It would be advisable to set the FW general IP to the external IP and the VPN link selection to the main (general) IP, then update the topology at the client. With this setup all traffic (VPN, ps logon, tunnel test) is directed to the external IP. When you do this and cannot install the policy, you need to investigate why; that could solve your other problem. Next, you need to be sure the FW is going to route the OM IPs back out the external interface.
________________________________
From: "Chau, P (Paul)" <[email protected]>
To: [email protected]
Sent: Thu, October 29, 2009 7:46:31 PM
Subject: Re: [FW-1] AW: Seeking help on VPN desktop policy

Hi Gary,

Tunnel test failed. Check Point SecureClient diagnostics showed:

phase1 established
Xauth established
Office Mode established
Phase 2 Established
Tunnel Test Error

In the log I could see FW1_ps_logon_NG decrypt. The gateway is a Solaris 9 machine. No cluster. Distributed installation. I mistakenly mentioned R60; it was R61 before. The upgrade to R65 seemed to work well for everything, but this ps_logon just did not work.

Regards,
Paul

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Gary Scott
Sent: Friday, 30 October 2009 10:22 AM
To: [email protected]
Subject: Re: [FW-1] AW: Seeking help on VPN desktop policy

Does your tunnel test succeed? From the client: /status/advanced/connection details. Have you enabled logging on the client and seen any problems there? Client version R60-hfa-02, seen with all clients? In the FW logs do you see the ps_logon decrypts from the client (not overly concerned with a separate telnet attempt on port 18231, but during the logon attempt)? How are your VPN link selection and general FW IPs defined? Is this a cluster, and what platform? Got the correct license and contract? Stand-alone or distributed? You were working OK on R60, then after the upgrade to R65 it broke?

________________________________
From: "Chau, P (Paul)" <[email protected]>
To: [email protected]
Sent: Thu, October 29, 2009 6:27:11 PM
Subject: Re: [FW-1] AW: Seeking help on VPN desktop policy

Hi Gary and Roger,

Thanks for your reply.

Roger, "Accept Remote Access control connections" was enabled, which I think is a default setting.

Gary, the OM IP was correctly assigned from the pool. All VPN connections to the internal network were good and seen in the log. A telnet to 18231 on the internal and external addresses was also seen as encrypted access in the log. However, only the telnet to the external address of the gateway was successful. At the other end, telnet to port 18231 on the internal address was successful from an internal non-VPN workstation, but not to the external address. Logs show both connections from the internal workstation accepted. It was an upgraded installation from R60.

Regards,
Paul

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Gary Scott
Sent: Thursday, 29 October 2009 10:54 PM
To: [email protected]
Subject: Re: [FW-1] AW: Seeking help on VPN desktop policy

Once the client connects to the gateway using the IP you have set in the VPN link selection, it will then try to pull the policy from whatever IP you have defined under the general properties for that gateway/policy server. I have seen this fail when the internal IP of the gateway was not included in the encryption domain, routing for the OM pool was not correct, or the client failed to get an OM IP. Are you able to get an OM IP? Can SecuRemote connect and get to the internal IP? I am assuming this is a distributed install. If you define the gateway with its external IP but cannot push a policy to it, it sounds like a routing/rule issue preventing you from doing this. If you define the gateway with the external IP and then do an fw unloadlocal, can you push policy then? Multiple times?

-GS

________________________________
From: Roger De Jonckheere <[email protected]>
To: [email protected]
Sent: Thu, October 29, 2009 5:09:50 AM
Subject: [FW-1] AW: Seeking help on VPN desktop policy

Hi Paul,

Have you turned on "Accept VPN-1 Power/UTM control connections" and then "Accept Remote Access control connections" in the Global Properties of your Management Server? Even when creating the necessary rules manually, I was experiencing problems with connectivity from the SecureClients to the gateway.

Hope this helps,
Roger

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Chau, P (Paul)
Sent: Thursday, 29 October 2009 01:32
To: [email protected]
Subject: [FW-1] Seeking help on VPN desktop policy

Hi,

We have a problem here with the desktop policy (connection issue). Our gateway is on NGX R65 with interfaces bge0 (inside) and bge1 (outside). VPN logon works, but the desktop policy is not working and the error "SecureClient failed to communicate with Policy Server" popped up. I checked the connectivity to 18231. After logon, the VPN client can connect to the address on bge1 but not to the address on bge0. Internally I can connect to the port on the address of bge0 but not on that of bge1. We tried to change the properties IP address to that of bge1, but could not push policy to the gateway. Can anyone point out any possible solution?

Regards,
Paul
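The telnet test the thread relies on, turned into a small probe that checks TCP 18231 on every gateway address and classifies the result the way Gary's reasoning does (the client pulls the desktop policy from the gateway's general IP, not from the link-selection IP it tunnelled to). This is an added example written for this page, not code from the thread or from Check Point; the interface names bge0/bge1 come from Paul's post, while the addresses 10.0.0.1 and 203.0.113.1 are constructed placeholders and the result labels are this example's own.

```python
"""Probe Check Point Policy Server reachability (TCP 18231, the service the
thread's logs show as FW1_ps_logon_NG) per gateway address and interpret
the outcome.

Added example, not from the mailing-list thread. The addresses in
GATEWAY_ADDRESSES are constructed placeholders (RFC 1918 / RFC 5737).
"""
import socket

PS_LOGON_PORT = 18231  # SecureClient -> Policy Server desktop-policy fetch

# Constructed sample: interface name -> address (not the poster's network).
GATEWAY_ADDRESSES = {
    "bge0_inside": "10.0.0.1",
    "bge1_outside": "203.0.113.1",
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes (the telnet test)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # refused, timed out, unroutable: all count as "not reachable"
        return False


def probe_policy_server(addresses: dict, port: int = PS_LOGON_PORT) -> dict:
    """Map each gateway interface name to whether port is reachable on it."""
    return {name: tcp_reachable(ip, port) for name, ip in addresses.items()}


def diagnose(results: dict, general_ip_iface: str) -> str:
    """Classify a probe run.

    The desktop policy is fetched from the address configured as the
    gateway's general IP, so that is the only address that has to be
    reachable from the client for ps_logon to work. Reaching some other
    interface (as in the thread: bge1 reachable, bge0 not) does not help.
    """
    if results.get(general_ip_iface):
        return "OK"
    if any(results.values()):
        # Tunnel is fine, but the policy-server address is the wrong one:
        # move the general IP to the reachable interface, or put the
        # current one into the encryption domain and fix OM-pool routing.
        return "GENERAL_IP_UNREACHABLE"
    return "NONE_REACHABLE"


def self_check() -> tuple:
    """Offline sanity check of tcp_reachable: probe a local listener while it
    is open, close it, then probe the same port again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print("self-check (open, closed):", self_check())
    # Run from the VPN client once the tunnel is up; pass the interface that
    # holds the gateway's general IP in SmartDashboard.
    results = probe_policy_server(GATEWAY_ADDRESSES)
    for iface, ok in results.items():
        print(f"{iface:13s} {GATEWAY_ADDRESSES[iface]:15s} {'reachable' if ok else 'NOT reachable'}")
    print("verdict:", diagnose(results, general_ip_iface="bge0_inside"))
```

Run it once from the connected SecureClient and once from an internal workstation; the thread's symptom is the client reaching bge1 only while the general IP sits on bge0, which this reports as GENERAL_IP_UNREACHABLE. The same probe on the internal workstation reaching bge0 only is expected and not itself a fault.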
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
Scanned by Check Point Total Security Gateway.
