[FW1] FW-1 SecuRemote/OneWayEncryption



Hi all,

I'm not sure if this is really a problem:
My setup is:
server (2.2.2.254) ---- (2.2.2.1) CP_FW-1 (10.1.22.1) ---- (10.1.22.100) SR-Client

The server is just a normal server, nothing special.
The SR-Client has properly downloaded its security policy; after authentication it
gets the error message:
>You are using an inappropriate policy.
>Load a new policy from your Policy Server.
The FW-1 has the following rule:
Users@Any | Server | Any | ClientEncrypt | Long
Implied rules for FW-1 communications and ICMP are active.
Encryption domain is the net 2.2.2.0/24, with FWZ & encapsulation.

If I then try to connect to my server (either ping or e.g. ftp), I get the
returning packets un-encrypted and un-encapsulated.

A ping from the SR-Client to 2.2.2.254 doesn't receive an answer.
Firewall-log:
[...] decrypt | SR-Client  | 2.2.2.254 | icmp | 1 | | Username [...]
Sniffer-log:
Proto  Desc                                              Source    Dest      Type
UDP    Src Port: Unknown, (259); Dst Port: Unknown (259) SR-Client CP_FW-1   IP
UDP    Src Port: Unknown, (259); Dst Port: Unknown (259) CP_FW-1   SR-Client IP
UDP    Src Port: Unknown, (259); Dst Port: Unknown (259) SR-Client CP_FW-1   IP
UDP    Src Port: Unknown, (259); Dst Port: Unknown (259) CP_FW-1   SR-Client IP
UDP    Src Port: Unknown, (259); Dst Port: Unknown (259) SR-Client CP_FW-1   IP
IP     ID = 0x6600; Proto = 0x5E; Len: 65                SR-Client CP_FW-1   IP
IP     ID = 0x6600; Proto = 0x5E; Len: 65                SR-Client CP_FW-1   IP
ICMP   Echo Reply: To 10.01.22.100 From 02.02.02.254     2.2.2.254 SR-Client IP
IP     ID = 0x7200; Proto = 0x5E; Len: 65                SR-Client CP_FW-1   IP
IP     ID = 0x7200; Proto = 0x5E; Len: 65                SR-Client CP_FW-1   IP
ICMP   Echo Reply: To 10.01.22.100 From 02.02.02.254     2.2.2.254 SR-Client IP
(The first four entries are the authentication process)

Is this normal behavior due to the "inappropriate policy", and
how do I fix the policy?

Best Regards,
Patrick Lottifw
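
The pattern in the sniffer log above (encapsulated packets from the client, plain ICMP replies coming back) can be checked mechanically. The following is an added example, not part of the original post; it assumes that UDP port 259 is the key-exchange traffic and IP protocol 0x5E the encapsulated traffic, and the function names are hypothetical.

```python
import ipaddress
import re

# Sniffer rows taken from the post above (repeated rows trimmed).
SNIFFER_LOG = """\
UDP    Src Port: Unknown, (259); Dst Port: Unknown (259) SR-Client CP_FW-1   IP
IP     ID = 0x6600; Proto = 0x5E; Len: 65                SR-Client CP_FW-1   IP
ICMP   Echo Reply: To 10.01.22.100 From 02.02.02.254     2.2.2.254 SR-Client IP
IP     ID = 0x7200; Proto = 0x5E; Len: 65                SR-Client CP_FW-1   IP
ICMP   Echo Reply: To 10.01.22.100 From 02.02.02.254     2.2.2.254 SR-Client IP
"""

ENC_DOMAIN = ipaddress.ip_network("2.2.2.0/24")  # encryption domain from the post
CLIENT = "SR-Client"
# Assumptions of this example, not statements from the post:
KEY_EXCHANGE_PORT = 259  # UDP traffic the post labels the authentication process
ENCAP_PROTO = 0x5E       # IP protocol of the client's encapsulated packets

def parse(line):
    """Split one sniffer row into (proto, description, source, destination)."""
    tok = line.split()
    return tok[0], " ".join(tok[1:-3]), tok[-3], tok[-2]

def classify(proto, desc):
    if proto == "UDP" and f"({KEY_EXCHANGE_PORT})" in desc:
        return "key-exchange"
    m = re.search(r"Proto = (0x[0-9A-Fa-f]+)", desc)
    if proto == "IP" and m and int(m.group(1), 16) == ENCAP_PROTO:
        return "encapsulated"
    return "cleartext"  # anything else is readable on the wire

def in_domain(host):
    try:
        return ipaddress.ip_address(host) in ENC_DOMAIN
    except ValueError:  # symbolic names such as CP_FW-1
        return False

def one_way_findings(log):
    """Cleartext rows from the encryption domain to the client, seen after
    the client has started sending encapsulated traffic."""
    seen_encap, findings = False, []
    for line in filter(str.strip, log.splitlines()):
        proto, desc, src, dst = parse(line)
        kind = classify(proto, desc)
        if kind == "encapsulated" and src == CLIENT:
            seen_encap = True
        elif kind == "cleartext" and seen_encap and dst == CLIENT and in_domain(src):
            findings.append((src, dst, desc))
    return findings
```

Each tuple returned by one_way_findings() is a reply that left the encryption domain without passing back through the encapsulation, which is the one-way behavior described in the post.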



   All contents © 2004 Network Presence, LLC. All rights reserved.