RE: [FW1] SecuRemote requires accept fw-1 control connections on v4.1 but not v4.0
Roy,

If you look at the documentation in the VPN-1/FW-1 Administration Guide, page 239 (or page 266 in electronic format; the electronic copy is on the CP2K disc in /Docs/SecAdmin.pdf), it makes a small reference to there being a distinctive change from earlier versions. It may help.

Be sure you log the Implied rules. If you look for those ports being rejected in the logs, then by creating a rule with those ports you may be able to set them up with a specific rule. I wouldn't overlook anti-spoofing if you have that set up, but the log should show at what point the communication is dropping. Is the 'Accept Clear Text requests' checked or unchecked? Is it dumping out at the phase 1 IKE exchange or after phase 2? etc.

Good Luck!

Charlie

-----Original Message-----
From: Roy Hills [mailto:[email protected]]
Sent: Wednesday, November 22, 2000 8:56 AM
To: CryptoTech
Cc: [email protected]
Subject: Re: [FW1] SecuRemote requires accept fw-1 control connections on v4.1 but not v4.0

CryptoTech,

Thanks for your reply. You are correct in saying that accept control connections in the properties allows SecuRemote to work - this is what I've already discovered. The issue is that I don't want to allow control connections because it allows more than I strictly need, and I didn't need to do so on v4.0.

Unfortunately, the issue is not the Firewall workstation object IP address - this is correctly defined as the Firewall's external IP address. Also note that SecuRemote does work OK when accept control connections is checked, so I can't see how it can be a Firewall object issue.

Now, my suspicion is that there's some bit of inspect code which is only being activated when "allow Firewall-1 control connections" is checked, and just allowing the protocols concerned isn't enough. Perhaps I need to allow some other protocol (maybe IKE) that I don't really need (because I use FWZ) just to activate this inspect code.
Roy Hills

At 08:40 22/11/00 -0500, CryptoTech wrote:
>Roy,
>4.1 uses port 264 for topology download and 265 for public key transfers. You
>should need no explicit protocol accepts, as the 'accept firewall-1 control
>connections' allows for this. Usually when you get a timeout after
>authentication, it is because the firewall object has been defined based on
>the internal IP address.
>
>So again, I wouldn't look at the rules, I would look at the fw workstation
>object primary IP address.
>
>If you want to disable control connections, you must enable fw1_topo, fw1_key
>and IKE to get these connections to go through.
>
>HTH,
>CryptoTech
>
>Roy Hills wrote:
>
> > On Firewall-1 v4.0 I have been able to use SecuRemote with FWZ key
> > scheme by just allowing "FW1" (tcp port 256) from any to the Firewall
> > as well as the relevant client encrypt rules and unchecking the
> > "accept Firewall-1 control connections" box in the policy properties.
> >
> > However on Firewall-1 v4.1, I find that I need to select "accept VPN-1 &
> > Firewall-1 control connections" in the policy properties. I cannot seem
> > to get SecuRemote to work by using specific rules in the rulebase.
> >
> > I have tried the following two rules without success:
> >
> > a)
> >
> > Src: Any
> > Dst: Firewall
> > Svc: FW1, FW1_key, FW1_topo, RDP
> > Act: Accept
> > Trk: Long
> >
> > b)
> >
> > Src: SecuRemote-Client
> > Dst: Firewall
> > Svc: Any
> > Act: Accept
> > Trk: Long
> >
> > Src: Firewall
> > Dst: SecuRemote-Client
> > Svc: Any
> > Act: Accept
> > Trk: Long
> >
> > In both cases, I also had the appropriate client encrypt rules present.
> >
> > The symptoms I see are that I can add the Firewall "site" OK, and the
> > authentication dialog box appears. However authentication fails with
> > "communication failed" message.
> >
> > Allowing "accept VPN-1 & Firewall-1 control connections" in the policy
> > properties makes SecuRemote work fine.
> >
> > Does anyone know what has changed from V4.0 to V4.1 regarding SecuRemote
> > that causes this?
> >
> > Is it possible to allow SecuRemote with just rules in the rulebase and not
> > with "accept VPN-1 & Firewall-1 control connections" in the policy
> > properties?
> >
> > I'm using Firewall-1 v4.1[DES] SP1 on Windows NT 4.0 SP5. SecuRemote is
> > v4.1 [DES] on Win-95. I am using DES encryption, MD5 integrity and FWZ key
> > exchange.
> >
> > Roy Hills
> > --
> > Roy Hills                      Tel: +44 1634 721855
> > NTA Monitor Ltd                FAX: +44 1634 721844
> > 14 Ashford House, Beaufort Court,
> > Medway City Estate,            Email: [email protected]
> > Rochester, Kent ME2 4FA, UK    WWW: http://www.nta-monitor.com/
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================

--
Roy Hills                      Tel: +44 1634 721855
NTA Monitor Ltd                FAX: +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,            Email: [email protected]
Rochester, Kent ME2 4FA, UK    WWW: http://www.nta-monitor.com/
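The triage step Charlie suggests (log the implied rules, find which SecuRemote ports are being dropped, then write an explicit rule covering exactly those services) is worked through below as an added example. It is not code from the thread or from Check Point. The log lines are constructed in a simplified whitespace-separated layout, not the real `fw log` export format; the firewall addresses are constructed too. Ports 256, 264 and 265 come from the thread; RDP on udp/259 and IKE on udp/500 are the standard assignments for those services and are assumed here. The check for control traffic aimed at an address other than the firewall's external address covers CryptoTech's point about the workstation object being defined on the internal IP.

```python
"""Triage SecuRemote control traffic dropped by a FireWall-1 4.x gateway.

Added example, not from the mailing-list thread. The sample log below uses
a constructed layout (action proto src dst dport rule), not the real
'fw log' export format. Rule 0 is used, as FW-1 does, for packets matched by
the implied rules/properties rather than an explicit rulebase entry.
"""
from collections import Counter
from dataclasses import dataclass

# Service names from the thread mapped to protocol/port. 256/264/265 are
# stated in the thread; RDP (udp/259) and IKE (udp/500) are the standard
# ports for those services and are assumed here.
SECUREMOTE_SERVICES = {
    ("tcp", 256): "FW1",
    ("tcp", 264): "FW1_topo",
    ("tcp", 265): "FW1_key",
    ("udp", 259): "RDP",
    ("udp", 500): "IKE",
}

# Constructed sample log: a client behind 10.1.1.50 talking to a gateway
# whose external address is 192.0.2.1 and internal address is 172.16.0.1.
SAMPLE_LOG = """\
accept tcp 10.1.1.50 192.0.2.1 256 3
drop tcp 10.1.1.50 192.0.2.1 264 0
drop tcp 10.1.1.50 192.0.2.1 265 0
drop udp 10.1.1.50 192.0.2.1 259 0
accept udp 10.1.1.50 192.0.2.1 53 7
drop tcp 10.1.1.50 172.16.0.1 264 0
"""


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: str
    dst: str
    dport: int
    rule: int


def parse_log(text):
    """Parse the constructed log layout into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, proto, src, dst, dport, rule = line.split()
        entries.append(Entry(action, proto, src, dst, int(dport), int(rule)))
    return entries


def dropped_securemote(entries, firewall_addrs):
    """Count dropped/rejected SecuRemote control packets per service name,
    considering only traffic addressed to the gateway's external address(es)."""
    counts = Counter()
    for e in entries:
        if e.action not in ("drop", "reject"):
            continue
        name = SECUREMOTE_SERVICES.get((e.proto, e.dport))
        if name and e.dst in firewall_addrs:
            counts[name] += 1
    return dict(counts)


def misaddressed(entries, firewall_addrs):
    """Destinations of SecuRemote control traffic that are not the gateway's
    external address: the symptom of a workstation object defined on the
    internal IP, as CryptoTech describes."""
    return sorted({
        e.dst for e in entries
        if (e.proto, e.dport) in SECUREMOTE_SERVICES and e.dst not in firewall_addrs
    })


def suggest_rule(service_names, client="Any", firewall="Firewall"):
    """Render an explicit accept rule in the Src/Dst/Svc/Act/Trk layout
    used in Roy's message, listing only the services actually seen dropped."""
    svc = ", ".join(sorted(service_names))
    return f"Src: {client}\nDst: {firewall}\nSvc: {svc}\nAct: Accept\nTrk: Long"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    external = {"192.0.2.1"}
    dropped = dropped_securemote(entries, external)
    print("dropped SecuRemote services:", dropped)
    print("control traffic to non-external addresses:", misaddressed(entries, external))
    print(suggest_rule(dropped))
```

Run against a real export, the two checks separate the cases the thread argues about: drops on 264/265/259 with rule 0 point at services that still need an explicit accept once control connections are unchecked, while hits on an internal address point at the workstation object rather than the rulebase.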