
Re: [FW-1] Securemote and DNS


  • To: [email protected]
  • Subject: Re: [FW-1] Securemote and DNS
  • From: Aeon Hale <[email protected]>
  • Date: Mon, 22 Oct 2001 16:15:54 -0400
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcFbM11KCm2xx5frQ02yHhmXDfnVYQAArbew
  • Thread-topic: Re: [FW-1] Securemote and DNS

This is what my userc.c file looks like (dnsinfo part):

:dnsinfo (
        :dns_servers (
                : (nameserver.firewallname
                        :obj (
                                : (..xxx.xxx)
                        )
                        :topology (
                                : (
                                        :ipaddr (xxx.xxx.xxx.xxx)
                                        :ipmask (255.xxx.xxx.xxx)
                                )
                        )
                        :domain (
                                : (
                                        :dns_label_count (4)
                                        :domain (.yourdomain.com)
                                )
                        )
                )
        )
        :encrypt_dns (true)

Do you see this in yours?



-----Original Message-----
From: Jesus Calvo Hernandez [mailto:[email protected]]
Sent: Monday, October 22, 2001 3:29 PM
To: [email protected]
Subject: Re: [FW-1] Securemote and DNS


Hi Aeon and all the rest

Looking at userc.C, the line

encrypt_dns (true)

has been downloaded.

I don't know if this is correct, because the document from Checkpoint
states that this must also appear:

dns_xlate (true)

and it is written reversed: dns_encrypt (true)

So what should it say anyway?

thanks a lot for your help

best regards





At 14:51 22/10/2001 -0400, Aeon Hale wrote:
>Check your userc.c file and make sure that you pulled down the
>information from the dnsinfo.c file.  I have this set up with FWZ and it
>seems to work.  It used to work with IKE, but my IKE broke and I don't
>know why...and I'm fed up trying to figure it out.
>
>-----Original Message-----
>From: Jesus Calvo Hernandez [mailto:[email protected]]
>Sent: Monday, October 22, 2001 1:41 PM
>To: [email protected]
>Subject: Re: [FW-1] Securemote and DNS
>
>
>Hi Phil
>
>I've just made a lot of unsuccessful tests:
>
>fw 1 v 4.1 sp4
>securemote 4.1 build 4185 (the latest from checkpoint web)
>
>added:
>
>:encrypt_dns (true)
>
>both in the management station and the gateway itself
>
>rebooted both machines
>
>configured the ppp adapter of the securemote machine so that the dns
>configuration is:
>
>   the internal dns in first place and the isp dns in second place
>
>but dns never works; if I connect to the internal machines using their ip
>addresses it's ok, but with their names it does not work
>
>in both cases the envelope on the right bottom keeps opening and closing,
>so there's encrypted traffic, but nevertheless it does not work using names
>instead of ip addresses
>
>the only thing I can think of is that I'm using fwz encryption (with udp
>encapsulation checked) instead of IKE; my firewall does not admit IKE, I
>don't know why, but suppose it's a licence problem.
>
>thanks for all and best regards
>
>I'll keep struggling with this
>
>
>
>
>
>
>
>At 10:40 22/10/2001 +0100, you wrote:
>
> >Hi Jesus.
> >
> >We are using v4.1 SP2 and SP3, Secure Remote 4.1 SP3
> >The following needs to be entered into dnsinfo.C
> >
> >:encrypt_dns (true) (note NOT dns_encrypt)!!!!!
> >
> >This will then be downloaded from management station.........
> >
> >We do not have any reference to dns_xlate on our firewall.
> >
> >Phil
> >
> >"Jesus Calvo Hernandez" <jesus.calvo@sema.es>
> >22/10/2001 09:39
> >To: [email protected]
> >cc:
> >Subject: Re: Securemote and DNS
> >
> >Hi Phil
> >
> >I've followed the instructions in the document from Checkpoint: Firewall-1
> >Version 4.0, Securemote Split/encrypted DNS quick reference guide revision
> >1.4, and it says that you must modify both dnsinfo.C and the userc.C file;
> >I've done both things, and concretely the securemote Client part is:
> >
> >add under the :options section:
> >
> >:dns_xlate(true)
> >:dns_encrypt(true)
> >
> >these two lines go away when you update the site, and dns encryption stops
> >working :(
> >
> >Perhaps I've done something wrong?
> >
> >any suggestion would be greatly appreciated, I'm on a dead end street.
> >
> >
> >Best regards
> >
> >Jesus Calvo
> >
> >At 08:39 22/10/2001 +0100, [email protected] wrote:
> > >Hi Jesus,
> > >
> > >You should not be having that problem.
> > >The dnsinfo should be kept on the firewall, NOT manually added to userc.C.
> > >The site update within secure remote will download the dnsinfo along with
> > >the topology.
> > >There are plenty of articles around describing how to create a
> > >$FWDIR/conf/dnsinfo.C file.
> > >
> > >Phil
> > >
> > > > The only problem I've faced with dns encryption (this dns split stuff)
> > > > is that the userc.C file gets overwritten every time you update the site
> > > > (because you have added new machines to the encryption domain and need
> > > > to update the site).
> > > >
> > > > From that moment on, the lines added to the userc.C file for split dns
> > > > to work are lost, so your dns encryption does not work any longer and
> > > > that is very annoying to say the least.
> >
> >Jesus Calvo
> >SchlumbergerSema Spain
> >Albarracin 25
> >28037-Madrid
> >
> >------------------------------------------------------------------
> >This email is confidential and intended solely for the use of the
> >individual to whom it is addressed. Any views or opinions presented are
> >solely those of the author and do not necessarily represent those of
> >SchlumbergerSema.
> >If you are not the intended recipient, be advised that you have received
> >this email in error and that any use, dissemination, forwarding, printing,
> >or copying of this email is strictly prohibited.
> >------------------------------------------------------------------
>
>Jesus Calvo
>SchlumbergerSema Spain
>Albarracin 25
>28037-Madrid
>
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================
>

Jesus Calvo
SchlumbergerSema Spain
Albarracin 25
28037-Madrid
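
A check one could run against the client's userc.C after a site update, to confirm that the dnsinfo section discussed in this thread was actually pulled down and that the key is spelled the way the working setups spell it. This is an added example, not part of the original messages and not Check Point code; the parser assumes only the `:key (value)` syntax visible in the excerpt above, and the sample host names and addresses are constructed.

```python
import re

TOKEN = re.compile(r"[()]|[^\s()]+")

def flatten(text):
    """Flatten ':key (value)' sets into (path, value) pairs; '*' marks an unnamed ': (' entry."""
    stack, leaves, pending = [], [], "*"
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append(pending)
            pending = "*"
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            stack.pop()
        elif tok.startswith(":"):
            pending = tok[1:] or "*"          # a bare ':' opens an unnamed entry
        else:
            leaves.append(("/".join(stack), tok))
    if stack:
        raise ValueError("unclosed '(' under " + "/".join(stack))
    return leaves

def check_split_dns(userc_text):
    """Return a list of problems with the split-DNS settings; an empty list means none found."""
    leaves = flatten(userc_text)
    keys = {path.rsplit("/", 1)[-1]: value for path, value in leaves}
    problems = []
    if not any("dnsinfo" in path.split("/") for path, _ in leaves):
        problems.append("no :dnsinfo section (not downloaded with the topology)")
    if keys.get("encrypt_dns") != "true":
        problems.append(":encrypt_dns (true) is missing")
    if "dns_encrypt" in keys:
        problems.append(":dns_encrypt present; the key that works in this thread is :encrypt_dns")
    if not any(path.endswith("domain/*/domain") for path, _ in leaves):
        problems.append("no :domain suffix listed for any DNS server")
    return problems

# Constructed sample: same shape as the excerpt in the message, placeholder values.
GOOD = """:dnsinfo ( :dns_servers ( : (ns.fw :obj ( : (ns.example.test) )
  :topology ( : ( :ipaddr (192.0.2.0) :ipmask (255.255.255.0) ) )
  :domain ( : ( :dns_label_count (4) :domain (.yourdomain.com) ) ) ) )
  :encrypt_dns (true) )"""
# Constructed sample: only the hand-added :options lines, no downloaded dnsinfo.
BAD = ":options ( :dns_xlate(true) :dns_encrypt(true) )"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_split_dns(text) or "ok")
```

The excerpt as pasted in the message stops before the closing parenthesis of :dnsinfo, so the check should be run on the complete file; a truncated file is reported as a `ValueError` rather than silently accepted.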
