Thanks all. Well, the first issue is that we do not have fw1 control connections set, so we have rules allowing all the services each way; indeed this is a config from a previous provider but now managed by a SmartCenter, and all works fine apart from the VPN. So I have allowed all the services and excluded IKE in the VPN community; it should all work, but now I'm starting to think that, as it's from a previous manager, this could be the issue. If all is the same config, routing and no def files modified, then surely phase 1 should work next time, as I have now taken a look at the implied rules and simply included the services required. Fingers crossed. Will an IKE debug in IKE View show me exactly why this would fail? If so I will make sure I run this next time.
On Fri, 15 Jul 2011 01:41 BST David DeSimone wrote:

> Peter Addy <[email protected]> wrote:
>>
>> Would this message occur if we did not have IKE UDP excluded from the
>> services in the VPN community? Did see an IKE encrypted, but IKE should
>> not be encrypted, so if we did not exclude this would it be right to
>> see this "IKE no valid SA"?
>
> You've reminded me that I did see some problems with IKE, in the case
> where a firewall was required to forward IKE packets from one firewall
> to another (in other words, the firewall itself was not the original
> sender nor the final receiver of the IKE, but the traffic was "routing
> through" the firewall in question).
>
> In that case, I had to add IKE as an excluded service for the VPN,
> because otherwise the firewall believed that the IKE should be encrypted
> ("Cleartext packet received in encrypted context" error).
>
> But that is not the situation you are seeing. Offhand, I am not sure
> why you have put IKE in your excluded services list. Normally IKE is
> already implicitly excluded by the Implied Rules. If something has
> gone wrong with those, perhaps you have a problem in your .def files
> (corrupted or pulled from a previous upgrade)? It is pretty hard to
> guess from here. But maybe all this discussion will remind you of
> something about the history of your environment.
>
> --
> David DeSimone == Network Admin == [email protected]
> "I don't like spinach, and I'm glad I don't, because if I
> liked it I'd eat it, and I just hate it." -- Clarence Darrow
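The point David makes about forwarded IKE is easy to misread, so here is a small added model of the decision a community member has to make for each packet. This is illustrative code written for this thread, not Check Point's own logic: the gateway names, addresses and encryption domains are constructed, and the classification is a deliberately simplified approximation of the real community check. It shows why a gateway that merely routes IKE between two other peers treats that cleartext IKE as an error unless the service is excluded, while IKE terminating on the gateway itself is covered by the implied rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example community (not the poster's environment): three gateways,
# each with its external address and the networks it protects (encryption domain).
MEMBERS = {
    "gw-hq":      {"addr": ip_address("198.51.100.1"), "domain": [ip_network("10.1.0.0/16")]},
    "gw-branch":  {"addr": ip_address("198.51.100.2"), "domain": [ip_network("10.2.0.0/16")]},
    "gw-partner": {"addr": ip_address("203.0.113.9"),  "domain": [ip_network("10.3.0.0/16")]},
}
IKE = ("udp", 500)  # service tuple: (protocol, port)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: tuple   # (protocol, port)
    encrypted: bool  # True if the packet arrived inside a tunnel from a peer


def is_protected(addr: str) -> bool:
    """True if addr is a member gateway or lies inside a member's encryption domain."""
    a = ip_address(addr)
    for m in MEMBERS.values():
        if a == m["addr"] or any(a in net for net in m["domain"]):
            return True
    return False


def classify(pkt: Packet, this_gw: str, excluded_services) -> str:
    """Simplified (hypothetical) model of a community member's encrypt/decrypt decision.

    Order of checks:
      1. IKE to or from this gateway is the tunnel negotiation itself and is
         accepted in cleartext by the implied rules.
      2. Traffic not between two protected endpoints is ordinary traffic.
      3. An excluded service is passed in cleartext even between protected endpoints.
      4. Anything else between protected endpoints must have arrived encrypted.
    """
    me = MEMBERS[this_gw]["addr"]
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.service == IKE and me in (src, dst):
        return "accept: implied rule (IKE to/from this gateway)"
    if not (is_protected(pkt.src) and is_protected(pkt.dst)):
        return "not VPN traffic: ordinary rulebase applies"
    if pkt.service in excluded_services:
        return "accept: service excluded from the community"
    if pkt.encrypted:
        return "accept: decrypted from tunnel"
    return "drop: Cleartext packet received in encrypted context"


def forwarded_ike_scenario():
    """IKE from gw-branch to gw-partner that is merely routed through gw-hq."""
    pkt = Packet("198.51.100.2", "203.0.113.9", IKE, encrypted=False)
    without_exclusion = classify(pkt, "gw-hq", set())
    with_exclusion = classify(pkt, "gw-hq", {IKE})
    return without_exclusion, with_exclusion


if __name__ == "__main__":
    for label, verdict in zip(("IKE not excluded", "IKE excluded"), forwarded_ike_scenario()):
        print(f"{label:18s} -> {verdict}")
```

Run as a script it prints the two verdicts for the forwarded-IKE case; the first reproduces the "Cleartext packet received in encrypted context" situation and the second the fix David describes. For IKE that actually terminates on the gateway, `classify` never reaches the community check, which is why an exclusion is normally unnecessary there.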
