Make sure you have site-to-site compression disabled and perfect forward secrecy disabled, unless you specifically enabled PFS via the command line interface on the Edge box itself.

What does the error message say specifically?

Ray
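The "no proposal chosen" on the Edge and "Missing IKE configuration for peer (authentication or encryption or hash)" on the central gateway, both quoted further down this thread, are the two sides of one IKE negotiation failure: the responder walks the initiator's proposal list and, finding nothing it also accepts, answers with a NO_PROPOSAL_CHOSEN notify. The snippet below is an added illustration of that matching logic, not code from any poster, from Check Point or from the Edge CLI. The transform sets, the certificate authentication and the PFS/IP-compression mismatch are constructed to mirror Ray's advice above; which attribute actually differs on a real deployment has to be read from the community and the gateway objects, not assumed.

```python
"""Toy IKE proposal negotiation (added example, not Check Point code).

A responder walks the initiator's proposal list in order and picks the
first one it also accepts; if none matches it answers NO_PROPOSAL_CHOSEN.
The Edge/SmartCenter values below are constructed to mirror the thread:
the Edge cannot do PFS or IP compression, so a community that requires
either of them never produces a match.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Attributes compared during matching, in the order they are reported.
FIELDS = ("encryption", "hash", "auth", "pfs_group", "ipcomp")


@dataclass(frozen=True)
class Proposal:
    """One transform set as a gateway offers or accepts it."""
    encryption: str            # e.g. "3DES", "AES-128"
    hash: str                  # e.g. "SHA1", "MD5"
    auth: str                  # "certificate" or "preshared"
    pfs_group: Optional[int]   # DH group for PFS; None means PFS disabled
    ipcomp: bool = False       # site-to-site IP compression


def negotiate(offered: Iterable[Proposal],
              accepted: Iterable[Proposal]) -> Optional[Proposal]:
    """Return the first offered proposal the responder accepts, or None
    (the equivalent of an IKE NO_PROPOSAL_CHOSEN notify)."""
    acceptable = set(accepted)
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


def explain_mismatch(offered: Iterable[Proposal],
                     accepted: Iterable[Proposal]) -> List[str]:
    """For each offered proposal, name the attributes that differ from the
    closest acceptable one, so an operator can see why nothing matched."""
    acceptable = list(accepted)
    report = []
    for proposal in offered:
        def distance(candidate: Proposal) -> int:
            return sum(getattr(candidate, f) != getattr(proposal, f)
                       for f in FIELDS)
        closest = min(acceptable, key=distance)
        diffs = [
            f"{f}: offered {getattr(proposal, f)!r}, "
            f"peer expects {getattr(closest, f)!r}"
            for f in FIELDS
            if getattr(proposal, f) != getattr(closest, f)
        ]
        report.append("; ".join(diffs) if diffs else "accepted")
    return report


# Constructed sample: what an Edge box can offer (3DES/SHA1, certificate
# auth, no PFS, no compression) ...
EDGE_OFFER = [Proposal("3DES", "SHA1", "certificate", pfs_group=None, ipcomp=False)]

# ... versus a community on the central gateway that still has PFS (group 2)
# and IP compression enabled, the combination warned against above ...
COMMUNITY_WITH_PFS = [Proposal("3DES", "SHA1", "certificate", pfs_group=2, ipcomp=True)]

# ... and the same community after both settings are disabled.
COMMUNITY_FIXED = [Proposal("3DES", "SHA1", "certificate", pfs_group=None, ipcomp=False)]


if __name__ == "__main__":
    for label, community in (("misconfigured", COMMUNITY_WITH_PFS),
                             ("fixed", COMMUNITY_FIXED)):
        chosen = negotiate(EDGE_OFFER, community)
        if chosen is None:
            print(f"{label}: NO_PROPOSAL_CHOSEN ->",
                  explain_mismatch(EDGE_OFFER, community))
        else:
            print(f"{label}: chose {chosen}")
```

Running it prints the attribute-level difference for the misconfigured community (PFS group and compression) and a chosen proposal once both are disabled; swapping the hash to MD5 on one side reproduces the "encryption or hash" half of the gateway's complaint.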

From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] Simplified & Traditional VPN
Date: Tue, 20 Sep 2005 14:24:01 +0100

Ray,

Thanks for the reply.

I have R55 and all appears to be OK except the VPN: the Edge box connects
to the SmartCentre successfully, and logging appears centrally.

But VPN doesn't function at all: no proposal chosen showing up on the Edge
reports (the time setting is correct on the Edge box), and on the central
gateway it complains about missing IKE information.

Any other pointers?

Thanks!

Huiqi


From: Ray <[EMAIL PROTECTED]IL.COM>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
To: [EMAIL PROTECTED]INT.COM
Subject: Re: [FW-1] Simplified & Traditional VPN
Date: 17/09/2005 15:04
Please respond to: Mailing list for discussion of Firewall-1 <[email protected]>

SmartCenter on R54 needs to have the Sofaware AddIn installed to manage Edge
boxes. It comes pre-installed with R55. You also need 4.1 Backward
Compatibility installed on R54 or R55.

After you get on a compatible version of SmartCenter, Edge will pull the
certificate from SmartCenter. SmartCenter will be set up as the Edge's
"Service Center."

Note that an Edge does not understand Perfect Forward Secrecy or
Site-to-Site IP Compression, so they must be disabled in the community. It
can be made to understand PFS but only via a CLI command, not the web GUI.

HTH,

Ray

>From: [EMAIL PROTECTED]
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] Simplified & Traditional VPN
>Date: Fri, 16 Sep 2005 14:40:10 +0100
>
>Thank you all for the replies on this.
>
>The problem is I think I've done pretty much everything as suggested (apart
>from upgrading to the latest version - the box is relatively new, and the
>version is 5.0.73x).
>
>I manage the box and the box logs to the management server but when trying
>to establish a VPN I got
>
>On the Edge box:
>
>Failed to establish VPN tunnel with x.x.x.x: no proposal chosen
>
>In SmartTracker:
>
>Rejected by central gateway with this message:
>
>IKE: Main Mode Missing IKE configuration for peer (authentication or
>encryption or hash).
>
>I have checked and double-checked the IKE properties: all set to various
>combinations on both ends (the one I want to work is 3DES and SHA1).
>
>Any suggestions?
>
>Thanks,
>
>Huiqi Liu
>
>
>
>
>From: Bob Grabbe <[EMAIL PROTECTED]U>
>Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
>To: [EMAIL PROTECTED]INT.COM
>Subject: Re: [FW-1] Simplified & Traditional VPN
>Date: 16/09/2005 14:06
>Please respond to: Mailing list for discussion of Firewall-1 <[email protected]>
>
>Your answer confirms my worst fears.
>Support has expired on my firewall and I think I might have to pay for help
>with it. I've inserted the reasons below.
>Thanks, though, for the help so far.
>Bob Grabbe
>[EMAIL PROTECTED]
>
>----- Original Message -----
>From: "Lino Eduardo Avila Rodríguez" <[EMAIL PROTECTED]>
>To: <[email protected]>
>Sent: Thursday, September 15, 2005 12:42 PM
>Subject: Re: [FW-1] Simplified & Traditional VPN
>
>
>
> >>Try www.sofaware.com there are configuration documents and knowledge
> >>base that will help you.
>I did look in their FAQs, but the only docs I could find had to do with
>connecting two edge boxes, to a Cisco firewall, and I think one to a
>Windows server.
>
> >>The things you should check in your edge are these
> >>Check the correct time
>Have done this, and it's correct.
> >>Update to the current version.
>Might not be an option, my contract is up and I don't know if I can get
>clearance to pay for more support.
>
> >>I can tell you that first your management has to have a valid IP address
> >>because your edge device looks for it and tries to connect to it.
>It does.
>
> >>For the configuration is like this
> >>Enter to the smartcenter server
> >>Create a profile for the Edge (new checkpoint->profile->vpn-1edge )
>This I don't get. When I go to create->Checkpoint I don't have the option to
>create a profile. I can create either a new Gateway or an Embedded Device,
>but the only type of Embedded Device I can create is a Nokia 5X. I'd figure
>that I should be creating a new Gateway, though.
>
> >>Then create a new VPN-1 Edge Gateway, associate the profile to it, set up
> >>the Registration Key (like a password) do not check Externally managed, set
> >>it up if it will have dynamic or static IP and then press ok, the
> >>certificate then will be generated, then enter to the gateway again and in
> >>the vpn tab there's a certificate list right click it and then export it to
> >>a file.
>I think if I can get the registration key, though, I might be able to do
>this. Just having a hard time getting it from the vendor. So far, they
>haven't given me the Gateway ID and Registration Key to connect to the
>Sofaware User Center. Hopefully getting this will help.
> >>This certificate should be automatically imported to your gateway when
> >>you connect it to your service center (smart center server). If not import
> >>it manually.
>
> >>When you want to install a rule policy to the edge you'll have to install
> >>it in the profile. The edge every 20 min updates its policy and looks for
> >>this profile in the smartcenter. Also look in the install on tab on your
> >>rules, you'll have to specify to install on your cluster or in your edge
> >>profile, if you don't do this there will be errors on your policy and it
> >>won't install.
>
>
>Best Regards,
>
>
>Lino E. Avila
>
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[EMAIL PROTECTED] On Behalf Of Bob Grabbe
>Sent: Thursday, September 15, 2005 10:59 AM
>To: [email protected]
>Subject: Re: [FW-1] Simplified & Traditional VPN
>
>Along these same lines, I have a firewall R54 running Secure Platform. I'm
>trying to add an Edge X16 box for a remote site, but having problems getting
>the two to communicate.
>I think one of the problems I'm having is that I've been unable to find how
>to export a certificate from the splat platform to import on to the Edge
>box.
>If anyone has any pointers to any documentation on how to set up a site to
>site vpn between these two, I'd appreciate it. Everything I can find so far
>is between two platforms of the same type, i.e. edge to edge, or such. I'm
>relatively new to the Checkpoint community, so the more simplistic it is the
>better.
>Thanks
>Bob Grabbe
>[EMAIL PROTECTED]
>
>----- Original Message -----
>From: "Lino Eduardo Avila Rodríguez" <[EMAIL PROTECTED]>
>To: <[email protected]>
>Sent: Thursday, September 15, 2005 11:41 AM
>Subject: Re: [FW-1] Simplified & Traditional VPN
>
>
> > You don't have to change your community, you have to configure in global
> > properties the simplified mode and then create a new policy so you'll have
> > your policy in simplified mode and then you create the rules you
> > previously have plus the new rules for the edge.
> >
> > Best regards
> >
> > Lino
> >
> >
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Thursday, September 15, 2005 6:07 AM
> > To: [email protected]
> > Subject: [FW-1] Simplified & Traditional VPN
> >
> > Currently all my VPNs are in traditional mode.  I have a "star" topology:
> > one central management station, one central gateway, a number of remote
> > gateways.  All running NG AI R55.
> >
> > I now have a VPN-1 Edge box which I'd like to manage from the same
> > SmartCentre, and build a VPN between the Edge box and the central gateway.
> > I understand that this new policy needs to be in simplified mode. However,
> > does it mean that I have to convert my central gateway into simplified
> > mode, if I want to build a VPN between the two?  Or can the central
> > gateway stay in traditional mode?
> >
> > Thanks!
> >
> > Huiqi Liu
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages, send an email to
> > [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your subscription options,
> > email
> > [EMAIL PROTECTED]
> > =================================================