Dear sirs,

We finally got things to work, after a reinstall. :-/ The probable cause of the problems was that we used the NG upgrade scripts from 4.1 to NG FP3 on the conf files from 4.1. This imported a lot of garbage that NG probably didn't like very much. We verified by doing a clean install, then set up the firewall as we wanted. Everything worked. An upgrade after that trashed everything.
So I would not recommend the NG upgrade scripts. :-)

However, now that we've got SecuRemote NG FP3 to work with the new clustering firewall, we are struggling with SecuRemote 4.1 SP5 DES (yeah, we know. DES isn't really a good encryption, but that's what a huge number of users have installed, and we cannot go over to the new firewall before SR 4.1 SP5 DES works). Strangely enough, SecuRemote 4.1 SP5 3DES works with the NG FP3 cluster firewall.

Anyone got any experience with this kind of problem, or can explain why DES doesn't work with NG FP3 cluster firewall?

Cheers!

--
Best regards,
Børge Berg-Olsen
Senior Consultant WAN/IT-infrastructure
Coop Norge IT Process & Development
Email: mailto:[EMAIL PROTECTED]
Cell: +47 90 01 75 15
Telephone: +47 22 89 76 20
Fax: +47 22 16 52 07

-----Original Message-----
From: Berg-Olsen, Børge
Sent: 28 December 2002 09:20
To: [EMAIL PROTECTED]
Subject: [FW-1] Nokia Cluster not working with SecuRemote/SecuClient

Hey all,

We've been trying to set up a CheckPoint FW-1 NG FP3 cluster and it works nicely. However, it is not possible to get SecuRemote/SecuClient to work with it. We're authenticated just fine, but when the subsequent communication starts the packets drop and we get the following error in the "encryption fail reason: Packet is dropped as there is no valid SA", then right after there is a log entry saying "IKE: Informational Exchange Send Delete IPSEC-SA to Peer: c312cda3 SPI: 3b754a4b", and the sequence ends at last with "encryption failure: Unknown SPI: 0x3b754a4d for IPsec packet".

The setup is IPSO 3.6 FCS4, releng 1061 and CheckPoint FW-1 NG FP3, both with all current hotfixes applied, running on Nokia IP530 with a W2K SP3 management server also running CheckPoint FW-1 NG FP3 with all hotfixes. The cluster is running Nokia Clustering with 5 NICs in use: LAN, DMZ, external, sync and another DMZ leg on the optional 4 NIC PCI card. The LAN is NATed behind the external segment.
The cluster is otherwise set up as described on digital migration.

Anyone had the same problems and was able to fix it? We've tried everything we can think of, not including ditching the installation and starting from scratch.

Our question: Has anyone got that kind of configuration to work, and is willing to trade the secret with us... we have two really expensive paperweights at the moment.

Howtos, hints and tips are very welcome.

Thanks!

--
Børge Berg-Olsen
------------------------------------------------------------------------
+47 90 62 71 78 DoD#2101, DoDRT#017, NIC#015, PJ#006, OGM#007
[EMAIL PROTECTED], Ducati M600, Audi 100 2.3E
Unsullied: Never owned a J&%#PS

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
