This has been my experience of SecuRemote as well.

Even if you hack the Userc.C file to fool the SecuRemote client into sending encrypted packets to the firewall, the firewall (after de-encapsulating the UDP packets that have been NATed) will drop the packets with the client source IP because it thinks that you are trying to spoof the source address (this assumes you have anti-spoofing enabled on the Internet-facing interface, which is a must!!!).

I haven't found a way round this apart from encouraging remote networks to use a subnet that is outside of our encryption domain.

If someone comes from a remote private LAN that is behind a NAT device, then when the packets are de-encapsulated and decrypted they will be routed through your network with the original client IP address (unless you have set up IP pools/NATing etc.).

I found that IP pools are useful for people using SecuRemote from a dialup-type connection where a public IP is bound to their interface. To restrict public IPs routing through our internal network I assign an address from the IP pool to all VPN connections from clients with public IPs. This helps with setting up ACLs on our internal network.

Another undocumented 'feature' of SecuRemote is:

If you are using the old way of defining VPN connections in your rule base (handy as it is more granular), and if you have a user account defined that is 'enabled' but you do not have any specific client encrypt rules for that user/user group in your rulebase, then regardless of what is in your rule base, when the user connects they will be authenticated and then their connection will match ANY rule in the rule base that matches the original IP that is bound to the interface of the client (before it has been NATed by their remote NAT device).

This is annoying as I think it is counter-intuitive, as you may assume that SecuRemote connections would ONLY match explicitly defined client encrypt rules.

What compounds this is that whilst they will match rules that will ALLOW the connection (and will be decrypted on that rule regardless of whether it is a client encrypt rule or not), the encrypted packet will not match any Drop rules that you might put in to counter this!!

I've tested from 4.1 -> NG R54

Josh
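The two failure points described in this thread (the client that believes it is already inside the encryption domain, and the gateway's anti-spoofing drop of a de-encapsulated packet whose inner source belongs to the internal range) can be modelled with a small pre-flight check. This is an added example, not code from the thread or from Check Point; the decision logic is a hypothetical model of the behaviour the posters describe, and the 192.168.0.0/16 domain and hotel subnet are constructed sample values.

```python
import ipaddress

# Constructed sample values: the internal (encryption) domain from the thread is
# 192.168.x.x; the hotel wifi hands out 192.168.1.x behind its own NAT device.
ENCRYPTION_DOMAIN = [ipaddress.ip_network("192.168.0.0/16")]


def in_domain(addr, domain):
    """True if addr falls inside any network of the encryption domain."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in domain)


def client_will_tunnel(client_lan, dst, domain):
    """SecuRemote side, as described in the thread (hypothetical model): the
    client only encrypts traffic for the encryption domain, and if its own LAN
    already lies inside that domain it believes it is 'inside' and never
    contacts the gateway at all."""
    if not in_domain(dst, domain):
        return False  # not destined for the domain: sent in the clear
    client_lan = ipaddress.ip_network(client_lan)
    return not any(client_lan.overlaps(net) for net in domain)


def gateway_accepts(inner_src, domain, anti_spoofing=True):
    """Gateway side after de-encapsulation: with anti-spoofing on the
    Internet-facing interface, an inner source address that belongs to the
    internal topology is treated as spoofed and dropped."""
    return not (anti_spoofing and in_domain(inner_src, domain))


def colliding_client_lans(client_lans, domain):
    """Pre-flight check: client subnets that overlap the encryption domain and
    so need renumbering or an IP-pool address before the VPN will work."""
    nets = (ipaddress.ip_network(n) for n in client_lans)
    return [str(n) for n in nets if any(n.overlaps(d) for d in domain)]


if __name__ == "__main__":
    for lan in ("10.5.0.0/24", "192.168.1.0/24"):
        print(lan, "tunnels:", client_will_tunnel(lan, "192.168.10.5", ENCRYPTION_DOMAIN))
    print("hotel client accepted:", gateway_accepts("192.168.1.23", ENCRYPTION_DOMAIN))
    print("collisions:", colliding_client_lans(["192.168.1.0/24", "10.0.0.0/8"], ENCRYPTION_DOMAIN))
```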
>-----Original Message-----
>From: Alaric Turner [mailto:a.turner AT ALBOURNE DOT COM]
>Sent: 14 July 2004 01:46
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] Double NATing, Securemote
>
>
>Having spoken with my Checkpoint rep, an additional licence is
>required for SecureClient :-(
>
>I have to admit to not quite understanding how office mode
>would work anyway; we are already using an IP pool on the
>Checkpoint firewall which works, as long as the NATed client
>address does not appear to be within the firewall's encryption
>domain. Hopefully my diagram below clarifies this..
>
>Client ip address range x
>        |
>  ------|-------
> | NAT Device   |
>  ------|-------
>        |
>  ------|-------
> |  internet    |
>  ------|-------
>        |
>  ------|-------
> |Firewall (NAT)|
>  ------|-------
>        |
>Internal IP range y
>
>As long as x is not a subset of y then everything works; as
>soon as x is a subset of y then I think SecuRemote assumes
>that it is inside the encryption domain & therefore doesn't
>attempt to connect to the firewall & it all falls apart.
>
>Does office mode fix this? when I tried the eval versions I
>don't remember it doing so but I'm not certain that I tried
>with a duplicate IP range..
>
>Alaric
>
>
>> -----Original Message-----
>> From: Mailing list for discussion of Firewall-1
>> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray
>> Sent: 13 July 2004 22:00
>> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>> Subject: Re: [FW-1] Double NATing, Securemote
>>
>> I'll bet they "fix" this in the next release. SecuRemote used to work
>> with Office Mode and then that ability was taken away. Their KB
>> articles say SecureClient is required for Office Mode and that piece
>> of software requires a paid-for license.
>>
>> Ray
>>
>> >From: Brian Granier <briang AT ZEBEC DOT NET>
>> >Reply-To: Mailing list for discussion of Firewall-1
>> ><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>> >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>> >Subject: Re: [FW-1] Double NATing, Securemote
>> >Date: Tue, 13 Jul 2004 11:01:06 -0500
>> >
>> >Use office mode. According to my Checkpoint rep, it is permissible to
>> >install SecureClient to use office mode without having a SecureClient
>> >license. You just don't get to have a policy server and push down rules.
>> >This will solve the issue that you're facing.
>> >
>> >T. Brian Granier
>> >GCIA, GCFW, GCIH, GCUX, CCSE, CHP, MCSE (NT4,W2k&W2k3), et al.
>> >Information Security Architect Zebec Data Systems, Inc.
>> >
>> >
>> >-----Original Message-----
>> >From: Mailing list for discussion of Firewall-1
>> >[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Alaric Turner
>> >Sent: Tuesday, July 13, 2004 10:35 AM
>> >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>> >Subject: [FW-1] Double NATing, Securemote
>> >
>> >
>> >All,
>> >
>> >A (hopefully) simple question,
>> >We have a number of internal networks all using 192.168.x.x. I have a
>> >number of SecuRemote users who end up in hotels using wifi to access
>> >the net; many of these hotels also use the 192.168.1.x range for wifi &
>> >then NAT. I need to get connectivity back to our internal systems.
>> >
>> >I'm struggling to see how we can do this without re-numbering our
>> >internal network such that there is no conflict with the hotel wifi
>> >networks, which I don't really want to do.
>> >
>> >Can anyone suggest a simpler solution?
>> >
>> >I guess I could multihome the machines which need to be accessible to
>> >another subnet.
>> >
>> >Alaric Turner,
>> >Albourne Partners
>> >
>> >=================================================
>> >To set vacation, Out-Of-Office, or away messages, send an email to
>> >LISTSERV AT amadeus.us.checkpoint DOT com
>> >in the BODY of the email add:
>> >set fw-1-mailinglist nomail
>> >=================================================
>> >To unsubscribe from this mailing list,
>> >please see the instructions at
>> >http://www.checkpoint.com/services/mailing.html
>> >=================================================
>> >If you have any questions on how to change your subscription
>> options,
>> >email fw-1-owner AT ts.checkpoint DOT com
>> >=================================================
>> >
>>
>>
>>
>>
>
>