Comments for StoneBlog.stonesoft.com http://stoneblog.stonesoft.com Share knowledge about StoneGate Wed, 08 Feb 2012 09:11:13 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on A Very Quick Guide for Configuring StoneGate for iOS VPN by rence.suarez http://feedproxy.google.com/~r/CommentsForStoneblog/~3/PWO9L2jAIAs/ rence.suarez Wed, 08 Feb 2012 09:11:13 +0000 http://stoneblog.stonesoft.com/?p=3410#comment-498 another question.. is this support on 5.0.5? another question.. is this support on 5.0.5?

]]> http://stoneblog.stonesoft.com/2011/07/a-very-quick-guide-for-configuring-stonegate-for-ios-vpn/comment-page-1/#comment-498 Comment on A Very Quick Guide for Configuring StoneGate for iOS VPN by rence.suarez http://feedproxy.google.com/~r/CommentsForStoneblog/~3/S_Bau1WmCFk/ rence.suarez Tue, 07 Feb 2012 10:09:15 +0000 http://stoneblog.stonesoft.com/?p=3410#comment-497 @RoarinPenguin thanks for the prompt reply.. i downloaded the application.. but im really lost.. can you send me a guide or a documentation on how to use this app? thanks a lot! @RoarinPenguin thanks for the prompt reply.. i downloaded the application.. but im really lost.. can you send me a guide or a documentation on how to use this app? thanks a lot!

]]> http://stoneblog.stonesoft.com/2011/07/a-very-quick-guide-for-configuring-stonegate-for-ios-vpn/comment-page-1/#comment-497 Comment on A Very Quick Guide for Configuring StoneGate for iOS VPN by RoarinPenguin http://feedproxy.google.com/~r/CommentsForStoneblog/~3/VDi3S_g7eJk/ RoarinPenguin Tue, 07 Feb 2012 09:33:08 +0000 http://stoneblog.stonesoft.com/?p=3410#comment-496 @rence.suarez: if it has 0kb size it means that export or generation obviously failed. To generate good working certificates for these tests, I recommend to user the nice easy application XCA which is available for free @ http://xca.sourceforge.net. Also, consider that on the iPhone you need to import both the user certificate and the CA public certificate that is used to validate the server certificate that SG will present. Hope this helps. @rence.suarez: if it has 0kb size it means that export or generation obviously failed.
To generate good working certificates for these tests, I recommend to user the nice easy application XCA which is available for free @ http://xca.sourceforge.net.
Also, consider that on the iPhone you need to import both the user certificate and the CA public certificate that is used to validate the server certificate that SG will present.
Hope this helps.

]]> http://stoneblog.stonesoft.com/2011/07/a-very-quick-guide-for-configuring-stonegate-for-ios-vpn/comment-page-1/#comment-496 Comment on A Very Quick Guide for Configuring StoneGate for iOS VPN by rence.suarez http://feedproxy.google.com/~r/CommentsForStoneblog/~3/NRa69Zey08I/ rence.suarez Tue, 07 Feb 2012 09:22:54 +0000 http://stoneblog.stonesoft.com/?p=3410#comment-495 Hi, i tried making certificates but im having a problem with .p12.. i cant upload it because of its size, 0kb. i also tried Jose's way but still cant see the certificate on the iphone. the Use certificate tab is grayed out. what does that mean? sorry for my poor english.. Hi,

i tried making certificates but im having a problem with .p12.. i cant upload it because of its size, 0kb. i also tried Jose’s way but still cant see the certificate on the iphone. the Use certificate tab is grayed out. what does that mean? sorry for my poor english..

]]> http://stoneblog.stonesoft.com/2011/07/a-very-quick-guide-for-configuring-stonegate-for-ios-vpn/comment-page-1/#comment-495 Comment on Forum by luchino7773 http://feedproxy.google.com/~r/CommentsForStoneblog/~3/BSoOEv-WRbA/ luchino7773 Fri, 03 Feb 2012 15:07:00 +0000 #comment-492 Hello. I'm trying to install policy on a single firewall connected via pppoe (unfortunately with a dynamic ip address). Smc and Log are statically natted by another cluster, contact was successful but everytime I try to install a simple policy i get a message like Failed to connect to Reverse DCP dynamic for {StoneGate firewall node ID:343 SN:1014} ... Error 4987 Did anyone have this kind of problem? Best regards! Hello.
I’m trying to install policy on a single firewall connected via pppoe (unfortunately with a dynamic ip address).
Smc and Log are statically natted by another cluster, contact was successful but everytime I try to install a simple policy i get a message like
Failed to connect to Reverse DCP dynamic for {StoneGate firewall node ID:343 SN:1014} … Error 4987
Did anyone have this kind of problem?

Best regards!

]]> http://stoneblog.stonesoft.com/stoneblog-community/forum/comment-page-2/#comment-492 Comment on Forum by Marcello di Pasquale http://feedproxy.google.com/~r/CommentsForStoneblog/~3/oh6ArzAOuiw/ Marcello di Pasquale Mon, 30 Jan 2012 12:16:33 +0000 #comment-487 Good morning. I have seemingly some troubles with certificates. When i try to install policy i receive the follwing error message: Received fatal alert: certificate_expired. i receive the same message when i try to get sginfo from firewall nodes. however, if i go to cnofiguration --> configuration --> administration --> other elements --> internal certificates (even in internal certificate authority), all my certificates are active. I tried to make an initial contact with one of my nodes, but nothing changes. did anyone have the same problem? Thanks to all. Regards. Good morning. I have seemingly some troubles with certificates. When i try to install policy i receive the follwing error message: Received fatal alert: certificate_expired. i receive the same message when i try to get sginfo from firewall nodes. however, if i go to cnofiguration –> configuration –> administration –> other elements –> internal certificates (even in internal certificate authority), all my certificates are active. I tried to make an initial contact with one of my nodes, but nothing changes. did anyone have the same problem?
Thanks to all.
Regards.

]]> http://stoneblog.stonesoft.com/stoneblog-community/forum/comment-page-2/#comment-487 Comment on A Very Quick Guide for Configuring StoneGate for iOS VPN by djarvlejon http://feedproxy.google.com/~r/CommentsForStoneblog/~3/03-omr8KcAc/ djarvlejon Fri, 20 Jan 2012 08:09:20 +0000 http://stoneblog.stonesoft.com/?p=3410#comment-480 Hi alien2108, Did you test the way Jose VillafaƱa sugested? I keep geting the "Negotiation with VPN server failed" Hi alien2108,
Did you test the way Jose VillafaƱa sugested? I keep geting the “Negotiation with VPN server failed”

]]> http://stoneblog.stonesoft.com/2011/07/a-very-quick-guide-for-configuring-stonegate-for-ios-vpn/comment-page-1/#comment-480 Comment on A Very Quick Guide for Configuring StoneGate for iOS VPN by alien2108 http://feedproxy.google.com/~r/CommentsForStoneblog/~3/7FX_9Lo-ZG4/ alien2108 Thu, 19 Jan 2012 20:55:21 +0000 http://stoneblog.stonesoft.com/?p=3410#comment-479 Doing some OS X clients again on another SG FW a couple more notes.... Be sure that at least ONE USER has IPSEC as authentication method in your policy (it doesn't matter if this user actually has ipsec method enabled). If no user has it, IPSEC authentication method will not be enabled on engines at all and your iosuser certificate will thus fail! Creating vpn config package with "Iphone Configuration Utility" is fine for iOS devices but when I used it on OS X device, VPN didn't work no matter what. Reason was that StoneGate CA certificate was added to "Login" keychain and even moving it to system keychain didn't help. BUT if I deleted the CA certificate from the keychain and manually added this same SG CA certificate to System keychain (when you import it, be sure to select destination keychain->system) everything worked OK (sometimes you have to kill racoon process -> "sudo killall -9 racoon"). Another thing is that Jailbroken iPhones will NOT establish VPN no matter what (IOS 5.0.1). This is a known issue (not sg related), just to let you all know -> do not test with JB iPhones. Doing some OS X clients again on another SG FW a couple more notes….

Be sure that at least ONE USER has IPSEC as authentication method in your policy (it doesn’t matter if this user actually has ipsec method enabled). If no user has it, IPSEC authentication method will not be enabled on engines at all and your iosuser certificate will thus fail!

Creating vpn config package with “Iphone Configuration Utility” is fine for iOS devices but when I used it on OS X device, VPN didn’t work no matter what. Reason was that StoneGate CA certificate was added to “Login” keychain and even moving it to system keychain didn’t help. BUT if I deleted the CA certificate from the keychain and manually added this same SG CA certificate to System keychain (when you import it, be sure to select destination keychain->system) everything worked OK (sometimes you have to kill racoon process -> “sudo killall -9 racoon”).

Another thing is that Jailbroken iPhones will NOT establish VPN no matter what (IOS 5.0.1). This is a known issue (not sg related), just to let you all know -> do not test with JB iPhones.

]]> http://stoneblog.stonesoft.com/2011/07/a-very-quick-guide-for-configuring-stonegate-for-ios-vpn/comment-page-1/#comment-479 Comment on A Very Quick Guide for Configuring StoneGate for iOS VPN by alicante http://feedproxy.google.com/~r/CommentsForStoneblog/~3/tDC8wxVYizc/ alicante Fri, 13 Jan 2012 09:55:17 +0000 http://stoneblog.stonesoft.com/?p=3410#comment-476 Hi all. I have tried all the choices and followed all the advices unsuccessfully. I would like to know if someone has tested this kind of vpn with iOS5 and/or os x 10.7 lion. Thanks in advance. Hi all.

I have tried all the choices and followed all the advices unsuccessfully. I would like to know if someone has tested this kind of vpn with iOS5 and/or os x 10.7 lion.

Thanks in advance.

]]> http://stoneblog.stonesoft.com/2011/07/a-very-quick-guide-for-configuring-stonegate-for-ios-vpn/comment-page-1/#comment-476 Comment on TCPDUMP is your friend! by jmogez http://feedproxy.google.com/~r/CommentsForStoneblog/~3/S-DN1ZyWwsc/ jmogez Wed, 11 Jan 2012 09:15:27 +0000 http://stoneblog.stonesoft.com/2009/01/tcpdump-is-your-friend/#comment-473 One question about inbound traffic : is tcpdump take place before filtering ? One question about inbound traffic : is tcpdump take place before filtering ?

]]> http://stoneblog.stonesoft.com/2009/01/tcpdump-is-your-friend/comment-page-1/#comment-473