
List:       firewall-1
Subject:    Re: [FW1] VPN troubles
From:       "Rick McMaster" <Rick_McMaster () freddiemac ! com>
Date:       2000-07-31 17:46:17

Here are two suggestions:

1.  You need two rules for this to work:

SOURCE          DESTINATION     SERVICE         ACTION
---------------------------------------------------------------------------
their_router    our_firewall    ICMP            accept
our_firewall    their_router    IPSEC group
---------------------------------------------------------------------------
their_network   our_network     any             encrypt
our_network     their_network
---------------------------------------------------------------------------

2.  Make sure all of the routing tables are correct and that all of the traffic
destined for the other side of the VPN is being routed through the firewall.

Rick McMaster
CCSE


From:    "Craig Limber" <craig.limber@west.gecems.com>
Date:    07/31/2000 01:14 PM
To:      fw-1-mailinglist@lists.us.checkpoint.com
cc:      (bcc: Rick McMaster/ISS/HQ/FHLMC)
Subject: [FW1] VPN troubles

Hi there;

I am attempting to set up a VPN from FW version 4.1 build 41489 on Solaris
2.6 to a Cisco PIX.  We see that the keys are being exchanged and
everything, but traffic through the firewall is not being tunneled.

I created the following objects:

our_network
their_network
our_firewall (external IP number of our firewall)
their_router (IP number of their cisco box)

And have the following rules:

SOURCE          DESTINATION     SERVICE         ACTION
---------------------------------------------------------------------------
their_router    our_firewall    ICMP            accept
our_firewall    their_router    IPSEC group
---------------------------------------------------------------------------
their_network   our_network     any             encrypt
their_router    our_firewall
---------------------------------------------------------------------------
our_network     their_network   any             encrypt
our_firewall    their_router
---------------------------------------------------------------------------

We have verified that the preshared keys match (even the case) and we are
using matching schemes.  I downloaded many documents from checkpoint,
phoneboy and other sites that describe how to set up the VPN but every
permutation we have tried has failed.  The rules above are the closest
we have gotten.

A snoop on the external interface shows that UDP 500 packets are going
back and forth and an fw tab shows that the keys are being exchanged.
We are getting log entries like this:

;IKE;Combined ESP: DES + MD5 (phase 2 completion) for subnet: their_network
(mask= 255.255.255.0) and for subnet: our_network (mask= 255.255.0.0);;;

Which would imply that parts are working.

However, when I try to send any form of traffic to a host within
their_network I can see with the snoop that the outgoing packets are
NOT encrypted.  They are going out straight (and being dropped by a router
between us).

Any suggestions?

Thanks.

Craig


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
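As an added example (not code from either message in this thread): a small Python model of the two checks Rick's reply asks for. It evaluates Craig's three-rule rulebase top-down with first-match semantics, the way FireWall-1 does, and does a longest-prefix route lookup for an internal host, so you can see for a given flow whether (1) the traffic reaches the firewall at all and (2) the first rule it hits is the encrypt rule rather than a plain accept or an implicit drop. The object names and the three rules are taken from Craig's post; the IP addresses, the assumption that "IPSEC group" means IKE (UDP 500) plus ESP, the firewall's internal gateway address, and both host routing tables are constructed for the example.

```python
"""Model of the two VPN checks from the thread: first-match rulebase
evaluation and a host routing check.  All addresses and routes are
constructed; only the object names and rule layout come from the post."""
import ipaddress
from dataclasses import dataclass

# Constructed network objects (RFC 5737 documentation ranges for the public
# addresses).  The masks follow Craig's IKE log line: their_network is a /24
# (255.255.255.0) and our_network a /16 (255.255.0.0).
OBJECTS = {
    "our_network":   ipaddress.ip_network("10.1.0.0/16"),
    "their_network": ipaddress.ip_network("192.168.5.0/24"),
    "our_firewall":  ipaddress.ip_network("203.0.113.1/32"),   # external interface
    "their_router":  ipaddress.ip_network("198.51.100.1/32"),  # the remote PIX
}

# Services as (protocol, port).  ASSUMPTION: "IPSEC group" = IKE on UDP 500
# plus ESP (IP protocol 50).  None means "match anything".
SERVICES = {
    "ICMP":        {("icmp", None)},
    "IPSEC group": {("udp", 500), ("esp", None)},
    "any":         None,
}

# Constructed internal address of the firewall, used as the hosts' gateway.
FIREWALL_INTERNAL_GW = "10.1.0.1"


@dataclass
class Rule:
    sources: list
    destinations: list
    services: list
    action: str


# Craig's rulebase: each multi-line cell in his table is one rule with several
# objects in that column.  FW-1 evaluates rules top-down, first match wins,
# and anything that matches no rule is dropped by the implicit cleanup rule.
RULEBASE = [
    Rule(["their_router", "our_firewall"], ["our_firewall", "their_router"],
         ["ICMP", "IPSEC group"], "accept"),
    Rule(["their_network", "their_router"], ["our_network", "our_firewall"],
         ["any"], "encrypt"),
    Rule(["our_network", "our_firewall"], ["their_network", "their_router"],
         ["any"], "encrypt"),
]


def _in_any(addr, names):
    ip = ipaddress.ip_address(addr)
    return any(ip in OBJECTS[n] for n in names)


def _service_matches(names, proto, port):
    key = (proto, port) if proto in ("tcp", "udp") else (proto, None)
    return any(SERVICES[n] is None or key in SERVICES[n] for n in names)


def match_rule(src, dst, proto, port=None):
    """Return (rule_number, action) of the first matching rule, or (None, 'drop')."""
    for num, r in enumerate(RULEBASE, start=1):
        if (_in_any(src, r.sources) and _in_any(dst, r.destinations)
                and _service_matches(r.services, proto, port)):
            return num, r.action
    return None, "drop"


def next_hop(routes, dst):
    """Longest-prefix match over a list of (prefix, gateway) pairs."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def vpn_path_check(routes, src, dst, proto, port=None, firewall_gw=FIREWALL_INTERNAL_GW):
    """Rick's two checks for one flow from an internal host: does the host
    route it via the firewall, and is the first matching rule 'encrypt'?"""
    hop = next_hop(routes, dst)
    if hop != firewall_gw:
        return ("bypasses_firewall",
                f"next hop {hop} is not the firewall {firewall_gw}; the encrypt rule never sees it")
    num, action = match_rule(src, dst, proto, port)
    if action != "encrypt":
        return ("not_encrypted", f"first matching rule is {num} with action '{action}'")
    return ("ok", f"routed via {hop}, rule {num} encrypts")


# Constructed host routing tables: GOOD sends everything to the firewall;
# BAD has a more specific route for their_network via some other router, so
# VPN traffic leaves in the clear exactly as Craig's snoop showed.
GOOD_ROUTES = [("0.0.0.0/0", FIREWALL_INTERNAL_GW)]
BAD_ROUTES = [("0.0.0.0/0", FIREWALL_INTERNAL_GW), ("192.168.5.0/24", "10.1.0.254")]

if __name__ == "__main__":
    print(match_rule("198.51.100.1", "203.0.113.1", "udp", 500))      # IKE from the PIX
    print(match_rule("10.1.2.3", "192.168.5.10", "tcp", 80))          # site-to-site traffic
    print(vpn_path_check(GOOD_ROUTES, "10.1.2.3", "192.168.5.10", "tcp", 80))
    print(vpn_path_check(BAD_ROUTES, "10.1.2.3", "192.168.5.10", "tcp", 80))
```

Running it shows the symptom in the thread reproduced by the routing check alone: with the BAD table the packet's next hop is the other router, so it never reaches the rulebase, even though the same flow evaluated against the rulebase directly hits rule 3 and would be encrypted.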