Hi!

        I've been debugging the following setup for the last couple of
days:

policy   pvt net         pvt net        internet
server  --------  fw-1 A ------- fw-1 B -------- fw-1 C ---

        The policy server is for all three firewalls (in fact, it serves
many more and in HA mode, but that doesn't matter).

        I've managed to get A and B working with the policy server by
issuing the putkey commands in this way:

fwstop everything
delete the putkey related files everywhere
mgmt> putkey fwB
mgmt> putkey fwA
A> putkey mgmt
B> putkey mgmt
mgmt> fwstart
A> fwstart
B> fwstart

        If on the policy server (mgmt) I issue the putkey first for A and
then for B, then the mgmt server cannot push the policies to the fws, but
the fws can load the policies. Very weird.

        For the C firewall, I've created a NAT for the mgmt server, which
the C fw can even ping, so there's no routing issue.

        The process I did was exactly the same as before, but issuing the
key for C before everything. However, it didn't work for C. It did for A &
B though.

        There's no problem with fwa1 because they both agree to
authenticate on it. I also issue the correct putkey -n command. The
clocks are also synced.

        So my questions are:

1) What does a putkey command really do?
   What files does it change? I guess all these:

$FWDIR/conf/fwauth.keys 
$FWDIR/conf/serverkeys.* 
$FWDIR/database/authkeys.C 
$FWDIR/database/opsec_authkeys.C 

        What does it really do with all of them? It seems to me that in
fwauth.keys it stores the hashed password with the date and so on. No
changes are made after the putkey command.

        What about the other 3? What happens when two firewalls with fresh
putkey files try to communicate with each other? What do they exchange?
What files do they change? Does it only change the files mentioned above?

2) As (1) has too many questions, does anybody know how to get this
working? Please state exactly the order of the commands and which files to
erase. Thanks!

3) Is there any doc/book/whatever that explains the inner workings of
FW-1? I'm relatively new to this product and I find that it is relatively
easy to set everything up and do simple stuff..., but when you try to do
something complex, or when ftp stops working, or when you want to take a
look at the defines, nothing's documented!!!

        Well, I guess that's it for today.

        Thanks!!!
        
-- p.
