Did you put the IPSEC service group in the excluded services for that
community? That is going to be the easiest way to make this work with the
implied rules disabled.
On 9/12/07, pkc_mls <[EMAIL PROTECTED]> wrote:
>
> pkc_mls wrote:
> > hello,
> >
> I had a better look at the rule indicated below, and this was the point.
>
> Is there a way not to use the implied rules for the VPN ?
> (I tried, but the rule #24 was part of the try ...).
>
> thanks
>
> > I'd like to set up a site to site vpn with another box.
> > I set up the community, the other box as interoperable device, the vpn
> > domains, preshared key.
> >
> > but I cannot see any IKE packet out from my firewall.
> >
> > the fw ctl zdebug drop shows the following :
> > fw_log_drop: Packet proto=17 193.251.184.55:500 -> 213.30.137.178:500
> > dropped by vpn_encrypt_chain Reason: No error
> >
> > the vpnd.elg doesn't show any error.
> >
> > the ike.elg only shows packets from the other gateway.
> >
> > the smartview tracker shows that the firewall is trying to encrypt
> > its own IKE packets :
> > Number: 3186
> > Date: 12Sep2007
> > Time: 11:19:42
> > Product: VPN-1 Power/UTM
> > Interface: pppoe0
> > Origin: x.x.x.x
> > Type: Log
> > Action: Encrypt
> > Protocol: udp
> > Service: IKE (500)
> > Source: fwlocal (x.y.z.t)
> > Destination: vpnremote (a.b.c.d)
> > Rule: 24
> > Current Rule Number: 24-Standard
> > Rule UID: {89E973FA-DDAC-482A-9563-C1FEC7907978}
> > Source Port: IKE (500)
> > Encryption Scheme: IKE
> > VPN Peer Gateway: vpnremote (a.b.c.d)
> > Encryption Methods: ESP: AES-128 + MD5 + PFS
> > Community: my_site_2_site
> > Subproduct: VPN
> > VPN Feature: VPN
> > SmartDefense Profile: Default_Protection
> > Information: service_id: IKE
> >
> > any idea ?
> >
> >
> > thanks
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
> >
>
>
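The symptom discussed in this thread (the gateway's own IKE packets being matched for encryption and dropped by `vpn_encrypt_chain`) can be picked out of saved `fw ctl zdebug drop` output with a short script. This is an added example, not part of the original messages; it assumes the drop-line format quoted above, the function names are hypothetical, and the sample lines use constructed documentation addresses.

```python
import re
from collections import Counter

# Format taken from the single drop line quoted in the thread (assumption:
# other releases may print it differently).
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<handler>\S+) Reason: (?P<reason>.*)"
)
IKE_UDP_PORTS = {500, 4500}  # IKE and IKE NAT-T


def unwrap(text):
    """Re-join records that a terminal or mail client wrapped across lines."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("fw_log_drop:") or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records


def self_encrypted_ike(text, local_ips):
    """Count IKE packets sent by the gateway itself that were dropped by
    vpn_encrypt_chain, keyed by (src, dst, dport)."""
    hits = Counter()
    for rec in unwrap(text):
        m = DROP_RE.search(rec)
        if not m or m["handler"] != "vpn_encrypt_chain":
            continue  # unrelated drop
        if m["proto"] != "17" or int(m["dport"]) not in IKE_UDP_PORTS:
            continue  # ordinary traffic that should be encrypted
        if m["src"] in local_ips:
            hits[(m["src"], m["dst"], int(m["dport"]))] += 1
    return hits


# Constructed sample, not output from the thread. The first record is
# wrapped the way it appears in the e-mail; "other_chain" is a placeholder.
SAMPLE = """\
fw_log_drop: Packet proto=17 192.0.2.10:500 -> 198.51.100.20:500
dropped by vpn_encrypt_chain Reason: No error
fw_log_drop: Packet proto=17 192.0.2.10:500 -> 198.51.100.20:500 dropped by vpn_encrypt_chain Reason: No error
fw_log_drop: Packet proto=6 10.1.1.5:40112 -> 10.2.2.8:443 dropped by vpn_encrypt_chain Reason: No error
fw_log_drop: Packet proto=17 198.51.100.20:500 -> 192.0.2.10:500 dropped by other_chain Reason: constructed
"""
```

A non-empty result for the gateway's external address means the negotiation traffic itself is being pulled into the tunnel, which is the condition the excluded-services suggestion addresses.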