Firewall-1

Re: [FW-1] VPN-1 Edge device

Subject: Re: [FW-1] VPN-1 Edge device
From: Yinal Ozkan <Yinal.Ozkan AT INTEGRALIS DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 23 Jun 2004 05:38:40 -0400
Edge should work with HFA05 R55. You cannot use a VPN community object in the
rulebase if you have an Edge device. You have to use the implicit VPN rule
(checkbox in the community object). Policy verification can also fail due to
various reasons: anti-spoofing, groups with exclusion, install-on target
with policy targets, etc. That being said, once you connect to the service
center you should get the certificate from the server. No password auth is
required after the initial exchange. You can check the cert from the Edge device
GUI.

fyi,
- yinal ozkan

-----Original Message-----
From: Russell Aspinwall [mailto:russell.aspinwall AT FLOMERICS.CO DOT UK]
Sent: Wednesday, June 23, 2004 1:41 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] VPN-1 Edge device


I have been working with an Edge device; I have added a Profile and the Edge
device without LSM. However, when I try to verify a policy I get a warning that
a device does not support encryption and policy verification fails. If I remove
the Edge and its Profile there are no errors and the policy verifies and
installs.

After applying HFA04, I can now at least establish a connection from the Edge
unit to the Update service on the Management server. However, when entering the
name and password I get the message that the Edge unit is not authorised to
connect.

Will HFA05 and HFA06 help in terms of Edge connectivity in the same way HFA04
did for NGAI R55?


Ray wrote:
> I'd appreciate a copy. Our Check Point SE in the Cleveland area has been
> super-helpful. I got the demo box last Friday and we've been exchanging
> emails and phone calls so I can get it figured out. They did get me the
> latest beta firmware to test with as well.
>
> Since I'm on R55, the Sofaware connector is already installed but only
> partially activated. You have to run "smsstart.bat" to get the rest of it
> running.
>
> I haven't tried LSM yet although I do have the Edge X working as a remote
> gateway. I also haven't gotten the part about getting it to talk to
> SmartCenter figured out yet either.  :-) I will admit that I prefer to read
> and experiment, though.
>
> One issue is that it's dropping some service as being in a different
> community ID. I think it's SWTP_SMS. There's supposed to be a new implied
> rule in R55 so you don't have to manually exclude it from the VPN
> community.
> I even manually excluded it but it's still getting dropped.
>
> The main issues I've run into have to do with how we have our main gateway
> set up with regard to routing and its encryption domain setup. We've got
> about 22 subnets behind the gateway and will be moving most of them to VPNs,
> hopefully. This, of course, means I can no longer use my gateway static
> route of
>
> 192.168.0.0/17 -> internal router
>
> and I have to add individual static routes for each internal network.
> Otherwise when I throw a packet at the Edge gateway's internal network from
> the main internal network, it comes right back. And to think I never could
> make a boomerang work...
>
> I have to do the same thing with the encryption domain, otherwise packets
> coming from the test Edge box get dropped as "being decrypted when the
> policy says they don't have to be."
>
> The issue I'm working on now is that I can ping everything on the internal
> network from a laptop behind the Edge box, but when I try to ping the Edge
> box from some of the subnets, but not all, I get a "no valid SA" error. I
> now have a one-and-a-half VPN!
>
> Ray
>
>> From: "Stala" <stala AT tampabay.rr DOT com>
>> To: "Mailing list for discussion of Firewall-1"
>> <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>> CC: <sixsigma44 AT HOTMAIL DOT COM>
>> Subject: Re: [FW-1] VPN-1 Edge device
>> Date: Tue, 22 Jun 2004 16:54:27 -0400
>>
>> Well I finally have the VPN edge device working with LSM. It works pretty
>> slick but there was very limited help from CheckPoint on getting this
>> setup
>> and working correctly, I am actually going to be giving it a live test
>> tomorrow.
>>
>> I am working on a doc with the steps needed, when I am absolutely sure I
>> have it all correct I will be glad to share it out.
>>
>> ----- Original Message -----
>> From: "Ray" <sixsigma44 AT HOTMAIL DOT COM>
>> To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>> Sent: Friday, June 18, 2004 6:35 AM
>> Subject: Re: [FW-1] VPN-1 Edge device
>>
>>
>> I didn't know about the backwards compatibility requirement, either. Our
>> Check Point SE is supposed to be at our local user group meeting this
>> morning. If I remember I'll ask him.
>>
>> Thanks for reporting what worked,
>>
>> Ray
>>
>> >From: Stala <stala AT TAMPABAY.RR DOT COM>
>> >Reply-To: Mailing list for discussion of Firewall-1
>> ><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>> >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>> >Subject: Re: [FW-1] VPN-1 Edge device
>> >Date: Fri, 18 Jun 2004 00:42:58 -0400
>> >
>> >No problem, but the lack of documentation... I finally got this working
>> >today with LSM.
>> >
>> >I did not realize that you need backwards compatibility running for the
>> >SOFAWARE.
>> >
>> >I am going to go through the whole setup again tomorrow,
>> >
>> >our management is on UNIX Provider-1
>> >
>> >But we will be using LSM to manage the VPN Edge.
>> >It seems to be simple enough to set up now, but if you go by the very few
>> >docs it does not work well.
>> >
>> >=================================================
>> >To set vacation, Out-Of-Office, or away messages,
>> >send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>> >in the BODY of the email add:
>> >set fw-1-mailinglist nomail
>> >=================================================
>> >To unsubscribe from this mailing list,
>> >please see the instructions at
>> >http://www.checkpoint.com/services/mailing.html
>> >=================================================
>> >If you have any questions on how to change your
>> >subscription options, email
>> >fw-1-owner AT ts.checkpoint DOT com
>> >=================================================
>>
>>
>>
>
>


--
Regards

Russell



Please note that:

1. This e-mail may constitute privileged information. If you are not the 
intended recipient, you have received this confidential email and any 
attachments transmitted with it in error and you must not disclose, copy, 
circulate or in any other way use or rely on this information.
2. E-mails to and from the company are monitored for operational reasons and in 
accordance with lawful business practices.
3. The contents of this email are those of the individual and do not 
necessarily represent the views of the company.
4. The company does not conclude contracts by email and all negotiations are 
subject to contract.
5. The company accepts no responsibility once an e-mail and any attachments is 
sent.

http://www.integralis.com

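Ray's note above about the 192.168.0.0/17 supernet route sending Edge-bound
packets straight back to the gateway, and about the encryption domain having to
be spelled out per subnet, is a longest-prefix-match problem. The following is
an added example, not code from this thread or from Check Point, that models it
in Python. The topology (an internal router with a default route back to the
gateway, three stand-in internal subnets, and a hypothetical 192.168.100.0/24
behind the Edge) is constructed for illustration, and the VPN tunnel is
represented as an opaque next hop rather than a real OS route.

```python
import ipaddress

# Constructed topology (assumption, not from the thread): the main gateway
# reaches its internal subnets through an internal router, and 192.168.100.0/24
# is a hypothetical subnet behind the remote Edge box.
EDGE_SUBNET = "192.168.100.0/24"
INTERNAL_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs: the most specific
    matching route wins, regardless of table order."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(tables, start, dst, max_hops=8):
    """Follow next hops from `start` towards `dst`. Hops with no table of their
    own (a LAN segment, a VPN tunnel) are terminal. A hop that is already on the
    path means the packet is bouncing between routers."""
    path = [start]
    node = start
    for _ in range(max_hops):
        hop = next_hop(tables.get(node, []), dst)
        if hop is None:
            return path + ["DROP"]
        path.append(hop)
        if hop not in tables or hop in path[:-1]:
            return path
        node = hop
    return path


def gateway_tables(with_specific_routes):
    """Route tables for the gateway and the internal router.
    with_specific_routes=False: the single 192.168.0.0/17 supernet route Ray
    started with; True: one route per internal subnet plus the Edge subnet."""
    internal_router = [(s, "lan-" + s.split(".")[2]) for s in INTERNAL_SUBNETS]
    internal_router.append(("0.0.0.0/0", "gateway"))  # anything else goes back out
    if with_specific_routes:
        gateway = [(s, "internal-router") for s in INTERNAL_SUBNETS]
        gateway.append((EDGE_SUBNET, "vpn-tunnel-edge"))
    else:
        gateway = [("192.168.0.0/17", "internal-router")]
    return {"gateway": gateway, "internal-router": internal_router}


def looped(path):
    """True when the last hop on the path had already been visited."""
    return path[-1] in path[:-1]


def domain_overlaps(domain, peer_subnet):
    """True if any prefix in this gateway's encryption domain overlaps the
    peer's subnet. A /17 supernet domain swallows the Edge's /24; listing the
    internal subnets explicitly does not."""
    peer = ipaddress.ip_network(peer_subnet)
    return any(ipaddress.ip_network(p).overlaps(peer) for p in domain)


if __name__ == "__main__":
    host_behind_edge = "192.168.100.5"
    print("supernet only  :", trace(gateway_tables(False), "gateway", host_behind_edge))
    print("specific routes:", trace(gateway_tables(True), "gateway", host_behind_edge))
    print("/17 domain overlaps Edge:", domain_overlaps(["192.168.0.0/17"], EDGE_SUBNET))
    print("explicit domain overlaps Edge:", domain_overlaps(INTERNAL_SUBNETS, EDGE_SUBNET))
```

The /17 covers 192.168.0.0 through 192.168.127.255, so it is a valid match for
the hypothetical Edge host and the gateway hands the packet to the internal
router, whose default route hands it straight back: that is the boomerang. With
per-subnet routes the Edge prefix is the only match and the packet goes to the
tunnel. Because the match is longest-prefix, a more specific route for the Edge
subnet would also win over a retained supernet; the same specificity argument
is what the overlap check makes for the encryption domain.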
