Re: Client Encryption: Failed to generate reply

[Jack Coates <jcoates () rainfinity com>]

Hi Greg,

As I understand it, FWZ keys aren't synchronized by the CPFW-1 gateway
cluster object, so it won't work with the nice transparent failover
functions. You can do FWZ with non-transparent failover by using sticky
IPs, though it's not the most scalable solution. Best thing is to use
that as a stopgap and start migrating to IPSec.

HTH,
-- 
Jack Coates, Rainfinity SE
t: 408-382-4860 m: 650-280-4376

Greg Polanski wrote:
> I have just completed an installation and configuration
> of Rainwal 1.3, build 38 on Solaris 2.7 and Checkpoint 4.1 SP2.
> Hide NAT and SecuRemote IP Pools are working.
>
> The secret for SecuRemote is adding the phrase,
>         :ip_pool_vpn (true)
> to objects.C (page 250 of the Jan 2000 VPN manual.)
>
> IKE Hybrid authentication works with SecurID.
>
> FWZ authentication fails
> FW log:
>         reason Client Encryption:
>         Failed to generate reply to client request
>
> User's desktop
>         Error:  No answer received from a Firewall at site ....
>         If this problem persists, please contact your system
>         administrator.
>
> Where should I look to fixing VPN for FWZ users?
>
> greg
>
> _______________________________________________________________
> Greg Polanski                    mailto:greg_polanski () adc com
> ADC Telecommunications, Inc.     952-946-2270
> MS 85                            952-946-2465 FAX
> PO Box 1101                      612-538-1833 pager
> Minneapolis, MN  55440-1101      6125381833 () minncommpaging com
> _______________________________________________________________

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards