[FW1] FW-1 SecuRemote/OneWayEncryption
Hi all,

I'm not sure if this is really a problem. My setup is:

server (2.2.2.254) ---- (2.2.2.1) CP_FW-1 (10.1.22.1) ---- (10.1.22.100) SR-Client

The server is just a normal server, nothing special. The SR-Client has properly downloaded its security policy; after authentication it gets the error message:

>You are using an inappropriate policy.
>Load a new policy from your Policy Server.

The FW-1 has the following rule:

Users@Any | Server | Any | ClientEncrypt | Long

Implied rules for FW-1 communications and ICMP are active. Encryption domain is the net 2.2.2.0/24, with FWZ & encapsulation.

If I then try to connect to my server (either ping or e.g. ftp), I get the returning packets un-encrypted and un-encapsulated. A ping from the SR-Client to 2.2.2.254 doesn't receive an answer.

Firewall-log:

[...] decrypt | SR-Client | 2.2.2.254 | icmp | 1 | | Username [...]

Sniffer-log:

Proto  Desc                                                Source     Dest       Type
UDP    Src Port: Unknown, (259); Dst Port: Unknown (259)   SR-Client  CP_FW-1    IP
UDP    Src Port: Unknown, (259); Dst Port: Unknown (259)   CP_FW-1    SR-Client  IP
UDP    Src Port: Unknown, (259); Dst Port: Unknown (259)   SR-Client  CP_FW-1    IP
UDP    Src Port: Unknown, (259); Dst Port: Unknown (259)   CP_FW-1    SR-Client  IP
UDP    Src Port: Unknown, (259); Dst Port: Unknown (259)   SR-Client  CP_FW-1    IP
IP     ID = 0x6600; Proto = 0x5E; Len: 65                  SR-Client  CP_FW-1    IP
IP     ID = 0x6600; Proto = 0x5E; Len: 65                  SR-Client  CP_FW-1    IP
ICMP   Echo Reply: To 10.01.22.100 From 02.02.02.254       2.2.2.254  SR-Client  IP
IP     ID = 0x7200; Proto = 0x5E; Len: 65                  SR-Client  CP_FW-1    IP
IP     ID = 0x7200; Proto = 0x5E; Len: 65                  SR-Client  CP_FW-1    IP
ICMP   Echo Reply: To 10.01.22.100 From 02.02.02.254       2.2.2.254  SR-Client  IP

(The first four entries are the authentication process)

Is this normal behavior due to the "inappropriate policy", and how do I fix the policy?

Best Regards,
Patrick Lottifw
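An added example, not part of the original post: a small check that reads a capture summary like the sniffer log above and flags the one-way condition described, where the client's packets leave encapsulated but replies from the encryption domain arrive in the clear. The tuple layout and the function names are hypothetical; treating protocol 0x5E as the encapsulated traffic and UDP port 259 as the negotiation follows the post's log, and the sample rows are constructed from it.

```python
import ipaddress
from collections import Counter

ENCAP_PROTO = 0x5E      # IP protocol number on the client's encapsulated packets in the post
NEGOTIATION_PORT = 259  # UDP port of the exchange the post calls the authentication process

# Constructed rows modelled on the post's sniffer log: (ip_proto, src, dst, udp_port)
CAPTURE = [
    (17, "10.1.22.100", "10.1.22.1", 259),
    (17, "10.1.22.1", "10.1.22.100", 259),
    (0x5E, "10.1.22.100", "10.1.22.1", None),
    (0x5E, "10.1.22.100", "10.1.22.1", None),
    (1, "2.2.2.254", "10.1.22.100", None),
]


def classify(row, client, gateway, enc_domain):
    """Label one packet by its role on the client-to-gateway leg."""
    proto, src, dst, port = row
    net = ipaddress.ip_network(enc_domain)
    if proto == 17 and port == NEGOTIATION_PORT and {src, dst} == {client, gateway}:
        return "negotiation"
    if proto == ENCAP_PROTO and (src, dst) == (client, gateway):
        return "encapsulated_out"
    if proto == ENCAP_PROTO and (src, dst) == (gateway, client):
        return "encapsulated_in"
    # Inner addresses visible on the wire mean the packet was not encapsulated.
    if dst == client and ipaddress.ip_address(src) in net:
        return "cleartext_in"
    if src == client and ipaddress.ip_address(dst) in net:
        return "cleartext_out"
    return "other"


def check_one_way(capture, client, gateway, enc_domain):
    """Return (counts, flagged); flagged means only the outbound leg is protected."""
    counts = Counter(classify(r, client, gateway, enc_domain) for r in capture)
    flagged = (counts["encapsulated_out"] > 0
               and counts["cleartext_in"] > 0
               and counts["encapsulated_in"] == 0)
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = check_one_way(CAPTURE, "10.1.22.100", "10.1.22.1", "2.2.2.0/24")
    print(dict(counts), "one-way encryption:", flagged)
```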