Firewall-1

[FW-1] problems with SecuRemote

Subject: [FW-1] problems with SecuRemote
From: Gus Fritschie <gfritschie AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 23 Jun 2004 09:22:55 -0400
I am running Check Point NG FP 3 on Linux 7.3.  I am having some problems
getting the client-to-site VPN to work.  I have the following rules in my
rule base before the stealth rule:

any -> no-fw1 -> any -> fw1_pslogon, FW1_topo, IKE, ESP,
VPN1_IPSEC_encapsulation -> accept

all users@any -> encryption domain -> if via RemoteAccess -> any -> accept

My SecuRemote client can authenticate and connect to the site and download
the topology.  However, when I try to access a server in my encryption
domain, I fail.  When looking at the logs I see a drop on IKE_TCP directed
at the system I am trying to access.  I have attached the logs.  Have I
set up something wrong with my topology or encryption domain?  Any help would
be appreciated.  Thanks!

Time     | Interface | Origin | Action      | Service                  | Source                                  | Destination | Protocol | User | Information
22:16:50 | eth1      | no-fw1 | Accept      | IKE_tcp                  | pool-138-88-46-143.res.east.verizon.net | no-fw1      | tcp      |      |
22:16:56 | daemon    | no-fw1 | Login       |                          | pool-138-88-46-143.res.east.verizon.net |             |          | test | reason: Client Encryption: Authenticated by Internal Password;
22:16:56 | daemon    | no-fw1 | Login       |                          | pool-138-88-46-143.res.east.verizon.net | no-fw1      |          | test | reason: User authenticated by Firewall. Sending SSL Encrypted Topology, using IKE authentication.;
22:17:39 | eth1      | no-fw1 | Accept      | IKE                      | pool-138-88-46-143.res.east.verizon.net | no-fw1      | udp      |      |
22:17:40 | daemon    | no-fw1 | Key Install |                          | pool-138-88-46-143.res.east.verizon.net | no-fw1      |          | test | IKE: Quick Mode completion; IKE IDs: subnet: 0.0.0.0 (mask= 0.0.0.0) and host: 10.1.1.2;
22:17:40 | eth1      | no-fw1 | Accept      | VPN1_IPSEC_encapsulation | pool-138-88-46-143.res.east.verizon.net | no-fw1      | udp      |      |
22:17:42 | eth1      | no-fw1 | Drop        | IKE_tcp                  | pool-138-88-46-143.res.east.verizon.net | 172.x.x.x   | tcp      |      |
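The log excerpt above is the kind of record a practitioner correlates by hand: per remote client, find the Quick Mode completion and then list any drops the gateway logged after the IPsec SA was installed, since those are the connections the VPN rule was expected to cover. The following script is an added example, not part of the original post or of Check Point's tooling. It assumes the log was exported as a tab-separated file with the column header shown in the post (the column names and the `SAMPLE_LOG` rows are re-typed from the post's excerpt), parses the rows, pulls the negotiated IKE IDs out of the "Key Install" record, and reports post-SA drops to anything other than the gateway object.

```python
"""Correlate a Check Point FW-1 log export for a SecuRemote session.

Added example, not from the original post. Assumes a tab-separated export
whose first line is the column header the post shows; the sample rows are
constructed from the post's log excerpt.
"""
import re
from collections import defaultdict

COLUMNS = ["Time", "Interface", "Origin", "Action", "Service", "Source",
           "Destination", "Protocol", "User", "Information"]

CLIENT = "pool-138-88-46-143.res.east.verizon.net"

# Constructed sample: the post's excerpt re-typed as a tab-separated export.
SAMPLE_LOG = "\n".join([
    "\t".join(COLUMNS),
    "\t".join(["22:16:50", "eth1", "no-fw1", "Accept", "IKE_tcp", CLIENT, "no-fw1", "tcp", "", ""]),
    "\t".join(["22:16:56", "daemon", "no-fw1", "Login", "", CLIENT, "", "", "test",
               "reason: Client Encryption: Authenticated by Internal Password;"]),
    "\t".join(["22:16:56", "daemon", "no-fw1", "Login", "", CLIENT, "no-fw1", "", "test",
               "reason: User authenticated by Firewall. Sending SSL Encrypted Topology, "
               "using IKE authentication.;"]),
    "\t".join(["22:17:39", "eth1", "no-fw1", "Accept", "IKE", CLIENT, "no-fw1", "udp", "", ""]),
    "\t".join(["22:17:40", "daemon", "no-fw1", "Key Install", "", CLIENT, "no-fw1", "", "test",
               "IKE: Quick Mode completion; IKE IDs: subnet: 0.0.0.0 (mask= 0.0.0.0) "
               "and host: 10.1.1.2;"]),
    "\t".join(["22:17:40", "eth1", "no-fw1", "Accept", "VPN1_IPSEC_encapsulation", CLIENT,
               "no-fw1", "udp", "", ""]),
    "\t".join(["22:17:42", "eth1", "no-fw1", "Drop", "IKE_tcp", CLIENT, "172.x.x.x", "tcp", "", ""]),
])

# Matches the IKE ID text of the Key Install record as it appears in the post.
IKE_IDS = re.compile(r"subnet: (\S+) \(mask= (\S+)\) and host: (\S+);")


def parse_log(text):
    """Turn a tab-separated export into a list of dicts keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        fields += [""] * (len(header) - len(fields))  # tolerate missing trailing cells
        rows.append(dict(zip(header, fields)))
    return rows


def ike_ids(row):
    """Return (subnet, mask, host) from a Key Install row, or None if absent."""
    m = IKE_IDS.search(row["Information"])
    return m.groups() if m else None


def analyse(rows, gateway):
    """Per client source, report drops logged at or after the SA was installed.

    Drops whose destination is the gateway itself are excluded: those are
    stealth-rule hits, a different problem from traffic into the encryption
    domain not being matched by the remote-access rule.
    """
    by_source = defaultdict(list)
    for r in rows:
        by_source[r["Source"]].append(r)

    findings = []
    for src, events in by_source.items():
        installs = [e for e in events if e["Action"] == "Key Install"]
        if not installs:
            continue  # no SA for this client; nothing to correlate yet
        sa_time = min(e["Time"] for e in installs)  # HH:MM:SS sorts lexically
        ids = ike_ids(installs[0])
        for e in events:
            if (e["Action"] == "Drop" and e["Time"] >= sa_time
                    and e["Destination"] != gateway):
                findings.append({"client": src, "ike_ids": ids,
                                 "service": e["Service"],
                                 "destination": e["Destination"],
                                 "protocol": e["Protocol"]})
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_log(SAMPLE_LOG), gateway="no-fw1"):
        print(finding)
```

Run against the post's excerpt it returns a single finding: the IKE_tcp connection from the client to 172.x.x.x dropped two seconds after Quick Mode completed, with the SA's IDs recorded as subnet 0.0.0.0 (mask 0.0.0.0) and host 10.1.1.2. That pairs the dropped packet with the SA the gateway actually negotiated, which is the first thing to compare against the encryption domain and topology definitions when chasing a drop like this.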

