Hi folks, we are having a tough time here trying to get SecuRemote to talk using IKE, so we're hoping someone can lend a hand.
We have a Nokia IP 330 box running on IPSO v3.4. The package installed is CheckPoint FW1 sp4. The box uses all three interfaces:

eth3=x.8.247.6
eth4=x.8.242.1
eth3=x.95.8.199

Of which eth3 and eth4 are using REAL public IP addresses. eth3 has no natting enabled, yet. We've generated the license based on the private IP address of x.95.8.199.

The Policy

1. ruvpn-grp (src) Any (dest) Any (svc) Client Encrypt (action)
2. any (src) fw1 (dest) http/ssh (svc) accept (action)

We've defined the following parameters:

- FW object
  * Encryption Domain (x.95.8.0/24)
  * Exportable for SecuRemote
  * IKE encryption scheme
  * VPN-1 & FW1 Password
- IKE Properties
  * DES, CAST, 3DES
  * MD5, SHA1
  * Pre-Shared Secret
  * Support Aggressive Mode
  * Support Keys exchange

Desktop Security
- Uncheck Respond to Unauthenticated Topology Request

User Object
- Authentication Scheme
  * Undefined
- Encryption
  * IKE

IKE properties
  * Authentication Password
  * Transform (ESP)
  * Data Integrity (SHA1)
  * Encryption Algorithm (3des)

Observations:

* We could ping x.x.247.6 and x.x.242.1 from internet.
* We could access (via telnet, ssh, http) x.x.242.1 from internet.
* We couldn't access (via telnet, ssh, http) x.x.247.6 from internet.

Here's the strange behaviour: [We could actually see the login banner (telnet, ssh) and the web authorization box (http), but we just couldn't log on successfully.] We were told that this is actually a Nokia behaviour. We've created the Firewall Object as x.8.247.6.

Our headache:

* We've decided to create a new site in SecuRemote by entering in the x.8.247.6. But the VPN-1 SecuRemote reported "Error: Communication with site x.x.247.6 has failed"
* When we try to create a new site using the other public IP x.x.242.1, it seems to work initially; another new window appears confirming the Nickname, IP and LastUpdate. When we try to ping the internal LAN via the x.x.8.199, a window pops up as we proceed to enter the user name and password.
  SecuRemote reported: "Negotation with Firewall at site 61.8.242.1 has failed"

Our questions:

* Should SecuRemote's New site be pointed at x.8.247.6 or x.8.242.1 ?
* Say our SecuRemote's New site is pointed to x.8.242.1, why did it ".. failed" ?
* Any problem if we gen the license using the fake ip x.95.8.199 ?

Rgds,
Simon
