OK, in fact I can see the certificate used for the edge <-> smartcenter connection. However the community used for edge <-> pix (only those) should be able to use a shared secret anyway? Maybe I'll investigate how to set up the pix with a certificate generated by the SmartCenter, and use that instead of a shared secret.

Heiko
--
-- PREVINET S.p.A. www.previnet.it
-- Heiko Herold [EMAIL PROTECTED] [EMAIL PROTECTED]
-- +39-041-5907073 ph
-- +39-041-5907472 fax

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Ray
> Sent: Saturday, June 11, 2005 12:50 AM
> To: [email protected]
> Subject: Re: [FW-1] VPN EdgeX to pix, managed by smartcenter ?
>
> I believe Edge boxes managed by a SmartCenter server must use a certificate or they can't be managed.
>
> Ray
>
> >From: Charalambos Klitiropoulos <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] VPN EdgeX to pix, managed by smartcenter ?
> >Date: Fri, 10 Jun 2005 20:56:00 +0300
> >
> >Yes, all members must share the same authentication method, but that doesn't mean it can not be shared secret key.
> >
> >On 6/10/05, Ray <[EMAIL PROTECTED]> wrote:
> > >
> > > I don't think that's going to work. When an Edge is managed by SmartCenter, certificate authentication has to be used. But the PIX requires a shared secret. In a community, all members must share the same authentication scheme, don't they?
> > >
> > > Ray
> > >
> > > >From: Herold Heiko <[EMAIL PROTECTED]>
> > > >Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
> > > >To: [email protected]
> > > >Subject: [FW-1] VPN EdgeX to pix, managed by smartcenter ?
> > > >Date: Fri, 10 Jun 2005 12:41:28 +0200
> > > >
> > > >I have a Sofaware Edge X, firmware 4.5.64x.
> > > >Management center R55 HFA13.
> > > >
> > > >I'm trying to configure a vpn edge to pix, no nat involved, using shared secret, 3des, sha.
> > > >
> > > >While connected to the management center, if I try to configure a vpn profile from dashboard, install, "update" on edge, in debug crypto isakmp I see the pix won't accept any proposal.
> > > >I checked the usual things (network mismatch, parameter mismatch, renegotiation periods), everything seems ok.
> > > >The configuration was done in simplified mode, star community using shared secrets.
> > > >
> > > >However if on the edge I add manually another vpn site with the same parameters from the edge web interface, the vpn comes up nicely and works. Obviously in that way rules can't be configured centrally; it seems either I use "vpn does bypass firewall" and let everything flow, or I don't and get nothing. At least I know the pix stuff should be ok.
> > > >
> > > >Are there any specific known gotchas around? Or some documentation or sample configurations more specific than the usual "checkpoint to pix configuration sample"? I didn't find anything useful yet :(
> > > >Thanks
> > > >Heiko
> > > >
> > > >--
> > > >-- PREVINET S.p.A. www.previnet.it
> > > >-- Heiko Herold [EMAIL PROTECTED] [EMAIL PROTECTED]
> > > >-- +39-041-5907073 ph
> > > >-- +39-041-5907472 fax
> > > >
> > > >=================================================
> > > >To set vacation, Out-Of-Office, or away messages,
> > > >send an email to [EMAIL PROTECTED]
> > > >in the BODY of the email add:
> > > >set fw-1-mailinglist nomail
> > > >=================================================
> > > >To unsubscribe from this mailing list,
> > > >please see the instructions at
> > > >http://www.checkpoint.com/services/mailing.html
> > > >=================================================
> > > >If you have any questions on how to change your
> > > >subscription options, email
> > > >[EMAIL PROTECTED]
> > > >=================================================
