Assuming that you are running NG, here is what you have to do:
1) Edit $FWDIR/conf/object_5_0.c
Change ike_use_largest_possible_subnets from true to false
2) You have to edit $FWDIR/lib/user.def
Add the maximum subnets to this file. I have added a sample of how this
file should look. Also, as a "gotcha": if you are running your
management server on a Windows platform, modify this file in a UNIX
environment and then bring it over. I had problems with WinPad and Notepad.
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
<192.168.40.0, 192.168.50.255; 255.255.255.255>,
<192.168.51.0, 255.255.255.255; 255.255.0.0>
};
#endif /* __user_def__ */
3) Save the files.
4) Push policy.
I hope this will help you out.
On 1/21/04 3:25 PM, "Peter Pramberger" <[EMAIL PROTECTED]>
wrote:
> Hi,
>
> is there a solution to prevent VPN-1 NG FP3 from summarizing
> networks in the encryption domain on IKE negotiation in simplified
> mode (except not using simplified mode ;-)?
>
>
> The following setup (from VPN-1's view):
>
> Net_A: 192.168.0.0/25
> Net_B: 192.168.0.128/25
> Net_C: 192.168.10.0/24
>
>  ----------           ----------     ---------
> |          |         |          |---| Net_A |
> |  Peer A  |---...---|  Peer B  |---| Net_B |
> |          |         |          |---| Net_C |
>  ----------           ----------     ---------
>
> Peer A: Cisco, defined as "interoperable device"
> VPN domain set to "based on topology"
> Topology defined as one internal interface (some
> network) and one external interface (10.2.3.4/32)
>
> Peer B: Checkpoint NG FP3 (VPN-1 Pro)
> VPN domain set to "based on topology"
> Topology defined as three internal interfaces
> (Net_A-C) and one external interface
>
>
> Rulebase:
>
> Net_A -> "Some network behind Peer B" via VPN-Community
> (Star) service ssh,telnet,ftp ACCEPT
>
>
> IKE negotiation:
>
> Peer A has configured Net_A in its encryption domain. IKE
> negotiation fails on Cisco with "no proposal chosen" because
> VPN-1 is not sending the two networks but is summarizing them
> to 192.168.0.0/24 even if I use only the first network in the
> rulebase!
>
> The same applies if I define two hosts (e.g. 1.2.3.4/32+1.2.3.5/32)
> in Peer B's topology. Checkpoint is sending them as Net 1.2.3.4/31!
>
> Has anyone else seen this behavior?
>
>
> Regards,
> Peter Pramberger
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
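The two-part fix given at the top of this thread (turning ike_use_largest_possible_subnets off and adding max_subnet_for_range entries to user.def), illustrated with a constructed Python model. This is added example code, not Check Point's own code: it checks a user.def fragment for the Windows line-ending "gotcha" and for malformed entries, and models what proxy IDs the gateway would put in the IKE proposal with and without summarisation. The reading of an entry as <low, high; netmask> = "largest subnet allowed for addresses in that range", and the summarisation rule itself, are assumptions drawn from the thread rather than verified product behaviour; the sample user.def text and the networks are constructed.

```python
import ipaddress
import re

# Constructed user.def fragment in the shape shown in the post above. The
# "\r\n" on the second entry is deliberate so the validator has something to
# flag (the Windows-editor gotcha the author warns about).
SAMPLE_USER_DEF = (
    "#ifndef __user_def__\n"
    "#define __user_def__\n"
    "max_subnet_for_range = {\n"
    "<192.168.40.0, 192.168.50.255; 255.255.255.255>,\n"
    "<192.168.0.0, 192.168.0.255; 255.255.255.128>\r\n"
    "};\n"
    "#endif /* __user_def__ */\n"
)

# One entry: <low, high; netmask>  (assumed format, taken from the post)
ENTRY_RE = re.compile(r"<\s*([\d.]+)\s*,\s*([\d.]+)\s*;\s*([\d.]+)\s*>")


def parse_max_subnet_for_range(text):
    """Return (entries, problems); an entry is (low, high, max_prefixlen)."""
    problems = []
    if "\r" in text:
        problems.append("CR characters found: file has Windows (CRLF) line endings")
    entries = []
    block = re.search(r"max_subnet_for_range\s*=\s*\{(.*?)\};", text, re.S)
    if not block:
        problems.append("no max_subnet_for_range block found")
        return entries, problems
    for low, high, mask in ENTRY_RE.findall(block.group(1)):
        try:
            lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
            # a valid netmask is a contiguous run of ones; IPv4Network checks that
            plen = ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen
        except ValueError as e:
            problems.append(f"bad entry <{low}, {high}; {mask}>: {e}")
            continue
        if lo > hi:
            problems.append(f"range start {lo} is after range end {hi}")
            continue
        entries.append((lo, hi, plen))
    return entries, problems


def smallest_supernet(nets):
    """Smallest single CIDR block covering every network in `nets`."""
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):
        cand = ipaddress.IPv4Network((int(first), plen), strict=False)
        if last in cand:
            return cand


def proposed_proxy_ids(domain, use_largest=True, entries=()):
    """Model of the proxy IDs sent for the VPN domain `domain` (list of CIDRs).

    use_largest=False -> every network is sent as defined
                         (ike_use_largest_possible_subnets false).
    use_largest=True  -> networks are collapsed into the smallest covering
                         supernet, but never into a block larger than the
                         max_subnet_for_range entry that covers them (assumed
                         semantics of user.def entries).
    """
    nets = [ipaddress.IPv4Network(n) for n in domain]
    if not use_largest:
        return [str(n) for n in nets]
    sup = smallest_supernet(nets)
    # tightest cap (longest prefix) among entries whose range touches the block
    cap = max((plen for lo, hi, plen in entries
               if lo <= sup.broadcast_address and hi >= sup.network_address),
              default=0)
    if sup.prefixlen >= cap:
        return [str(sup)]
    # cap is stricter than the summary: split down to the permitted size and
    # keep only the pieces that actually contain domain addresses
    return [str(b) for b in sup.subnets(new_prefix=cap)
            if any(b.overlaps(n) for n in nets)]


if __name__ == "__main__":
    entries, problems = parse_max_subnet_for_range(SAMPLE_USER_DEF)
    print("problems:", problems)
    net_a_b = ["192.168.0.0/25", "192.168.0.128/25"]
    print("summarised, no cap:", proposed_proxy_ids(net_a_b))
    print("summarised, capped:", proposed_proxy_ids(net_a_b, entries=entries))
    print("not summarised:    ", proposed_proxy_ids(net_a_b, use_largest=False))
```

Run as-is, the model reproduces the symptom from the original question (Net_A and Net_B collapse to 192.168.0.0/24, and two /32 hosts to a /31) and shows both ways out: a max_subnet_for_range entry with mask 255.255.255.128 over 192.168.0.0-192.168.0.255 keeps the two /25s apart, and switching summarisation off sends them exactly as defined. The CR check is the cheap test to run before pushing policy when the file has been through a Windows editor.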