Hiya,

Cheers for that Tim. CP 2000 looks like it should be the way forward for us
but I have 10 remote modules and it causes a few headaches trying to do the
migration :-).

I have narrowed the problem down to the FWZ encryption settings or keys on
the Firewall. ISAKMP works fine with a pre-shared secret whereas FWZ does
not, even with a Firewall Internal Password. I've checked that both sets of
keys are created and that the user defined can authenticate with a telnet
to port 259. Sumfinks B0rk3d big time.

I am running FW1 VPN Version 4 sp 6 with the secure remote client release
4005.

Any ideas?

Cheers

Andy

-----Original Message-----
From: Frost, Timothy E [mailto:[EMAIL PROTECTED]]
Sent: 10 July 2000 23:43
To: 'Martin, Andy'; Fw-1-Mailinglist (E-mail)
Subject: RE: [FW1] Secure Remote & Secure ID


Andy,

You won't get SecurID (or anything other than shared secrets or PKI
Certificates) working with IKE unless you have ALL OF the following:
1: CP2000 on the firewall (and the management station, if that is separate)
2: Hybrid mode set up, as per pages 21-24 of the Getting Started Guide
(create the Internal CA, generate the firewall certificates, and enable
hybrid mode on the IKE encryption for the firewall).

When I was testing, I found that you ALSO have to have FWZ enabled, and the
FWZ CA and DH keys generated, because otherwise SR 4157 will report an error
when you add/update the site. The error message is

Error: Site <management station> says that it is not a Certificate
Authority.  Check whether you have the right IP address for <management
station>, and check with the FW-1 system manager there whether <management
station> is indeed a FW-1 control station.
Tim
-- 
Timothy Frost                   mailto:[EMAIL PROTECTED]
EDS New Zealand                 Fax: +64-4-495-0473
8 Gilmer Terrace                        Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand

> -----Original Message-----
> From: Martin, Andy [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, July 11, 2000 2:49 AM
> To:   Fw-1-Mailinglist (E-mail)
> Subject:      [FW1] Secure Remote & Secure ID
> 
> 
> Hiya,
> 
> I have an issue with secure remote authenticating with SecurID tokens. The
> authentication works fine when I use Client or User Authentication on the
> rule but when I swap it out for Client Encrypt the Secure Remote client says
> that the site at xxx.xxx.xxx.xxx does not like my password. The Firewall Log
> says Topology Download Request Refused: User not defined properly. If I swap
> the encryption scheme to ISAKMP and use a pre-shared secret it works
> loverly.
> 
> 
> Cheers
> 
> Andy
**********************************************************************
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they   
are addressed. If you have received this email in error please notify 
the sender immediately.

This footnote also confirms that this email message has been swept for
the presence of computer viruses.
**********************************************************************


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
