From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Simplified & Traditional VPN
Date: Thu, 22 Sep 2005 14:13:47 +0100
Guy
That's interesting - I thought I was the only one suffering from this!
However, I was on R55 HFA-13 to start with, then upgraded to HFA-16 but the
problem remains. I'd like to try HFA-14 but it is no longer available for
download.
Just want to confirm, your central gateway, which establishes VPN to the
Edge device, is running Traditional mode VPN policy, right?
Thanks!
Huiqi
Mailing list for discussion of Firewall-1
<[email protected]> wrote on 21/09/2005 19:46:11:
> Huiqi-
>
> I had the same problem (Edge X16 showing "connected" and logging to
> SmartCenter, but couldn't create VPN) until I installed R55 HFA14 on my
> SmartCenter server and re-pushed the policy. Have you tried this?
>
>
>
>
> >From: [EMAIL PROTECTED]
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Simplified & Traditional VPN
> >Date: Wed, 21 Sep 2005 10:05:49 +0100
> >
> >Ray
> >
> >Thanks again.
> >
> >Site-to-site compression is disabled and not using PFS.
> >
> >The error messages are:
> >
> >On the Edge box:
> >
> >Failed to establish VPN tunnel with x.x.x.x: no proposal chosen
> >
> >In SmartTracker:
> >
> >Rejected by central gateway with this message (central gateway is running
> >Traditional mode policy):
> >
> >IKE: Main Mode Missing IKE configuration for peer (authentication or
> >encryption or hash).
> >
> >Thanks!
> >
> >Huiqi
> >
> >
> >
> >
> >Ray <[EMAIL PROTECTED]> (sent by: Mailing list for discussion of Firewall-1
> ><FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>) wrote on 21/09/2005 00:55,
> >Subject: Re: [FW-1] Simplified & Traditional VPN:
> >
> >Make sure you have site-to-site compression disabled and perfect forward
> >secrecy disabled, unless you specifically enabled PFS via the command line
> >interface on the Edge box itself.
> >
> >What does the error message say specifically?
> >
> >Ray
> >
> > >From: [EMAIL PROTECTED]
> > >Reply-To: Mailing list for discussion of Firewall-1
> > ><[email protected]>
> > >To: [email protected]
> > >Subject: Re: [FW-1] Simplified & Traditional VPN
> > >Date: Tue, 20 Sep 2005 14:24:01 +0100
> > >
> > >Ray,
> > >
> > >Thanks for the reply.
> > >
> > >I have R55 and all appears to be OK except the VPN: the Edge box connects
> > >to the SmartCentre successfully, and logging appears centrally.
> > >
> > >But VPN doesn't function at all: no proposal chosen showing up on the Edge
> > >reports (the time setting is correct on the Edge box), and on the central
> > >gateway it complains about missing IKE information.
> > >
> > >Any other pointers?
> > >
> > >Thanks!
> > >
> > >Huiqi
> > >
> > >
> > >
> > >
> > >
> > >Ray <[EMAIL PROTECTED]> (sent by: Mailing list for discussion of Firewall-1
> > ><FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>) wrote on 17/09/2005 15:04,
> > >Subject: Re: [FW-1] Simplified & Traditional VPN:
> > >
> > >SmartCenter on R54 needs to have the Sofaware AddIn installed to manage
> > >Edge boxes. It comes pre-installed with R55. You also need 4.1 Backward
> > >Compatibility installed on R54 or R55.
> > >
> > >After you get on a compatible version of SmartCenter, Edge will pull the
> > >certificate from SmartCenter. SmartCenter will be set up as the Edge's
> > >"Service Center."
> > >
> > >Note that an Edge does not understand Perfect Forward Secrecy or
> > >Site-to-Site IP Compression, so they must be disabled in the community. It
> > >can be made to understand PFS but only via a CLI command, not the web GUI.
> > >
> > >HTH,
> > >
> > >Ray
> > >
> > > >From: [EMAIL PROTECTED]
> > > >Reply-To: Mailing list for discussion of Firewall-1
> > > ><[email protected]>
> > > >To: [email protected]
> > > >Subject: Re: [FW-1] Simplified & Traditional VPN
> > > >Date: Fri, 16 Sep 2005 14:40:10 +0100
> > > >
> > > >Thank you all for the replies on this.
> > > >
> > > >The problem is I think I've done pretty much everything as suggested
> > > >(apart from upgrading to the latest version - the box is relatively new,
> > > >and the version is 5.0.73x).
> > > >
> > > >I manage the box and the box logs to the management server but when
> > > >trying to establish a VPN I got:
> > > >
> > > >On the Edge box:
> > > >
> > > >Failed to establish VPN tunnel with x.x.x.x: no proposal chosen
> > > >
> > > >In SmartTracker:
> > > >
> > > >Rejected by central gateway with this message:
> > > >
> > > >IKE: Main Mode Missing IKE configuration for peer (authentication or
> > > >encryption or hash).
> > > >
> > > >I have checked and double-checked the IKE properties: all set to various
> > > >combinations on both ends (the one I want to work is 3DES and SHA1).
> > > >
> > > >Any suggestions?
> > > >
> > > >Thanks,
> > > >
> > > >Huiqi Liu
> > > >
> > > >
> > > >
> > > >
> > > >Bob Grabbe <[EMAIL PROTECTED]> (sent by: Mailing list for discussion of
> > > >Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>) wrote on
> > > >16/09/2005 14:06, Subject: Re: [FW-1] Simplified & Traditional VPN:
> > > >
> > > >Your answer confirms my worst fears.
> > > >Support has expired on my firewall and I think I might have to pay for
> > > >help with it. I've inserted the reasons below.
> > > >Thanks, though, for the help so far.
> > > >Bob Grabbe
> > > >[EMAIL PROTECTED]
> > > >
> > > >----- Original Message -----
> > > >From: "Lino Eduardo Avila Rodríguez" <[EMAIL PROTECTED]>
> > > >To: <[email protected]>
> > > >Sent: Thursday, September 15, 2005 12:42 PM
> > > >Subject: Re: [FW-1] Simplified & Traditional VPN
> > > >
> > > >
> > > >
> > > > >>Try www.sofaware.com there are configuration documents and knowledge
> > > > >>base that will help you.
> > > >I did look in their FAQs, but the only docs I could find had to do with
> > > >connecting two edge boxes, to a Cisco firewall, and I think one to a
> > > >Windows server.
> > > >
> > > > >>The things you should check in your edge are these:
> > > > >>Check the correct time
> > > >Have done this, and it's correct.
> > > > >>Update to the current version.
> > > >Might not be an option, my contract is up and I don't know if I can get
> > > >clearance to pay for more support.
> > > >
> > > > >>I can tell you that first your management has to have a valid IP
> > > > >>address because your edge device looks for it and tries to connect to it.
> > > >It does.
> > > >
> > > > >>For the configuration it is like this:
> > > > >>Enter the SmartCenter server.
> > > > >>Create a profile for the Edge (new checkpoint->profile->vpn-1edge)
> > > >This I don't get. When I go to create->Checkpoint I don't have the option
> > > >to create a profile. I can create either a new Gateway or an Embedded
> > > >Device, but the only type of Embedded Device I can create is a Nokia 5X.
> > > >I'd figure that I should be creating a new Gateway, though.
> > > >
> > > > >>Then create a new VPN-1 Edge Gateway, associate the profile to it, set
> > > > >>up the Registration Key (like a password), do not check Externally
> > > > >>managed, set it up if it will have dynamic or static IP and then press
> > > > >>OK; the certificate will then be generated. Then enter the gateway again
> > > > >>and in the VPN tab there's a certificate list; right click it and then
> > > > >>export it to a file.
> > > >I think if I can get the registration key, though, I might be able to do
> > > >this. Just having a hard time getting it from the vendor. So far, they
> > > >haven't given me the Gateway ID and Registration Key to connect to the
> > > >Sofaware User Center. Hopefully getting this will help.
> > > > >>This certificate should be automatically imported to your gateway when
> > > > >>you connect it to your service center (SmartCenter server). If not,
> > > > >>import it manually.
> > > >
> > > > >>When you want to install a rule policy to the edge you'll have to
> > > > >>install it in the profile. The edge every 20 min updates its policy and
> > > > >>looks for this profile in the SmartCenter. Also look in the "install on"
> > > > >>tab on your rules; you'll have to specify to install on your cluster or
> > > > >>in your edge profile; if you don't do this there will be errors on your
> > > > >>policy and it won't install.
> > > >
> > > >
> > > >Best Regards,
> > > >
> > > >
> > > >Lino E. Avila
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: Mailing list for discussion of Firewall-1
> > > >[mailto:[EMAIL PROTECTED] On Behalf Of Bob Grabbe
> > > >Sent: Thursday, September 15, 2005 10:59 AM
> > > >To: [email protected]
> > > >Subject: Re: [FW-1] Simplified & Traditional VPN
> > > >
> > > >Along these same lines, I have a firewall R54 running Secure Platform.
> > > >I'm trying to add an Edge X16 box for a remote site, but having problems
> > > >getting the two to communicate.
> > > >I think one of the problems I'm having is that I've been unable to find
> > > >how to export a certificate from the splat platform to import on to the
> > > >Edge box.
> > > >If anyone has any pointers to any documentation on how to set up a site
> > > >to site vpn between these two, I'd appreciate it. Everything I can find
> > > >so far is between two platforms of the same type, i.e. edge to edge, or
> > > >such. I'm relatively new to the Checkpoint community, so the more
> > > >simplistic it is the better.
> > > >Thanks
> > > >Bob Grabbe
> > > >[EMAIL PROTECTED]
> > > >
> > > >----- Original Message -----
> > > >From: "Lino Eduardo Avila Rodríguez" <[EMAIL PROTECTED]>
> > > >To: <[email protected]>
> > > >Sent: Thursday, September 15, 2005 11:41 AM
> > > >Subject: Re: [FW-1] Simplified & Traditional VPN
> > > >
> > > >
> > > > > You don't have to change your community, you have to configure in
> > > > > global properties the simplified mode and then create a new policy so
> > > > > you'll have your policy in simplified mode and then you create the
> > > > > rules you previously have plus the new rules for the edge.
> > > > >
> > > > > Best regards
> > > > >
> > > > > Lino
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Mailing list for discussion of Firewall-1
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > > [EMAIL PROTECTED]
> > > > > Sent: Thursday, September 15, 2005 6:07 AM
> > > > > To: [email protected]
> > > > > Subject: [FW-1] Simplified & Traditional VPN
> > > > >
> > > > > Currently all my VPNs are in traditional mode. I have a "star"
> > > > > topology: one central management station, one central gateway, a
> > > > > number of remote gateways. All running NG AI R55.
> > > > >
> > > > > I now have a VPN-1 Edge box which I'd like to manage from the same
> > > > > SmartCentre, and build a VPN between the Edge box and the central
> > > > > gateway. I understand that this new policy needs to be in simplified
> > > > > mode. However, does it mean that I have to convert my central gateway
> > > > > into simplified mode, if I want to build a VPN between the two? Or can
> > > > > the central gateway stay in traditional mode?
> > > > >
> > > > > Thanks!
> > > > >
> > > > > Huiqi Liu
> > > > >
> > > > > =================================================
> > > > > To set vacation, Out-Of-Office, or away messages, send an email to
> > > > > [EMAIL PROTECTED]
> > > > > in the BODY of the email add:
> > > > > set fw-1-mailinglist nomail
> > > > > =================================================
> > > > > To unsubscribe from this mailing list,
> > > > > please see the instructions at
> > > > > http://www.checkpoint.com/services/mailing.html
> > > > > =================================================
> > > > > If you have any questions on how to change your subscription options,
> > > > > email
> > > > > [EMAIL PROTECTED]
> > > > > =================================================
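The Phase 1 failure the thread is chasing (the Edge reports "no proposal chosen", the central gateway reports "Missing IKE configuration for peer") comes down to responder-side proposal selection; the following toy model is an added illustration, not code from the thread or from Check Point, and the transform values, the "nearest configured transform" diagnostic and the Edge capability set are constructed for the example.

```python
# Added example (not from the thread or from Check Point): a toy model of how an
# IKEv1 responder picks a Main Mode proposal, showing why a single mismatched
# attribute yields the error pair in the thread: the initiator (Edge) logs
# "no proposal chosen", the responder (central gateway) logs "Missing IKE
# configuration for peer (authentication or encryption or hash)".
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

FIELDS = ("encryption", "hash_alg", "auth", "dh_group")

@dataclass(frozen=True)
class Phase1Transform:
    encryption: str   # e.g. "3DES", "AES-128"
    hash_alg: str     # e.g. "SHA1", "MD5"
    auth: str         # "RSA-SIG" (certificate) or "PSK"
    dh_group: int     # Diffie-Hellman group number

def choose_proposal(offered: list[Phase1Transform],
                    accepted: set[Phase1Transform]) -> Optional[Phase1Transform]:
    """Responder side: the first offered transform equal to a configured one in
    every attribute wins; None corresponds to the NO_PROPOSAL_CHOSEN notification."""
    for t in offered:
        if t in accepted:
            return t
    return None

def mismatched_attributes(offered: list[Phase1Transform],
                          accepted: set[Phase1Transform]) -> list[str]:
    """Diagnose a rejection: compare each offered transform with the nearest
    configured one and collect the attributes that differ ([] = a match exists).
    This is the detail the gateway log only hints at with
    'authentication or encryption or hash'."""
    reasons: set[str] = set()
    for t in offered:
        if t in accepted:
            return []
        nearest = min(accepted, key=lambda a: sum(getattr(a, f) != getattr(t, f) for f in FIELDS))
        reasons.update(f for f in FIELDS if getattr(nearest, f) != getattr(t, f))
    return sorted(reasons)

def unsupported_phase2_options(community: dict[str, bool], peer_supports: set[str]) -> list[str]:
    """Quick Mode options enabled in the community that the peer cannot negotiate;
    Ray's advice (disable PFS and IP compression for an Edge) empties this list."""
    return sorted(o for o, on in community.items() if on and o not in peer_supports)

# Constructed sample data: the Edge offers the 3DES/SHA1 certificate transform
# Huiqi wants; one gateway configuration accepts it, the other is AES-only.
EDGE_OFFER = [Phase1Transform("3DES", "SHA1", "RSA-SIG", 2)]
GATEWAY_MATCHING = {Phase1Transform("3DES", "SHA1", "RSA-SIG", 2),
                    Phase1Transform("AES-128", "SHA1", "RSA-SIG", 2)}
GATEWAY_AES_ONLY = {Phase1Transform("AES-128", "SHA1", "RSA-SIG", 2)}
COMMUNITY_DEFAULTS = {"pfs": True, "ip_compression": True}
EDGE_SUPPORTS: set[str] = set()   # constructed: PFS not enabled via the Edge CLI

if __name__ == "__main__":
    print(choose_proposal(EDGE_OFFER, GATEWAY_MATCHING))                  # matching transform
    print(choose_proposal(EDGE_OFFER, GATEWAY_AES_ONLY),                  # None
          mismatched_attributes(EDGE_OFFER, GATEWAY_AES_ONLY))            # ['encryption']
    print(unsupported_phase2_options(COMMUNITY_DEFAULTS, EDGE_SUPPORTS))  # ['ip_compression', 'pfs']
```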