NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT

[FW1] PPTP and client encrypt problems




We are attempting to set up PPTP (so that users can reliably view the
network behind the firewall), as the network is a large collection of
addresses, some legit and many 10.x.x.x. We currently have FW-1 4.0 SP7
with VPN 3DES installed and SecuRemote operational on remote systems,
which reach us via dialup / DSL / cable modems, etc.
SecuRemote works fine for legit addresses running FTP/telnet/Lotus Notes
email/HTTP.
SecuRemote does not work for our NT4/2000/Win98 users, as they are not
able to browse the network or make a connection to NBT services.

We set up an MS PPTP server (NT4), and I added the rules to the firewall
for GRE (TCP 1723 and IP type 47).
I also have the rule perform client encryption on the inbound; however, the
reverse rule to allow outbound cannot encrypt.
Here is the problem: the connection is made with PPTP and an internal address is
assigned to the external PPTP'd system. All works for about 15 minutes or
so, sometimes 2 min to 30 min. Then the PPTP connection refuses to pass
data. In addition, the SecuRemote message pops up that it lost the
connection to the firewall. Drop the PPTP VPN link and reconnect, and all
is happy for another short and random time. I find that I can no longer
even ping the external firewall address; however, during the operating PPTP
session, the ping comes from the internal address. Could this be a routing
confusion problem, or the encryption domain being set wrong?

If I do not encrypt the connection, PPTP works just fine. I assume the
problem is that encryption is not being done on all the GRE packets.
Should I just encrypt the initial TCP control connection and forget the GRE
data?

What are my options? I have too many addresses to NAT, and having a local
address appear on the remote system saves a bunch of network changes; we
have systems with access lists too.

I really hate to just rely on the MS RAS security. For example, under NT,
if a user is given remote access by a LAN security manager, they gain PPTP
access. I would rather have FW-1 perform some front-end validation;
plus, the 3DES encryption in addition to the MS PPTP encryption
makes me feel better (I may not have reasons for concern, or maybe yes).

I have also tried encrypting only the TCP control channel and leaving the
GRE protocol unencrypted.


Thanks

Warren Smith



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
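Added example, not part of the post above or of any Check Point or Microsoft code: a Python classifier over raw IPv4 packets that separates the two flows the rule set in the post has to pass, the TCP/1723 control channel and the enhanced-GRE data channel (IP protocol 47, RFC 2637), and decodes the GRE call ID, sequence and acknowledgment fields. Run over a capture of a session that has stalled, it shows which of the two legs stopped and in which direction, which is the first thing to establish before blaming routing or the encryption domain. The sample packets, addresses (RFC 5737 documentation ranges) and call IDs are constructed here, and the helper names are my own.

```python
"""Classify IPv4 packets into the two flows a PPTP rule set must pass:
the TCP/1723 control channel and the enhanced-GRE data channel (RFC 2637).
All sample packets below are constructed inline; nothing is captured live."""
import struct
from ipaddress import IPv4Address

PPTP_PORT = 1723
IPPROTO_TCP = 6
IPPROTO_GRE = 47
PPTP_GRE_PROTOCOL_TYPE = 0x880B  # PPP carried inside enhanced GRE (RFC 2637)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ident: int = 1) -> bytes:
    """Minimal IPv4 datagram (no options) wrapping an arbitrary payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64,
                         proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def build_tcp_segment(sport: int, dport: int, flags: int = 0x02, payload: bytes = b"") -> bytes:
    """TCP header with a zero checksum; enough for port-based classification."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload


def build_pptp_gre(call_id: int, payload: bytes, seq=None, ack=None) -> bytes:
    """Enhanced GRE header: K always set, S when a sequence number is carried,
    A (in the version byte) when an acknowledgment number is carried."""
    flags = 0x20 | (0x10 if seq is not None else 0)
    ver = 0x01 | (0x80 if ack is not None else 0)
    hdr = struct.pack("!BBHHH", flags, ver, PPTP_GRE_PROTOCOL_TYPE, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def classify(packet: bytes) -> dict:
    """Return which PPTP leg (if any) a raw IPv4 packet belongs to, plus its fields."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"kind": "other", "proto": proto,
            "src": str(IPv4Address(packet[12:16])), "dst": str(IPv4Address(packet[16:20]))}
    body = packet[ihl:]
    if proto == IPPROTO_TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if PPTP_PORT in (sport, dport):
            info.update(kind="pptp-control", sport=sport, dport=dport)
    elif proto == IPPROTO_GRE and len(body) >= 4:
        flags, ver, ptype = struct.unpack("!BBH", body[:4])
        has_key, has_seq, has_ack = flags & 0x20, flags & 0x10, ver & 0x80
        needed = 8 + (4 if has_seq else 0) + (4 if has_ack else 0)
        if ptype == PPTP_GRE_PROTOCOL_TYPE and (ver & 0x07) == 1 and has_key and len(body) >= needed:
            payload_len, call_id = struct.unpack("!HH", body[4:8])
            off, seq, ack = 8, None, None
            if has_seq:
                seq = struct.unpack("!I", body[off:off + 4])[0]
                off += 4
            if has_ack:
                ack = struct.unpack("!I", body[off:off + 4])[0]
            info.update(kind="pptp-data", call_id=call_id, payload_len=payload_len, seq=seq, ack=ack)
        else:
            info["kind"] = "gre-other"  # plain GRE or a malformed PPTP data packet
    return info


def tunnel_report(packets) -> dict:
    """Per (src, dst) pair, count control and data packets; a pair with data
    in one direction only, or control without data, is the stalled leg."""
    report = {}
    for pkt in packets:
        info = classify(pkt)
        if info["kind"] not in ("pptp-control", "pptp-data"):
            continue
        counts = report.setdefault((info["src"], info["dst"]), {"control": 0, "data": 0})
        counts["control" if info["kind"] == "pptp-control" else "data"] += 1
    return report


# Constructed sample traffic: a PPTP client and server in documentation ranges.
CLIENT, SERVER = "203.0.113.5", "198.51.100.10"
SAMPLES = [
    build_ipv4(IPPROTO_TCP, CLIENT, SERVER, build_tcp_segment(49152, PPTP_PORT)),        # control SYN
    build_ipv4(IPPROTO_GRE, CLIENT, SERVER, build_pptp_gre(0x1234, b"\xff\x03\xc0\x21", seq=7)),  # PPP LCP in GRE
    build_ipv4(IPPROTO_GRE, SERVER, CLIENT, build_pptp_gre(0x0001, b"", ack=7)),           # ack-only GRE
    build_ipv4(IPPROTO_GRE, CLIENT, SERVER, struct.pack("!BBH", 0, 0, 0x0800) + bytes(20)),  # plain GRE, not PPTP
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
    print(tunnel_report(SAMPLES))
```

To use this on a real capture, feed it the IPv4 layer of each frame (e.g. from a pcap reader) and look at `tunnel_report`: if the report for the stalled session shows the client still sending GRE while the server's direction goes silent, the problem is on the return path the post says cannot be encrypted, not on the TCP control channel.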



 
   All contents © 2004 Network Presence, LLC. All rights reserved.