10.1.1.2 is the IP address of my SecuRemote computer that is on my home
network behind a PIX 501 that is doing NAT and my DSL modem. I do have both
IKE over TCP and/or UDP encapsulation selected on my VPN client.
138.88.46.143 is the IP address assigned by my ISP. Not sure what else I
should do?
From: Chris Hoff <choff AT CORNERSTONESECURITY DOT COM>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] problems with SecuRemote
Date: Fri, 25 Jun 2004 09:48:39 -0500
Gus,
If you notice, the host that is getting authenticated is 10.1.1.2.
However, the traffic destined for the internal network is from
138.88.46.143 (pool-138-88-46-143.res.east.verizon.net). You might get
through by forcing IKE over TCP and/or UDP encapsulation on the
client side. This is done in the Tools>Configure Connection
Profile>Advanced tab of the SecuRemote software.
Good luck,
Chris
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Gus
Fritschie
Sent: Wednesday, June 23, 2004 8:23 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] problems with SecuRemote
I am running Check Point NG FP 3 on Linux 7.3. I am having some
problems getting the client to site VPN to work. I have the following
rules in my rule base before the stealth rule:
any -> no-fw1 -> any -> fw1_pslogon, FW1_topo, IKE, ESP,
VPN1_IPSEC_encapsulation -> accept
all users@any -> encryption domain -> if via RemoteAccess -> any ->
accept
My SecuRemote client can authenticate and connect to the site and
download the topology. However, when I try to access a server in my
encryption domain, I fail. When looking at the logs I see a drop on
IKE_TCP directed at the system I am trying to access. I have attached
the logs. Have I set up something wrong with my topology or encryption
domain? Any help would be appreciated. Thanks!
Time Interface Origin Action Service Source Destination Protocol User Information
22:16:50 eth1 no-fw1 Accept IKE_tcp pool-138-88-46-143.res.east.verizon.net no-fw1 tcp
22:16:56 daemon no-fw1 Login pool-138-88-46-143.res.east.verizon.net test reason: Client Encryption: Authenticated by Internal Password;
22:16:56 daemon no-fw1 Login pool-138-88-46-143.res.east.verizon.net no-fw1 test reason: User authenticated by Firewall. Sending SSL Encrypted Topology, using IKE authentication.;
22:17:39 eth1 no-fw1 Accept IKE pool-138-88-46-143.res.east.verizon.net no-fw1 udp
22:17:40 daemon no-fw1 Key Install pool-138-88-46-143.res.east.verizon.net no-fw1 test IKE: Quick Mode completion; IKE IDs: subnet: 0.0.0.0 (mask= 0.0.0.0) and host: 10.1.1.2;
22:17:40 eth1 no-fw1 Accept VPN1_IPSEC_encapsulation pool-138-88-46-143.res.east.verizon.net no-fw1 udp
22:17:42 eth1 no-fw1 Drop IKE_tcp pool-138-88-46-143.res.east.verizon.net 172.x.x.x tcp
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email fw-1-owner AT ts.checkpoint DOT com
=================================================
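The diagnosis Chris gives above can be checked mechanically against the log Gus posted: the Quick Mode "Key Install" record carries the client's IKE ID (host 10.1.1.2) while the packets actually arrive from the ISP address, which is the signature of a client behind NAT, and the later Drop of IKE_tcp is aimed at an internal host rather than at the gateway. The following triage script is an added example, not code from the thread or from Check Point. It assumes the log has been exported as tab-separated text with the column names shown in the post; the sample records are constructed from that post, with the dropped packet's destination left as the masked 172.x.x.x, and the gateway name no-fw1 is the one the post uses.

```python
"""Triage FW-1 SecuRemote log records for a NAT'd client (added example).

Assumed input: a tab-separated export with the columns the post shows
(Time, Interface, Origin, Action, Service, Source, Destination, Protocol,
User, Information). Two checks are applied:
  1. A "Key Install" record whose IKE ID host differs from the packet
     source means the client sits behind NAT (inner vs. outer address).
  2. A "Drop" of an IKE service whose destination is not the gateway
     means the client is trying to negotiate with an internal host
     directly, i.e. its traffic is not being encapsulated to the gateway.
"""
import re
from typing import Dict, List

# Constructed sample in the assumed TSV export format (one record per line),
# built from the records quoted in the original post.
SAMPLE_LOG = (
    "Time\tInterface\tOrigin\tAction\tService\tSource\tDestination\tProtocol\tUser\tInformation\n"
    "22:16:50\teth1\tno-fw1\tAccept\tIKE_tcp\tpool-138-88-46-143.res.east.verizon.net\tno-fw1\ttcp\t\t\n"
    "22:16:56\tdaemon\tno-fw1\tLogin\t\tpool-138-88-46-143.res.east.verizon.net\t\t\ttest\t"
    "reason: Client Encryption: Authenticated by Internal Password;\n"
    "22:17:39\teth1\tno-fw1\tAccept\tIKE\tpool-138-88-46-143.res.east.verizon.net\tno-fw1\tudp\t\t\n"
    "22:17:40\tdaemon\tno-fw1\tKey Install\t\tpool-138-88-46-143.res.east.verizon.net\tno-fw1\t\ttest\t"
    "IKE: Quick Mode completion; IKE IDs: subnet: 0.0.0.0 (mask= 0.0.0.0) and host: 10.1.1.2;\n"
    "22:17:40\teth1\tno-fw1\tAccept\tVPN1_IPSEC_encapsulation\tpool-138-88-46-143.res.east.verizon.net\tno-fw1\tudp\t\t\n"
    "22:17:42\teth1\tno-fw1\tDrop\tIKE_tcp\tpool-138-88-46-143.res.east.verizon.net\t172.x.x.x\ttcp\t\t\n"
)

# Pulls the host ID out of "... and host: 10.1.1.2;" in the Information column.
IKE_HOST_RE = re.compile(r"host:\s*([^\s;]+)")
IKE_SERVICES = {"IKE", "IKE_tcp"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the assumed TSV export into one dict per record, keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        fields = line.split("\t")
        fields += [""] * (len(header) - len(fields))  # pad short rows
        records.append(dict(zip(header, fields)))
    return records


def triage(records: List[Dict[str, str]], gateway: str) -> List[str]:
    """Return human-readable findings for the two NAT-traversal symptoms."""
    findings = []
    for r in records:
        if r["Action"] == "Key Install":
            m = IKE_HOST_RE.search(r["Information"])
            if m and m.group(1) != r["Source"]:
                findings.append(
                    f"nat: IKE ID host {m.group(1)} differs from packet source "
                    f"{r['Source']} (client is behind NAT; use IKE over TCP / UDP encapsulation)"
                )
        if r["Action"] == "Drop" and r["Service"] in IKE_SERVICES and r["Destination"] != gateway:
            findings.append(
                f"misdirected_ike: {r['Service']} from {r['Source']} to {r['Destination']} "
                f"was dropped; IKE should terminate on the gateway {gateway}"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG), gateway="no-fw1"):
        print(finding)
```

Run against the sample, the script reports both symptoms: the NAT mismatch from the Key Install record and the dropped IKE_tcp packet that was sent to the internal host instead of the gateway, which together point at the client-side encapsulation setting Chris recommends.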