Sending proxy ID type 4 0.0.0.0/0.0.0.0 --How can I populate these BM3.8

I have narrowed a previous issue to this problem. My IPsec compliant firewall (PIX) expects these to have values populated (I'm assuming that they should contain the IP and subnets of the BM38 server and the other firewall).

The IKE screen on the BM3.8 server reports "Sending proxy ID type 4 0.0.0.0/0.0.0.0".

The PIX reports "testpix(config)# IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 192.168.1.1, src= 192.168.1.2,
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported"

Bm3.8 to PIX 501.

Sorry for the dual(ish) post, but I'm in a bind and I thought this portion of the issue might have a broader audience than my earlier grasping at straws.

Gus





Gus
12/2/2003 6:00:41 PM
novell.bordermanager.vpn

14 Replies
1370 Views


<<The PIX reports "testpix(config)# IPSEC(validate_proposal_request): proposal part #1,


It looks to be some policy mismatch between NBM and PIX. There are two ways of resolving this issue:

1. Try configuring an any-to-any rule in PIX501, OR
2. Configure a 'protected network to protected network' traffic rule on both sides, in NBM and PIX, like 1.0.0.0/255.0.0.0 to 2.0.0.0/255.0.0.0, assuming 1.0.0.0 is protected by the NBM38 server and 2.0.0.0 is protected by PIX501.

Thanks

gonzalo




mysterious
12/3/2003 11:21:57 AM
Gonzalo,
I've got traffic policies for both in both as well as a "sysopt connection permit-ipsec" on the PIX. Filters down on the BM server. The PIX, it appears, does not know how to handle the 0.0.0.0/0.0.0.0 from the BM server since its destination and source are populated. I have removed and recreated the PIX in the site-site configuration on the BM 3.8 server and reconfigured the PIX several times. No matter what other errors I cause during creation of either, I seem to always arrive at the same error in the end. Do you know where the BM server reads the data from to fill the "Proxy ID type 4" fields, or do you know if they are always blank? I will delete and recreate the Master VPN server in a little while and see if that helps.

Thanks for your help.
Gus





Gus
12/3/2003 3:08:14 PM
Gus

these messages can be interpreted as follows:

Proxy ID type 4 is IPV4 SUBNET
first 0.0.0.0/0.0.0.0 is that source ID is ' any'
second 0.0.0.0/0.0.0.0 is that destination ID is ' any'

Did you try the exact steps mentioned in my previous email?

It would be interesting too to see the csaudit log file from when the two servers try to communicate.

Thanks

gonzalo




mysterious
12/3/2003 3:22:15 PM
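As an added example (not code from the thread, nor from Novell or Cisco), a Python model of the phase-2 proxy-ID check Gonzalo describes: it encodes and decodes the IKEv1 ID payload whose type 4 means ID_IPV4_ADDR_SUBNET, then runs a simplified responder-side comparison that returns NO_PROPOSAL_CHOSEN when the initiator's 0.0.0.0/0.0.0.0 selectors do not equal a specific policy and accepts them against an any-to-any policy. The policy lists, the exact-match rule, and the 1.0.0.0/8 and 2.0.0.0/8 networks are constructed from Gonzalo's two options, not taken from either device.

```python
import ipaddress
import struct

# ISAKMP identification types from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1         # single host address
ID_IPV4_ADDR_SUBNET = 4  # address + netmask: "proxy ID type 4" in the BM log
NOTIFY_NO_PROPOSAL_CHOSEN = 14  # the notify the BM csaudit log shows coming back


def build_id_payload(addr, mask="255.255.255.255", proto=0, port=0, next_payload=0):
    """Encode an IKEv1 phase-2 (quick mode) ID payload.

    Wire layout: next_payload(1) reserved(1) length(2) id_type(1) proto(1) port(2) data.
    A host mask is sent as type 1 (4 data bytes); any other mask as type 4 (addr||mask).
    """
    a = ipaddress.IPv4Address(addr).packed
    m = ipaddress.IPv4Address(mask).packed
    if m == b"\xff\xff\xff\xff":
        id_type, data = ID_IPV4_ADDR, a
    else:
        id_type, data = ID_IPV4_ADDR_SUBNET, a + m
    header = struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, proto, port)
    return header + data


def parse_id_payload(buf):
    """Decode an ID payload into the addr/mask/proto/port (type=N) form the PIX prints."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its 8-byte header")
    _next, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("bad ID payload length %d" % length)
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        addr, mask = data, b"\xff\xff\xff\xff"
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        addr, mask = data[:4], data[4:]
    else:
        raise ValueError("unsupported ID type %d with %d data bytes" % (id_type, len(data)))
    return {"type": id_type, "addr": str(ipaddress.IPv4Address(addr)),
            "mask": str(ipaddress.IPv4Address(mask)), "proto": proto, "port": port}


def as_network(pid):
    """0.0.0.0/0.0.0.0 becomes 0.0.0.0/0 and 1.0.0.0/255.0.0.0 becomes 1.0.0.0/8."""
    return ipaddress.IPv4Network("%s/%s" % (pid["addr"], pid["mask"]), strict=False)


def validate_proposal(init_src, init_dst, policies):
    """Simplified model of the responder's check (the PIX's validate_proposal_request).

    `policies` is a list of (local_net, remote_net) strings the responder protects.
    The initiator's source ID must equal the responder's remote side, its destination
    ID the local side, and protocol/port must be 0 (any). Returns a BM-log style
    notify string on mismatch. Real stacks may also accept narrower selectors.
    """
    src, dst = parse_id_payload(init_src), parse_id_payload(init_dst)
    if (src["proto"], src["port"], dst["proto"], dst["port"]) != (0, 0, 0, 0):
        return "NO_PROPOSAL_CHOSEN : %d" % NOTIFY_NO_PROPOSAL_CHOSEN
    for i, (local_net, remote_net) in enumerate(policies):
        if (as_network(src) == ipaddress.IPv4Network(remote_net)
                and as_network(dst) == ipaddress.IPv4Network(local_net)):
            return "matched policy %d" % i
    return "NO_PROPOSAL_CHOSEN : %d" % NOTIFY_NO_PROPOSAL_CHOSEN


# Constructed scenario mirroring the thread: BM 3.8's default rule offers any/any ...
BM_ANY_SRC = build_id_payload("0.0.0.0", "0.0.0.0")
BM_ANY_DST = build_id_payload("0.0.0.0", "0.0.0.0")
# ... against a PIX that (Gonzalo's option 2) protects 2.0.0.0/8 and expects 1.0.0.0/8
PIX_SPECIFIC = [("2.0.0.0/8", "1.0.0.0/8")]
# Gonzalo's option 1: an any-to-any rule on the PIX
PIX_ANY = [("0.0.0.0/0", "0.0.0.0/0")]
# Option 2 applied on the BM side too, so it now sends the real networks
BM_NET_SRC = build_id_payload("1.0.0.0", "255.0.0.0")
BM_NET_DST = build_id_payload("2.0.0.0", "255.0.0.0")

if __name__ == "__main__":
    print(parse_id_payload(BM_ANY_SRC))
    print("any/any vs specific:  ", validate_proposal(BM_ANY_SRC, BM_ANY_DST, PIX_SPECIFIC))
    print("any/any vs any-to-any:", validate_proposal(BM_ANY_SRC, BM_ANY_DST, PIX_ANY))
    print("net/net vs specific:  ", validate_proposal(BM_NET_SRC, BM_NET_DST, PIX_SPECIFIC))
```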
Gonzalo,

I have an any-any for IP and TCP on the PIX configured for the inside and also the outside interface. I did not want to have an issue with permissions. I apologize for not including that in my previous response.

Here are the last few minutes. You can have all you want, but it is much of the same. Thanks for your help.

VPN      -- Wed Dec  3 09:57:30 2003

   PFS  NOT ENABLED -  DELETING ALL IPSEC SA

VPN      -- Wed Dec  3 09:57:22 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:57:22 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:57:22 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:57:06 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:57:06 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:57:06 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:56:54 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:56:54 2003

   Received notify message of type  IPSEC_RESPONDER_LIFETIME : 24576
from
   192.168.1.1

VPN      -- Wed Dec  3 09:56:54 2003

   Received notify message of type  IPSEC_CONTACT : 24578 from
192.168.1.1

VPN      -- Wed Dec  3 09:56:54 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:56:54 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:56:54 2003

   IKE SA was created successfully with 192.168.1.1, encr = 3DES, SA
   lifetime = 28800 sec

VPN      -- Wed Dec  3 09:56:54 2003

   Final IKE SA (phase 1) lifetime is 28800 secs

VPN      -- Wed Dec  3 09:56:54 2003

   Not an NMAS user but preshared key authentication  -use default
traffic
   rule

VPN      -- Wed Dec  3 09:56:54 2003

   Received MM ID type: 2 protocol : 17 portnum: 500 length 27

VPN      -- Wed Dec  3 09:56:54 2003

   IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800

VPN      -- Wed Dec  3 09:56:36 2003

   PFS  NOT ENABLED -  DELETING ALL IPSEC SA

VPN      -- Wed Dec  3 09:56:34 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:56:34 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:56:18 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:56:18 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:56:02 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:56:02 2003

   Received notify message of type  IPSEC_RESPONDER_LIFETIME : 24576
from
   192.168.1.1

VPN      -- Wed Dec  3 09:56:02 2003

   Received notify message of type  IPSEC_CONTACT : 24578 from
192.168.1.1

VPN      -- Wed Dec  3 09:56:02 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:56:02 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:56:02 2003

   IKE SA was created successfully with 192.168.1.1, encr = 3DES, SA
   lifetime = 28800 sec

VPN      -- Wed Dec  3 09:56:02 2003

   Final IKE SA (phase 1) lifetime is 28800 secs

VPN      -- Wed Dec  3 09:56:02 2003

   Not an NMAS user but preshared key authentication  -use default
traffic
   rule

VPN      -- Wed Dec  3 09:56:02 2003

   Received MM ID type: 2 protocol : 17 portnum: 500 length 27

VPN      -- Wed Dec  3 09:56:02 2003

   IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800

VPN      -- Wed Dec  3 09:56:02 2003

   PFS  NOT ENABLED -  DELETING ALL IPSEC SA

VPN      -- Wed Dec  3 09:55:44 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:55:44 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:55:44 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:55:30 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:55:30 2003

   Received notify message of type  IPSEC_RESPONDER_LIFETIME : 24576
from
   192.168.1.1

VPN      -- Wed Dec  3 09:55:30 2003

   Received notify message of type  IPSEC_CONTACT : 24578 from
192.168.1.1

VPN      -- Wed Dec  3 09:55:30 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:55:30 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:55:30 2003

   IKE SA was created successfully with 192.168.1.1, encr = 3DES, SA
   lifetime = 28800 sec

VPN      -- Wed Dec  3 09:55:30 2003

   Final IKE SA (phase 1) lifetime is 28800 secs

VPN      -- Wed Dec  3 09:55:30 2003

   Not an NMAS user but preshared key authentication  -use default
traffic
   rule

VPN      -- Wed Dec  3 09:55:30 2003

   Received MM ID type: 2 protocol : 17 portnum: 500 length 27

VPN      -- Wed Dec  3 09:55:28 2003

   IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800

VPN      -- Wed Dec  3 09:55:16 2003

   PFS  NOT ENABLED -  DELETING ALL IPSEC SA

VPN      -- Wed Dec  3 09:55:12 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:55:12 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:55:12 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:54:56 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:54:56 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:54:56 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:54:42 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:54:42 2003

   Received notify message of type  IPSEC_RESPONDER_LIFETIME : 24576
from
   192.168.1.1

VPN      -- Wed Dec  3 09:54:42 2003

   Received notify message of type  IPSEC_CONTACT : 24578 from
192.168.1.1

VPN      -- Wed Dec  3 09:54:42 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:54:42 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:54:42 2003

   IKE SA was created successfully with 192.168.1.1, encr = 3DES, SA
   lifetime = 28800 sec

VPN      -- Wed Dec  3 09:54:42 2003

   Final IKE SA (phase 1) lifetime is 28800 secs

VPN      -- Wed Dec  3 09:54:42 2003

   Not an NMAS user but preshared key authentication  -use default
traffic
   rule

VPN      -- Wed Dec  3 09:54:42 2003

   Received MM ID type: 2 protocol : 17 portnum: 500 length 27

VPN      -- Wed Dec  3 09:54:42 2003

   IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800

VPN      -- Wed Dec  3 09:54:28 2003

   PFS  NOT ENABLED -  DELETING ALL IPSEC SA

VPN      -- Wed Dec  3 09:54:24 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:54:24 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:54:24 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:54:08 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:54:08 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:54:08 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:53:52 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:53:52 2003

   Received notify message of type  IPSEC_RESPONDER_LIFETIME : 24576
from
   192.168.1.1

VPN      -- Wed Dec  3 09:53:52 2003

   Received notify message of type  IPSEC_CONTACT : 24578 from
192.168.1.1

VPN      -- Wed Dec  3 09:53:52 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:53:52 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:53:52 2003

   IKE SA was created successfully with 192.168.1.1, encr = 3DES, SA
   lifetime = 28800 sec

VPN      -- Wed Dec  3 09:53:52 2003

   Final IKE SA (phase 1) lifetime is 28800 secs

VPN      -- Wed Dec  3 09:53:52 2003

   Not an NMAS user but preshared key authentication  -use default
traffic
   rule

VPN      -- Wed Dec  3 09:53:52 2003

   Received MM ID type: 2 protocol : 17 portnum: 500 length 27

VPN      -- Wed Dec  3 09:53:52 2003

   IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800

VPN      -- Wed Dec  3 09:53:38 2003

   PFS  NOT ENABLED -  DELETING ALL IPSEC SA

VPN      -- Wed Dec  3 09:53:36 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:53:36 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:53:36 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:53:20 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:53:20 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:53:20 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:53:06 2003

   Received notify message of type  NO_PROPOSAL_CHOSEN : 14 from
   192.168.1.1

VPN      -- Wed Dec  3 09:53:06 2003

   Received notify message of type  IPSEC_RESPONDER_LIFETIME : 24576
from
   192.168.1.1

VPN      -- Wed Dec  3 09:53:06 2003

   Received notify message of type  IPSEC_CONTACT : 24578 from
192.168.1.1

VPN      -- Wed Dec  3 09:53:06 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:53:06 2003

   Sending proxy id :Type 4  0.0.0.0/0.0.0.0

VPN      -- Wed Dec  3 09:53:06 2003

   IKE SA was created successfully with 192.168.1.1, encr = 3DES, SA
   lifetime = 28800 sec

VPN      -- Wed Dec  3 09:53:06 2003

   Final IKE SA (phase 1) lifetime is 28800 secs

VPN      -- Wed Dec  3 09:53:06 2003

   Not an NMAS user but preshared key authentication  -use default
traffic
   rule

VPN      -- Wed Dec  3 09:53:06 2003

   Received MM ID type: 2 protocol : 17 portnum: 500 length 27

VPN      -- Wed Dec  3 09:53:04 2003

   IKE SA NEGOTIATION - Peer lifetime is: 28800 My lifetime is: 28800

VPN      -- Wed Dec  3 09:53:04 2003

   PFS  NOT ENABLED -  DELETING ALL IPSEC SA

Thanks again,
Gus





Gus
12/3/2003 4:01:51 PM
Gus

<<I have an any-any for IP and TCP on the PIX configured for the inside and
<<also the outside interface.

do you have the same for border?

Gonzalo




mysterious
12/3/2003 4:12:31 PM
Yes, any interface to any interface IP all ports and any to any all ports TCP.
"mysterious" <morera@globalxs.nl> wrote in message
news:3FCE0B6E.2939B5C7@globalxs.nl...
> Gus
>
> <<I have an any-any for IP and TCP on the PIX configured for the
inside
> and
> <<also the outside interface.
>
> do you have the same for border?
>
> Gonzalo
>





Gus
12/3/2003 4:32:28 PM
I am also seeing a "NOTIFY message 14 protocol 3" occurring on the PIX. I did have a mismatch in my "key lifetime" which I corrected. Both devices are now set to 28800.





Gus
12/3/2003 7:43:41 PM
Gus

From the csaudit logs, it appears that the PIX 501's IP address is not configured, so BM is trying to pick up the default traffic rule. Maybe you have schema problems and the changes in iManager are not saved. If you go to the VPN server console and type options 3 and 4, what do you see? Can you post it here?

Thanks

Gonzalo






mysterious
12/4/2003 8:38:47 AM
Sorry, what screen on the console? I deleted the VPN site-site config, servers, and deleted all NDS objects including TRC and TRO and SSL certificates. Performed full dsrepair until no errors, checked to be sure there were no outstanding external references. Reset server and recreated VPN server, site-site master server, and re-added 3rd party server to site-site configuration. Still the same error. I keep thinking I'm missing something simple. Thanks for your continued assistance.
"mysterious" <morera@globalxs.nl> wrote in message
news:3FCEF296.5719F2E4@globalxs.nl...
> Gus
>
> From the csaudit logs, it appears to be that PIX 501's IP address is
not
> configured, so BM it is trying to pick up the default traffic rule.
> Maybe you have a schema problems and the changes in imanager are not

> saved. If you go to the vpn server console and type options 3 and 4,

> what do you see? can you post it here?
>
> Thanks
>
> Gonzalo
>
>
>





Gus
12/4/2003 6:14:04 PM
<<Sorry, What screen on the console?

At the server console type _vpn and you will get the VPN screens.

Gonzalo




Mysterious
12/4/2003 6:18:09 PM
Thanks, I'm a VPN rookie.  Node 1 is the BM3.8 server.

Node 1
Address = 192.168.1.2
Version = 3
IP Tunnel Active = 0
IPX Tunnel Active = 0
Vendor = 0
IPTunnel Active = 0
Found Bit = 0
KeyInfo: SecurityCapabilities = 1100001 01111111 00000000 01111111
KeyInfo: Preferred Security = 1100000 00100100 00000000 01000011
KeyInfo: Security to Use = 1100000 00000100 00000000 00000011

Node 2
Address = 192.168.1.1
Version = 2
IP Tunnel Active = 0
IPX Tunnel Active = 1
Vendor = 1
IPTunnel Active = 1
Found Bit = 0
KeyInfo: SecurityCapabilities = 100001 01110000 00000000 01100001
KeyInfo: Preferred Security = 100000 00100000 00000000 01000001
KeyInfo: Security to Use = 100000 00100000 00000000 01000001

Gus
12/4/2003 7:06:45 PM
I thought 7 and 8 might help as well.


vpnConsole: displayS2sTrafficRules
========S2S Traffic Rule 1
ruleEnabled = 1
ruleType = 2
rulePriority = 254
pObjectDN = Default_Traffic_Rule.VPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
condObjectDNArray[0]  is NULL
condObjectDNArray[1]  is NULL
pcondObjectDNArray = Service.Default_Traffic_Rule.VPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
condObjectDNArray[3]  is NULL
Service Condition:
anyService = 1
examineMethod = 0
protocolSuite = 0
IPProtocol = 0
clientOrSourcePort = -1
serverOrDestPort = -1
DestinationCondition
Anydest = 0
AnyHost = 0
SecurityDomain = 0
pIPAddrList is NULL
destcondition.pMaskIPAddrList is NULL
destcondition.pIPAddrRangeList is NULL
ThirdParty Source Condition:
 PeerAddress =    0

AnyHost = 0
AnyDest = 0
SecurityDomain = 0
pIPAddrList is NULL
pDNSNameList is NULL
sourcecondition.pMaskIPAddrList is NULL
sourcecondition.pIPAddrRangeList is NULL
Action Condition:
vpnAction = 2
vpnMode = 1
lifeSecs = 7200
lifeKB = 0
algorithmVersion = 1
numAlgorithms = 1
Auth Algo = 3, ESP Algo = 1
========End of S2S Traffic Rules==========

vpnConsole: displayS2s3rdPartyTrafficRules
========S2S Traffic Rule 1
ruleEnabled = 1
ruleType = 3
rulePriority = 255
pObjectDN = TestPix_DEFAULT_RULE.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
pcondObjectDNArray = Source.TestPix_DEFAULT_RULE.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
pcondObjectDNArray = Destination.TestPix_DEFAULT_RULE.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
condObjectDNArray[2]  is NULL
condObjectDNArray[3]  is NULL
Service Condition:
anyService = 0
examineMethod = 0
protocolSuite = 0
IPProtocol = 0
clientOrSourcePort = 0
serverOrDestPort = 0
DestinationCondition
Anydest = 1
AnyHost = 1
SecurityDomain = 0
pIPAddrList is NULL
destcondition.pMaskIPAddrList is NULL
destcondition.pIPAddrRangeList is NULL
ThirdParty Source Condition:
 PeerAddress = 101A8C0

AnyHost = 1
AnyDest = 1
SecurityDomain = 0
pIPAddrList is NULL
pDNSNameList is NULL
sourcecondition.pMaskIPAddrList is NULL
sourcecondition.pIPAddrRangeList is NULL
Action Condition:
vpnAction = 2
vpnMode = 1
lifeSecs = 7200
lifeKB = 0
algorithmVersion = 1
Auth Algo = 3, ESP Algo = 1
========End of S2S Traffic Rules==========

vpnConsole: displayS2SIPSECPolicies
pPolicyObjectDN = Default_Traffic_Rule.VPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
policy = D1419A40
 sa is NULL
sel_src_type = 10001 10000000
sel_dst_type = 10001 10000000
sel_src = 0
sel_src2 = 0
sel_dst = 0
sel_dst2 = 0
sel_src_port = 0
sel_dst_port = 0
sel_protocol = 0
ESP_Encryption Alg = 3
ESP_Auth Alg Alg = 1
AH Alg = 0
IPSec_encap_mode = 1
SA_life_type = 1
SA_life_seconds = 1C20
SA_life_kbytes = 0
=======





Gus
12/4/2003 7:18:44 PM
gus

<<========S2S Traffic Rule 1
ruleEnabled = 1
ruleType = 3
rulePriority = 255
pObjectDN = TestPix_DEFAULT_RULE.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC


When you add the PIX to BM it will create a default rule automatically, and this is the one and only one showing here. Now you have to create another one on top of this one. Create a traffic rule with source as any network and destination as any network (for testing; if that works you can specify the sources and destination as the networks protected by the servers). Similar or matching traffic rules (or policies) should be configured on the PIX.

Gonzalo




Mysterious
12/4/2003 8:03:24 PM
gonzalo,
Does rule 2 meet the requirement? Thanks for all of your help. I will double check the rules on the PIX as I think this is the correct rule and I am still seeing the problem.
Gus

vpnConsole: displayS2s3rdPartyTrafficRules
========S2S Traffic Rule 1
ruleEnabled = 1
ruleType = 3
rulePriority = 0
pObjectDN = testpix.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
pcondObjectDNArray = Source.testpix.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
pcondObjectDNArray = Destination.testpix.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
condObjectDNArray[2]  is NULL
condObjectDNArray[3]  is NULL
Service Condition:
anyService = 0
examineMethod = 0
protocolSuite = 0
IPProtocol = 0
clientOrSourcePort = 0
serverOrDestPort = 0
DestinationCondition
Anydest = 1
AnyHost = 1
SecurityDomain = 0
pIPAddrList is NULL
destcondition.pMaskIPAddrList is NULL
destcondition.pIPAddrRangeList is NULL
ThirdParty Source Condition:
 PeerAddress = 101A8C0

AnyHost = 1
AnyDest = 1
SecurityDomain = 0
pIPAddrList is NULL
pDNSNameList is NULL
sourcecondition.pMaskIPAddrList is NULL
sourcecondition.pIPAddrRangeList is NULL
Action Condition:
vpnAction = 2
vpnMode = 1
lifeSecs = 28800
lifeKB = 0
algorithmVersion = 1
numAlgorithms = 1
Auth Algo = 3, ESP Algo = 1
========S2S Traffic Rule 2
ruleEnabled = 1
ruleType = 3
rulePriority = 255
pObjectDN = TestPix_DEFAULT_RULE.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
pcondObjectDNArray = Source.TestPix_DEFAULT_RULE.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
pcondObjectDNArray = Destination.TestPix_DEFAULT_RULE.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
condObjectDNArray[2]  is NULL
condObjectDNArray[3]  is NULL
Service Condition:
anyService = 0
examineMethod = 0
protocolSuite = 0
IPProtocol = 0
clientOrSourcePort = 0
serverOrDestPort = 0
Anydest = 1
AnyHost = 1
SecurityDomain = 0
pIPAddrList is NULL
destcondition.pMaskIPAddrList is NULL
destcondition.pIPAddrRangeList is NULL
ThirdParty Source Condition:
 PeerAddress = 101A8C0

AnyHost = 1
AnyDest = 1
SecurityDomain = 0
pIPAddrList is NULL
pDNSNameList is NULL
sourcecondition.pMaskIPAddrList is NULL
sourcecondition.pIPAddrRangeList is NULL
Action Condition:
vpnAction = 2
vpnMode = 1
lifeSecs = 7200
lifeKB = 0
algorithmVersion = 1
numAlgorithms = 1
Auth Algo = 3, ESP Algo = 1
========End of S2S Traffic Rules==========





Gus
12/5/2003 4:01:17 PM
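As an added example (not from the thread or from Novell), a small Python parser for the vpnConsole `displayS2s3rdPartyTrafficRules` screen Gus posted: it splits the dump into rules, keeps the duplicate `AnyHost` keys apart by section, and reports per rule the priority, the decoded peer, whether it is any-source/any-destination, and the phase-2 lifetime. Reading `PeerAddress` as a little-endian 32-bit value is an assumption; it is consistent with the thread because it turns 101A8C0 into 192.168.1.1, the Node 2 address shown for the PIX. The sample dump is a constructed, shortened copy of the posted screen.

```python
import ipaddress
import re
import struct

# Constructed, trimmed copy of the displayS2s3rdPartyTrafficRules screen from the thread
SAMPLE_DUMP = """\
vpnConsole: displayS2s3rdPartyTrafficRules
========S2S Traffic Rule 1
ruleEnabled = 1
rulePriority = 0
pObjectDN = testpix.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
DestinationCondition
Anydest = 1
AnyHost = 1
ThirdParty Source Condition:
 PeerAddress = 101A8C0
AnyHost = 1
AnyDest = 1
Action Condition:
lifeSecs = 28800
Auth Algo = 3, ESP Algo = 1
========S2S Traffic Rule 2
ruleEnabled = 1
rulePriority = 255
pObjectDN = TestPix_DEFAULT_RULE.3rdPartyVPNRules.VPNS2STESTFIRE.Testfire.web.LAMMIC
DestinationCondition
Anydest = 1
AnyHost = 1
ThirdParty Source Condition:
 PeerAddress = 101A8C0
AnyHost = 1
AnyDest = 1
Action Condition:
lifeSecs = 7200
Auth Algo = 3, ESP Algo = 1
========End of S2S Traffic Rules==========
"""

RULE_HEADER = re.compile(r"^=+S2S Traffic Rule (\d+)$")
# AnyHost appears under both the destination and the source condition, so each
# "key = value" line is filed under the most recent section header.
SECTIONS = {
    "Service Condition:": "service",
    "DestinationCondition": "dest",
    "ThirdParty Source Condition:": "source",
    "Action Condition:": "action",
}


def decode_peer_address(hexword):
    """PeerAddress is printed as a bare hex word; assumed to be a host-order
    (little-endian) 32-bit value, so 101A8C0 decodes to 192.168.1.1."""
    return str(ipaddress.IPv4Address(struct.pack("<I", int(hexword, 16))))


def parse_rules(dump):
    """Split a displayS2s3rdPartyTrafficRules screen into per-rule dicts of sections."""
    rules, rule, section = [], None, "top"
    for raw in dump.splitlines():
        line = raw.strip()
        hit = RULE_HEADER.match(line)
        if hit:
            rule = {"number": int(hit.group(1)), "top": {}, "service": {},
                    "dest": {}, "source": {}, "action": {}}
            rules.append(rule)
            section = "top"
            continue
        if rule is None or not line or line.startswith("===="):
            continue  # banner line, blank line, or the End-of-rules marker
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        for pair in line.split(","):  # "Auth Algo = 3, ESP Algo = 1" holds two pairs
            if " = " in pair:
                key, value = (s.strip() for s in pair.split(" = ", 1))
                rule[section][key] = value
    return rules


def summarize(rules):
    """Per rule: priority, decoded peer, whether source and destination are both
    'any' (what Gonzalo asked for), and the phase-2 lifetime it proposes."""
    return [{
        "rule": r["number"],
        "priority": int(r["top"]["rulePriority"]),
        "peer": decode_peer_address(r["source"]["PeerAddress"]),
        "any_to_any": r["source"].get("AnyHost") == "1" and r["dest"].get("Anydest") == "1",
        "life_secs": int(r["action"]["lifeSecs"]),
        "esp_algo": int(r["action"]["ESP Algo"]),
    } for r in rules]


if __name__ == "__main__":
    for row in summarize(parse_rules(SAMPLE_DUMP)):
        print(row)
```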