Chris,

This is what we did:

Create two objects, one interoperable device and one network. Let's call them linksys and linksys_encryption_domain. On the linksys object enter the external IP of the linksys on the General tab, and under the Topology setting add the linksys_encryption_domain object as a manually defined VPN Domain. On the VPN settings and traditional mode check 3DES, MD5 and SHA1, and enter a preshared secret. Also, on the Matching Criteria check IP and select the CA of the CP gateway.

Then on the NAT tab of the linksys_encryption_domain network check "add automatic address translation rules", choose hide as the translation method and hide behind the external IP address of your linksys.

Then in your ruleset add the following rule:

Source (CP hide net and linksys_encryption_domain), Destination (CP hide net and linksys_encryption_domain), Service (any), Action (encrypt), Track (log), Install On (gw), Time (Any), Comment (encryption rule for linksys)

On the encrypt action edit properties, select IKE, then edit properties and choose Encryption Algorithm (3DES), Data Integrity (SHA1), Compression Method (None), Allowed Peer Gateway (Linksys), check Perfect Forward Secrecy, Use DH Group (Group 2 (1024 bit)), Perform IP Pool NAT (uncheck).

Then finally in the Address Translation tab of your rulebase add:

Source (CP hide net), Destination (linksys_encryption_domain), Service (Any), Source (Original), Destination (Original), Service (Original), Install on (CP FW)

Hope this helps,

--
Børge

-----Original Message-----
From: Covington, Chris [mailto:[EMAIL PROTECTED]]
Sent: 2 April 2003 23:10
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] befvp41 to fp3 - works on linksys side

Børge,

Yes, I have NAT'ed the two networks to be original. Where do you NAT the encryption domain of the linksys behind its external interface?

Interoperable Devices have no NAT tab, unless you mean to create a manual Hide NAT rule for the Linksys such as:

Source (linksys encryption domain), Destination (linksys encryption domain), original, original
Then Source (linksys encryption domain), Destination (any), Source (linksys interoperable device)

I have never seen any documentation point to making a rule like that, but I will give it a shot.

Thanks,
Chris

-----Original Message-----
From: Børge Berg-Olsen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 02, 2003 3:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] befvp41 to fp3 - works on linksys side

Short question: Have you NAT'ed the two networks so that the net behind your firewall and the linksys is original? Add a rule in the NAT tab of your CP NG firewall, and you should be good.

Also, the encryption domain of the linksys needs to be NAT'ed behind the external interface of the linksys in your interoperable device in CP NG. If not, it won't work - in traditional mode.

--
Børge Berg-Olsen
------------------------------------------------------------------------
+47 90 62 71 78 DoD#2101, DoDRT#017, NIC#015, PJ#006, OGM#007
[EMAIL PROTECTED], Ducati M600, Audi 100 2.3E
Untainted: Never owned a J&%#PS

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED]] On Behalf Of Covington, Chris
> Sent: Wednesday, April 02, 2003 8:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] befvp41 to fp3 - works on linksys side
>
> Bob,
>
> Yes, as far as I can tell, they are within a minute of each other
> time-wise. I'm wondering if it's an FP3 HF2 bug. I wish there was
> some way to see exactly what FP3 is doing when the Linksys tells it
> "invalid-id-information".
>
> Chris
>
> -----Original Message-----
> From: Bob Scipioni [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 02, 2003 12:26 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] befvp41 to fp3 - works on linksys side
>
> Chris,
>
> I don't recall anything being said earlier, but have you made sure
> there isn't any significant time offset between the two gateways?
>
> -Bob
>
> Covington, Chris wrote:
>
> >Sorry for all the postings... Here are the error messages on the
> >Linksys (whenever I try to access from behind FW-1):
> >
> >2003-04-01 21:32:29 IKE[8] Set up ESP tunnel with (MYIP) Success !
> >2003-04-01 21:32:29
> >2003-04-01 21:34:16 IKE[8] Rx << QM_I1 : (MYIP) HASH, SA, NONCE, KE, ID, ID
> >2003-04-01 21:34:16 IKE[8] **Check your Local/Remote Secure Group settings !
> >2003-04-01 21:34:16 IKE[8] Tx >> Notify : INVALID-ID-INFORMATION
> >2003-04-01 21:34:37
> >2003-04-01 21:34:37 IKE[8] Tx >> MM_I1 : (MYIP) SA
> >2003-04-01 21:34:38 IKE[8] Rx << MM_R1 : (MYIP) SA
> >2003-04-01 21:34:38 IKE[8] ISAKMP SA CKI=[a5e2cfae f6359b46] CKR=[dd2652ff a064e41c]
> >2003-04-01 21:34:38 IKE[8] ISAKMP SA 3DES / MD5 / PreShared / MODP_1024 / 28800 sec (*28800 sec)
> >2003-04-01 21:34:38 IKE[8] Tx >> MM_I2 : (MYIP) KE, NONCE
> >2003-04-01 21:34:38 IKE[8] Rx << MM_R2 : (MYIP) KE, NONCE
> >2003-04-01 21:34:38 IKE[8] Tx >> MM_I3 : (MYIP) ID, HASH
> >2003-04-01 21:34:39 IKE[8] Rx << MM_R3 : (MYIP) ID, HASH
> >2003-04-01 21:34:39 IKE[8] Tx >> QM_I1 : (MYIP) HASH, SA, NONCE, KE, ID, ID
> >2003-04-01 21:34:39 IKE[8] Rx << QM_R1 : (MYIP) HASH, SA, NONCE, KE, ID, ID
> >2003-04-01 21:34:39 IKE[8] Tx >> QM_I2 : (MYIP) HASH
> >2003-04-01 21:34:39 IKE[8] ESP_SA 3DES / SHA / 3600 sec (*3600 sec) / SPI=[c99d6e8b:c47dbb84]
> >2003-04-01 21:34:39 IKE[8] Set up ESP tunnel with (MYIP) Success !
> >
> >Chris
> >
> >-----Original Message-----
> >From: Covington, Chris
> >Sent: Tuesday, April 01, 2003 5:33 PM
> >To: [EMAIL PROTECTED]
> >Subject: Re: [FW-1] befvp41 to fp3 - works on linksys side
> >
> >FYI,
> >
> >I have also tried sk16536, which looks like it describes the problem,
> >but that has not fixed the problem.
> >
> >Chris
> >
> >-----Original Message-----
> >From: Covington, Chris
> >Sent: Tuesday, April 01, 2003 3:41 PM
> >To: [EMAIL PROTECTED]
> >Subject: Re: [FW-1] befvp41 to fp3 - works on linksys side
> >
> >Bob,
> >
> >Thanks for the follow-up. I don't think that applies in my case though,
> >since the remote gateway is an Interoperable Device (a Linksys) and not
> >a Check Point Externally Managed Gateway.
> >
> >Has anyone gotten a VPN working with a BEFVP41? What kind of tunnel
> >settings did you use?
> >
> >Chris
> >
> >-----Original Message-----
> >From: Bob Scipioni [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, April 01, 2003 1:51 PM
> >To: [EMAIL PROTECTED]
> >Subject: Re: [FW-1] befvp41 to fp3 - works on linksys side
> >
> >Chris,
> >
> >In Solution ID: 55.0.7778402.2722456 it states:
> >
> ># The remote firewall object is defined with the wrong version in the
> >General tab
> >
> >as one possible cause.
> >
> >-Bob
> >
> >Covington, Chris wrote:
> >
> >>Hi All,
> >>
> >>I've set up a traditional main mode 3DES MD5 site-to-site VPN with a
> >>Linksys BEFVP41 to my SecurePlatform FP3 HF2 box. Everything works
> >>fine on the Linksys side, but if I try to access anything on the
> >>Linksys's network from behind FW-1, I get the following errors:
> >>
> >>IKE: Quick Mode Received Notification from Peer: invalid id information
> >>
> >>encryption failure: Error occured encryption fail reason: Packet is
> >>dropped because there is no valid SA
> >>
> >>I've tried turning on and off Perfect Forward Secrecy, Aggressive mode,
> >>etc. and it seems to not make any difference. The IKE settings are
> >>identical on both ends.
> >>
> >>Is there anything I should try differently?
> >>
> >>thanks,
> >>Chris
> >>
> >>=================================================
> >>To set vacation, Out Of Office, or away messages,
> >>send an email to [EMAIL PROTECTED]
> >>in the BODY of the email add:
> >>set fw-1-mailinglist nomail
> >>=================================================
> >>To unsubscribe from this mailing list,
> >>please see the instructions at
> >>http://www.checkpoint.com/services/mailing.html
> >>=================================================
> >>If you have any questions on how to change your subscription
> >>options, email [EMAIL PROTECTED]
> >>=================================================
> >
> >--
> >Bob Scipioni <[EMAIL PROTECTED]>
> >Vice President, Product Development
> >Lucid Security
> >Research & Product Development
> >www.lucidsecurity.com
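The Linksys log quoted in the thread tells the whole story if you read it in phase order: Phase 1 (MM_I1 through MM_R3) completes and an ISAKMP SA is agreed, so the preshared secret and the proposal match; the rejection comes only when the Check Point side initiates Quick Mode (Rx QM_I1 followed by Tx Notify INVALID-ID-INFORMATION), which is where the Phase 2 identities, i.e. the encryption domain on the Check Point side versus the Secure Group on the Linksys, are compared. That is exactly the mismatch Børge's NAT advice is aimed at. The script below is an added example written for this page, not code from the thread or from either vendor; it parses log lines in the format quoted above (the format and the sample lines are taken from Chris's posting, with the peer address already redacted as MYIP there) and reports which phase and which side produced the rejection, so a defender can separate "wrong PSK or proposal" from "wrong encryption domain" at a glance.

```python
"""Parse Linksys BEFVP41-style IKE log lines and report where a negotiation failed.

Added example for this thread; the line format is assumed from the lines quoted
in the thread and may not cover every message the device can emit.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the Linksys log lines quoted in the thread (peer address redacted as MYIP).
# The two bare timestamp lines appear in the original and are skipped by the parser.
SAMPLE_LOG = """\
2003-04-01 21:32:29 IKE[8] Set up ESP tunnel with (MYIP) Success !
2003-04-01 21:32:29
2003-04-01 21:34:16 IKE[8] Rx << QM_I1 : (MYIP) HASH, SA, NONCE, KE, ID, ID
2003-04-01 21:34:16 IKE[8] **Check your Local/Remote Secure Group settings !
2003-04-01 21:34:16 IKE[8] Tx >> Notify : INVALID-ID-INFORMATION
2003-04-01 21:34:37
2003-04-01 21:34:37 IKE[8] Tx >> MM_I1 : (MYIP) SA
2003-04-01 21:34:38 IKE[8] Rx << MM_R1 : (MYIP) SA
2003-04-01 21:34:38 IKE[8] ISAKMP SA CKI=[a5e2cfae f6359b46] CKR=[dd2652ff a064e41c]
2003-04-01 21:34:38 IKE[8] ISAKMP SA 3DES / MD5 / PreShared / MODP_1024 / 28800 sec (*28800 sec)
2003-04-01 21:34:38 IKE[8] Tx >> MM_I2 : (MYIP) KE, NONCE
2003-04-01 21:34:38 IKE[8] Rx << MM_R2 : (MYIP) KE, NONCE
2003-04-01 21:34:38 IKE[8] Tx >> MM_I3 : (MYIP) ID, HASH
2003-04-01 21:34:39 IKE[8] Rx << MM_R3 : (MYIP) ID, HASH
2003-04-01 21:34:39 IKE[8] Tx >> QM_I1 : (MYIP) HASH, SA, NONCE, KE, ID, ID
2003-04-01 21:34:39 IKE[8] Rx << QM_R1 : (MYIP) HASH, SA, NONCE, KE, ID, ID
2003-04-01 21:34:39 IKE[8] Tx >> QM_I2 : (MYIP) HASH
2003-04-01 21:34:39 IKE[8] ESP_SA 3DES / SHA / 3600 sec (*3600 sec) / SPI=[c99d6e8b:c47dbb84]
2003-04-01 21:34:39 IKE[8] Set up ESP tunnel with (MYIP) Success !
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) IKE\[(?P<idx>\d+)\] (?P<msg>.*)$")
XCHG_RE = re.compile(r"^(?P<dir>Tx|Rx) (?:>>|<<) (?P<xchg>\S+)")


@dataclass
class IkeEvent:
    ts: str
    direction: Optional[str]   # "Tx" = sent by this device, "Rx" = received from peer, None = status line
    exchange: Optional[str]    # MM_I1..MM_R3, QM_I1..QM_I2, "Notify", or None for status lines
    msg: str


def parse_ike_log(text: str) -> List[IkeEvent]:
    """Turn raw log text into IkeEvent records; lines without an IKE[n] tag are ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        x = XCHG_RE.match(msg)
        events.append(IkeEvent(m.group("ts"),
                               x.group("dir") if x else None,
                               x.group("xchg") if x else None,
                               msg))
    return events


def negotiated_parameters(events: List[IkeEvent]) -> Dict[str, str]:
    """Extract the agreed Phase 1 (ISAKMP SA) and Phase 2 (ESP SA) proposals from status lines."""
    params: Dict[str, str] = {}
    for ev in events:
        # The cookie line also starts with "ISAKMP SA"; only the proposal line is wanted here.
        if ev.msg.startswith("ISAKMP SA ") and "CKI=" not in ev.msg:
            params["phase1"] = ev.msg[len("ISAKMP SA "):]
        elif ev.msg.startswith("ESP_SA "):
            params["phase2"] = ev.msg[len("ESP_SA "):]
    return params


def diagnose(events: List[IkeEvent]) -> List[Dict[str, str]]:
    """Flag each INVALID-ID-INFORMATION notify with the phase it belongs to and who rejected whom."""
    findings = []
    for i, ev in enumerate(events):
        if ev.exchange != "Notify" or "INVALID-ID-INFORMATION" not in ev.msg:
            continue
        # The last real exchange before the notify is the message that was rejected.
        prior = next((e for e in reversed(events[:i]) if e.exchange not in (None, "Notify")), None)
        if prior is not None and prior.exchange.startswith("QM_"):
            phase, what = "2", "quick mode (Phase 2) IDs, i.e. the encryption domains"
        elif prior is not None and prior.exchange.startswith("MM_"):
            phase, what = "1", "main mode (Phase 1) identity"
        else:
            phase, what = "?", "an unknown exchange"
        # A notify this device sent (Tx) means it refused the peer's proposal; one it
        # received (Rx) means the peer refused ours.
        who = ("this device rejected the peer's proposal" if ev.direction == "Tx"
               else "the peer rejected this device's proposal")
        findings.append({"ts": ev.ts, "phase": phase, "summary": f"{who}: {what} did not match",
                         "rejected_exchange": prior.exchange if prior else ""})
    return findings


if __name__ == "__main__":
    evs = parse_ike_log(SAMPLE_LOG)
    for k, v in negotiated_parameters(evs).items():
        print(f"{k}: {v}")
    for f in diagnose(evs):
        print(f"{f['ts']} phase {f['phase']} ({f['rejected_exchange']}): {f['summary']}")
```

Run against the sample, the parameters output shows both phases negotiating cleanly when the Linksys initiates, and the single finding is a Phase 2 rejection sent by the Linksys in answer to a QM_I1 it received, which is the "check your Local/Remote Secure Group settings" case rather than a PSK, algorithm or clock problem.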
