Firewall-1

Re: [FW-1] Keberos V5 though client VPN

Subject: Re: [FW-1] Keberos V5 though client VPN
From: Hannu Liljemark <hannu.liljemark AT GSTDOMAIN DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 26 Apr 2006 09:48:09 +0300
Hey

Some oldish post by Craig Baltzer from 6th Dec 2003:

> We're having an issue where we're unable to successfully perform
> Kerberos authentication through a VPN connection.

> When attempting a connection, we see a Kerberos request over 88/UDP with
> a destination of a Kerberos KDC. It shows in the client log, however it
> never appears in the firewall log and nothing reaches the KDC server.
> Switching the client to use Kerberos 88/TCP fixes the problem, however
> we're reluctant to modify all of our clients to use TCP (a ton of
> clients to update, overhead concerns with a large number of TCP sessions
> setups/teardowns needed for KDC operators, and a desire to generally
> stay with the standard (RFC 1510) method of doing Kerberos over UDP).

> What do we need to change on the firewall to get it to pass Kerberos
> 88/UDP inside a VPN connection?

We've run into the same but with site-to-site VPN. XP
workstations (happens whether you have SP1 or SP2 installed), domain
controllers are Windows 2000 SP4. Apparently some UDP fragmentation happens
and FW-1 silently drops the packets, as things work fine with TCP
(just like in Craig's case).

Just like Craig, we're aware of the TCP Kerberos registry changes
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474) and
the articles regarding the FW-1 kerberos service having port 750 (there are also
services with port 88 named kerberos_v5). This happens with an allow-any rule
and there's nothing in the logs.

Has anyone else run into the same problem? FW-1 R55 main site on a Nokia IP350,
branch sites have Edge X with 5.0.94 and 6.0.57 firmware and Nokia IP1x0
boxes with FW-1 R55.

Regards,

Hannu
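An added example, not from the post or from Check Point, modelling the fragmentation symptom described above: a per-packet "allow udp/88" rule can only see the UDP port in the first fragment of a large Kerberos request, so a filter with no fragment state has nothing to match on the later fragments and drops them, while a filter that remembers the first fragment's verdict per (src, dst, IP ID) passes the whole datagram. The addresses, IP ID and payload sizes are constructed, and the 1500-byte MTU is an assumption.

```python
import struct

KERBEROS_UDP = 88
IP_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags+offset, TTL, proto, csum, src, dst


def ipv4_fragments(src, dst, ident, udp_payload, mtu=1500):
    """Construct the IPv4 fragments a host emits for one UDP datagram to port 88
    that exceeds the path MTU (constructed sample data, not a real capture)."""
    udp = struct.pack("!HHHH", 40000, KERBEROS_UDP, 8 + len(udp_payload), 0) + udp_payload
    chunk = (mtu - 20) // 8 * 8          # fragment payload must be a multiple of 8 bytes
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        more = 0x2000 if off + chunk < len(udp) else 0   # MF flag on all but the last
        hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(piece), ident,
                          more | (off // 8), 64, 17, 0, src, dst)
        frags.append(hdr + piece)
    return frags


def parse(pkt):
    """Decode the IPv4 header; the UDP port is only present when offset == 0."""
    ver_ihl, _, _, ident, flags_off, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & 0x1FFF) * 8
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if proto == 17 and offset == 0 else None
    return {"src": src, "dst": dst, "ident": ident, "proto": proto, "offset": offset,
            "more": bool(flags_off & 0x2000), "dport": dport}


def stateless_verdict(pkt):
    """A per-packet rule 'allow udp/88' with no fragment state: later fragments
    carry no UDP header, so nothing matches and they are dropped without a log."""
    return "accept" if parse(pkt)["dport"] == KERBEROS_UDP else "drop"


def virtual_reassembly_verdicts(pkts):
    """Remember the first fragment's decision per (src, dst, IP ID) so that the
    following fragments inherit it (assumes in-order arrival; a real filter
    would also queue out-of-order fragments and time the state out)."""
    decided, verdicts = {}, []
    for pkt in pkts:
        p = parse(pkt)
        key = (p["src"], p["dst"], p["ident"])
        if p["offset"] == 0:
            decided[key] = p["dport"] == KERBEROS_UDP
        verdicts.append("accept" if decided.get(key) else "drop")
    return verdicts
```

A 2000-byte request splits into two fragments: the stateless rule accepts the first and silently drops the second, the fragment-aware filter accepts both.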

