srv           icmp-type 0
icmp-code 0 encryption failure: error occurred scheme: IKE

I never see the log reg with the ** whats that?
Thanks very much and sorry for my english

Diego







Jochen H�chner <[email protected]> con fecha 13/09/2002
04:44:14 a.m.

Por favor, responda a Mailing list for discussion of Firewall-1
      <[email protected]>

Destinatarios: [email protected]
CC:        (cci: DIEGO NOTONICA/BANELCO/AR)
Asunto:   [FW-1] RES:      Re: [FW-1] Ping and VPN problems




ohhh yes, echo-request and echo-reply are pre defined services.
I know
>>> Fabricio_Sim�o <[email protected]> 12.09.2002 22:36:13 >>>
Jochen,
I would suggest you to use as the service: icmp. It would work fine.

Fabricio
-----Mensagem original-----
De: Jochen H�chner [mailto:[email protected]]
Enviada em: quinta-feira, 12 de setembro de 2002 12:24
Para: [email protected]
Assunto: Re: [FW-1] Ping and VPN problems

install two rules for ping to both directions on both vpn endpoints.
1 st rule:
  source-net    dest-net    echo-request   encrypt
2nd rule
   dest-ne        source-net  echo-reply     encrypt
that's it.
Best Rgds
Jochen
>>> Diego Notonica <[email protected]> 12.09.2002 15:09:27 >>>
Hi, does anybody make a VPN with SAP? Im using a Nokia 650 FW-1 4.1 SP4
and
works fine, BUT (I dont know why!!!) SAP send my a ping every 2 minutes
to
startup the VPN, and I drop every echo-reply with the message
type 0 code 0 encryption failure: error occurred scheme: IKE
Help me please!!!
Diego
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Prev by Date: [FW-1] QoS_Policy_did_not_apply_to_any_...
Next by Date: Re: [FW-1] SecureRemote and VPN-1 mes amours!
Prev by thread: [FW-1] QoS_Policy_did_not_apply_to_any_...
Next by thread: [FW-1] Are 4.1 logs viewable by NG logviewer?
Index(es):
- Date
- Thread