Hi all
I'm trying to work with a vendor to set up a VPN between our site
and theirs but am having trouble. Can anyone tell me what I'm
doing wrong?
Versions: We have a Nokia box running FW1 4.1 SP1.
They are using a Nortel Contivity box (version unknown).
Background: Currently we have a VPN set up between this
location and one of our other locations. It works fine.
Both of our sites are using FW1 4.1 SP1. This new setup is with
a vendor.
Objects:
The nortel_FW object is set up with the proper IP and netmask.
On the VPN tab, the following is checked: Other, then a group
created for the nokia_lan. IKE, 3DES, SHA1, preshared
secret is used.
The nokia_FW object is set up with the proper IP and netmask as
well. On the VPN tab, the following is checked: Other, then a group
created for the nokia_lan. IKE, DES, CAST, 3DES, MD5, SHA1,
preshared secret.
Security Policy Rules:

#  Source     Destination  Service  Action   Comment
1  nokia_lan  location2    any      encrypt  "VPN between our locations"
2  nokia_FW   nortel_FW    IKE      accept   "between firewalls"
3  nokia_lan  nortel_lan   any      encrypt  "VPN between us & the vendor"
4  any        nokia_FW     any      drop
5  nokia_lan  any          any      accept
6  any        any          any      drop
Rule one is for the VPN that is already working. Rule two was
suggested as needed by the Nortel folks so that the key only gets
exchanged by the firewalls. I thought that happened anyway and I
didn't have to write a rule for it. Rule three is to allow the
new VPN in with the vendor. Rule four is to drop anything going
directly to the firewall. Rule five is to allow anything from
our network outbound (for the sake of simplicity here). Rule six
drops anything else not covered above.
NAT Rules:

   Original packet                   Translated packet
#  Source     Destination  Service   Source    Destination  Service
1  nokia_lan  location2    any       original  original     original
2  nokia_FW   nortel_FW    any       original  original     original
3  nokia_lan  nortel_lan   any       original  original     original
4  nokia_lan  nokia_lan    any       original  original     original
5  nokia_lan  any          any       nokia_FW  original     original
Everything stays original here except that whatever leaves the local
LAN would be NAT'd behind the firewall.
So what am I forgetting? In the log, I can see my key being
pushed out to them but I'm not seeing anything from their side.
Thanks for any help you can give me.
cee
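One way to reason about a peer that never answers the first IKE message, as an added example that is not part of cee's post and is not code from Check Point or Nortel: an IKEv1 responder only replies when one of the initiator's Phase 1 proposals matches its own policy on every attribute, not just the cipher and hash shown on the VPN tab. The script below models that rule. The cipher, hash and authentication values are taken from the post; the DH groups and lifetimes are assumed values, added to show the attributes a checkbox list does not expose.

```python
"""IKEv1 Phase 1 proposal matcher (illustrative, not vendor code).

Models the responder's rule: accept the first initiator proposal that
matches on encryption, hash, authentication method, DH group and
lifetime; otherwise send nothing useful back (or NO_PROPOSAL_CHOSEN).
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    """One Phase 1 transform as offered by the initiator."""
    encryption: str     # "DES", "CAST", "3DES"
    hash: str           # "MD5", "SHA1"
    auth: str           # "preshared", "rsa-sig"
    dh_group: int       # 1 = MODP-768, 2 = MODP-1024
    lifetime_sec: int


@dataclass
class PeerPolicy:
    """Everything one gateway is willing to use for Phase 1."""
    name: str
    encryptions: List[str]
    hashes: List[str]
    auths: List[str]
    dh_groups: List[int]
    lifetime_sec: int

    def proposals(self) -> List[Proposal]:
        # The initiator offers every allowed combination, in configuration
        # order, so the responder's pick is the first one it accepts.
        return [Proposal(e, h, a, g, self.lifetime_sec)
                for e, h, a, g in product(self.encryptions, self.hashes,
                                          self.auths, self.dh_groups)]

    def rejects(self, p: Proposal) -> List[str]:
        """Attributes of `p` this peer refuses (empty list means acceptable)."""
        bad = []
        if p.encryption not in self.encryptions:
            bad.append("encryption")
        if p.hash not in self.hashes:
            bad.append("hash")
        if p.auth not in self.auths:
            bad.append("auth")
        if p.dh_group not in self.dh_groups:
            bad.append("dh_group")
        # Common IKEv1 behaviour: an equal or shorter lifetime is accepted,
        # a longer one is refused (some stacks insist on an exact match).
        if p.lifetime_sec > self.lifetime_sec:
            bad.append("lifetime")
        return bad


def negotiate(initiator: PeerPolicy, responder: PeerPolicy) -> Optional[Proposal]:
    """Return the first initiator proposal the responder accepts, or None."""
    for p in initiator.proposals():
        if not responder.rejects(p):
            return p
    return None


def explain_failure(initiator: PeerPolicy, responder: PeerPolicy) -> List[str]:
    """Attributes on which the two policies have no common value at all.

    Because proposals() is the full cross product, negotiation succeeds
    exactly when every attribute has a non-empty intersection.
    """
    reasons = []
    if not set(initiator.encryptions) & set(responder.encryptions):
        reasons.append("encryption")
    if not set(initiator.hashes) & set(responder.hashes):
        reasons.append("hash")
    if not set(initiator.auths) & set(responder.auths):
        reasons.append("auth")
    if not set(initiator.dh_groups) & set(responder.dh_groups):
        reasons.append("dh_group")
    if initiator.lifetime_sec > responder.lifetime_sec:
        reasons.append("lifetime")
    return reasons


# Constructed from the post: nokia_FW allows DES, CAST, 3DES, MD5, SHA1 and
# preshared secret; nortel_FW allows 3DES, SHA1 and preshared secret.
# DH group 2 and a 24h lifetime are ASSUMED values, not taken from the post.
NOKIA = PeerPolicy("nokia_FW", ["DES", "CAST", "3DES"], ["MD5", "SHA1"],
                   ["preshared"], [2], 86400)
NORTEL = PeerPolicy("nortel_FW", ["3DES"], ["SHA1"], ["preshared"], [2], 86400)
# Same vendor policy with an ASSUMED DH-group mismatch: the cipher and hash
# checkboxes agree, yet the responder will never pick a proposal.
NORTEL_GROUP1 = PeerPolicy("nortel_FW (group 1 only)", ["3DES"], ["SHA1"],
                           ["preshared"], [1], 86400)

if __name__ == "__main__":
    for resp in (NORTEL, NORTEL_GROUP1):
        chosen = negotiate(NOKIA, resp)
        if chosen:
            print(f"{NOKIA.name} -> {resp.name}: agreed on {chosen}")
        else:
            print(f"{NOKIA.name} -> {resp.name}: no proposal chosen; "
                  f"no common value for {explain_failure(NOKIA, resp)}")
```

The second scenario is the one worth remembering when the log shows your first packet leaving and nothing coming back: an intersection on the visible checkboxes is not enough, and a hidden attribute such as the DH group, the authentication method or a lifetime the peer refuses will leave the responder silent just as surely as a wrong cipher would.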
