You must use "pre-shared secrets" as version 4.0 of CP will not allow any
other type of auth with IKE except certificates.
If you need this functionality, move to 4.1/2000 and use hybrid mode auth.

Unfortunately, you might never know this, since CP lets you select it
anyways...

Thomas Poole

-----Original Message-----
From: Sam, Garson (CA - Vancouver) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 08, 2000 1:08 PM
To: [EMAIL PROTECTED]
Subject: [FW1] Q: Setting Up IKE/ISAKMP Encryption for SecureRemote VPN



I am currently running FW1 4.0 on NT SP 6a.  I have the VPN working under
the FWZ protocol.  However, right now I am trying to get it to work under
IKE as well.

When I bring up my SecureRemote client, and try to connect to the firewall,
I get the usual prompt asking for the username and password.  I enter this
information, and there is a long delay, and it says "Communication to site
_____ has failed".  I look in the FW1 log, but there is no instance of any
encryption or authentication like there is with FWZ.  (When I start up my
computer, there is a log entry about the "ISAKMP Log: FW-1 ISAKMP daemon:
started".)

I have done 2 things to set up IKE/IKMP.

Under the user object (i.e. SecureRemote user),
Authentication Tab: Authentication Scheme is set to "OS Password"
Encryption Tab: Both ISAKMP/OAKLEY and FWZ are checked off.
Properties of ISAKMP/OAKLEY: Authentication Scheme is password (I have
entered a password).
  Encryption Properties is "Encryption + Data Integrity", MD5, DES
(I authenticate with FWZ MD5 DES and it works).

Under the firewall object:
Authentication Tab: Enabled Schemes: OS Password
Encryption Tab: Encryption Defined: ISAKMP/OAKLEY and FWZ
  Encryption Properties for ISAKMP/OAKLEY: DES, MD5.
  Authentication Method: Pre Shared Secret. (There is nothing under
  "Edit Secrets" -- I am unable to add anything there).
  Supports Aggressive Mode is selected.
  (Note: Public Key Signatures is unchecked).

On the client computer, I loaded up SecureRemote and set it to try IKE
before FWZ (so that I can test my ISAKMP encryption).

Does anybody have any suggestions?

Thanks

Garson


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

