
[FW-1] AW: [FW-1] Auto-Summarize in Encryption domain



We found something:
There is a value in the objects_5_0.C file that will attempt to use a
supernetted address.  When multiple networks are in the encryption
domain and the firewall can supernet them, it will make the attempt on the
subnet key exchange with the larger network ID.  The value is

ike_use_largest_possible_subnets (true)

Setting this to false in the objects_5_0.C file should resolve this
issue. Obviously there is an open issue in FP3 and changing this value,
please check it first internally...


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On behalf of
Roelandts, Guy
Sent: Tuesday, 12 November 2002 08:36
To: [email protected]
Subject: Re: [FW-1] Auto-Summarize in Encryption domain

Martin,

   We have seen this too and found no work-around as of today. We were
 setting up a vpn-to-vpn between a Cisco with IOS 12.1.

   In the output of a debug crypto session we could see :

  src_proxy= x.y.x.0/255.255.254.0/0/0 (type=4)

   We checked the complete CheckPoint config and found nowhere this
 mask defined ... anyone else seen this and solved it?

Met vriendelijke groeten - Bien à vous - Kind regards
Guy ROELANDTS
EMEA GS Internet Expertise Centre - CCSE-NG
Compaq BeLux - now part of the New HP
E-mail : [email protected]
Tel: +32(02)729.77.44 (options 3 - 3 - 1)
Fax: +32(02)729.77.65
==========================================================
This message may contain confidential and/or proprietary information,
and is intended only for the person/entity to whom it was originally
addressed. The content of this message may contain private views and
opinions which do not constitute a formal disclosure or commitment
unless specifically stated. Should you receive this message by mistake
please inform the sender immediately.
==========================================================


-----Original Message-----
From: Martin Christen [mailto:[email protected]]
Sent: 12 November 2002 07:53
To: [email protected]
Subject: [FW-1] Auto-Summarize in Encryption domain


Hello
We use NG FP 2 on a Solaris 8 box.
In our group "Encryption_Domain" we have two networks, 192.168.8.0/24
and 192.168.9.0/24.
On the other site we use a Cisco VPN concentrator from which we try to
connect to the 192.168.8.0/24 network.
On the Cisco device we see that the network is recognized as
192.168.8.0/23, which means that no VPN connection can be established.
If we remove 192.168.9.0/24 from the group "Encryption_Domain" it works fine.
Is there a switch to disable this auto-summarizing?

Regards

Martin



 __________________________________http://www.clounet.ch

Martin Christen
NMS/Security Consultant

Phone:    +41(0)31 950 55 83                  ClouNet AG
Fax:      +41(0)31 950 55 90             Ammannstrasse 1
[email protected]          CH-3074 Muri b. Bern
________________________________________________________

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
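
The mismatch discussed in this thread, as an added example that is not part of the original messages: the sketch models the summarization with Python's `ipaddress.collapse_addresses` (not Check Point's actual algorithm) and compares the resulting proxy IDs with the peer's selectors. It assumes a peer that accepts only exactly matching proxy identities; the function names, the peer selector list and the debug line with concrete addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample values modelled on the thread (not captured output).
DOMAIN = ["192.168.8.0/24", "192.168.9.0/24"]   # gateway's encryption domain
PEER_SELECTORS = ["192.168.8.0/24"]              # what the remote peer defines
DEBUG_LINE = "src_proxy= 192.168.8.0/255.255.254.0/0/0 (type=4)"

def proposed_proxy_ids(domain, use_largest_possible_subnets):
    """Networks the gateway would offer as phase 2 proxy IDs (modelled)."""
    nets = sorted(ipaddress.ip_network(n) for n in domain)
    if use_largest_possible_subnets:
        # Merge adjacent, aligned networks into their covering supernet.
        nets = list(ipaddress.collapse_addresses(nets))
    return [str(n) for n in nets]

def parse_src_proxy(line):
    """Extract address/mask from a 'src_proxy= a.b.c.d/mask/proto/port' line."""
    m = re.search(r"src_proxy=\s*([\d.]+)/([\d.]+)/", line)
    if not m:
        raise ValueError("no src_proxy field in line")
    return str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))

def classify(proposed, peer_selectors):
    """Compare one proposed proxy ID with the peer's exact-match selectors."""
    prop = ipaddress.ip_network(proposed)
    peer = [ipaddress.ip_network(p) for p in peer_selectors]
    if prop in peer:
        return "match"
    if any(p.subnet_of(prop) for p in peer):
        return "supernet-mismatch"   # proposal is wider than what the peer defines
    return "no-peer-selector"

def report(domain, peer_selectors, use_largest_possible_subnets):
    """List (proxy ID, status) pairs for one setting of the flag."""
    return [(p, classify(p, peer_selectors))
            for p in proposed_proxy_ids(domain, use_largest_possible_subnets)]

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, report(DOMAIN, PEER_SELECTORS, flag))
    print("debug line shows", parse_src_proxy(DEBUG_LINE))
```

Networks that are not adjacent and aligned, such as 192.168.9.0/24 and 192.168.10.0/24, are left unmerged by this model, which is why the symptom appears only for some encryption domains.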




 
All contents © 2003 Network Presence, LLC. All rights reserved.