Frequently Asked Questions


The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form. You will also  gain access to thousands of  other  FAQs at ITFAQnet.com.

1. Why can't I ping such-and-such host in my peer's VPN domain?

2. What does "No response from peer: Scheme IKE" mean when it appears in logs during VPN testing?

3. What does the error message "No proposal chosen" mean?

4. I want my salespeople to be able to log on and browse my NT domain from the field. How can I do this?

5. I have a really large network, with a lot of VPN traffic to and from multiple VPN domains, and I notice frequent connection interruptions. Why is this?

6. What does "gateway connected to both endpoints" mean?

Answers

1. This may not be allowed by policy. Check your policy's Global Properties and make sure that ICMP is not being accepted first, before any encryption rules. Try a different protocol if you have no control over the peer policy (for example, Telnet to port 25 on a mail server in the peer's VPN domain).

2. Confirm that fwd and isakmpd are running on your peer gateway. isakmpd listens on UDP port 500; you can use the netstat command to double-check this (on both UNIX and Windows platforms). This message is also seen when the remote VPN peer does not respond to the firewall's request to establish a secure tunnel.

3. The properties of the two encryption rules differ in some way, or one gateway supports an encryption method that the other doesn't.

4. See the section on Secure Domain Logon in this chapter.

5. Check to make sure that Key Exchange for Subnets is enabled. Check the size of the connection table. Check gateway memory usage and processor load (fw tab -t connections -s and fw ctl pstat).

6. This message usually appears due to broadcast traffic that is generated on your internal network. If your encryption rule has your local network in both the source and destination, and the local network object has Broadcast address included checked in the network properties General tab, you may receive these messages. They are harmless and merely state that the source and destination of this traffic match the encryption rule, but both endpoints are connected locally; therefore no encryption will take place.




Check Point NG[s]AI
ISBN: 735623015
EAN: N/A
Year: 2004
Pages: 149
