Firewall-1

Re: [FW-1] problems with SecuRemote

Subject: Re: [FW-1] problems with SecuRemote
From: Chris Hoff <choff AT CORNERSTONESECURITY DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 25 Jun 2004 09:48:39 -0500
Gus,

If you notice, the host that is getting authenticated is 10.1.1.2.
However, the traffic destined for the internal network is from
138.88.46.143 (pool-138-88-46-143.res.east.verizon.net). You might get
through by either forcing IKE over TCP and/or UDP encapsulation on the
client side. This is done in the Tools>Configure Connection
Profile>Advanced tab of the SecuRemote software.

Good luck,

Chris

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Gus
Fritschie
Sent: Wednesday, June 23, 2004 8:23 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] problems with SecuRemote

I am running Check Point NG FP 3 on Linux 7.3.  I am having some
problems getting the client to site VPN to work.  I have the following
rules in my rule base before the stealth rule:

any -> no-fw1 -> any -> fw1_pslogon, FW1_topo, IKE, ESP,
VPN1_IPSEC_encapsulation -> accept

all users@any -> encryption domain -> if via RemoteAccess -> any ->
accept

My SecuRemote client can authenticate and connect to the site and
download the topology.  However, when I try to access a server in my
encryption domain, I fail.  When looking at the logs I see a drop on
IKE_TCP directed at the system I am trying to access.  I have attached
the logs.  Have I set up something wrong with my topology or encryption
domain?  Any help would be appreciated.  Thanks!

Time | Interface | Origin | Action | Service | Source | Destination | Protocol | User | Information
22:16:50 | eth1 | no-fw1 | Accept | IKE_tcp | pool-138-88-46-143.res.east.verizon.net | no-fw1 | tcp | |
22:16:56 | daemon | no-fw1 | Login | | pool-138-88-46-143.res.east.verizon.net | | | test | reason: Client Encryption: Authenticated by Internal Password;
22:16:56 | daemon | no-fw1 | Login | | pool-138-88-46-143.res.east.verizon.net | no-fw1 | | test | reason: User authenticated by Firewall. Sending SSL Encrypted Topology, using IKE authentication.;
22:17:39 | eth1 | no-fw1 | Accept | IKE | pool-138-88-46-143.res.east.verizon.net | no-fw1 | udp | |
22:17:40 | daemon | no-fw1 | Key Install | | pool-138-88-46-143.res.east.verizon.net | no-fw1 | | test | IKE: Quick Mode completion; IKE IDs: subnet: 0.0.0.0 (mask= 0.0.0.0) and host: 10.1.1.2;
22:17:40 | eth1 | no-fw1 | Accept | VPN1_IPSEC_encapsulation | pool-138-88-46-143.res.east.verizon.net | no-fw1 | udp | |
22:17:42 | eth1 | no-fw1 | Drop | IKE_tcp | pool-138-88-46-143.res.east.verizon.net | 172.x.x.x | tcp | |
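The diagnosis in Chris's reply can be turned into a small log check: the Quick Mode "Key Install" record names the client's IKE ID host (10.1.1.2, a private address), while the packets that are later dropped arrive from a different, public source, which is the signature of a SecuRemote client behind NAT. The script below is an added example written for this page, not code from either poster or from Check Point; the pipe-separated record format and the `parse_log`, `negotiated_host_ids` and `diagnose` names are assumptions, and the sample records are a constructed condensation of the log excerpt above.

```python
"""Flag a NAT'd SecuRemote client from Check Point log records (added example).

The record format is a constructed, pipe-separated encoding of the columns
shown in the thread; the field names and function names are assumptions.
"""
import ipaddress
import re
from collections import namedtuple
from typing import List, Set

FIELDS = ("time", "interface", "origin", "action", "service",
          "source", "destination", "protocol", "user", "information")
Record = namedtuple("Record", FIELDS)

# Constructed sample, condensed from the log excerpt in the original mail.
SAMPLE_LOG = """\
22:16:50|eth1|no-fw1|Accept|IKE_tcp|pool-138-88-46-143.res.east.verizon.net|no-fw1|tcp||
22:16:56|daemon|no-fw1|Login||pool-138-88-46-143.res.east.verizon.net|||test|reason: Client Encryption: Authenticated by Internal Password;
22:16:56|daemon|no-fw1|Login||pool-138-88-46-143.res.east.verizon.net|no-fw1||test|reason: User authenticated by Firewall. Sending SSL Encrypted Topology, using IKE authentication.;
22:17:39|eth1|no-fw1|Accept|IKE|pool-138-88-46-143.res.east.verizon.net|no-fw1|udp||
22:17:40|daemon|no-fw1|Key Install||pool-138-88-46-143.res.east.verizon.net|no-fw1||test|IKE: Quick Mode completion; IKE IDs: subnet: 0.0.0.0 (mask= 0.0.0.0) and host: 10.1.1.2;
22:17:40|eth1|no-fw1|Accept|VPN1_IPSEC_encapsulation|pool-138-88-46-143.res.east.verizon.net|no-fw1|udp||
22:17:42|eth1|no-fw1|Drop|IKE_tcp|pool-138-88-46-143.res.east.verizon.net|172.x.x.x|tcp||
"""

# The host ID announced in the Quick Mode completion message.
HOST_ID = re.compile(r"host:\s*([0-9.]+)")

# Services that belong to the client-to-site VPN rule in the thread.
VPN_SERVICES = {"IKE", "IKE_tcp", "ESP", "VPN1_IPSEC_encapsulation"}


def parse_log(text: str) -> List[Record]:
    """Split pipe-separated lines into Record tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        records.append(Record(*parts))
    return records


def negotiated_host_ids(records: List[Record]) -> Set[str]:
    """IKE ID hosts from 'Key Install' records: the address the client believes it has."""
    ids = set()
    for r in records:
        if r.action == "Key Install":
            m = HOST_ID.search(r.information)
            if m:
                ids.add(m.group(1))
    return ids


def is_private(addr: str) -> bool:
    """True for RFC 1918 / other private addresses; False for anything unparsable."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def diagnose(records: List[Record]) -> List[str]:
    """Report dropped VPN traffic whose packet source differs from a private IKE ID host.

    That mismatch means the client sits behind NAT; the thread's remedy is to force
    IKE over TCP and/or UDP encapsulation in the SecuRemote connection profile.
    """
    findings = []
    host_ids = negotiated_host_ids(records)
    for r in records:
        if r.action != "Drop" or r.service not in VPN_SERVICES:
            continue
        for host_id in sorted(host_ids):
            if r.source != host_id and is_private(host_id):
                findings.append(
                    f"{r.time}: {r.service} {r.source} -> {r.destination} dropped; "
                    f"client negotiated IKE ID host {host_id} (private) but packets "
                    f"arrive from {r.source}, so the client is behind NAT. "
                    "Force IKE over TCP and/or UDP encapsulation on the client."
                )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the script reports the single 22:17:42 drop and ties it to the 10.1.1.2 IKE ID; a log with no "Key Install" record, or one where the IKE ID host equals the packet source, produces no finding, so the check stays quiet for clients that are not NAT'd.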

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email fw-1-owner AT ts.checkpoint DOT com
=================================================