Do a guidbedit or dbedit and change the setting
"ike_use_largest_possible_subnets" to "false".
If that doesn't work:
Configure the "max_subnet_for_range" table in $FWDIR/lib/user.def on the
management (SmartCenter) - always backup files before editing.
Table name and format:
max_subnet_for_range = {
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
...
<first_IP_in_range, last_IP_in_the_range; subnet_mask>
};
The network and subnet for IKE negotiation will be determined according
to the table above. The host's IP will be matched to the relevant entry in
this table, and that entry's subnet will be used for negotiation.
For ranges not specified in the table, the subnet mask will be
determined as if ike_use_largest_possible_subnets were set to "true",
wherever relevant.
The "ike_use_largest_possible_subnets true" setting is there to cut down
on the number of phase 2 key exchanges, but it can cause problems.
-Will
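To see how the max_subnet_for_range table described above selects a subnet, here is an added Python model (not Check Point code, and not from the original post) that parses a user.def-style table and returns the subnet IKE would propose for a given host; the addresses are constructed documentation ranges, and the mask choices are assumptions for illustration.

```python
import ipaddress
import re

# Constructed example of a max_subnet_for_range table as it would appear in
# $FWDIR/lib/user.def (documentation addresses, not the poster's network).
# Entry 1: every host in 192.0.2.0/24 is negotiated as a single /32 proxy-ID
#          (assumed choice for a peer that expects host-only IDs).
# Entry 2: hosts in 198.51.100.0/24 are negotiated as /25 networks.
USER_DEF_SAMPLE = """
max_subnet_for_range = {
    <192.0.2.0, 192.0.2.255; 255.255.255.255>,
    <198.51.100.0, 198.51.100.255; 255.255.255.128>
};
"""

# <first_IP, last_IP; subnet_mask> entries inside the braces of the table.
ENTRY_RE = re.compile(r"<\s*([\d.]+)\s*,\s*([\d.]+)\s*;\s*([\d.]+)\s*>")
TABLE_RE = re.compile(r"max_subnet_for_range\s*=\s*\{(.*?)\};", re.S)


def parse_table(text):
    """Return [(first_ip, last_ip, netmask)] parsed from a user.def fragment."""
    m = TABLE_RE.search(text)
    if not m:
        return []
    entries = []
    for first, last, mask in ENTRY_RE.findall(m.group(1)):
        entries.append((ipaddress.ip_address(first),
                        ipaddress.ip_address(last),
                        ipaddress.ip_address(mask)))
    return entries


def subnet_for_host(host, entries):
    """Subnet (as 'net/prefix') that the table selects for host, or None when
    no range covers it; in that case the ike_use_largest_possible_subnets
    default applies, which this helper deliberately does not model."""
    ip = ipaddress.ip_address(host)
    for first, last, mask in entries:
        if first <= ip <= last:
            # strict=False masks off the host bits to get the network.
            return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return None


if __name__ == "__main__":
    table = parse_table(USER_DEF_SAMPLE)
    for h in ("192.0.2.105", "198.51.100.200", "203.0.113.9"):
        print(h, "->", subnet_for_host(h, table))
```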
> -----Original Message-----
> From: Geoff Brisbine [mailto:geoffbrisbine AT MI-ASSISTANT DOT COM]
> Sent: Monday, September 20, 2004 4:49 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] R55 & Cisco 3005 VPN Concentrator: Tunnel
> establishes one-way only.
>
> Greetings, all.
>
> I am having a problem with the VPN between our R55 HFA07
> SPLAT box and a Cisco 3005 VPN Concentrator.
>
> I am not able to establish the tunnel nor ping the remote
> server. The other end can establish the tunnel and ping
> our servers just fine.
>
> If I attempt to establish the tunnel I get an "IKE: Main mode
> completion"
> (from us to them) and then I get a "IKE: Informational
> Exchange Received Delete IKE-SA from Peer: xxxxxxxx" (from
> them to us).
>
> The one thing that caught me a little off-guard with this
> setup is their VPN Concentrator and the server we're trying
> to hit have the same first 3 octets in their IP address. I
> created a host (within a group) and added just the server to
> the VPN Domain, which didn't work. I created a Class C
> network and used that as the VPN Domain, which didn't work either.
>
> The gentleman that I spoke with (at the far side) said that
> in his notes he sees that there was another VPN that was CP
> <--> CP that had this problem, which was solved by making a
> change on the CP box. He did not know what change the other
> admin had made on the CP box to make it work.
>
> Here's the rundown on our config...
> | Interoperable device object
> | ===========================
> | Name = Vendor_X_Device
> | IP Address = 111.222.333.4
> | VPN Domain = Vendor_X_Network
> |
> | Network object
> | ==============
> | Network = Vendor_X_Network - 111.222.333.0/24
> |
> | Node object
> | ===========
> | Node = Vendor_X_Server - 111.222.333.105
> |
> | VPN object
> | ==========
> | Participating Gateways = Our firewall and Vendor_X_Device
> | VPN Properties: 3DES/MD5, 3DES/MD5
> | IKE: DH Group 2, 144 minutes
> | Using a shared secret
>
> Any ideas?
>
> Geoff Brisbine | Network Administrator
> Direct: 715.287.3225 x190
>
> MI-Assistant - A Division of Fiserv FSC, Inc.
> 26550 West Mondovi Street | Eleva, WI 54738
> Phone: 715.287.4262 | Fax: 715.287.4576
> http://www.mi-assistant.com/
>
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an
> email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription
> options, email fw-1-owner AT ts.checkpoint DOT com
> =================================================
>