[Dshield] Checkpoint 4.1

Willy, Andrew AWilly at eSMIL.net
Tue Oct 5 18:49:31 GMT 2004


Thanks guys.  Below is the email I sent to their list, just in case a
Checkpoint wizard lurks around DShield and is feeling generous with his/her
expertise ..

-----------------------------

Good morning,

I am not a FW1 expert. I apologize in advance if I fumble with terminology
or leave out obviously pertinent information (obvious to an expert).

Recently, I was assigned the task of building a new Checkpoint 4.1 firewall.
Our existing box runs wonderfully, however, it is aging. We decided to move
the installation to a new machine. After a frustrating day of getting
objects and rules and other aspects transferred, I discovered everything
seemed to work on the new box as well as it did on the old one, except for
VPN. We have several methods of establishing tunnels, but since I believe
the problem is a general one, I will discuss just the method that is easiest
for me to try and troubleshoot, SecuRemote.

I am able with the SecuRemote client to 'Update Site', however when
establishing the tunnel, the client hangs on, "Exchanging Keys", and then
reports, "Communication with site : <ip address> has failed."

Assuming that this was because of some configuration issue related to moving
the installation, I decided to do a brand new install of Checkpoint on the
new machine. The new installation comes up and runs as I would expect, the
few rules I created work, except that I still cannot get VPN going in our
test environment. The SecuRemote client 'Update Site' works, but when the
tunnel pops, I get the same, "Communication with site : <ip address> has
failed."  The firewall logs don't show a failed connection or anything else
that may reveal a clue.  SecuRemote only offers its communication failed
explanation.

Considering that I can't get VPN to fire up if I use an old installation, or
a new one, I assume the problem lies with some crucial component that I'm
unaware of.  

Advice appreciated. 

Regards

Andrew

-----Original Message-----
From: MikeMackrill at BC.com [mailto:MikeMackrill at BC.com]
Sent: Tuesday, October 05, 2004 6:34 AM
To: list at lists.dshield.org
Subject: RE: [Dshield] Checkpoint 4.1


Try

 http://www.phoneboy.com/

Mike Mackrill, CISSP
Boise Cascade Corporation

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Willy, Andrew
Sent: Monday, October 04, 2004 5:42 PM
To: 'General DShield Discussion List'
Subject: [Dshield] Checkpoint 4.1


Hello everyone,

Do any of you know of a quality CheckPoint resource site?  I'm having a
problem that I can't figure out on my own, and the sites I did find
didn't have the information I needed.

Thanks in advance

Andrew

_______________________________________________
DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .
