Re: [FW-1] Securemote and DNS
Hi all
I've got this:
so the dnsinfo.c information has been downloaded correctly to my securemote
pc, but even so, when I try to contact an internal machine the envelope
icon opens and closes but in the end it does not work.
(
    :options (
        :default_key_scheme (fwz)
        :active_resolver (true)
        :silent_topo_update (false)
        :dtm_logout_timeout (20)
        :resolver_ttl (0)
        :resolver_session_interval (0)
        :use_entelligence (true)
        :fwm_encrypt (false)
        :manual_slan_control (true)
        :encrypt_db (false)
        :gettopo_port (264)
        :force_udp_encapsulation (true)
        :no_clear_tables (false)
        :disable_stateful_dhcp (false)
        :allow_clear_in_enc_domain (false)
        :use_ext_auth_msg (true)
        :use_ext_logo_bitmap (true)
        :pwd_erase_on_time_change (false)
        :enable_kill (true)
        :sdl_max_wait (-1)
        :slan_enabled (true)
        :pwd_type (true)
        :support_tcp_ike (true)
        :no_policy (false)
        :dnsinfo (
            :encrypt_dns (true)
            :dns_servers (
                : (name.fw
                    :obj (
                        : (x.x.x.x)
                    )
                    :topology (
                        : (
                            :ipaddr (x.x.x.x)
                            :ipmask (x.x.x.x)
                            :ipaddr (x.x.x.x)
                            :ipmask (x.x.x.x)
                        )
                    )
                    :domain (
                        : (
                            :dns_label_count (4)
                            :domain (.sema.es)
                        )
                    )
                )
            )
            :encrypt_dns (true)
So I don't really understand this odd behaviour. The next thing I'm gonna do
is add those two old lines to check whether it works, but that poses the
problem that when you update the site, the userc.C gets overwritten.
Why is this software so lame?
I had Altavista tunnel in the past and it worked like heaven. But they were
bought by Compaq and the product was obsoleted...
Thanks to all for your help
At 09:10 23/10/2001 +0200, Joe Potak wrote:
The two lines you reference in your post are no longer required since I
think 4.1 something. I read that the function is superseded by the line
shown in the included partial userc.C file. See the Active_resolver (true)
(
    :options (
        :default_key_scheme (isakmp)
        :active_resolver (true)
        :silent_topo_update (false)
Hope this helps!
-----Original Message-----
From: Aeon Hale [mailto:[email protected]]
Sent: Monday, 22 October 2001 22:16
To: [email protected]
Subject: Re: [FW-1] Securemote and DNS
This is what my userc.c file looks like (dnsinfo part):
:dnsinfo (
    :dns_servers (
        : (nameserver.firewallname
            :obj (
                : (xxx.xxx.xxx.xxx)
            )
            :topology (
                : (
                    :ipaddr (xxx.xxx.xxx.xxx)
                    :ipmask (255.xxx.xxx.xxx)
                )
            )
            :domain (
                : (
                    :dns_label_count (4)
                    :domain (.yourdomain.com)
                )
            )
        )
    )
    :encrypt_dns (true)
Do you see this in yours?
-----Original Message-----
From: Jesus Calvo Hernandez [mailto:[email protected]]
Sent: Monday, October 22, 2001 3:29 PM
To: [email protected]
Subject: Re: [FW-1] Securemote and DNS
Hi Aeon and all the rest
watching userc.C the line
encrypt_dns (true)
has been downloaded
I don't know if this is correct because in the document from checkpoint
states that must appear also
dns_xlate (true)
and it is written reversed: dns_encrypt (true)
so what is what it should say anyway?
thanks a lot for your help
best regards
At 14:51 22/10/2001 -0400, Aeon Hale wrote:
>Check your userc.c file and make sure that you pulled down the
>information from the dnsinfo.c file. I have this setup with FWZ and it
>seems to work. It used to work with IKE, but my IKE broke and I don't
>know why...and I'm fed up trying to figure it out.
>
>-----Original Message-----
>From: Jesus Calvo Hernandez [mailto:[email protected]]
>Sent: Monday, October 22, 2001 1:41 PM
>To: [email protected]
>Subject: Re: [FW-1] Securemote and DNS
>
>
>Hi Phil
>
>I've just made a lot of unsuccessful tests:
>
>fw 1 v 4.1 sp4
>securemote 4.1 build 4185 (the latest from checkpoint web)
>
>added:
>
>:encrypt_dns (true)
>
>both in the management station and the gateway itself
>
>rebooted both machines
>
>configured the ppp adapter of the securemote machine so that the dns
>configuration is:
>
> the internal dns in first place and the isp dns in second place
>
>but dns never works; if I connect to the internal machines using their ip
>addresses it's ok, but with their names it does not work
>
>in both cases the envelope on the right bottom keeps opening and closing,
>so there's encrypted traffic, but nevertheless it does not work using names
>instead of ip addresses
>
>the only thing I can think of is that I'm using fwz encryption (with udp
>encapsulation checked) instead of IKE; my firewall does not admit IKE, I
>don't know why, but suppose it's a licence problem.
>
>thanks for all and best regards
>
>I'll keep struggling with this
>
>At 10:40 22/10/2001 +0100, you wrote:
>
> >Hi Jesus.
> >
> >We are using v4.1 SP2 and SP3, Secure Remote 4.1 SP3
> >The following needs to be entered into dnsinfo.C
> >
> >:encrypt_dns (true) (note NOT dns_encrypt)!!!!!
> >
> >This will then be downloaded from management station.........
> >
> >We do not have any reference to dns_xlate on our firewall.
> >
> >Phil
> >
 > >"Jesus Calvo Hernandez" <jesus.calvo@sema.es>
 > >To: [email protected]
 > >cc:
 > >Subject: Re: Securemote and DNS
 > >22/10/2001 09:39
 > >
 > >Hi Phil
 > >
 > >I've followed the instructions on the document from Checkpoint: Firewall-1
 > >Version 4.0, Securemote Split/encrypted DNS quick reference guide revision
 > >1.4 and it says that you must modify both dnsinfo.C and the userc.C file;
 > >I've done both things, and concretely the securemote Client part is:
 > >
 > >add under the :options section:
 > >
 > >:dns_xlate(true)
 > >:dns_encrypt(true)
 > >
 > >these two lines go away when you update the site, and dns encrypted stops
 > >working :(
 > >
 > >Perhaps I've done anything wrong?
 > >
 > >any suggestion would be greatly appreciated, I'm on a dead end street.
 > >
 > >
 > >Best regards
 > >
 > >Jesus Calvo
> >
> >At 08:39 22/10/2001 +0100, [email protected] wrote:
 > > >Hi Jesus,
 > > >
 > > >You should not be having that problem.
 > > >The dnsinfo should be kept on the firewall, NOT manually added to userc.C.
 > > >The site update within secure remote will download the dnsinfo along with
 > > >the topology.
 > > >there are plenty of articles around describing how to create a
 > > >$FWDIR/conf/dnsinfo.C file.
 > > >
 > > >Phil
 > > >
 > > > > The only problem I've faced with dns encryption (this dns split stuff)
 > > > > is that the userc.C file gets overwritten every time you update the site
 > > > > (because you have added new machines to the encryption domain and need
 > > > > to update the site).
 > > > >
 > > > > From that moment on, the lines added to the userc.C file for split dns
 > > > > to work are lost, so your dns encryption does not work any longer and
 > > > > that is very annoying to say the least.
> >
> >Jesus Calvo
> >SchlumbergerSema Spain
> >Albarracin 25
> >28037-Madrid
> >
> >------------------------------------------------------------------
 > >This email is confidential and intended solely for the use of the
 > >individual to whom it is addressed. Any views or opinions presented are
 > >solely those of the author and do not necessarily represent those of
 > >SchlumbergerSema.
 > >If you are not the intended recipient, be advised that you have received
 > >this email in error and that any use, dissemination, forwarding, printing,
 > >or copying of this email is strictly prohibited.
> >------------------------------------------------------------------
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================
Jesus Calvo
SchlumbergerSema Spain
Albarracin 25
28037-Madrid
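
Added example, not part of the original thread and not Check Point code: a small Python check that parses the parenthesised userc.C layout quoted above and reports whether the split-DNS settings discussed in the thread are present after a site update. The sample file, its names and addresses, and the placement of :dnsinfo beside :options are constructed assumptions.

```python
import re

# Constructed sample in the thread's layout; names, addresses and nesting are assumptions.
SAMPLE = """
(
  :options ( :default_key_scheme (fwz) :active_resolver (true) )
  :dnsinfo (
    :dns_servers ( : (ns.fw
      :obj ( : (192.0.2.53) )
      :topology ( : ( :ipaddr (192.0.2.0) :ipmask (255.255.255.0) ) )
      :domain ( : ( :dns_label_count (4) :domain (.example.com) ) )
    ) )
    :encrypt_dns (true)
  )
)
"""

TOKEN = re.compile(r"[()]|[^\s()]+")

def parse(text):
    """Turn the parenthesised layout into nested lists of atoms."""
    stack, cur = [], []
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append(cur)
            cur = []
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            done, cur = cur, stack.pop()
            cur.append(done)
        else:
            cur.append(tok)
    if stack:
        raise ValueError("unclosed '(' (file truncated?)")
    return cur

def find(tree, key):
    """Yield every value list that follows ':key', at any depth."""
    for i, item in enumerate(tree):
        if item == ":" + key and i + 1 < len(tree) and isinstance(tree[i + 1], list):
            yield tree[i + 1]
        if isinstance(item, list):
            yield from find(item, key)

def check_split_dns(text):
    """Return the problems found in a userc.C text; an empty list means OK."""
    tree = parse(text)
    dnsinfo = list(find(tree, "dnsinfo"))
    if not dnsinfo:
        return ["no :dnsinfo block was downloaded from the gateway"]
    problems = []
    if ["true"] not in list(find(tree, "encrypt_dns")):
        problems.append(":encrypt_dns (true) is missing")
    if not list(find(dnsinfo[0], "domain")):
        problems.append(":dnsinfo lists no :domain entries")
    problems += [f":{old} was added by hand and is lost on site update"
                 for old in ("dns_xlate", "dns_encrypt") if list(find(tree, old))]
    return problems
```

Running check_split_dns on the client's userc.C before and after a site update shows whether the gateway's dnsinfo.C was delivered or whether the client still depends on hand-edited lines.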