Peter Addy <[email protected]> wrote:
>
> Would this message occur if we did not have IKE UDP excluded from the
> services in the VPN community? We did see an IKE packet encrypted, but IKE should
> not be encrypted, so if we did not exclude this, would it be right to
> see this "IKE no valid SA"?
You've reminded me that I did see some problems with IKE, in the case
where a firewall was required to forward IKE packets from one firewall
to another (in other words, the firewall itself was neither the original
sender nor the final receiver of the IKE, but the traffic was "routing
through" the firewall in question).
In that case, I had to add IKE as an excluded service for the VPN,
because otherwise the firewall believed that the IKE should be encrypted
("Cleartext packet received in encrypted context" error).
But that is not the situation you are seeing. Offhand, I am not sure
why you have put IKE in your excluded services list. Normally IKE is
already implicitly excluded by the Implied Rules. If something has
gone wrong with those, perhaps you have a problem in your .def files
(corrupted or pulled from a previous upgrade)? It is pretty hard to
guess from here. But maybe all this discussion will remind you of
something about the history of your environment.
--
David DeSimone == Network Admin == [email protected]
"I don't like spinach, and I'm glad I don't, because if I
liked it I'd eat it, and I just hate it." -- Clarence Darrow
This email message is intended for the use of the person to whom it has been
sent, and may contain information that is confidential or legally protected. If
you are not the intended recipient or have received this message in error, you
are not authorized to copy, distribute, or otherwise use this message or its
attachments. Please notify the sender immediately by return e-mail and
permanently delete this message and any attachments. Verio, Inc. makes no
warranty that this email is error or virus free. Thank you.
Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================