Re: [FW1] SecuRemote & ISAKMP precisions
Hi,
My licenses are:
fw ver command result:
- VPN-1 & FW-1 version 4.0 build 4037 [VPN]
fw printlic command result:
- sr super
- encul ca skip isakmp
- control pfm
I have the FW-1 installed on an NT4 SP4 box.
I have DMZ, Internal network and I do NAT.
I have a Microsoft Proxy server between my internal network and FW-1.
I use a cable modem to connect my Firewall to the Internet.
I use RTC to an ISP to connect my SecuRemote Client to the Internet.
My goal is to make VPN using SecuRemote client.
Cordially,
Emmanuel Lucas.
----- Original Message -----
From: Michel Toussaint <Michel.Toussaint@eonic.com>
To: 'Emmanuel LUCAS' <elucas@ville-orleans.fr>;
<fw-1-mailinglist@lists.us.checkpoint.com>
Sent: Monday, April 03, 2000 6:24 PM
Subject: RE: [FW1] SecuRemote & ISAKMP precisions
> How's your license ?
> What features do you have ?
>
> Regards,
>
> ----------------- FROM : ---------------
> Michel Toussaint,MCSE
> System Administrator
> Eonic Systems NV
> Mailto:Michel.Toussaint@eonic.com
> Vcard http://www.eonic.com/vcards/mto.vcf
> - From Deep Space To Deep Sea -
> Web site: http://www.eonic.com
> -----------------------------------------
>
>
>
>
> -----Original Message-----
> From: Emmanuel LUCAS [mailto:elucas@ville-orleans.fr]
> Sent: Monday, April 03, 2000 4:18 PM
> To: Michel Toussaint; fw-1-mailinglist@lists.us.checkpoint.com
> Subject: Re: [FW1] SecuRemote & ISAKMP precisions
>
>
>
> So, I begin to understand ...
>
> Now when I try to connect my SecuRemote client to my Firewall, I have the
> error message:
>
> Error: Site xxx.xxx.xxx.xxx says that it is not a Certificate Authority.
> Check whether you have got the right IP address for xxx.xxx.xxx.xxx, and
> check with the FW-1 system manager there whether xxx.xxx.xxx.xxx is indeed a
> FW-1 control station.
>
> 1- I am sure of the IP address.
> 2- All the Firewall modules are installed on the same station.
> 3- I use ISAKMP with pre-shared secret so normally I don't use a CA.
>
> I have read lots of things on PhoneBoy's site but nothing seems to correct
> the problem.
>
> Any ideas about what's wrong?
>
> Cordially
>
> Emmanuel Lucas.
>
> ----- Original Message -----
> From: Michel Toussaint <Michel.Toussaint@eonic.com>
> To: 'Emmanuel LUCAS' <elucas@ville-orleans.fr>;
> <fw-1-mailinglist@lists.us.checkpoint.com>
> Sent: Monday, April 03, 2000 2:12 PM
> Subject: RE: [FW1] SecuRemote & ISAKMP precisions
>
>
> > IKE is just the new name for ISAKMP/OAKLEY
> > The latest version of SecuRemote actually refers to IKE (build 4118, but
> > I'm not sure).
> > And last but not least, if you use "Shared secret", you do not need a CA.
> >
> > Have fun,
> >
> > ----------------- FROM : ---------------
> > Michel Toussaint,MCSE
> > System Administrator
> > Eonic Systems NV
> > Mailto:Michel.Toussaint@eonic.com
> > Vcard http://www.eonic.com/vcards/mto.vcf
> > - From Deep Space To Deep Sea -
> > Web site: http://www.eonic.com
> > -----------------------------------------
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Emmanuel LUCAS [mailto:elucas@ville-orleans.fr]
> > Sent: Monday, April 03, 2000 12:20 PM
> > To: fw-1-mailinglist@lists.us.checkpoint.com
> > Subject: Tr: [FW1] SecuRemote & ISAKMP precisions
> >
> >
> >
> > Hi,
> >
> > On my Firewall (user definition and Firewall object) I can only check SKIP
> > or ISAKMP/OAKLEY, not IKE.
> > On my SecuRemote Client, I can select only FWZ or ISAKMP not IKE.
> >
> > If I have ISAKMP checked on both ends, normally it should work, shouldn't
> > it?
> > In that case, is a CA mandatory?
> >
> > Cordially,
> >
> > Emmanuel Lucas.
> >
> >
> > > ----- Original Message -----
> > > From: Account SC-SEC3 AI/DI-D (Tel 34943) <account.sc-sec3@airbus.fr>
> > > To: owner-fw-1-mailinglist (Non Receipt Notification Requested) (IPM
> > Return
> > > Requested) <owner-fw-1-mailinglist@lists.us.checkpoint.com>
> > > Cc: fw-1-mailinglist (Non Receipt Notification Requested) (IPM Return
> > > Requested) <fw-1-mailinglist@lists.us.checkpoint.com>
> > > Sent: Friday, March 31, 2000 5:14 PM
> > > Subject: Re: [FW1] SecuRemote & ISAKMP precisions
> > >
> > >
> > > >
> > > >
> > > > >>Hi,
> > > > >>
> > > > >>Thanks for your response.
> > > > >>
> > > > >>Other questions:
> > > > >>
> > > > >>> If you're using IKE, you have to have a CA generated.
> > > > >>Where do I find out if I use IKE? On the Firewall or on the
> > > > >>SecuRemote Client?
> > > >
> > > > Both have to be checked:
> > > > On the Firewall (firewall object and User definition)
> > > > On the SecuRemote client (Tools menu -> select IKE)
> > > >
> > > > >>
> > > > >>> SecuRemote is using DH for key exchange, so you have to have DH
> > > > >>> generated on the firewall.
> > > > >>I want to use the Firewall-1 password. So the DH key is the password,
> > > > >>isn't it?
> > > > DH keys are generated transparently. They are used to create an
> > > > encrypted channel without any authentication. Then the password (also
> > > > called pre-shared secret) is transmitted through this encrypted
> > > > channel. This will retroactively authenticate the first exchange.
> > > > This process is IKE phase 1. Keys are derived from this phase to enter
> > > > phase 2, which creates the true VPN channel.
> > > >
> > > >
> > > > Mat
> > > >
> > > >
> > > > >>
> > > > >>Cordially,
> > > > >>
> > > > >>Emmanuel Lucas.
> > > > >>
> > > > >>
> > > > >>----- Original Message -----
> > > > >>From: Dallas Bishoff <dallas_bishoff@hotmail.com>
> > > > >>To: <elucas@ville-orleans.fr>
> > > > >>Sent: Thursday, March 30, 2000 6:10 PM
> > > > >>Subject: Re: [FW1] SecuRemote & ISAKMP precisions
> > > > >>
> > > > >>
> > > > >>> Howdy:
> > > > >>>
> > > > >>> First, none of this is trivial for any of us. Here's your answer
> > > > >>> and some references. The RFC stuff is located at:
> > > > >>>
> > > > >>> www.isi.edu
> > > > >>>
> > > > >>> RFC 2401: Security Architecture for the Internet Protocol
> > > > >>> RFC 2401 obsoletes RFC 1825
> > > > >>> RFC 2404: IP Authentication Header
> > > > >>> RFC 2402 obsoletes RFC 1826
> > > > >>> RFC 2406: IP Encapsulating Security Payload (ESP)
> > > > >>> RFC 2406 obsoletes RFC 1827
> > > > >>> RFC 2407: The Internet IP Security Domain of Interpretation for
> > > > >>> ISAKMP
> > > > >>> RFC 2408: Internet Security Assoc. & Key Management Protocol
> > > > >>> (ISAKMP)
> > > > >>> RFC 2409: The Internet Key Exchange (IKE)
> > > > >>> RFC 2412: The OAKLEY Key Determination Protocol
> > > > >>> RFC 1828: IP Authentication using Keyed MD5
> > > > >>> RFC 2085: HMAC-MD5 IP Authentication with Replay Prevention
> > > > >>> RFC 2104: HMAC: Keyed-hashing for Message Authentication
> > > > >>> RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
> > > > >>> RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH
> > > > >>> RFC 1829: The ESP DES-CBC Transform
> > > > >>> RFC 2410: The NULL Encryption Algorithm and its Use with IPsec
> > > > >>> RFC 2451: The ESP CBC-Mode Cipher Algorithms
> > > > >>> RFC 2405: The ESP DES-CBC Cipher Algorithms with Explicit IV
> > > > >>>
> > > > >>>
> > > > >>> If you're using IKE, you have to have a CA generated.
> > > > >>>
> > > > >>> The key exchange and definitions are taken care of in the
> > > > >>> configuration of the firewall and SecuRemote, then the interaction
> > > > >>> is controlled by the RFC standards.
> > > > >>>
> > > > >>> Regards!!!
> > > > >>>
> > > > >>> Dallas N. Bishoff
> > > > >>> MCSE+I, MCT, CCA, ICE, CCSE,
> > > > >>> Nokia Security Administrator,
> > > > >>> RSA ACE/Server Engineer
> > >
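Mat's description of phase 1 (an unauthenticated DH exchange, the pre-shared secret authenticating it after the fact, keys derived for phase 2) as an added example; this is not code from the thread or from Check Point. It follows RFC 2409 section 5, where the pre-shared key is never put on the wire: it keys the prf over the two nonces, and HASH_I/HASH_R then bind the DH values, cookies, SA offer and identities to that key. Assumptions: a toy 127-bit prime instead of a real MODP group, HMAC-SHA1 as the prf, and constructed stand-ins for the SA and ID payload bodies.

```python
"""IKE main mode (RFC 2409) phase 1 with pre-shared-key authentication.
Both peers are simulated; each side only learns what crosses the wire."""
import hashlib
import hmac
import secrets

# Toy DH group, constructed for brevity: 2^127 - 1 is prime but far too small
# for real use. RFC 2409 section 6 defines the MODP groups IKE actually uses.
P = (1 << 127) - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 section 4: prf is the HMAC of the negotiated hash; SHA-1 here.
    return hmac.new(key, data, hashlib.sha1).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def derive_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5, pre-shared key case. SKEYID_d seeds the phase 2
    keys, SKEYID_a authenticates phase 1 messages, SKEYID_e encrypts them."""
    skeyid = prf(psk, ni + nr)  # the PSK is only ever used as this prf key
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def phase1_psk(psk_i, psk_r, sai_b=b"SA-proposal", idii_b=b"initiator", idir_b=b"responder"):
    """Return (initiator accepted HASH_R, responder accepted HASH_I).
    sai_b/idii_b/idir_b are constructed stand-ins for the SA and ID bodies."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # msgs 1-2
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # msgs 3-4
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gxi_b, gxr_b = to_bytes(pow(G, xi, P)), to_bytes(pow(G, xr, P))
    # Unauthenticated DH: each side gets g^xy from its own exponent only.
    gxy_i, gxy_r = to_bytes(pow(pow(G, xr, P), xi, P)), to_bytes(pow(pow(G, xi, P), xr, P))
    skeyid_i = derive_keys(psk_i, ni, nr, gxy_i, cky_i, cky_r)[0]
    skeyid_r = derive_keys(psk_r, ni, nr, gxy_r, cky_i, cky_r)[0]
    # Msgs 5-6 (encrypted under SKEYID_e): HASH_I / HASH_R authenticate msgs 1-4
    # after the fact. A peer holding a different PSK computes a different hash.
    hash_i = prf(skeyid_i, gxi_b + gxr_b + cky_i + cky_r + sai_b + idii_b)
    hash_r = prf(skeyid_r, gxr_b + gxi_b + cky_r + cky_i + sai_b + idir_b)
    r_ok = hmac.compare_digest(hash_i, prf(skeyid_r, gxi_b + gxr_b + cky_i + cky_r + sai_b + idii_b))
    i_ok = hmac.compare_digest(hash_r, prf(skeyid_i, gxr_b + gxi_b + cky_r + cky_i + sai_b + idir_b))
    return i_ok, r_ok
```

With matching secrets both checks pass; with mismatched secrets the DH channel still comes up, but neither HASH verifies, which is the "not a Certificate Authority"-style phase 1 failure class this thread is debugging seen from the protocol side.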