RE: [FW1] IPSec in Transport mode or in Tunnel Mode - FOLLOWUP
Correct.

Dan Hitchcock
Security Analyst
Breakwater Security
[email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, February 14, 2001 5:27 PM
To: [email protected]
Subject: RE: [FW1] IPSec in Transport mode or in Tunnel Mode - FOLLOWUP

Please correct me if I'm wrong, but my understanding is that unencapsulated FWZ is an 'in-place' type of encryption, so it doesn't increase the size of the packet, as transport mode IPSEC does.

Slava.

-----Original Message-----
From: Daniel Hitchcock [mailto:[email protected]]
Sent: Wednesday, February 14, 2001 4:42 PM
To: 'Hartmann, Josef'; [email protected]
Subject: RE: [FW1] IPSec in Transport mode or in Tunnel Mode - FOLLOWUP

SecuRemote connections work over NATed connections using tunnel mode. Since transport mode would allow the original packet to be modified, you in fact MUST use tunnel mode (i.e. IKE or encapsulated FWZ) to allow SecuRemote to function through a NAT - transport will not work.

That being said, FW1 actually does support transport mode encryption (i.e. I was wrong) using unencapsulated FWZ. This provides no interoperability advantages, since FWZ is Checkpoint-proprietary, but...

If I am still in error, somebody please jump in and set me straight.

Dan Hitchcock
Security Analyst
Breakwater Security
[email protected]

-----Original Message-----
From: Hartmann, Josef [mailto:[email protected]]
Sent: Wednesday, February 14, 2001 9:10 AM
To: [email protected]
Subject: RE: [FW1] IPSec in Transport mode or in Tunnel Mode

Well, how do Checkpoint's SecuRemote connections work then over NATted connections?

> -----Original Message-----
> From: Daniel Hitchcock [SMTP:[email protected]]
> Sent: Wednesday, February 14, 2001 5:35 PM
> To: '[email protected]'; [email protected]
> Subject: RE: [FW1] IPSec in Transport mode or in Tunnel Mode
>
> No, transport mode is not supported. Check out
> http://www.checkpoint.com/products/vpn1/vpnwp.html (about 3/4 of the way
> down the page) for some diagrams and a description of the difference. In
> short, transport encrypts the data and leaves the IP header intact,
> whereas tunnel encrypts everything including the original IP header and
> re-creates the packet with a new IP header. Tunnel is the most preferable
> from a security standpoint. If you need transport mode, the best solution
> may be to terminate your VPN somewhere other than the firewall
> (parallel/inside/outside depending on your network design).
>
> HTH
>
> Dan Hitchcock
> Security Analyst
> Breakwater Security Associates
> [email protected]
>
> -----Original Message-----
> From: Martin WF Hui [mailto:[email protected]]
> Sent: Wednesday, February 14, 2001 7:08 AM
> To: [email protected]
> Subject: [FW1] IPSec in Transport mode or in Tunnel Mode
>
> Hi,
>
> Please tell me whether Checkpoint FW 4.1 can support IPSec in Transport
> Mode. What are the benefits of using Transport mode rather than Tunnel
> mode? Please also teach me how to build a Transport Mode IPSec Tunnel.
>
> Thanks a lot.
>
> Martin
>
> ==========================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ==========================================================================
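Dan's replies above say that transport mode leaves the IP header intact while tunnel mode hides the original packet behind a new header, and that a NAT in the path therefore needs tunnel mode. As an added illustration (not code from this thread or from Check Point), the toy Python model below shows the mechanism: the TCP checksum covers the IP addresses through its pseudo-header, so once a NAT rewrites the outer source address of a transport-mode packet the receiver's check fails, while a tunnel-mode packet's inner header is untouched. Everything here is constructed: the 8-byte 'IP header' holds only the two addresses, the XOR keystream stands in for ESP encryption, and the addresses and key are sample values.

```python
"""Toy model of why NAT breaks transport-mode IPsec but not tunnel mode (constructed)."""
import hashlib
import struct
from ipaddress import IPv4Address

def csum(data: bytes) -> int:
    """Internet checksum (RFC 1071): ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF
def ip_hdr(src: str, dst: str) -> bytes:
    """Simplified 8-byte IPv4 header: only the two addresses a NAT rewrites."""
    return IPv4Address(src).packed + IPv4Address(dst).packed
def tcp_csum(hdr: bytes, seg: bytes) -> int:
    """TCP checksum covers the pseudo-header (src, dst, zero, proto 6, length) + segment."""
    return csum(hdr[:8] + struct.pack("!BBH", 0, 6, len(seg)) + seg)
def tcp_segment(hdr: bytes, sport: int, dport: int, data: bytes) -> bytes:
    seg = struct.pack("!HHIIHHHH", sport, dport, 1, 0, 0x5018, 8192, 0, 0) + data
    return seg[:16] + struct.pack("!H", tcp_csum(hdr, seg)) + seg[18:]
def tcp_ok(hdr: bytes, seg: bytes) -> bool:  # receiver check: folds to zero if intact
    return tcp_csum(hdr, seg) == 0
def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for ESP encryption (NOT real ESP): XOR with a SHA-256 keystream."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, ks))
def transport(key, hdr, seg):  # original IP header in the clear, TCP segment encrypted
    return hdr + xor_stream(key, seg)
def tunnel(key, outer, hdr, seg):  # whole original packet encrypted behind a new header
    return outer + xor_stream(key, hdr + seg)
def nat(pkt: bytes, new_src: str) -> bytes:  # rewrites outer src; payload is opaque to it
    return IPv4Address(new_src).packed + pkt[4:]
def receive(key, pkt, mode) -> bool:
    plain = xor_stream(key, pkt[8:])
    if mode == "transport":
        return tcp_ok(pkt[:8], plain)  # verified against the outer (possibly NATed) header
    return tcp_ok(plain[:8], plain[8:])  # verified against the preserved inner header
def demo() -> dict:
    key, hdr = b"constructed-key", ip_hdr("10.0.0.5", "192.0.2.10")
    seg = tcp_segment(hdr, 1025, 80, b"GET / HTTP/1.0\r\n\r\n")
    t = transport(key, hdr, seg)
    u = tunnel(key, ip_hdr("10.0.0.5", "192.0.2.1"), hdr, seg)
    return {"transport_direct": receive(key, t, "transport"),
            "transport_via_nat": receive(key, nat(t, "198.51.100.7"), "transport"),
            "tunnel_via_nat": receive(key, nat(u, "198.51.100.7"), "tunnel"),
            "tunnel_extra_bytes": len(u) - len(t)}  # the extra inner IP header
```

demo() returns the four results; with a real 20-byte IPv4 header the tunnel-mode overhead would be 20 bytes rather than the 8 shown here, and real ESP adds its own header and trailer in both modes.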