
Re: [FW-1] Securemote and DNS


  • To: [email protected]
  • Subject: Re: [FW-1] Securemote and DNS
  • From: Aeon Hale <[email protected]>
  • Date: Mon, 22 Oct 2001 14:51:18 -0400
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcFbKeGTkYs6daIoQoWlNgQLVr47cQAAF6ow
  • Thread-topic: Re: [FW-1] Securemote and DNS

Check your userc.c file and make sure that you pulled down the
information from the dnsinfo.c file.  I have this set up with FWZ and it
seems to work.  It used to work with IKE, but my IKE broke and I don't
know why...and I'm fed up trying to figure it out.

-----Original Message-----
From: Jesus Calvo Hernandez [mailto:[email protected]]
Sent: Monday, October 22, 2001 1:41 PM
To: [email protected]
Subject: Re: [FW-1] Securemote and DNS


Hi Phil

I've just made a lot of unsuccessful tests:

fw 1 v 4.1 sp4
securemote 4.1 build 4185 (the latest from checkpoint web)

added:

:encrypt_dns (true)

both in the management station and the gateway itself

rebooted both machines

configured the ppp adapter of the securemote machine so that the dns
configuration is:

  the internal dns in first place and the isp dns in second place

but dns never works; if I connect to the internal machines using their
ip addresses it's ok, but with their names it does not work

in both cases the envelope on the right bottom keeps opening and closing,
so there's encrypted traffic, but nevertheless it does not work using
names instead of ip addresses

the only thing I can think of is that I'm using fwz encryption (with udp
encapsulation checked) instead of IKE; my firewall does not admit IKE, I
don't know why, but suppose it's a licence problem.

thanks for all and best regards

I'll keep struggling with this

At 10:40 22/10/2001 +0100, you wrote:

>Hi Jesus.
>
>We are using v4.1 SP2 and SP3, Secure Remote 4.1 SP3
>The following needs to be entered into dnsinfo.C
>
>:encrypt_dns (true) (note NOT dns_encrypt)!!!!!
>
>This will then be downloaded from management station.........
>
>We do not have any reference to dns_xlate on our firewall.
>
>Phil
>
>"Jesus Calvo Hernandez" <jesus.calvo@sema.es>
>22/10/2001 09:39
>
>To: [email protected]
>cc:
>Subject: Re: Securemote and DNS
>
>Hi Phil
>
>I've followed the instructions on the document from Checkpoint:
>Firewall-1 Version 4.0, Securemote Split/encrypted DNS quick reference
>guide revision 1.4 and it says that you must modify both dnsinfo.C and
>the userc.C file; I've done both things, and concretely the securemote
>Client part is:
>
>add under the :options section:
>
>:dns_xlate(true)
>:dns_encrypt(true)
>
>these two lines go away when you update the site, and dns encrypted
>stops working :(
>
>Perhaps I've done something wrong?
>
>any suggestion would be greatly appreciated, I'm on a dead end street.
>
>
>Best regards
>
>Jesus Calvo
>
>At 08:39 22/10/2001 +0100, [email protected] wrote:
> >Hi Jesus,
> >
> >You should not be having that problem.
> >The dnsinfo should be kept on the firewall, NOT manually added to
> >userc.C.
> >The site update within secure remote will download the dnsinfo along
> >with the topology.
> >There are plenty of articles around describing how to create a
> >$FWDIR/conf/dnsinfo.C file.
> >
> >Phil
> >
> > > The only problem I've faced with dns encryption (this dns split
> > > stuff) is that the userc.C file gets overwritten every time you
> > > update the site (because you have added new machines to the
> > > encryption domain and need to update the site).
> > >
> > > From that moment on, the lines added to the userc.C file for split
> > > dns to work are lost, so your dns encryption does not work any
> > > longer and that is very annoying to say the least.
>
>Jesus Calvo
>SchlumbergerSema Spain
>Albarracin 25
>28037-Madrid
>
>------------------------------------------------------------------
>This email is confidential and intended solely for the use of the
>individual to whom it is addressed. Any views or opinions presented are
>solely those of the author and do not necessarily represent those of
>SchlumbergerSema.
>If you are not the intended recipient, be advised that you have
>received this email in error and that any use, dissemination,
>forwarding, printing, or copying of this email is strictly prohibited.
>------------------------------------------------------------------

Jesus Calvo
SchlumbergerSema Spain
Albarracin 25
28037-Madrid


===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
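
Added example (not part of the original thread, and not Check Point code): a Python check for the advice at the top of this message, reporting whether a client's userc.C text carries `:encrypt_dns (true)` or only the hand-added `:dns_xlate` / `:dns_encrypt` lines that the thread says are lost on site update. It assumes only the `:name (value)` syntax visible in the thread; the function names and both sample files are constructed.

```python
import re

# Tokens of the ":name (value)" syntax seen in the thread's snippets.
# Quoted values containing spaces or parentheses are not handled.
TOKEN = re.compile(r":(?P<key>[\w.-]*)\s*\(|(?P<open>\()|(?P<close>\))|(?P<atom>[^\s()]+)")

def parse_settings(text):
    """Return {dotted.path: value} for every ':key (value)' leaf in text."""
    settings, stack, atoms = {}, [], []
    for m in TOKEN.finditer(text):
        if m.group("key") is not None or m.group("open"):
            stack.append(m.group("key") or "")   # unnamed "(" or ": (" -> ""
            atoms = []
        elif m.group("atom"):
            atoms.append(m.group("atom"))
        else:                                     # ")" closes a leaf or a section
            if atoms and stack:
                settings[".".join(k for k in stack if k)] = " ".join(atoms)
            atoms = []
            if stack:
                stack.pop()
    return settings

def audit_split_dns(text):
    """Report the split-DNS keys named in the thread."""
    found = parse_settings(text)
    leaf = lambda path: path.rsplit(".", 1)[-1]
    return {
        # Key Phil says is entered in dnsinfo.C and downloaded on site update.
        "encrypt_dns": any(leaf(p) == "encrypt_dns" and v == "true"
                           for p, v in found.items()),
        # Keys Jesus added by hand; he reports they vanish on site update.
        "hand_edits": sorted(p for p in found
                             if leaf(p) in ("dns_encrypt", "dns_xlate")),
    }

# Constructed samples (layout is illustrative, not copied from a real client).
HAND_EDITED = """(
    :options (
        :dns_xlate(true)
        :dns_encrypt(true)
    )
)"""
AFTER_SITE_UPDATE = """(
    :options (
    )
    :encrypt_dns (true)
)"""

if __name__ == "__main__":
    for name, text in (("hand-edited", HAND_EDITED), ("after update", AFTER_SITE_UPDATE)):
        print(name, audit_split_dns(text))
```
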
