All,
I have a Checkpoint site-to-site VPN that will transfer about 40GB of data
between the two sites. When I read the Checkpoint release note, Checkpoint
recommends that I use dbedit to modify the parameter "ipsec_dont_fragment"
from "true" to "false" so that large file transfers across the VPN tunnel
will not drop unexpectedly. Here is my question:
1) If that is true, why doesn't checkpoint make the ipsec_dont_fragment
parameter "false" by default?
2) What is the downside or side-effect for making ipsec_dont_fragment from
"true" to "false"?
I could never get a straight answer on this one from Checkpoint TAC.
They must be smoking crack or something.
Next question:
When I perform "fw unloadlocal" on SPLAT or Nokia, IP forwarding is
disabled as well. This means that on Nokia and SPLAT, routing is stopped
at that point. To enable routing on SPLAT I have to perform
"echo 1 > /proc/sys/net/ipv4/ip_forward" or "ipsofwd on admin". Here
is my question:
1) Why in the world does Checkpoint want to do that? I understand that
they don't want the firewall to be vulnerable during the boot process
(even though the booting process only takes a few minutes),
but turning off routing when performing "fw unloadlocal" just doesn't
make sense. I know that most people use "fw unloadlocal" for
troubleshooting purposes and they want to see if the firewall is passing
traffic without any security policies. Now if routing is disabled
by "fw unloadlocal" then no traffic can route across the firewall.
How stupid can that be?
2) Is it possible to keep routing enabled on SPLAT or Nokia boxes after
"fw unloadlocal" without using "echo 1 > /proc/sys/net/ipv4/ip_forward"
or "ipsofwd on admin"?
Thanks.
cisco4ng
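The two procedures the post names, as an added example that is not part of the original message and not Check Point's own tooling: a small wrapper that records the IP-forwarding state, runs "fw unloadlocal", re-enables forwarding on the platform it finds itself on, and verifies the result, plus a helper that applies the ipsec_dont_fragment change through dbedit. Assumptions: the sysctl path /proc/sys/net/ipv4/ip_forward and "ipsofwd on admin" are the ones quoted in the post; "fw fetch localhost" as the way to re-install the policy afterwards, and the dbedit table/object names "properties firewall_properties", are the conventional ones and not confirmed by the post.

```shell
#!/bin/sh
# Added example (not from the original post or from Check Point).
# Wraps "fw unloadlocal" so that routing survives the unload, and
# verifies the state before and after instead of trusting it.
#
# Assumed paths/commands (verify against your release):
#   /proc/sys/net/ipv4/ip_forward   SPLAT / Linux forwarding switch
#   ipsofwd on admin                Nokia IPSO forwarding switch
#   fw fetch localhost              re-install the local policy afterwards
#   dbedit properties firewall_properties   global-properties object

IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# forwarding_state FILE -> prints the kernel's ip_forward value ("0"/"1"),
# or "unknown" when the file is not there (e.g. Nokia IPSO).
forwarding_state() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo unknown
    fi
}

# forwarding_enabled FILE -> exit 0 if forwarding is on, 1 otherwise
forwarding_enabled() {
    [ "$(forwarding_state "$1")" = "1" ]
}

# enable_forwarding FILE -> turn forwarding on for this platform and
# confirm it actually took; returns 1 if it could not.
enable_forwarding() {
    if [ -e "$1" ]; then
        echo 1 > "$1"                      # SPLAT / Linux
        forwarding_enabled "$1"
    elif command -v ipsofwd >/dev/null 2>&1; then
        ipsofwd on admin                   # Nokia IPSO (assumed command)
    else
        echo "no known way to enable forwarding on this platform" >&2
        return 1
    fi
}

# unload_keep_routing: the troubleshooting step itself. Run as root on the
# gateway. With the policy unloaded the box forwards everything, so keep
# the window short and re-install the policy when done.
unload_keep_routing() {
    echo "ip_forward before unload: $(forwarding_state "$IP_FORWARD_FILE")"
    fw unloadlocal
    echo "ip_forward after unload:  $(forwarding_state "$IP_FORWARD_FILE")"
    enable_forwarding "$IP_FORWARD_FILE" || return 1
    echo "ip_forward re-enabled:    $(forwarding_state "$IP_FORWARD_FILE")"
    echo "Policy is UNLOADED. Re-install with: fw fetch localhost"
}

# set_ipsec_dont_fragment true|false: the dbedit change the post mentions.
# Run on the management server; push the policy afterwards. The table and
# object names are the conventional global-properties ones (assumption).
set_ipsec_dont_fragment() {
    case "$1" in true|false) ;; *) echo "usage: true|false" >&2; return 1 ;; esac
    dbedit -local <<EOF
modify properties firewall_properties ipsec_dont_fragment $1
update properties firewall_properties
quit
EOF
}

case "${1-}" in
    --unload) unload_keep_routing ;;
    --df)     set_ipsec_dont_fragment "${2-}" ;;
esac
```

Usage on the gateway: `sh unload_keep_routing.sh --unload`; on the management server: `sh unload_keep_routing.sh --df false`. The state checks are separate functions so the forwarding logic can be exercised against a scratch file before it is ever pointed at the real sysctl.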
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================