
Re: [FW-1] Securemote and DNS



Hi Phil

I've just made a lot of unsuccessful tests:

fw 1 v 4.1 sp4
securemote 4.1 build 4185 (the latest from checkpoint web)

added:

:encrypt_dns (true)

both in the management station and the gateway itself

rebooted both machines

configured the ppp adapter of the securemote machine so that the dns
configuration is:

the internal dns in first place and the isp dns in second place

but dns never works; if I connect to the internal machines using their ip
addresses it's ok, but with their names it does not work

in both cases the envelope on the right bottom keeps opening and closing,
so there's encrypted traffic, but nevertheless it does not work using names
instead of ip addresses

the only thing I can think of is that I'm using fwz encryption (with udp
encapsulation checked) instead of IKE; my firewall does not admit IKE, I
don't know why, but suppose it's a licence problem.

thanks for all and best regards

I'll keep struggling with this







At 10:40 22/10/2001 +0100, you wrote:

Hi Jesus.

We are using v4.1 SP2 and SP3, Secure Remote 4.1 SP3
The following needs to be entered into dnsinfo.C

:encrypt_dns (true) (note NOT dns_encrypt)!!!!!

This will then be downloaded from management station.........

We do not have any reference to dns_xlate on our firewall.

Phil





From:    "Jesus Calvo Hernandez" <jesus.calvo@sema.es>
Date:    22/10/2001 09:39
To:      [email protected]
cc:
Subject: Re: Securemote and DNS








Hi Phil

I've followed the instructions on the document from Checkpoint: Firewall-1
Version 4.0, Securemote Split/encrypted DNS quick reference guide revision
1.4 and it says that you must modify both dnsinfo.C and the userc.C file;
I've done both things, and concretely the securemote Client part is:

add under the :options section:

:dns_xlate(true)
:dns_encrypt(true)

these two lines go away when you update the site, and dns encrypted stops
working :(

Perhaps I've done something wrong?

any suggestion would be greatly appreciated, I'm on a dead end street.


Best regards


Jesus Calvo

At 08:39 22/10/2001 +0100, [email protected] wrote:
>Hi Jesus,
>
>You should not be having that problem.
>The dnsinfo should be kept on the firewall, NOT manually added to userc.C.
>The site update within secure remote will download the dnsinfo along with
>the topology.
>there are plenty of articles around describing how to create a
>$FWDIR/conf/dnsinfo.C file.
>
>Phil
>
> > The only problem I've faced with dns encryption (this dns split stuff)
> > is that the userc.C file gets overwritten every time you update the site
> > (because you have added new machines to the encryption domain and need
> > to update the site).
> >
> > From that moment on, the lines added to the userc.C file for split dns
> > to work are lost, so your dns encryption does not work any longer and
> > that is very annoying to say the least.

Jesus Calvo
SchlumbergerSema Spain
Albarracin 25
28037-Madrid

------------------------------------------------------------------
This email is confidential and intended solely for the use of the
individual to whom it is addressed. Any views or opinions presented are
solely those of the author and do not necessarily represent those of
SchlumbergerSema.
If you are not the intended recipient, be advised that you have received
this email in error and that any use, dissemination, forwarding, printing,
or copying of this email is strictly prohibited.
------------------------------------------------------------------

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
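
Added example (not part of the original thread and not Check Point code): a small check for the three points raised above, namely the `encrypt_dns` / `dns_encrypt` name mix-up in dnsinfo.C and the manual userc.C entries that the poster reports losing on site update. The file contents below are constructed samples and the function names are hypothetical.

```python
import re

# Matches one ":name (value)" attribute per line, with or without a space
# before the parenthesis (both spellings appear in the thread).
ATTR = re.compile(
    r"^[ \t]*:(\w+)[ \t]*\([ \t]*([^()\s]*)[ \t]*\)[ \t]*$", re.MULTILINE
)


def attrs(text):
    """Return {name: value} for every single-valued attribute line."""
    return {name: value.lower() for name, value in ATTR.findall(text)}


def check(dnsinfo_text, userc_text):
    """Return findings for the two files discussed in the thread."""
    findings = []
    dnsinfo, userc = attrs(dnsinfo_text), attrs(userc_text)
    # Per Phil's reply, the firewall-side file carries ":encrypt_dns (true)".
    if dnsinfo.get("encrypt_dns") != "true":
        findings.append("dnsinfo.C: ':encrypt_dns (true)' is missing")
    # The transposed name is the mistake Phil warns about.
    if "dns_encrypt" in dnsinfo:
        findings.append("dnsinfo.C: 'dns_encrypt' present, expected 'encrypt_dns'")
    # Per Jesus's report, manual client-side entries vanish on site update.
    for name in ("dns_xlate", "dns_encrypt"):
        if name in userc:
            findings.append(f"userc.C: manual ':{name}' entry will be overwritten")
    return findings


# Constructed sample contents (not taken from a real installation).
SAMPLE_DNSINFO_OK = ":encrypt_dns (true)\n"
SAMPLE_DNSINFO_BAD = ":dns_encrypt (true)\n"
SAMPLE_USERC = ":options (\n\t:dns_xlate(true)\n\t:dns_encrypt(true)\n)\n"

if __name__ == "__main__":
    for finding in check(SAMPLE_DNSINFO_BAD, SAMPLE_USERC):
        print(finding)
```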



 