Hello all, Here's an interesting 'bug' that I've come across.
Setup: Site-to-site VPN between a Nokia VRRP cluster and a Cisco router. Disable NAT inside VPN. FTP security server configured for user authentication, which results in all FTP connections being intercepted by it. Presence of the Check Point FTP banner in FTP connections.

Problem: The VPN was working fine until we enabled SecureXL on the firewalls. With SecureXL enabled, doing an FTP toward the remote peer through the VPN fails, unless we disable the FTP user auth rule, or if we place the VPN rule above the FTP user auth rule. The error it fails with is: "encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information". If we disable SecureXL with "fwaccel off", the connection works again.

Doing a debug on the VPN, in the ike.elg log I see that with fwaccel enabled, the firewall is trying to open the VPN between the external VRRP IP and the remote subnet, rather than between the local subnet and the remote subnet. Since the firewall is not part of the encryption domain, the VPN will fail.

Question: Could we add the firewall object to the encryption domain? We're using communities and I've always added service 'IKE' to the list of excluded services.

Doing some further investigation, I came across the parameter "ftp_transparent_server_connection", which is used to configure the FTP security server to 'fold' the connection or make the connection look transparent. This setting is already true, which I assume means it's already folding the connection, and therefore should make the FTP look transparent. If you read sk26822, it says that it's doing this by doing NAT on the outbound connection.

Personally I feel this is a bug, since everything is working fine with SecureXL disabled. Anybody else have any comments or experience with a similar problem?
Regards,
Werner
