Post Info TOPIC: NG AI R55: ike_use_largest_possible_subnets


NG AI R55: ike_use_largest_possible_subnets


After upgrading to R55 I got stuck on Checkpoint's "supernetting" feature, and my tunnels to the Zywalls did not work anymore until I used the same supernet definition there. This feature is described in detail at "http://www.phoneboy.com/bin/view.pl/FAQs/ContiguousSubnetsInEncryptionDomain". I also tried to set "ike_use_largest_possible_subnets" to "false", but then Checkpoint tried to send the dedicated host address for which it is encrypting as the ID, and IKE negotiations failed again.

It looks like this parameter is still not working correctly with NG AI R55. Does anybody have other experience, or can anyone tell me how to set it so that NG behaves like 4.1 and always uses the corresponding subnet as the ID for IKE negotiations?

Regards
Manfred


 


 



__________________



You can manually set the subnets you want to use:


Please upgrade to FP3 HF2 and perform the following:
Configure the "max_subnet_for_range" table in $FWDIR/lib/user.def on the management (SmartCenter).

Table name and format:

max_subnet_for_range = {
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
...
<first_IP_in_range, last_IP_in_the_range; subnet_mask>
};

The network and subnet for IKE negotiation will be determined according to the table above. The host's IP will be matched against the relevant entry in this table, and that entry's subnet will be used for negotiation.
For ranges not specified in the table, the subnet mask will be determined as if ike_use_largest_possible_subnets were set to "true", wherever relevant.



__________________
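Added example, not part of the thread and not Check Point code: a small Python check that parses a max_subnet_for_range table in the format quoted above and reports which subnet each host would map to, so the same networks can be configured on the peer gateway. The sample addresses are constructed, and deriving the network by ANDing the host address with the entry's mask is an assumption based on the reply's description.

```python
import ipaddress
import re

# Constructed sample table in the format quoted in the reply (values are made up).
SAMPLE_TABLE = """
max_subnet_for_range = {
<10.1.0.0, 10.1.255.255; 255.255.255.0>,
<192.168.10.0, 192.168.10.255; 255.255.255.128>
};
"""

ENTRY_RE = re.compile(r"<\s*([\d.]+)\s*,\s*([\d.]+)\s*;\s*([\d.]+)\s*>")

def parse_table(text):
    """Return (first_ip, last_ip, mask) tuples; raise ValueError on bad entries."""
    entries = []
    for first, last, mask in ENTRY_RE.findall(text):
        first_ip, last_ip = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        # Rejects malformed or non-contiguous masks with ValueError.
        ipaddress.IPv4Network(f"0.0.0.0/{mask}")
        if first_ip > last_ip:
            raise ValueError(f"range start {first} is above range end {last}")
        entries.append((first_ip, last_ip, ipaddress.IPv4Address(mask)))
    return entries

def ike_subnet_for_host(host, entries):
    """Subnet the table selects for host, or None when no range matches
    (the reply says ike_use_largest_possible_subnets behaviour applies then)."""
    ip = ipaddress.IPv4Address(host)
    for first_ip, last_ip, mask in entries:
        if first_ip <= ip <= last_ip:
            # Assumption: network = host address ANDed with the entry's mask.
            return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return None

def overlapping_ranges(entries):
    """Adjacent entries (sorted by start) whose ranges overlap: ambiguous match."""
    ordered = sorted(entries)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b[0] <= a[1]]

if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for host in ("10.1.5.20", "192.168.10.200", "172.16.0.1"):
        print(host, "->", ike_subnet_for_host(host, table))
    print("overlaps:", overlapping_ranges(table))
```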