Yeah, hybrid mode works great. You must be running 4.1 SP1 in order to use
it though. We have set up many sites using Hybrid mode and SecurID, with
100% success. 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 14, 2000 11:16 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [FW1] Secure Remote & Secure ID
Importance: High



How's about hybrid mode auth with IKE? available in 4.1

Thomas Poole

-----Original Message-----
From: Aylton Souza [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 13, 2000 10:15 PM
To: Martin, Andy; Fw-1-Mailinglist (E-mail)
Subject: Re: [FW1] Secure Remote & Secure ID



Martin,

IKE only supports authentication using pre-shared secret or certificates.

To rely on ACE/Securid auth., you must use FWZ.

Best wishes


Aylton

-----Original Message-----
From: Martin, Andy <[EMAIL PROTECTED]>
To: Fw-1-Mailinglist (E-mail) <[EMAIL PROTECTED]>
Date: Tuesday, July 11, 2000 07:07
Subject: RE: [FW1] Secure Remote & Secure ID


>
>Hiya,
>
>Cheers for that Tim. CP 2000 looks like it should be the way forward for us
>but I have 10 remote modules and it causes a few headaches trying to do the
>migration :-).
>
>I have narrowed the problem down to the FWZ encryption settings or keys on
>the Firewall. ISAKMP works fine with a pre shared secret whereas FWZ does
>not even with a Firewall Internal Password. I've checked that both sets of
>keys are created and that the user defined can authenticate with a telnet
>to port 259. Sumfinks B0rk3d big time.
>
>I am running FW1 VPN Version 4 sp 6 with the secure remote client release
>4005.
>
>Any Ideas ??
>
>Cheers
>
>Andy
>
>-----Original Message-----
>From: Frost, Timothy E [mailto:[EMAIL PROTECTED]]
>Sent: 10 July 2000 23:43
>To: 'Martin, Andy'; Fw-1-Mailinglist (E-mail)
>Subject: RE: [FW1] Secure Remote & Secure ID
>
>
>Andy,
>
>You won't get SecurID (or anything other than shared secrets or PKI
>Certificates) working with IKE unless you have ALL OF the following:
>1: CP2000 on the firewall (and the management station, if that is separate)
>2: Hybrid mode set up, as per pages 21-24 of the Getting Started Guide
>(create the Internal CA, generate the firewall certificates, and enable
>hybrid mode on the IKE encryption for the firewall).
>
>When I was testing, I found that you ALSO have to have FWZ enabled, and the
>FWZ CA and DH keys generated, because otherwise SR 4157 will report an error
>when you add/update the site.  The error message is
>
>Error: Site <management station> says that it is not a Certificate
>Authority.  Check whether you have the right IP address for <management
>station>, and check with the FW-1 system manager there whether <management
>station> is indeed a FW-1 control station.
>
>
>
>
>
>Tim
>--
>Timothy Frost mailto:[EMAIL PROTECTED]
>EDS New Zealand Fax: +64-4-495-0473
>8 Gilmer Terrace Phone: +64-4-495-0504
>P O Box 3647
>Wellington
>New Zealand
>
>> -----Original Message-----
>> From: Martin, Andy [SMTP:[EMAIL PROTECTED]]
>> Sent: Tuesday, July 11, 2000 2:49 AM
>> To: Fw-1-Mailinglist (E-mail)
>> Subject: [FW1] Secure Remote & Secure ID
>>
>>
>> Hiya,
>>
>> I have an issue with secure remote authenticating with secure ID tokens. The
>> authentication works fine when I use Client or User Authentication on the
>> rule but when I swap it out for Client Encrypt the Secure Remote client says
>> that the site at xxx.xxx.xxx.xxx does not like my password. The Firewall Log
>> says Topology Download Request Refused: User not defined properly. If I swap
>> the encryption scheme to ISAKMP and use a pre shared secret it works loverly.
>>
>>
>> Cheers
>>
>> Andy
>> **********************************************************************
>> This email and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to whom they
>> are addressed. If you have received this email in error please notify
>> the sender immediately.
>>
>> This footnote also confirms that this email message has been swept for
>> the presence of computer viruses.
>> **********************************************************************
>>
>>
>>
>> ================================================================================
>>      To unsubscribe from this mailing list, please see the instructions at
>>                http://www.checkpoint.com/services/mailing.html
>> ================================================================================