In VPN-1/FireWall-1 NG, by default, the option "ike_use_largest_possible_subnets" is set to true, which causes the VPN-1 gateway to summarize the subnet information sent in phase 2 of the IKE key exchange. This occurs when two subnets exist in the VPN domain configured on the firewall module: instead of the individual subnets, a calculated summary (a "supernet" mask) is sent.
Solution

This behavior can be modified by adjusting the option that governs this function, "ike_use_largest_possible_subnets", and setting it to false in the objects_5_0.C file. There are two methods to make this modification: with the Check Point Database Tool, or on the command line with dbedit.

----------------------------------------------------------------------------
Check Point Database Tool

To download and install the Check Point Database Tool, select URL:
http://www.checkpoint.com/techsupport/downloadsng/utilities.html#dbtool

Procedure:
1) Close all SmartDashboard sessions and connect to the Management Server with the Database Tool
2) Select the firewall_properties option "ike_use_largest_possible_subnets" and change it from true to false
3) Save and exit
4) Install policy

----------------------------------------------------------------------------
Dbedit Method

Procedure:
1) Close all SmartDashboard sessions
2) Run the command "dbedit" on the Management Server
3) Issue the following commands:
   modify properties firewall_properties ike_use_largest_possible_subnets false
   update properties firewall_properties
   quit
4) Install policy

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Diego F. Lastra S.
Sent: Friday, April 15, 2005 12:50 PM
To: [email protected]
Subject: [FW-1] Site to Site VPN ( Checkpoint and PIX)

Do you have any idea what is going on in this SITE TO SITE VPN with a Cisco PIX?
Number: 55466
Date: 15Apr2005
Time: 13:25:43
Product: VPN-1 & FireWall-1
Interface: eth-s4p1c0
Origin: FWMasnegocio (200.57.89.105)
Type: Log
Action: Drop
Source: Masnegocio_FS2 (172.20.4.39)
Destination: 10.142.65.13
Protocol: icmp
Rule: 3
Destination Key ID: 0x00000000
Encryption Scheme: IKE
VPN Peer Gateway: FW_Royal (200.79.33.100)
Encryption Methods: ESP: AES-256 + MD5
Community: Masnegocio_Royal
Information: ICMP: Echo Request
ICMP Type: 8
ICMP Code: 0
encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information

Hosts behind the Check Point cannot open any connection to the internal network of the PIX, and the hosts behind the PIX firewall can only open ICMP and nothing else...

Thank you.

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
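Added example (not part of the thread, and not Check Point or Cisco code): a small Python script that emulates the phase 2 summarization the reply describes, so you can see what selector the gateway proposes with "ike_use_largest_possible_subnets" true versus false. The VPN domain subnets and the peer's expected selectors are constructed sample values, and the peer is assumed to accept a proposed selector only if it fits inside one of its own entries.

```python
import ipaddress

# Constructed sample VPN domain for the Check Point side: two adjacent
# subnets behind the gateway (hypothetical, not from the thread).
VPN_DOMAIN = ["172.20.4.0/24", "172.20.5.0/24"]
# Constructed selectors the peer expects in phase 2, one per subnet
# (stands in for the PIX crypto ACL; hypothetical values).
PEER_EXPECTED = ["172.20.4.0/24", "172.20.5.0/24"]


def largest_possible_supernet(subnets):
    """Collapse the networks into the single smallest prefix that contains
    all of them, mirroring the summary VPN-1 sends when
    ike_use_largest_possible_subnets is true."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    candidate = nets[0]
    # Widen the prefix one bit at a time until every subnet fits inside.
    while not all(candidate.supernet_of(n) for n in nets):
        candidate = candidate.supernet()
    return candidate


def phase2_selectors(vpn_domain, use_largest_possible_subnets):
    """Local selectors the gateway proposes in phase 2:
    True  -> one summarised supernet (the default setting),
    False -> one selector per configured subnet (after the dbedit change)."""
    if use_largest_possible_subnets:
        return [largest_possible_supernet(vpn_domain)]
    return [ipaddress.ip_network(s, strict=False) for s in vpn_domain]


def unmatched_selectors(proposed, peer_expected):
    """Proposed selectors the peer would refuse, assuming it only accepts a
    selector that fits inside one of its own entries. A summarised
    supernet is wider than any single entry, so it never matches."""
    accepted = [ipaddress.ip_network(s, strict=False) for s in peer_expected]
    return [p for p in proposed
            if not any(a.supernet_of(p) for a in accepted)]


if __name__ == "__main__":
    for setting in (True, False):
        proposed = phase2_selectors(VPN_DOMAIN, setting)
        refused = unmatched_selectors(proposed, PEER_EXPECTED)
        print(f"ike_use_largest_possible_subnets={setting}: proposes "
              f"{[str(p) for p in proposed]}, peer refuses "
              f"{[str(r) for r in refused]}")
```

Non-adjacent subnets widen the summary even further (for example 10.1.0.0/24 and 10.2.0.0/24 collapse to 10.0.0.0/14), so the mismatch grows with the spread of the VPN domain.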
