Dear group,
So far, I have only been reading about the interactions in this mail group and
have not had any request for info. or made comments, as I have been out of the
mainstream after getting canned during the Silicon Valley crunch. Here in
Europe, getting some bites, however. I have a potential client who is having a
problem with a VPN.
I would like to research his SecuRemote problem and report back to him by
Monday. Before I get really involved with research and making deductions, I
thought I would ask the group if you have experienced the same problems.
I asked some questions about their setup and here were the answers:
>1. from end to end setup
It's a Host<->Gateway VPN, from my boss' home SecuRemote to our Internet
firewall. Since my boss is behind a NAT-ing ADSL gateway/firewall, it uses udp
encapsulation.
>2. Encryptions - setup instructions if you know them
I'm not quite sure what you mean by this question...
>3. Multiple entry points? Others having same problem?
No MEP. Someone else at our company might have the same problems,
although I have not sniffed his connection yet.
>4. VPN cards?
Nope.
>5. Hardware configurations. Any other problems exist other than VPN?
Company firewall: noname PC: 1GHz Celeron, 128M memory, 2 double Intel
and a single (unused) D-Link network cards
SecuRemote host: no idea
>6. OS platforms
Company firewall: Red Hat Linux 7.3
SecuRemote host: Windows XP
>7. Fw platforms - versions, management consoles, inspection modules
NGFP3 with current hotfixes
The SecuRemote is the most current FP3 version (but same problem with the FP4
version)
>What type of problems:
>1. Connectivity, communication slow, etc. Does it ever correct itself?
VPN connection sometimes dies (non-VPN ones still work). After a few minutes
(5-10 or more) it is usually OK again.
>2. What type of error messages
None at all (apart from the can't connect, unreachable, etc. stuff from the
applications).
>3. Frequency of problems
Varies, but many times a day.
>4. What you have done to correct the problem in past
Rebooting always helps. So does deleting and recreating the site
definition in SecuRemote. Or just waiting. All these solutions are temporary
however.
>5. What you think is causing the problem
Stupid Check Point, perhaps? ;)
What is actually going on is pretty clear, however. If I tcpdump on the ADSL
fw/router in front of the SecuRemote machine, it is quite revealing. While SR
is working correctly, it is sending the udp encapsulated IPsec packets to the
correct interface of the FW. When it starts misbehaving, it starts trying to
send the same packets to the IP address of the internal interface of the
firewall (which is, of course, a private IP address: 192.168.47.254). I have
not yet seen any reason why it starts sending to the wrong IP suddenly.
>6. Who has helped you in the past and what have they said and done
I searched the Check Point KB for a while, and I did find relevant resolutions
(mostly to do with resolve_interface_ranges and sometimes
contradicting each other), but they did not seem to help. But I will try it
again if you think that is the right solution.
Christopher J. Dias - CCSA, CCSE (Checkpoint), MCP+I, MCSE (Microsoft),
CCNA, CCNP (Cisco), CSE (Novell)
Address: 1121 Budapest
Fülemile út 12-18 4.ép.3/11.
Phone: 36 1 275-4008 Mobile: 06-20/803 9687
mediaacces2003 AT yahoo DOT com
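
The tcpdump check described in the message, as an added example that is not part of the original post: it scans `tcpdump -n` text output and reports each moment the encapsulated traffic changes destination, flagging RFC 1918 targets such as 192.168.47.254. UDP port 2746, the 203.0.113.10 gateway address and the sample capture are assumptions constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges, checked explicitly: ipaddress.is_private would also
# flag documentation ranges such as the 203.0.113.0/24 placeholder below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches `tcpdump -n` lines: "HH:MM:SS.frac IP src.sport > dst.dport: UDP, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP"
)

def find_destination_flips(lines, encap_port=2746):
    """Return (timestamp, old_dst, new_dst, new_is_rfc1918) for every change
    of destination among UDP packets sent to encap_port (assumed port)."""
    flips, last = [], None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != encap_port:
            continue  # not encapsulated VPN traffic
        dst = ipaddress.ip_address(m["dst"])
        if last is not None and dst != last:
            private = any(dst in net for net in RFC1918)
            flips.append((m["ts"], str(last), str(dst), private))
        last = dst
    return flips

# Constructed capture: 203.0.113.10 stands in for the firewall's external
# interface; 192.168.47.254 is the internal address quoted in the message.
SAMPLE = """\
14:02:11.120000 IP 192.168.1.10.2746 > 203.0.113.10.2746: UDP, length 132
14:02:12.480000 IP 192.168.1.10.1045 > 198.51.100.7.9000: UDP, length 40
14:02:13.300000 IP 192.168.1.10.2746 > 203.0.113.10.2746: UDP, length 132
14:07:45.910000 IP 192.168.1.10.2746 > 192.168.47.254.2746: UDP, length 132
14:07:46.950000 IP 192.168.1.10.2746 > 192.168.47.254.2746: UDP, length 132
14:16:02.010000 IP 192.168.1.10.2746 > 203.0.113.10.2746: UDP, length 132
""".splitlines()

if __name__ == "__main__":
    for ts, old, new, private in find_destination_flips(SAMPLE):
        note = "unroutable private address" if private else "routable address"
        print(f"{ts}: destination changed {old} -> {new} ({note})")
```

The timestamps of the flips can then be lined up against client-side events (topology refresh, key renegotiation, DHCP renewal) to narrow down what triggers the change.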