Re: [FW-1] NG FP4 VPN does not work bi-directionally


  • To: [email protected]
  • Subject: Re: [FW-1] NG FP4 VPN does not work bi-directionally
  • From: "Covington, Chris" <[email protected]>
  • Date: Tue, 16 Sep 2003 12:16:30 -0400
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcN8Xoc7kwCpnM0kTQCcwsbOqPbZSgADIXpg
  • Thread-topic: [FW-1] NG FP4 VPN does not work bi-directionally

Look in the archives for ike_use_largest_possible_subnets.  You might've
set that value to false with FP3 using guidbedit.exe, but FP3 didn't use
the value.  In AI, the value is used and will break tunnels because the
Checkpoint is supernetting the networks in the VPN.  If your VPN
contains two or more contiguous networks (192.168.0.0/24 +
192.168.1.0/24 + 192.168.2.0/24 +
192.168.3.0/24 = 192.168.0.0/22), the Checkpoint will represent them as
1 supernetwork in the IKE negotiation.  If you change the value of
ike_use_largest_possible_subnets and push a policy it might fix the
problem.

Chris


-----Original Message-----
Brendan Laws <[email protected]> wrote:
> Hi people,
>
> I have been looking at this for a while now and I can't see anything out
> of the obvious.
>
> I had a FP3 install that had a VPN running between a Nokia+FP3 and a
> little Linksys router, it worked fine for many months.
>
> I have recently upgraded to FP4 and since then the VPN tunnel only works
> when the Linksys contacts my internal networks, I can not contact the
> internal network behind the Linksys router now that I have upgraded to
> FP4.
>
> Looking at the log viewer I can see that if I pass of a connection it
> matches the vpn community rule but then I see in the logs a reject under
> rule 0 with "encryption failure: error occurred" then directly after
> that message comes the log
>
> Mypc --> pc-behind-linksys DROP --> Packet is drop because there is now
> valid SA.
>
> Now if the PC behind the Linksys can bring up the tunnel with no
> problems, I can't see anything obvious that should be stopping my pc
> from bringing up the tunnel.
>
> Added to that it all worked in FP3, it's only died since the upgrade to
> FP4.
>
> Can anyone recommend anything out of the ordinary to review?
>
> Cheers,
> Brendan
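The following is an added illustration, not code from either poster or from Check Point: it models the supernetting Chris describes by using Python's `ipaddress.collapse_addresses` as a stand-in for the "largest possible subnets" aggregation, and models the peer as a strict responder that only accepts a Phase 2 selector exactly matching one of its configured networks (that strict-match behaviour is an assumption of the example). The sample encryption domain is constructed from the four /24s in the thread.

```python
import ipaddress
from typing import Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed sample encryption domain: the four contiguous /24s from the thread.
VPN_DOMAIN = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]


def per_network_selectors(nets: Iterable[str]) -> List[IPv4Net]:
    """Phase 2 selectors as configured, one per network: what a peer that was
    set up with the individual /24s expects to see in the negotiation."""
    return sorted(ipaddress.ip_network(n) for n in nets)


def supernetted_selectors(nets: Iterable[str]) -> List[IPv4Net]:
    """Phase 2 selectors after aggregating contiguous networks into the largest
    possible subnets (collapse_addresses stands in for the firewall's logic).
    Non-contiguous networks are left as they are."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))


def negotiate(proposed: List[IPv4Net],
              peer_configured: List[IPv4Net]) -> Tuple[List[IPv4Net], List[IPv4Net]]:
    """Assumed strict responder: a proposed selector is accepted only if it exactly
    matches a configured network. Returns (accepted, rejected); every rejected
    selector is traffic for which no SA gets built."""
    accepted = [s for s in proposed if s in peer_configured]
    rejected = [s for s in proposed if s not in peer_configured]
    return accepted, rejected


if __name__ == "__main__":
    peer = per_network_selectors(VPN_DOMAIN)
    print("aggregated selectors:", supernetted_selectors(VPN_DOMAIN))
    print("supernetting on :", negotiate(supernetted_selectors(VPN_DOMAIN), peer))
    print("supernetting off:", negotiate(per_network_selectors(VPN_DOMAIN), peer))
```

With supernetting on, the single 192.168.0.0/22 proposal matches none of the peer's four /24s, so no SA exists for that traffic; with it off, all four selectors match.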
