I am not seeing Phase completing. When I look at the VPN Tunnels tab it says "IKE (Phase 1); 3DES/SHA1".

PFS and compression are NOT enabled. The certificate was pulled. The tunnel is not established until I try to ping the internal IP of the Edge.

Stephen W. Stewart

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Thursday, February 17, 2005 6:17 PM
To: [email protected]
Subject: Re: [FW-1] VPN-1 Edge X Setup

You might want to peruse the HFA12 release notes for all of the Edge fixes after HFA04. I know you have two others working OK, though.

Are you seeing Phase 2 completing? Your original post didn't say so.

Make sure you do NOT have Perfect Forward Secrecy enabled in the community or site-to-site compression enabled. PFS actually can be enabled on the Edge via a CLI command but it's off by default. Compression isn't supported at all.

Did you let the Edge pull the certificate from SmartCenter or did you install it manually? If the latter, try deleting it from the Edge and let it pull it. Installing it manually seems to have caused a lot of people issues.

Ray

>From: "Stephen W. Stewart" <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] VPN-1 Edge X Setup
>Date: Thu, 17 Feb 2005 10:49:49 -0600
>
>The Edge is in its own community. Moved it out of the community the
>working Edge boxes were in.
>
>You are correct about SmartCenter. I mistyped.
>
>I am accepting all encrypted traffic via the check box. I also have a
>manual rule setup (as with the working ones) with the source and
>destination correctly.
>
>SmartCenter is on HFA_004. SmartView Status shows the Edge as OK.
>
>My logs show the Edge from time to time as there is little traffic at
>this point but it does not show up in the community column as the
>others do.
>
>Don't know what else to tell you.
>
>Thanks for the effort.
>
>Steve
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[EMAIL PROTECTED] On Behalf Of Ray
>Sent: Wednesday, February 16, 2005 6:30 PM
>To: [email protected]
>Subject: Re: [FW-1] VPN-1 Edge X Setup
>
>Is this Edge in the same community as the ones that are working?
>
>By "Service Center" I assume you mean "SmartCenter" and not a real
>SofaWare Service Center?
>
>Are you accepting all encrypted traffic via the check box or do you
>have a manual VPN rule set up? If the latter, do you have both the R55
>gateway and the Edge box in Source and Destination?
>
>Is the Edge managed by SmartCenter or did you do a manual shared secret
>thing? If SmartCenter, what HFA are you on? There were a lot of
>Edge-related fixes around HFA07.
>
>The only time I had this one-way VPN issue was on an early firmware
>(like a year ago almost) and once when I had the NAT settings messed up.
>
>Ray
>
> >From: "Stephen W. Stewart" <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] VPN-1 Edge X Setup
> >Date: Wed, 16 Feb 2005 14:32:28 -0600
> >
> >Another piece of the puzzle to think about.
> >
> >When trying to connect to a Service Center my FW-1 log shows the
> >following message:
> >
> >message_info: Implied rule encryption failure: Different community ID, possible NAT problem (VPN Error code 02)
> >
> >Steve
> >
> >-----Original Message-----
> >From: Mailing list for discussion of Firewall-1
> >[mailto:[EMAIL PROTECTED] On Behalf Of Ray
> >Sent: Wednesday, February 16, 2005 10:12 AM
> >To: [email protected]
> >Subject: Re: [FW-1] VPN-1 Edge X Setup
> >
> >Check out 5.0.50. It fixed a bunch of VPN problems in 5.0.43
> >including a memory leak that made me have to reboot mine every few days.
> >
> >Ray
> >
> > >From: Russell Aspinwall <[EMAIL PROTECTED]>
> > >Reply-To: Mailing list for discussion of Firewall-1
> > ><[email protected]>
> > >To: [email protected]
> > >Subject: Re: [FW-1] VPN-1 Edge X Setup
> > >Date: Wed, 16 Feb 2005 14:15:15 +0000
> > >
> > >Hi,
> > >
> > >I have used a variety of firmware versions on the Edge and found
> > >v5.0.43x a vast improvement since v4.0.93x and many in between.
> > >Site to Site VPNs offer a significantly better level of performance
> > >and reliability, primarily NGAI R55 to Edge, Edge to Edge VPNs have
> > >not been a problem.
> > >
> > >Stephen W. Stewart wrote:
> > >>Hi All,
> > >>
> > >>Trying to set up an Edge X box for a remote office in Site to Site
> > >>mode. I currently have 2 other sites that are working just fine.
> > >>The only difference with the new X is that it will have a static IP
> > >>and the two that are working are using DHCP.
> > >>
> > >>I can create the site and then look in the reports section at the
> > >>VPN Tunnels section and nothing shows up. If I ping the internal IP
> > >>of the X box a tunnel is established and the X box replies. I
> > >>cannot ping the other way into the "home" network behind the FW-1.
> > >>
> > >>The established tunnel shows IKE (Phase 1): 3DES/SHA1.
> > >>
> > >>Any ideas?
> > >>
> > >>Thanks
> > >>
> > >>Stephen W. Stewart
> > >>
> > >>=================================================
> > >>To set vacation, Out-Of-Office, or away messages, send an email to
> > >>[EMAIL PROTECTED]
> > >>in the BODY of the email add:
> > >>set fw-1-mailinglist nomail
> > >>=================================================
> > >>To unsubscribe from this mailing list, please see the instructions
> > >>at http://www.checkpoint.com/services/mailing.html
> > >>=================================================
> > >>If you have any questions on how to change your subscription
> > >>options, email [EMAIL PROTECTED]
> > >>=================================================
> > >
> > >--
> > >Regards
> > >
> > >Russell
