From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Simplified & Traditional VPN
Date: Fri, 16 Sep 2005 14:40:10 +0100
Thank you all for the replies on this.
The problem is I think I've done pretty much everything as suggested
(apart
from upgrading to the latest version - the box is relatively new, and the
version is 5.0.73x).
I manage the box and the box logs to the management server but when trying
to establish a VPN I got
On the Edge box:
Failed to establish VPN tunnel with x.x.x.x: no proposal chosen
In SmartTracker:
Rejected by central gateway with this message:
IKE: Main Mode Missing IKE configuration for peer (authentication or
encryption or hash).
I have checked and double-checked the IKE properties: all set to various
combinations on both ends (the one I want to work is 3DES and SHA1).
Any suggestions?
Thanks,
Huiqi Liu
Bob Grabbe
<[EMAIL PROTECTED]
U>
To
Sent by: Mailing
[EMAIL PROTECTED]
list for INT.COM
discussion of
cc
Firewall-1
<FW-1-MAILINGLIST
Subject
@AMADEUS.US.CHECK Re: [FW-1] Simplified &
Traditional
POINT.COM> VPN
16/09/2005 14:06
Please respond to
Mailing list for
discussion of
Firewall-1
<FW-1-MAILINGLIST
@AMADEUS.US.CHECK
POINT.COM>
Your answer confirms my worst fears.
Support has expired on my firewall and I think I might have to pay for
help
with it. I've inserted the reasons below.
Thanks, though, for the help so far.
Bob Grabbe
[EMAIL PROTECTED]
----- Original Message -----
From: "Lino Eduardo Avila Rodríguez" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, September 15, 2005 12:42 PM
Subject: Re: [FW-1] Simplified & Traditional VPN
>>Try www.sofaware.com there are configuration documents and knowlegde
base
>>that will help you.
I did loook in their faqs, but the only docs I cvould find had to do with
connecting two edge boxes, to a cisco firewall, and I think one to a
Windows
server.
>>The things you should check un your edge are this
>>Check the correct time
Have done this, and it's correct.
>>Update to the current versión.
Might not be an option, my contract is up and I don't know if I can get
clearance to pay for more support.
>>I can tell you that first your management has to have a valid IP
address
>>because you edge device looks for it and tries to connect to it.
It does.
>>For the configuration is like this
>>Enter to the smartcenter server
>>Create a profile for the Edge (new checkpoint->profile->vpn-1edge )
This I don't get. When I go to create->Checkpoint I don't have the option
to
create a profile. I can create either a new Gateway or an Embedde3d
Device,
but the only type of Embedded Device I can create is a Nokia 5X. I'd
figure
that I should be creating a new Gateway, though.
>>The create a new VPN-1 Edge Gateway, associate the profile to it, set
up
>>the
>>Registration Key (like a password) do not check Externally managed, set
it
>>up if it will have dynamic or static Ip and the press ok, the
certificate
>>then will be generated, then enter to the gateway again and in the vpn
tab
>>there's a certficiate list right click it and then export it to a
file.
I think if I can get the registration key, though, I might be able to do
this. Just having a hard time getting it from the vendor. So far, they
haven't given me the Gateway ID and Registration Key to connect to the
Sofaware User Center. Hopefully getting this will help.
>> This certificate should be automatically imported to your gateway when
>> you
>>connect it to your service center (smart center server). If not import
it
>>manually.
>>When you want to install a rule policy to the edge you'll have to
install
>>It
>>in the profile. The edge every 20 min updates it's policy and looks for
>>this
>>profilein the smartcenter. Also look in the install on tab on your
rules,
>>you'll have to specify to install on your cluster or in your edge
profile,
>>if you don't do this there will be errors on your policy and it won't
>>install.
Best Regards,
Lino E. Avila
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Bob
Grabbe
Sent: Thursday, September 15, 2005 10:59 AM
To: [email protected]
Subject: Re: [FW-1] Simplified & Traditional VPN
Along these same lines, I have a firewall R54 running Secure Platform.
I'm
trying to add an Edge X16 box for a remote site, but having problems
getting
the two to communicate.
I think one of the problems I'm having is that I've been unable to find
how
to export a certificate from the splat platform to import on to the Edge
box.
If anyone has any pointers to any documentation on how to set up a site to
site vpn between these two, I'd appreciate it. Everything I can find so
far
is between two platforms of the same type, i.e. edge to edge, or such. I'm
relatively new to the Checkpoint community, so the more simplistic it is
the
better.
Thanks
Bob Grabbe
[EMAIL PROTECTED]
----- Original Message -----
From: "Lino Eduardo Avila Rodríguez" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, September 15, 2005 11:41 AM
Subject: Re: [FW-1] Simplified & Traditional VPN
> You don't have to change your community, you have to configure in
global
> properties the simplified mode and then create a new policy so you'll
have
> your policy in simplified mode and then you create the rules you
> previously
> have plus the new rules for the edge.
>
> Best regards
>
> Lino
>
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, September 15, 2005 6:07 AM
> To: [email protected]
> Subject: [FW-1] Simplified & Traditional VPN
>
> Currently all my VPNs are in traditional mode. I have a "star"
topology:
> one central management station, one central gateway, a number of remote
> gateways. All running NG AI R55.
>
> I now have a VPN-1 Edge box which I'd like to manage from the same
> SmartCentre, and build a VPN between the Edge box and the central
gateway.
> I understand that this new policy needs to be in simplified mode.
> However,
> does it mean that I have to convert my central gateway into simplified
> mode,
> if I want to build a VPN between the two? Or can the central gateway
stay
> in traditional mode?
>
> Thanks!
>
> Huiqi Liu
>
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an email to
> [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription options,
> email
> [EMAIL PROTECTED]
> =================================================
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
>
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
