Managing VPN without VPN-1 Pro/Express Control Connections



Yasushi Kono
2006-11-17, 13:15
Hi eXperts,

I am trying to create a Site-to-Site VPN rule without using any of the VPN-1 Pro/Express Control Connections (or VPN-1 Power/UTM Control Connections).

To make it short: I did not succeed in doing that. If you click the option within the Global Properties mentioned above, you will notice that the following implied rule is created:

Source: MemberGW.EncDom@MyIntranet
Destination: MemberGW.EncDom@MyIntranet
Service: EncryptedServices@MyIntranet
Action: Encrypt&Continue

How could you create this rule as an explicit one?

It is challenging for me to figure out the Action "Encrypt&Continue".

Thank you in advance.

By the way: If you do not use VPN at all, I can manage it without any implied rules! Not challenging at all, as you might have experienced already.

Kind regards,
Yasushi

wujido
2006-11-18, 18:45
The specific implied rule you are mentioning I believe has nothing to do with the implied rules enabled via global properties, but is a property in the VPN community itself. If enabled, it will accept all encrypted traffic between domains of the peers in question. However, even with this enabled, you would still need to allow IKE in the rulebase, amongst other services, if you disable the global implied rules.

There should be an SK about how to create rules for implied connections.

Porter
2006-11-19, 06:23
I always run into problems when I disable the implied rules with current releases; in the past, e.g. V4.1 or NG, it was fine when creating the rules manually that are needed.

Yasushi Kono
2006-11-19, 09:53
Hi Wujido,

Of course I tried several options before posting this problem here. I created the rules for IKE, IPSec and FW1_key because it did not work.
The implied VPN rule I mentioned can be made visible by clicking on View -> VPN Rules. I tested that without creating a VPN Community, so it must be an implied rule created by "Accept VPN-1 Power/UTM Control Connections".

The point is: If you enable the Control connections, VPN works immediately.

So, any other hints? They will be highly appreciated.

Thank you in advance,
Yasushi

Acidio
2006-11-19, 20:56
Hi Yasushi,

We do exactly what you're attempting to do. Try adding the following services to a group.
AH
ESP
IKE
IKE_TCP
IKE_NAT_Traversal
FW_PSLogon
FW_PSLogon_NG
FW1_Topo
Tunnel_Test

Not all of these will be required - depending on your implementation.

Also, two other things:
1) Ensure your VPN services rule is above your stealth rule (easy one to overlook)
2) If you are using simplified mode ensure you have IKE listed in the excluded services
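The two pitfalls Acidio names (VPN services rule below the stealth rule, service group missing what the tunnel needs) are easy to check mechanically. The following is an added example, not code from the thread or from Check Point: it models an explicit rule base with a minimal Rule class (an assumption; real rule bases have more fields) and lints it for those two mistakes.

```python
from dataclasses import dataclass

# Gateway-to-gateway services named in the thread; which subset a given
# deployment needs is passed in by the caller (e.g. NAT-T only behind NAT).
VPN_CONTROL_SERVICES = frozenset({"AH", "ESP", "IKE", "IKE_TCP", "IKE_NAT_Traversal",
                                  "FW_PSLogon", "FW_PSLogon_NG", "FW1_Topo", "Tunnel_Test"})

@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset        # object names; "Any" is a wildcard
    dst: frozenset
    services: frozenset
    action: str           # "accept" or "drop"

def _touches_gateways(objs, gateways):
    return "Any" in objs or bool(objs & gateways)

def lint_vpn_rulebase(rules, gateways, required):
    """Return findings as a list of strings; an empty list means both checks pass."""
    stealth = vpn = None
    for i, r in enumerate(rules):
        if stealth is None and r.action == "drop" and _touches_gateways(r.dst, gateways):
            stealth = i                   # first rule that drops traffic aimed at a gateway
        if (vpn is None and r.action == "accept" and r.src <= gateways
                and r.dst <= gateways and r.services & VPN_CONTROL_SERVICES):
            vpn = i                       # first gateway-to-gateway rule carrying VPN services
    if vpn is None:
        return ["no explicit gateway-to-gateway rule accepting VPN services"]
    findings = []
    if stealth is not None and stealth < vpn:
        findings.append(f"stealth rule '{rules[stealth].name}' is above VPN rule '{rules[vpn].name}'")
    missing = frozenset(required) - rules[vpn].services
    if missing:
        findings.append("VPN rule is missing services: " + ", ".join(sorted(missing)))
    return findings

# Constructed sample rule base (not from the thread) with the stealth rule on top.
GATEWAYS = frozenset({"GW_HQ", "GW_Branch"})
SAMPLE_RULES = [
    Rule("stealth", frozenset({"Any"}), GATEWAYS, frozenset({"Any"}), "drop"),
    Rule("vpn-services", GATEWAYS, GATEWAYS, frozenset({"IKE", "ESP"}), "accept"),
]

def demo():
    return lint_vpn_rulebase(SAMPLE_RULES, GATEWAYS, {"IKE", "ESP", "IKE_NAT_Traversal"})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Swapping the two rules in SAMPLE_RULES and adding IKE_NAT_Traversal to the accept rule makes demo() return an empty list.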

Yasushi Kono
2006-11-21, 05:49
Hi Acidio,

Thank you for your reply. I finally managed to create a VPN tunnel without the implied rules. I tested that with the R60 SmartCenter Server. When I tried that with R62, it did not work, but I cannot find the misconfiguration error anymore as I reinstalled the SmartCenter from scratch.

So, I know that it works!

Thanks again!
Kind regards,
Yasushi