I'd appreciate a copy. Our Check Point SE in the Cleveland area has been
super-helpful. I got the demo box last Friday and we've been exchanging
emails and phone calls so I can get it figured out. They did get me the
latest beta firmware to test with as well.
Since I'm on R55, the Sofaware connector is already installed but only
partially activated. You have to run "smsstart.bat" to get the rest of it
running.
I haven't tried LSM yet although I do have the Edge X working as a remote
gateway. I also haven't gotten the part about getting it to talk to
SmartCenter figured out yet either. :-) I will admit that I prefer to read
and experiment, though.
One issue is that it's dropping some service as being in a different
community ID. I think it's SWTP_SMS. There's supposed to be a new implied
rule in R55 so you don't have to manually exclude it from the VPN community.
I even manually excluded it but it's still getting dropped.
The main issues I've run into have to do with how we have our main gateway
set up with regard to routing and its encryption domain set up. We've got
about 22 subnets behind the gateway and will be moving most of them to VPNs
hopefully. This, of course, means I can no longer use my gateway static
route of
192.168.0.0/17 -> internal router
and I have to add individual static routes for each internal network.
Otherwise when I throw a packet at the Edge gateway's internal network from
the main internal network, it comes right back. And to think I never could
make a boomerang work...
I have to do the same thing with the encryption domain, otherwise packets
coming from the test Edge box get dropped as "being decrypted when the
policy says they don't have to be."
The issue I'm working on now is that I can ping everything on the internal
network from a laptop behind the Edge box, but when I try to ping the Edge
box from some of the subnets, but not all, I get a "no valid SA" error. I
now have a one-and-a-half VPN!
Ray
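As an added illustration of the routing and encryption-domain point above (this is not code from the list post or from Check Point), the following Python uses only the standard-library ipaddress module, assumes a constructed Edge network of 192.168.40.0/24 sitting inside the old 192.168.0.0/17 summary, and shows both the overlap check and the set of more specific routes that keep pointing at the internal router once that network is carved out:

```python
"""Check a VPN peer's networks against a local summary route / encryption
domain and compute the specific routes that replace the summary.
Example code, not part of the original mailing-list post."""
from ipaddress import ip_network, collapse_addresses


def encryption_domain_conflicts(local_domain, remote_domain):
    """Return (local, remote) prefix pairs that overlap.

    An overlap is a problem: the gateway cannot tell whether a packet for
    that range belongs to its own domain (send in the clear) or to the peer
    (send through the tunnel), which shows up as drops such as
    'being decrypted when the policy says they don't have to be'.
    """
    local = [ip_network(n) for n in local_domain]
    remote = [ip_network(n) for n in remote_domain]
    return [(str(l), str(r)) for l in local for r in remote if l.overlaps(r)]


def split_summary_route(summary, remote_domain):
    """Carve the peer's networks out of a summary route.

    Returns the prefixes that still point at the internal router.  With
    longest-prefix match, traffic for the carved-out ranges then follows
    the VPN route instead of boomeranging back from the internal router.
    """
    pieces = [ip_network(summary)]
    for net in (ip_network(n) for n in remote_domain):
        kept = []
        for piece in pieces:
            if not piece.overlaps(net):
                kept.append(piece)                      # untouched by this peer
            elif net.subnet_of(piece):
                kept.extend(piece.address_exclude(net))  # carve the peer out
            # else: piece lies entirely inside net, so it is dropped
        pieces = kept
    return [str(p) for p in sorted(collapse_addresses(pieces))]


if __name__ == "__main__":
    # Constructed sample: old summary route and one Edge network behind it.
    summary, edge = "192.168.0.0/17", ["192.168.40.0/24"]
    print("overlap:", encryption_domain_conflicts([summary], edge))
    specific = split_summary_route(summary, edge)
    print("routes to internal router instead of the summary:")
    for route in specific:
        print("  ", route, "-> internal router")
    print("overlap after split:", encryption_domain_conflicts(specific, edge))
```

The carved-out list has one prefix per bit between /17 and /24, which is exactly why a large summary needs many specific routes (or a renumbered Edge subnet outside the summary).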
From: "Stala" <stala AT tampabay.rr DOT com>
To: "Mailing list for discussion of Firewall-1"
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
CC: <sixsigma44 AT HOTMAIL DOT COM>
Subject: Re: [FW-1] VPN-1 Edge device
Date: Tue, 22 Jun 2004 16:54:27 -0400
Well, I finally have the VPN Edge device working with LSM. It works pretty
slick, but there was very limited help from Check Point on getting this set up
and working correctly. I am actually going to be giving it a live test
tomorrow.
I am working on a doc with the steps needed, when I am absolutely sure I
have it all correct I will be glad to share it out.
----- Original Message -----
From: "Ray" <sixsigma44 AT HOTMAIL DOT COM>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Friday, June 18, 2004 6:35 AM
Subject: Re: [FW-1] VPN-1 Edge device
I didn't know about the backwards compatibility requirement, either. Our
Check Point SE is supposed to be at our local user group meeting this
morning. If I remember I'll ask him.
Thanks for reporting what worked,
Ray
>From: Stala <stala AT TAMPABAY.RR DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] VPN-1 Edge device
>Date: Fri, 18 Jun 2004 00:42:58 -0400
>
>No problem, but the lack of documentation... I finally got this working today
>with LSM.
>
>I did not realize that you need backwards compatibility running for the
>SOFAWARE.
>
>I am going to go through the whole setup again tomorrow,
>
>our management is on UNIX Provider-1
>
>But we will be using LSM to manage the VPN Edge.
>It seems to be simple enough to set up now, but if you go by the very few
>docs it does not work well.
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-owner AT ts.checkpoint DOT com
>=================================================