Rick,

Did you try to alter the AH and the ESP of the IPSec encryption scheme?
I've faced the same problem, the tunnel wasn't working with 3DES ESP and SHA1 AH, but
with MD5 AH everything worked just fine.

Looks like a bug to me,

Regards, Andre



----------
From:   Rick Camp[SMTP:[EMAIL PROTECTED]]
Sent:   Friday, October 27, 2000 7:51 PM
To:     '[EMAIL PROTECTED]'
Subject:        [FW1] Manual IPSEC question


I am having an issue with a Manual IPSEC between two firewall-1 boxes.  Both
are NT; one is 4.0 SP7, the other is 4.1 SP2.

The encryption works, but it seems like it needs to be primed.  If I
initiate a connection (ping, nbtstat, web browsing, etc.) from only one side,
it will be encrypted outbound, but there will be no response.  This is the
same no matter which network I initiate the connection from.  However, if I
initiate a connection from both sides, the encryption kicks in and works just
fine even if everything else is initiated from only one network.  The next
day it will need to be primed from both sides again even though the firewall
was not reset and no security policy changes were made.

My rulebase looks like this:

my internal network - other internal network - any - encrypt
other internal network - my internal network - any - encrypt

If I combined these 2 rules into 1, would it solve the problem?

I was initially trying to set up IKE or ISAKMP between the two, but this
seemed too complicated until the 4.0 box was upgraded to 4.1, because 4.0
won't do entire subnets with IKE yet.

Any suggestions would be greatly appreciated.

Thanks,

Rick


_______________________________________
Rick Camp
Welsh Consulting, Inc. 
31 Milk Street, Suite 805 
Boston, MA 02109 
617-695-9800 Tel 
617-695-0350 Fax 
[EMAIL PROTECTED] 
www.welsh.com
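Andre's observation above (the tunnel failed with SHA1 AH but worked with MD5 AH) comes down to whether both peers compute the same AH integrity check value. The following is an added example, not code from this thread or from Check Point, showing how an RFC 2402-style AH ICV is computed with HMAC-MD5-96 and HMAC-SHA-1-96 over a transport-mode IPv4 packet: hop-mutable header fields are zeroed, the ICV is truncated to 96 bits, and a peer whose inbound SA uses the other algorithm rejects the packet silently. The key, addresses and payload are constructed sample values, and the FireWall-1 rulebase behaviour itself is not modelled.

```python
import hashlib
import hmac
import struct

# RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96): the AH ICV is the
# first 96 bits (12 bytes) of the full HMAC output.
ICV_LEN = 12
AH_PROTO = 51
ALGS = {"hmac-md5-96": hashlib.md5, "hmac-sha1-96": hashlib.sha1}


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte header (checksum field must be zero)."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header whose next protocol is AH (51)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, AH_PROTO, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """RFC 2402: fields a router may rewrite are zeroed before the ICV is computed."""
    h = bytearray(hdr)
    h[1] = 0                  # ToS
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH header; Payload Len is the AH length in 32-bit words minus 2 (RFC 2402)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(alg: str, key: bytes, ip_hdr: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV over immutable IP header fields, the AH header with a zeroed ICV field, and the payload."""
    ah_zero = ah_header(next_header, spi, seq, b"\x00" * ICV_LEN)
    data = zero_mutable_ipv4(ip_hdr) + ah_zero + payload
    return hmac.new(key, data, ALGS[alg]).digest()[:ICV_LEN]


def build_ah_packet(alg, key, src, dst, spi, seq, inner_proto, payload, ttl=64):
    """What the sending peer's outbound SA produces."""
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, total_len, ttl)
    icv = ah_icv(alg, key, ip_hdr, inner_proto, spi, seq, payload)
    return ip_hdr + ah_header(inner_proto, spi, seq, icv) + payload


def verify_ah_packet(alg, key, packet):
    """What the receiving peer's inbound SA does: recompute and compare the ICV in constant time."""
    ip_hdr = packet[:20]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_len = (payload_len + 2) * 4
    icv = packet[32:20 + ah_len]
    payload = packet[20 + ah_len:]
    expected = ah_icv(alg, key, ip_hdr, next_header, spi, seq, payload)
    return hmac.compare_digest(icv, expected)


def forward_one_hop(packet):
    """Simulate a router: decrement TTL and recompute the header checksum, leaving AH untouched."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def demo():
    key = b"manual-key-shared-by-both-peers"                     # constructed sample key
    src, dst = bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20])       # constructed addresses
    payload = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"ping"       # constructed ICMP-like payload
    pkt = build_ah_packet("hmac-sha1-96", key, src, dst, spi=0x1000, seq=1, inner_proto=1, payload=payload)
    tampered = pkt[:-4] + b"pong"
    return {
        "same_alg_verifies": verify_ah_packet("hmac-sha1-96", key, pkt),
        "after_router_hop_verifies": verify_ah_packet("hmac-sha1-96", key, forward_one_hop(pkt)),
        "md5_peer_rejects_sha1_packet": not verify_ah_packet("hmac-md5-96", key, pkt),
        "tampered_payload_rejected": not verify_ah_packet("hmac-sha1-96", key, tampered),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the "after_router_hop_verifies" case is that TTL and checksum changes in transit do not break AH, so a silently dropped reply is far more likely to be a key or algorithm mismatch between the two manually configured SAs than path damage; the "md5_peer_rejects_sha1_packet" case is exactly what a peer configured for a different AH algorithm sees, and it logs nothing back to the sender.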



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
