Ray

Thanks again.

Site-to-site compression is disabled and not using PFS.

The error messages are:

On the Edge box:

Failed to establish VPN tunnel with x.x.x.x: no proposal chosen

In SmartTracker:

Rejected by central gateway with this message (central gateway is running
Traditional mode policy):

IKE: Main Mode Missing IKE configuration for peer (authentication or
encryption or hash).

Thanks!

Huiqi


From: Ray <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Simplified & Traditional VPN
Date: 21/09/2005 00:55
Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>

Make sure you have site-to-site compression disabled and perfect forward
secrecy disabled, unless you specifically enabled PFS via the command line
interface on the Edge box itself.

What does the error message say specifically?

Ray
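The two log lines quoted earlier in this thread ("no proposal chosen" on the Edge, "Missing IKE configuration for peer" on the central gateway) are both outcomes of the responder comparing what the initiator offers against what it is configured to accept. The following Python model is an added example written for this thread; it is not Check Point code, and the peer address, proposal attribute names and the way it maps the two messages onto "peer unknown to the gateway" versus "peer known but no overlapping proposal" are assumptions. It shows why a community with PFS or IP compression enabled cannot match an Edge that offers neither, which is the advice given above.

```python
"""Toy model of IKE proposal selection (constructed example, not Check Point code).

Assumptions: the central gateway keeps per-peer IKE (Phase 1) settings and
community-wide IPsec (Phase 2) settings; a peer it has no entry for is
rejected with the "Missing IKE configuration" message, and a known peer whose
offers overlap nothing is answered "no proposal chosen".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NO_PROPOSAL = "no proposal chosen"
MISSING_CFG = ("IKE: Main Mode Missing IKE configuration for peer "
               "(authentication or encryption or hash).")


@dataclass(frozen=True)
class Phase1:                 # IKE SA (Main Mode) parameters
    encryption: str           # "3DES", "AES-128", ...
    hash: str                 # "SHA1", "MD5"
    auth: str                 # "cert" or "psk"


@dataclass(frozen=True)
class Phase2:                 # IPsec SA (Quick Mode) parameters
    encryption: str
    integrity: str
    pfs_group: Optional[int]  # None = perfect forward secrecy off
    ipcomp: bool              # site-to-site IP compression on/off


@dataclass
class CentralGateway:
    """Responder: per-peer IKE settings plus community-wide IPsec settings."""
    ike_peers: Dict[str, Set[Phase1]]   # peer address -> accepted Phase 1 proposals
    ipsec: Set[Phase2]                  # accepted Phase 2 proposals (community settings)


def negotiate_phase1(gw: CentralGateway, peer: str,
                     offered: List[Phase1]) -> Tuple[Optional[Phase1], str]:
    """Pick the first offered Phase 1 proposal the gateway accepts for this peer."""
    accepted = gw.ike_peers.get(peer)
    if accepted is None:
        # No IKE settings exist for this address: nothing can even be compared.
        return None, MISSING_CFG
    for p in offered:
        if p in accepted:
            return p, "ok"
    return None, NO_PROPOSAL


def negotiate_phase2(gw: CentralGateway,
                     offered: List[Phase2]) -> Tuple[Optional[Phase2], str]:
    """Pick the first offered Phase 2 proposal matching the community settings."""
    for p in offered:
        if p in gw.ipsec:
            return p, "ok"
    return None, NO_PROPOSAL


def community_ipsec(pfs_group: Optional[int], ipcomp: bool) -> Set[Phase2]:
    """Phase 2 proposals a community with the given PFS/compression settings accepts."""
    return {Phase2("3DES", "SHA1", pfs_group, ipcomp),
            Phase2("AES-128", "SHA1", pfs_group, ipcomp)}


EDGE_IP = "192.0.2.10"                                # constructed Edge address
EDGE_PHASE1 = [Phase1("3DES", "SHA1", "cert")]        # 3DES/SHA1 as in the thread
EDGE_PHASE2 = [Phase2("3DES", "SHA1", None, False)]   # Edge offers no PFS, no IPComp


def scenario_missing_peer() -> str:
    """Edge is managed by SmartCenter but the central gateway has no IKE entry for it."""
    gw = CentralGateway(ike_peers={}, ipsec=community_ipsec(None, False))
    _, msg = negotiate_phase1(gw, EDGE_IP, EDGE_PHASE1)
    return msg


def _run_both_phases(gw: CentralGateway) -> str:
    p1, msg = negotiate_phase1(gw, EDGE_IP, EDGE_PHASE1)
    if p1 is None:
        return msg
    _, msg = negotiate_phase2(gw, EDGE_PHASE2)
    return msg


def scenario_pfs_mismatch() -> str:
    """Edge is known, but the community still has PFS (group 2) and IPComp enabled."""
    gw = CentralGateway(ike_peers={EDGE_IP: set(EDGE_PHASE1)},
                        ipsec=community_ipsec(2, True))
    return _run_both_phases(gw)


def scenario_fixed() -> str:
    """Same peer with PFS and compression disabled in the community."""
    gw = CentralGateway(ike_peers={EDGE_IP: set(EDGE_PHASE1)},
                        ipsec=community_ipsec(None, False))
    return _run_both_phases(gw)


if __name__ == "__main__":
    for name, fn in [("missing peer", scenario_missing_peer),
                     ("PFS/IPComp mismatch", scenario_pfs_mismatch),
                     ("fixed", scenario_fixed)]:
        print(f"{name}: {fn()}")
```

The useful check when reading the two logs side by side is which phase failed: a "Missing IKE configuration" line means the gateway never got as far as comparing proposals, whereas "no proposal chosen" with a known peer points at a settings mismatch such as PFS or compression in the community.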

>From: [EMAIL PROTECTED]
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] Simplified & Traditional VPN
>Date: Tue, 20 Sep 2005 14:24:01 +0100
>
>Ray,
>
>Thanks for the reply.
>
>I have R55 and all appears to be OK except the VPN: the Edge box connects
>to the SmartCentre successfully, and logging appears centrally.
>
>But VPN doesn't function at all: no proposal chosen showing up on the Edge
>reports (the time setting is correct on the Edge box), and on the central
>gateway it complains about missing IKE information.
>
>Any other pointers?
>
>Thanks!
>
>Huiqi
>
>
>From: Ray <[EMAIL PROTECTED]>
>Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] Simplified & Traditional VPN
>Date: 17/09/2005 15:04
>Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
>
>SmartCenter on R54 needs to have the Sofaware AddIn installed to manage Edge
>boxes. It comes pre-installed with R55. You also need 4.1 Backward
>Compatibility installed on R54 or R55.
>
>After you get on a compatible version of SmartCenter, Edge will pull the
>certificate from SmartCenter. SmartCenter will be set up as the Edge's
>"Service Center."
>
>Note that an Edge does not understand Perfect Forward Secrecy or
>Site-to-Site IP Compression, so they must be disabled in the community. It
>can be made to understand PFS but only via a CLI command, not the web GUI.
>
>HTH,
>
>Ray
>
> >From: [EMAIL PROTECTED]
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Simplified & Traditional VPN
> >Date: Fri, 16 Sep 2005 14:40:10 +0100
> >
> >Thank you all for the replies on this.
> >
> >The problem is I think I've done pretty much everything as suggested (apart
> >from upgrading to the latest version - the box is relatively new, and the
> >version is 5.0.73x).
> >
> >I manage the box and the box logs to the management server but when trying
> >to establish a VPN I get
> >
> >On the Edge box:
> >
> >Failed to establish VPN tunnel with x.x.x.x: no proposal chosen
> >
> >In SmartTracker:
> >
> >Rejected by central gateway with this message:
> >
> >IKE: Main Mode Missing IKE configuration for peer (authentication or
> >encryption or hash).
> >
> >I have checked and double-checked the IKE properties: all set to various
> >combinations on both ends (the one I want to work is 3DES and SHA1).
> >
> >Any suggestions?
> >
> >Thanks,
> >
> >Huiqi Liu
> >
> >
> >From: Bob Grabbe <[EMAIL PROTECTED]>
> >Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
> >To: [EMAIL PROTECTED]
> >Subject: Re: [FW-1] Simplified & Traditional VPN
> >Date: 16/09/2005 14:06
> >Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
> >
> >Your answer confirms my worst fears.
> >Support has expired on my firewall and I think I might have to pay for help
> >with it. I've inserted the reasons below.
> >Thanks, though, for the help so far.
> >Bob Grabbe
> >[EMAIL PROTECTED]
> >
> >----- Original Message -----
> >From: "Lino Eduardo Avila Rodríguez" <[EMAIL PROTECTED]>
> >To: <[email protected]>
> >Sent: Thursday, September 15, 2005 12:42 PM
> >Subject: Re: [FW-1] Simplified & Traditional VPN
> >
> >
> >
> > >>Try www.sofaware.com there are configuration documents and knowledge base
> > >>that will help you.
> >I did look in their FAQs, but the only docs I could find had to do with
> >connecting two edge boxes, to a cisco firewall, and I think one to a Windows
> >server.
> >
> > >>The things you should check in your edge are these:
> > >>Check the correct time
> >Have done this, and it's correct.
> > >>Update to the current version.
> >Might not be an option, my contract is up and I don't know if I can get
> >clearance to pay for more support.
> >
> > >>I can tell you that first your management has to have a valid IP address
> > >>because your edge device looks for it and tries to connect to it.
> >It does.
> >
> > >>The configuration is like this:
> > >>Enter the SmartCenter server
> > >>Create a profile for the Edge (new checkpoint->profile->vpn-1edge )
> >This I don't get. When I go to create->Checkpoint I don't have the option to
> >create a profile. I can create either a new Gateway or an Embedded Device,
> >but the only type of Embedded Device I can create is a Nokia 5X. I'd figure
> >that I should be creating a new Gateway, though.
> >
> > >>Then create a new VPN-1 Edge Gateway, associate the profile to it, set up
> > >>the Registration Key (like a password), do not check Externally managed, set
> > >>it up if it will have dynamic or static IP and then press OK; the certificate
> > >>will then be generated. Then enter the gateway again and in the VPN tab
> > >>there's a certificate list; right click it and then export it to a file.
> >I think if I can get the registration key, though, I might be able to do
> >this. Just having a hard time getting it from the vendor. So far, they
> >haven't given me the Gateway ID and Registration Key to connect to the
> >Sofaware User Center. Hopefully getting this will help.
> > >>This certificate should be automatically imported to your gateway when
> > >>you connect it to your service center (smart center server). If not, import
> > >>it manually.
> >
> > >>When you want to install a rule policy to the edge you'll have to install
> > >>it in the profile. The edge every 20 min updates its policy and looks for
> > >>this profile in the smartcenter. Also look in the Install On tab on your
> > >>rules, you'll have to specify to install on your cluster or in your edge
> > >>profile; if you don't do this there will be errors on your policy and it won't
> > >>install.
> >
> >
> >Best Regards,
> >
> >
> >Lino E. Avila
> >
> >
> >-----Original Message-----
> >From: Mailing list for discussion of Firewall-1
> >[mailto:[EMAIL PROTECTED] On Behalf Of Bob Grabbe
> >Sent: Thursday, September 15, 2005 10:59 AM
> >To: [email protected]
> >Subject: Re: [FW-1] Simplified & Traditional VPN
> >
> >Along these same lines, I have a firewall R54 running Secure Platform. I'm
> >trying to add an Edge X16 box for a remote site, but having problems getting
> >the two to communicate.
> >I think one of the problems I'm having is that I've been unable to find how
> >to export a certificate from the splat platform to import on to the Edge box.
> >If anyone has any pointers to any documentation on how to set up a site to
> >site vpn between these two, I'd appreciate it. Everything I can find so far
> >is between two platforms of the same type, i.e. edge to edge, or such. I'm
> >relatively new to the Checkpoint community, so the more simplistic it is the
> >better.
> >Thanks
> >Bob Grabbe
> >[EMAIL PROTECTED]
> >
> >----- Original Message -----
> >From: "Lino Eduardo Avila Rodríguez" <[EMAIL PROTECTED]>
> >To: <[email protected]>
> >Sent: Thursday, September 15, 2005 11:41 AM
> >Subject: Re: [FW-1] Simplified & Traditional VPN
> >
> >
> > > You don't have to change your community, you have to configure in global
> > > properties the simplified mode and then create a new policy so you'll have
> > > your policy in simplified mode and then you create the rules you previously
> > > have plus the new rules for the edge.
> > >
> > > Best regards
> > >
> > > Lino
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Mailing list for discussion of Firewall-1
> > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > [EMAIL PROTECTED]
> > > Sent: Thursday, September 15, 2005 6:07 AM
> > > To: [email protected]
> > > Subject: [FW-1] Simplified & Traditional VPN
> > >
> > > Currently all my VPNs are in traditional mode.  I have a "star" topology:
> > > one central management station, one central gateway, a number of remote
> > > gateways.  All running NG AI R55.
> > >
> > > I now have a VPN-1 Edge box which I'd like to manage from the same
> > > SmartCentre, and build a VPN between the Edge box and the central gateway.
> > > I understand that this new policy needs to be in simplified mode. However,
> > > does it mean that I have to convert my central gateway into simplified mode,
> > > if I want to build a VPN between the two?  Or can the central gateway stay
> > > in traditional mode?
> > >
> > > Thanks!
> > >
> > > Huiqi Liu
> > >
> >

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
