You have indicated that ICMP is not working. Have you disabled
it under policy properties?
Two notes: You've got it almost right. The first scenario
works because under policy properties you have Enable decrypt on Accept
enabled. Disable this and scenario1 will fail.
ICMP will only work in a client scenario if you have 1) the allow icmp property
set, or 2) a rule for icmp in both directions. ICMP is not stateful,
and therefore Replies are not simply allowed.
Ok... I must be missing something really really stupid....been
poring over the Checkpoint PDFs and phoneboy.. no luck...
NT 4 - FW-1 v 4.1 SP2 SecureRemote - same
version from the same CD
Using SecureRemote with IKE Preshared Secrets - Setup
goes fine - Site Creation is fine...
Two scenarios.. first one works, the second one doesn't
Can someone explain what else I need to make the 2nd
work, give me some ideas to try? (I'm all out at this point)
(I also have above the below rules..an Any to Firewall
IKE and RDP accept rule)
Thanks in advance for the help !
Jason
FIRST: (working)
I have the following (applicable) rules:
Any         WebServer    HTTP   Accept
pc1         enc_domain   Any    Accept
enc_domain  Any          Any    Accept
I start SecureRemote on the Client and everything works
great... HTTP handled by the first rule.. things like FTP and PCanywhere
by the 2nd
Logs: I see The phase 1 key install and then phase 2 in
both directions....then a bunch of decryption when things are working...
(It's annoying that pings don't make it intact.. but I
remember reading something about that...I'll try to dig it up again)
SECOND: (broken)
I change the 2nd rule to:
User@any    enc_domain   Any    Client Encrypt
I start SecureRemote on the client and HTTP still works
fine... but FTP and PCAnywhere and anything else through the changed rule
no longer function.
Logs: I see the Phase 1 Key Install..and a Phase 2 from
the PC1 to the Firewall... but NEVER see Phase 2 back the other way (From
the Firewall to PC1 (the client))