FireWall-1 FAQ: Two Firewalls with Same IP and Putkeys
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Q:
How do I get the putkeys to work with two Firewalls that have the same IP? I am installing a HA (failover, not loadbalance) with Stonebeat. I have installed the putkey on both the primary and the secondary.
I get the primary to work, but when I kill it and the secondary takes over (assuming the same IP as the now dead primary), the authentication fails. The primary works every time, but the secondary fails, even though the putkey is happening to the same IP address. If I go through the process of re-installing the putkey for the secondary, it then works fine, but then fails for the primary, even though once again they share the same IP. Any words of wisdom?
Just want to confirm a suspision, do I do the putkey to the heartbeat IP (which is unique between the primary and secondary) ?
A:
What is actually happening with a putkey is that you are setting up a “chain” (sort of like S/Key). The “putkey password” is the seed for this chain. Each time an authenticated session between systems is needed, one “key” in the “chain” is used. After a while, it generates a new “chain” based off the “putkey password” and the previous chain.
You can see where this is going: when you fail over to system B, the management console thinks it’s talking to A still. A thinks the state of the authentication is one way, B thinks it’s another way. They can’t talk to one another until you redo the putkeys.
The authentication really uses the nodename IP address of the box, not the IP address specified in masters (or any other place). If the nodename IP of the box is the same (or even if it isn’t), you can probably use the -n trick to solve it. i.e.:
On Management Console:
fw putkey -n mgmt-ip fwA fwB
On FireWall A:
fw putkey -n fwA-ip mgmt-ip
On FireWall B:
fw putkey -n fwB-ip mgmt-ip
The assumption here is that fwA-ip and fwB-ip are unique to each system. Note that once you’ve done this, all further ‘-n’ putkeys you do must be to the same IP address (i.e. the argument to -n is the same) or your putkeys will break. I found this one out the hard way.