Re: CP NG FP3 to CP 2000 VPN

From: Shireen (sayeeda_shireen_at_yahoo.com)
Date: 09/27/03


Date: 26 Sep 2003 22:13:10 -0700

rick@bcm.tmc.edu (Richard H Miller) wrote in message news:<bl1i4n$emk@gazette.corp.bcm.tmc.edu>...
> Shireen (sayeeda_shireen@yahoo.com) wrote:
> : Hello everyone,
> : I am facing a very peculiar problem with Checkpoint. On my side I
> : have a Checkpoint NG FP3 firewall and I am trying to establish a VPN
> : to a Checkpoint 2000 (4.1) on the remote side. The remote side fw is
> : not in my control.
> : The problem is hosts on my LAN are able to download files from the
> : servers on the remote LAN. But the other side can only ping us. No
> : file transfers can be done, nothing. The VPN domains are properly
> : defined, NAT is disabled for the VPN traffic. The IKE negotiations go
> : on perfectly. But no transfers are possible from the remote side. One
> : more issue that we are facing is, nobody on our LAN is able to reach
> : the mail server on the other side through the VPN. All other remote
> : servers are accessible. Can somebody help me please? I have even
> : installed the backward compatibility patch on FP3, though I don't think
> : that was necessary. Any suggestions?
>
> : Thanks in advance,
> : Shireen
>
> The first and most obvious questions are:
>
> 1) have you looked at the security policy that defines what is allowed? Remember, the VPN tunnel
> and encryption domain only define the mode in which packets will flow. Do you
> have any rules in place that allow encrypted traffic to flow from a machine in your encryption
> domain to a machine in the remote encryption domain?
>
> 2) have you looked at the logs on both sides to see what, if any, errors are being reported.
>
> 3) are you using a simplified or traditional mode security policy?
>
>
> The same things need to be done at the remote site.
>
>
> Richard H. Miller, MCSE, CCSE
> Information Security Manager
> Information Technology Security and Compliance
> Information Technology - Baylor College of Medicine

Yes, I do have rules to allow encrypted traffic to flow between the
VPN domains and so does the other side. On my side, the logs show no
"decrypt" info, only "encrypt" can be seen. Anyone on my side is able
to download files from the remote location. When I put up a cleanup
rule, then the logs say that "packets from the remote location
dropped because decryption method does not match". But what is strange
is IKE negotiations are successful. If they are successful, then where
is the question of decryption methods not matching?

I am using traditional mode configuration. Any other suggestions,
please?

Shireen
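An added example, not part of the original thread and not a Check Point tool: the symptom described above (only "encrypt" entries for a peer, never "decrypt", plus drops with a decryption-method mismatch once a cleanup rule exists) can be picked out of a firewall log automatically. The script below parses constructed sample log lines in a simple key=value layout (the layout itself is an assumption for this example, not Check Point's log format), tallies encrypt/decrypt/drop actions per VPN peer, and flags peers where traffic leaves encrypted but nothing ever comes back decrypted, together with the recorded drop reasons.

```python
import shlex
from collections import defaultdict

# Constructed sample log lines (not real Check Point output; the key=value
# layout is an assumption chosen for this example). Peer 203.0.113.7 shows
# the one-way pattern from the post; peer 198.51.100.3 is a healthy tunnel.
SAMPLE_LOG = """\
2003-09-26 21:58:01 action=encrypt src=10.1.1.5 dst=192.168.50.10 service=ftp peer=203.0.113.7
2003-09-26 21:59:10 action=encrypt src=10.1.1.9 dst=192.168.50.25 service=smtp peer=203.0.113.7
2003-09-26 22:01:03 action=drop src=192.168.50.10 dst=10.1.1.5 service=ftp peer=203.0.113.7 reason='decryption method does not match'
2003-09-26 22:01:09 action=drop src=192.168.50.25 dst=10.1.1.9 service=smtp peer=203.0.113.7 reason='decryption method does not match'
2003-09-26 22:05:00 action=encrypt src=10.1.1.5 dst=172.16.8.4 service=http peer=198.51.100.3
2003-09-26 22:05:01 action=decrypt src=172.16.8.4 dst=10.1.1.5 service=http peer=198.51.100.3
"""


def parse_line(line):
    """Split one 'YYYY-MM-DD HH:MM:SS key=value ...' line into a dict.

    shlex handles quoted values such as reason='...', so the reason text
    survives as a single field.
    """
    timestamp, rest = line[:19], line[20:]
    fields = {"time": timestamp}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def summarize(log_text):
    """Count encrypt/decrypt/drop actions per VPN peer, with drop reasons."""
    summary = defaultdict(lambda: {
        "encrypt": 0, "decrypt": 0, "drop": 0,
        "drop_reasons": defaultdict(int),
    })
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        peer = rec.get("peer", "unknown")
        action = rec.get("action")
        if action in ("encrypt", "decrypt", "drop"):
            summary[peer][action] += 1
        if action == "drop" and "reason" in rec:
            summary[peer]["drop_reasons"][rec["reason"]] += 1
    return summary


def one_way_tunnels(summary):
    """Return peers we encrypt to but never decrypt from.

    Each finding is (peer, encrypt_count, drop_count, {reason: count}).
    A non-empty result means Phase 1 (IKE) may be fine while Phase 2
    traffic is failing in one direction, which is what to compare
    against the remote side's configuration and logs.
    """
    findings = []
    for peer, stats in sorted(summary.items()):
        if stats["encrypt"] > 0 and stats["decrypt"] == 0:
            findings.append((peer, stats["encrypt"], stats["drop"],
                             dict(stats["drop_reasons"])))
    return findings


if __name__ == "__main__":
    for peer, enc, drops, reasons in one_way_tunnels(summarize(SAMPLE_LOG)):
        print(f"peer {peer}: {enc} encrypt, 0 decrypt, {drops} drops, reasons={reasons}")
```

Run against a real export, the interesting output is a peer that appears only in the encrypt column while the drop reasons name a decryption mismatch: that points at the IPsec (Phase 2) proposal or encryption-domain definitions on one side rather than at IKE itself, which is the distinction the post is asking about.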


