Andy,

You won't get SecurID (or anything other than shared secrets or PKI
Certificates) working with IKE unless you have ALL OF the following:

1: CP2000 on the firewall (and the management station, if that is separate)
2: Hybrid mode set up, as per pages 21-24 of the Getting Started Guide
(create the Internal CA, generate the firewall certificates, and enable
hybrid mode on the IKE encryption for the firewall).

When I was testing, I found that you ALSO have to have FWZ enabled, and the
FWZ CA and DH keys generated, because otherwise SR 4157 will report an error
when you add/update the site. The error message is:

Error: Site <management station> says that it is not a Certificate
Authority. Check whether you have the right IP address for <management
station>, and check with the FW-1 system manager there whether <management
station> is indeed a FW-1 control station.

Tim
--
Timothy Frost mailto:[EMAIL PROTECTED]
EDS New Zealand Fax: +64-4-495-0473
8 Gilmer Terrace Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand
> -----Original Message-----
> From: Martin, Andy [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, July 11, 2000 2:49 AM
> To: Fw-1-Mailinglist (E-mail)
> Subject: [FW1] Secure Remote & Secure ID
>
>
> Hiya,
>
> I have an issue with secure remote authenticating with secure ID tokens. The
> authentication works fine when I use Client or User Authentication on the
> rule but when I swap it out for Client Encrypt the Secure Remote client says
> that the site at xxx.xxx.xxx.xxx does not like my password. The Firewall Log
> says Topology Download Request Refused: User not defined properly. If I swap
> the encryption scheme to ISAKMP and use a pre shared secret it works
> loverly.
>
>
> Cheers
>
> Andy
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================