[FW1] PPTP and client encrypt problems
We are attempting to set up PPTP (so that users can reliably view the network behind the firewall), as the network is a large collection of addresses, some legit and many 10.x.x.x. We currently have FW-1 4.0 SP7 with VPN 3DES installed and SecuRemote operational on remote systems, which reach us via dialup / DSL / cable modems, etc. SecuRemote works fine for legit addresses running FTP/telnet/Lotus Notes email/HTTP. SecuRemote does not work for us for NT4/2000/Win98 users, as they are not able to browse the network or make a connection to NBT services.

We set up an MS PPTP server (NT4), for which I added the rules into the firewall for GRE (TCP 1723 and IP type 47). I also have the rule perform client encryption on the inbound; however, the reverse rule to allow outbound cannot encrypt.

Here is the problem: the connection is made with PPTP and an internal address is assigned to the external PPTP'd system; all works for about 15 minutes or so (sometimes 2 min to 30 min). Then the PPTP connection refuses to pass data. In addition, the SecuRemote message pops up that it lost connection to the firewall. Drop the PPTP VPN link and reconnect, and all is happy for another short and random time. I find that I can no longer even ping the external firewall address; however, during the operating PPTP session, the ping comes from the internal address.

Could this be a routing confusion problem, or the encryption domain being set wrong? If I do not encrypt the connection, PPTP works just fine. I assume the problem is that encryption is not being done on all the GRE packets. Should I just encrypt the initial TCP control connection and forget the GRE data? What are my options? I have too many addresses to NAT, and having a local address appear on the remote system saves a bunch of network changes (we have systems with access lists too). I really hate to just rely on the MS RAS security; for example, if under NT a user is given remote access by a LAN security manager, they gain PPTP access.

I would rather have the FW-1 perform some front-end validation; plus, the added 3DES encryption in addition to the MS PPTP encryption makes me feel better (I may not have reasons for concern, or maybe yes). I have also tried to encrypt only the TCP control channel and leave the GRE protocol unencrypted.

Thanks,
Warren Smith

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
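The post above rests on two distinct PPTP paths through the firewall: the control channel on TCP port 1723 and the data channel carried in GRE, which is IP protocol 47 and has no ports at all. As an added example (not code from the original post, from Warren Smith, or from Check Point), the following Python models a first-match rule base with those two rules in both directions and audits whether every flow of a PPTP session actually hits a rule. It also shows the classic mistake of defining GRE as TCP "port 47" rather than IP protocol 47, which silently sends the data channel to the cleanup drop. The addresses, rule names, rule layout and the `client_encrypt`/`accept` actions are assumptions made up for this illustration.

```python
"""Added example (not from the original post or from Check Point): a small
stateless rule matcher that models the two PPTP paths the post describes,
TCP/1723 for the control channel and IP protocol 47 (GRE) for the data
channel, and audits a rule base for a GRE rule written as a port instead of a
protocol, or for a missing reverse GRE rule.  Addresses, rule names and the
rule layout are assumptions made up for this illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_TCP = 6
PROTO_GRE = 47            # PPTP data channel is GRE, IP protocol 47 (RFC 2637)
PPTP_CONTROL_PORT = 1723  # PPTP control channel, TCP port 1723 (RFC 2637)

PPTP_SERVER = "192.0.2.10"      # assumed internal NT4 PPTP server (TEST-NET-1)
REMOTE_CLIENT = "198.51.100.7"  # assumed dial-up/DSL client (TEST-NET-2)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # None for protocols without ports, such as GRE


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # "any" or one address
    dst: str
    proto: int
    dport: Optional[int]     # None: match on the IP protocol only
    action: str              # "client_encrypt", "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        if self.src not in ("any", p.src):
            return False
        if self.dst not in ("any", p.dst):
            return False
        if self.proto != p.proto:
            return False
        # A rule that names a port can never match a GRE packet: GRE has none.
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def first_match(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, or the implicit
    cleanup drop, as a first-match rule base such as FW-1's behaves."""
    for r in rules:
        if r.matches(p):
            return r.name, r.action
    return "cleanup", "drop"


# Rule base as the post describes it: control and inbound GRE get client
# encryption; the reverse (outbound) GRE rule can only accept.
CORRECT_RULES = [
    Rule("pptp_control_in", "any", PPTP_SERVER, PROTO_TCP, PPTP_CONTROL_PORT, "client_encrypt"),
    Rule("gre_in",          "any", PPTP_SERVER, PROTO_GRE, None,              "client_encrypt"),
    Rule("gre_out",         PPTP_SERVER, "any", PROTO_GRE, None,              "accept"),
]

# Common mistake: GRE defined as TCP "port 47" rather than IP protocol 47,
# and no reverse rule at all.
MISTAKEN_RULES = [
    Rule("pptp_control_in", "any", PPTP_SERVER, PROTO_TCP, PPTP_CONTROL_PORT, "client_encrypt"),
    Rule("gre_in_wrong",    "any", PPTP_SERVER, PROTO_TCP, 47,                "client_encrypt"),
]

# Constructed packets for the three flows a PPTP session needs.
SESSION = {
    "control": Packet(REMOTE_CLIENT, PPTP_SERVER, PROTO_TCP, PPTP_CONTROL_PORT),
    "gre_in":  Packet(REMOTE_CLIENT, PPTP_SERVER, PROTO_GRE),
    "gre_out": Packet(PPTP_SERVER, REMOTE_CLIENT, PROTO_GRE),
}


def audit(rules: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """Map each flow of the session to the (rule, action) it hits."""
    return {flow: first_match(rules, pkt) for flow, pkt in SESSION.items()}


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_RULES), ("mistaken", MISTAKEN_RULES)):
        print(label)
        for flow, (rule, action) in audit(rules).items():
            print(f"  {flow:8s} -> {rule:16s} {action}")
```

With the correct rule base every flow lands on a named rule; with the mistaken one the control channel still connects (which is why a port-47 mistake is easy to miss) while both GRE directions fall through to the cleanup drop, and no data ever flows. The matcher is deliberately stateless, so it says nothing about the session timeouts the post describes; it only checks that the rule base covers both channels in both directions.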