[FW-1] AW: [FW-1] Auto-Summarize in Encryption domain
We found something:

There is a value in the objects_5_0.C file that will attempt to use a supernetted address. When multiple networks are in the encryption domain and the firewall can supernet them, it will make the attempt on the subnet key exchange with the larger network ID.

The value is ike_use_largest_possible_subnets (true).

Setting this to false in the objects_5_0.C file should resolve this issue. Obviously there is an open issue in FP3 and changing this value, please check it first internally...

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Roelandts, Guy
Sent: Tuesday, 12 November 2002 08:36
To: [email protected]
Subject: Re: [FW-1] Auto-Summarize in Encryption domain

Martin,

We have seen this too and found no work-around as of today. We were setting up a vpn-to-vpn between a Cisco with IOS 12.1. In the output of a debug crypto session we could see:

src_proxy= x.y.x.0/255.255.254.0/0/0 (type=4)

We checked the complete CheckPoint config and found nowhere this mask defined ... anyone else seen this and solved it?

Met vriendelijke groeten - Bien à vous - Kind regards

Guy ROELANDTS
EMEA GS Internet Expertise Centre - CCSE-NG
Compaq BeLux - now part of the New HP
E-mail : [email protected]
Tel: +32(02)729.77.44 (options 3 - 3 - 1)
Fax: +32(02)729.77.65
==========================================================
This message may contain confidential and/or proprietary information, and is intended only for the person/entity to whom it was originally addressed. The content of this message may contain private views and opinions which do not constitute a formal disclosure or commitment unless specifically stated. Should you receive this message by mistake please inform the sender immediately.
==========================================================

-----Original Message-----
From: Martin Christen [mailto:[email protected]]
Sent: 12 November 2002 07:53
To: [email protected]
Subject: [FW-1] Auto-Summarize in Encryption domain

Hello

We use NG FP 2 on a Solaris 8 box. In our Group "Encryption_Domain" we have two networks, 192.168.8.0/24 and 192.168.9.0/24. On the other site we use a Cisco VPN concentrator from which we try to connect to the 192.168.8.0/24 network. On the Cisco device we see that the network is recognized as 192.168.8.0/23, which means that no VPN connection can be established. If we remove the 192.168.9.0/24 from the Group "Encryption_Domain" it works fine.

Is there a switch to disable this auto-summarizing?

Regards
Martin

__________________________________http://www.clounet.ch
Martin Christen
NMS/Security Consultant    Phone: +41(0)31 950 55 83
ClouNet AG                 Fax: +41(0)31 950 55 90
Ammannstrasse 1            [email protected]
CH-3074 Muri b. Bern
________________________________________________________

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
[email protected]
=================================================
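The supernetting discussed in this thread can be reproduced offline. The sketch below is an added example, not part of the original posts and not Check Point code: it assumes the merge done under ike_use_largest_possible_subnets behaves like Python's ipaddress.collapse_addresses, and the function names and the sample host 192.168.8.10 are made up for illustration.

```python
import ipaddress

# Constructed sample data, using the networks named in the thread.
ENCRYPTION_DOMAIN = ["192.168.8.0/24", "192.168.9.0/24"]
PEER_SELECTOR = "192.168.8.0/24"   # subnet the remote Cisco side is configured for


def advertised_subnets(domain, use_largest_possible_subnets=True):
    """Subnets the gateway would propose to the peer for the encryption domain.

    Assumption: the flag's merge is modelled with collapse_addresses(),
    which joins adjacent, aligned networks into the largest covering one.
    """
    nets = [ipaddress.ip_network(n) for n in domain]
    if use_largest_possible_subnets:
        return list(ipaddress.collapse_addresses(nets))
    return sorted(nets)


def proposed_selector(host, domain, use_largest_possible_subnets=True):
    """Return the subnet proposed for traffic to or from `host`, or None."""
    addr = ipaddress.ip_address(host)
    for net in advertised_subnets(domain, use_largest_possible_subnets):
        if addr in net:
            return net
    return None


def selector_mismatch(host, domain, peer_selector, use_largest_possible_subnets=True):
    """Describe the mismatch with the peer's selector, or return None if equal."""
    ours = proposed_selector(host, domain, use_largest_possible_subnets)
    theirs = ipaddress.ip_network(peer_selector)
    if ours == theirs:
        return None
    shown = ours.with_netmask if ours else "no selector"
    return f"gateway proposes {shown}, peer expects {theirs.with_netmask}"


if __name__ == "__main__":
    for flag in (True, False):
        result = selector_mismatch("192.168.8.10", ENCRYPTION_DOMAIN, PEER_SELECTOR, flag)
        print(f"ike_use_largest_possible_subnets={flag}: {result or 'selectors match'}")
```

Running the same check over every network group before adding a subnet to an encryption domain shows in advance which peers would see a changed mask.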