Hi,
I have a problem with a configuration of 2 Nokia IP440s. The first one has
the management, firewall and FloodGate modules installed and the second only
the firewall and FloodGate modules.
When I want to log the FloodGate events of the second one (with the option
'Turn on Traffic Control Logging' in the VPN tab), I have the following
message: "connection broken while communicating with fw1 for ssl_opsec".
I checked the "control.map" but nothing seems strange, and I saw an interesting
white paper from Nokia (see below) explaining that the problem could be in
the "fwopsec.conf", but I don't know how to configure each file (the
management and the secondary one).
Any help on this problem would be appreciated.
Vincent ROY
------------------------------------------------
Resolution 3723
Error: Authentication with xxxx for command ssl_opsec failed
FloodGate
for version:
last update: 09/21/2000 14:34:28

This error message comes up during 'etmstart' while fetching the bandwidth
policy from the Management Module.

SOLUTION

These messages are generated because you have selected "Turn on Traffic
Control Logging" under the VPN tab of the Firewall workstation properties,
but have not set up the 'fwopsec.conf' files in the proper format for
collecting the logs from the FloodGate Module to the FloodGate Management
Module.

The FloodGate-1 Management Server can make one of the following types of
connections with the FloodGate Module:

1. Clear connection
   The FloodGate-1 Management Server and the FloodGate Module can transfer
   data without any restrictions.

2. Authenticated connection
   The FloodGate-1 Management Server and the FloodGate Module must verify
   each other's identities before any data can be transferred. A shared key,
   exchanged by 'fw putkey', is used to authenticate the FloodGate-1
   Management Server with the FloodGate Module.

3. Encrypted connection (using SSL - Secure Socket Layer)
   The data transferred between the FloodGate Module and the FloodGate-1
   Management Server is encrypted using a 3DES key. This is done only after
   the FloodGate Module is authenticated with the FloodGate-1 Management
   Server.

If the Firewall Module does not have the 3DES feature enabled, the
'ssl_opsec' method cannot be used, hence you have to modify 'opsec.conf' to
use either 'Clear connection' or 'auth_opsec'.

Here are examples of the 'opsec.conf' file for all the above 3 types:

1. For an encrypted connection

   ela_proxy auth_port 18187
   ela_proxy auth_type ssl_opsec
   ela_proxy fwd_machine localhost

2. For an authenticated connection

   ela_proxy auth_port 18187
   ela_proxy auth_type auth_opsec
   ela_proxy fwd_machine localhost

3. For a Clear connection

   ela_proxy auth_port 18187
   ela_proxy fwd_machine localhost

NOTE:
1. If either the 'auth_opsec' or 'ssl_opsec' method is used, make sure you
   have a successful 'putkey' operation performed on the Modules.
2. The ELA Proxy must be restarted on the Management Module after the
   'putkey' operation.
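As an added example (not part of the original post or of Check Point's own tools), here is a small Python checker that parses opsec.conf lines in the '<proxy> <key> <value>' form shown above and reports which of the three connection types each proxy uses, flagging the two failure modes the resolution describes. The `has_3des` flag and the second (lea_proxy) stanza in the sample are constructed assumptions, not values from the resolution.

```python
# Added example, not from the original post or Check Point. has_3des is a
# constructed stand-in for the 3DES feature check the resolution mentions.

# Constructed sample: the encrypted ela_proxy stanza from the resolution,
# plus a LEA proxy stanza with no auth_type, i.e. a clear connection.
SAMPLE_CONF = """\
ela_proxy auth_port 18187
ela_proxy auth_type ssl_opsec
ela_proxy fwd_machine localhost

lea_proxy auth_port 18184
lea_proxy fwd_machine localhost
"""

def parse_opsec_conf(text):
    """Return {proxy: {key: value}}; blank lines are skipped."""
    proxies = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError("unexpected opsec.conf line: %r" % raw)
        proxy, key, value = parts
        proxies.setdefault(proxy, {})[key] = value
    return proxies

def connection_type(settings):
    """No auth_type = clear; auth_opsec = authenticated; ssl_opsec = encrypted."""
    auth = settings.get("auth_type")
    if auth is None:
        return "clear"
    return {"auth_opsec": "authenticated", "ssl_opsec": "encrypted"}.get(auth, "unknown")

def audit(text, has_3des):
    """Return (proxy, type, note) per proxy, flagging the failure modes above."""
    report = []
    for proxy, settings in parse_opsec_conf(text).items():
        ctype = connection_type(settings)
        notes = []
        if ctype == "clear":
            notes.append("management server is not authenticated")
        if ctype == "encrypted" and not has_3des:
            notes.append("ssl_opsec needs the 3DES feature; use auth_opsec")
        if ctype in ("authenticated", "encrypted"):
            notes.append("needs a successful fw putkey and an ELA proxy restart")
        report.append((proxy, ctype, "; ".join(notes)))
    return report
```

Run `audit(SAMPLE_CONF, has_3des=False)` to see the ssl_opsec stanza flagged exactly as the resolution predicts for a module without the 3DES feature.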