Firewall-1

[FW-1] Re: [FW-1] how to snoop

Subject: [FW-1] Re: [FW-1] how to snoop
From: Lars Schmidt-Petersen <lsp AT SJA DOT DK>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 21 Nov 2003 14:38:10 +0100
"Rule:                           0 - Implied Rules"

You have to have a rule that allows the firewall to send out the VPN
packets.

Either allow outgoing packets from your firewall before the last rule (an
option in "Global Properties" in SmartDashboard),

or make an explicit rule for the connection.
____________________________________________________

Best regards
Lars Schmidt-Petersen                              Tel. : +45 74 33 53 42
Sønderjyllands Amt - IT office              e-mail : LSP AT SJA DOT DK
Skelbækvej 2
6200 Aabenraa
____________________________________________________
"Schroeer, Waldemar" <Waldemar.Schroeer AT DE.TTIINC DOT COM>
Sent by: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
21-11-2003 14:09
Please reply to Mailing list for discussion of Firewall-1

        To:     FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
        cc:     (bcc: Lars Schmidt-Petersen/EDB/SjA)
        Re:     [FW-1] how to snoop


Hi,

I am currently trying to set up a VPN between my Check Point NG+AI, running
on SPARC Solaris, and a Cisco PIX. It does not work at first go, so I tried
to use snoop to see whether there are any IKE-related packets originating
on my site or coming from the VPN endpoint. I tried the following (just
assume 10.10.105.2 is the external NIC of the fw):

 snoop -r -V from 10.10.105.2 or to 10.10.105.2

I did a telnet from outside and snoop showed me this incoming packet
correctly even though the rulebase is blocking such packets. When I try to
make any connection from a host on my site to a host on the other side of
the VPN tunnel, nothing happens. snoop remains mute and after a while, about
a minute, sometimes a little bit more, I get the following error:
--------------------------------------------------------
Number:                         1091517
Date:                           20Nov2003
Time:                           17:43:31
Product:                        VPN-1 & FireWall-1
Interface:                      daemon
Origin:                         eukey003 (10.10.105.2)
Protocol:                       ip
Action:                         Reject
Type:                           Log
Reject Reason:                  IKE failure
Rule:                           0 - Implied Rules
Encryption Scheme:              IKE
VPN Peer Gateway:               TX__VPN-Gateway (120.50.162.6)
Information:                    encryption failure: no response from peer.
--------------------------------------------------------

twenty seconds later i get:

--------------------------------------------------------
Number:                         1091523
Date:                           20Nov2003
Time:                           17:43:55
Product:                        VPN-1 & FireWall-1
Interface:                      hme1
Origin:                         eukey003 (10.1.102.31)
Source:                         eukey003 (10.10.105.2)
Destination:                    TX__VPN-Gateway (120.50.162.6)
Protocol:                       udp
Service:                        IKE (500)
Action:                         Drop
Type:                           Log
Rule:                           0 - Implied Rules
Source Port:                    IKE (500)
Destination Key ID:             0x00000000
Encryption Scheme:              IKE
VPN Peer Gateway:               TX__VPN-Gateway (120.50.162.6)
Encryption Methods:             ESP: AES-128 + MD5
Community:                      TX_EU_VPN_2
Information:                    encryption fail reason: Packet is dropped
because there is no valid SA - please refer to solution sk19423 in
SecureKnowledge Database for more information
--------------------------------------------------------

Thanks,
Waldemar
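The two log records quoted in the post say two different things: the first, with Interface "daemon", reports that IKE was started and the peer never answered; the second, twenty seconds later on hme1, is a Drop of the gateway's own UDP/500 packet towards the peer because no SA exists. The script below is an added example, not code from the thread or from Check Point. It parses records in the "Key:   value" layout shown above (the sample is copied from the post, trimmed to the fields used), classifies the Information field so the two failure kinds can be told apart at a glance, and builds a snoop expression for the IKE/ESP traffic between the two gateways so the next capture can be narrowed to exactly that. The class names, the meaning attached to them, and the snoop filter grammar used (host, port, esp) are this example's assumptions.

```python
"""Triage of the Check Point IKE failure records shown in the thread.

Added example (not from the thread or from Check Point). It parses the
"Key:   value" log layout, classifies the Information field and builds a
snoop filter for the IKE/ESP traffic between the two gateways.
"""
import re

# Copied from the post, trimmed to the fields this example uses.
SAMPLE_LOG = """\
--------------------------------------------------------
Number:                         1091517
Time:                           17:43:31
Interface:                      daemon
Origin:                         eukey003 (10.10.105.2)
Action:                         Reject
Reject Reason:                  IKE failure
Rule:                           0 - Implied Rules
VPN Peer Gateway:               TX__VPN-Gateway (120.50.162.6)
Information:                    encryption failure: no response from peer.
--------------------------------------------------------
Number:                         1091523
Time:                           17:43:55
Interface:                      hme1
Origin:                         eukey003 (10.1.102.31)
Source:                         eukey003 (10.10.105.2)
Destination:                    TX__VPN-Gateway (120.50.162.6)
Service:                        IKE (500)
Action:                         Drop
Rule:                           0 - Implied Rules
VPN Peer Gateway:               TX__VPN-Gateway (120.50.162.6)
Information:                    encryption fail reason: Packet is dropped
because there is no valid SA - please refer to solution sk19423 in
SecureKnowledge Database for more information
--------------------------------------------------------
"""

# "Key:" followed by at least two spaces, then the value; the lazy key match
# stops at the first such colon, so values like "ESP: AES-128" survive intact.
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s{2,}(.*)$")
SEP_RE = re.compile(r"^-{10,}$", re.MULTILINE)
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_records(text):
    """Split on the dashed separators; continuation lines (no 'Key:' prefix)
    are appended to the previous field, as in the wrapped Information value."""
    records = []
    for chunk in SEP_RE.split(text):
        rec, last = {}, None
        for line in chunk.splitlines():
            m = KEY_RE.match(line)
            if m:
                last = m.group(1)
                rec[last] = m.group(2).strip()
            elif last and line.strip():
                rec[last] += " " + line.strip()
        if rec:
            records.append(rec)
    return records


def classify(rec):
    """Triage class from the free-text Information field. The class names and
    the meaning attached to them are this example's assumptions."""
    info = rec.get("Information", "").lower()
    if "no response from peer" in info:
        return "ike_no_response"  # IKE was initiated, the peer never answered
    if "no valid sa" in info:
        return "no_sa"            # traffic seen before any IPsec SA exists
    return "other"


def peer_ip(rec):
    """The dotted-quad inside 'VPN Peer Gateway: name (a.b.c.d)', or None."""
    m = IP_RE.search(rec.get("VPN Peer Gateway", ""))
    return m.group(1) if m else None


def triage(text):
    """One summary dict per record: what was logged, where, and which class."""
    return [{
        "number": rec.get("Number"),
        "interface": rec.get("Interface"),
        "action": rec.get("Action"),
        "rule": rec.get("Rule"),
        "peer": peer_ip(rec),
        "class": classify(rec),
    } for rec in parse_records(text)]


def snoop_filter(local_ip, remote_ip):
    """snoop expression for IKE (UDP 500), NAT-T (UDP 4500) and ESP between
    two gateways. Assumes the Solaris snoop filter grammar (host, port, esp)."""
    return (f"host {local_ip} and host {remote_ip} "
            f"and (port 500 or port 4500 or esp)")


if __name__ == "__main__":
    for summary in triage(SAMPLE_LOG):
        print(summary)
    print("snoop -r -V", snoop_filter("10.10.105.2", "120.50.162.6"))
```

One caveat when running the resulting capture on the gateway: snoop listens on the first non-loopback interface unless `-d` names one, so on a multi-homed firewall the external NIC has to be selected explicitly (`snoop -r -V -d <external interface> <filter>`), otherwise an empty capture says nothing about whether IKE packets ever left the box.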

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================