
Re: [FW-1] Force FW1 to fragment encrypted packets on Solaris



On Wed, Dec 26, 2001 at 09:53:57AM -0800, Yim Lee wrote:
> Running 4.1 SP5 on Solaris 2.6
>
> Having problem with SecuRemote establishment, my
> support vendor suggested the following fix:
>
> 1. Open the file /etc/system with a text editor
> 2. Add the following line at the end of the file:
> set fw:fw_ipsec_dont_fragment = 0x0
> 3. Reboot the machine
>
> This will force FireWall-1 to fragment encrypted
> packets on Solaris.
>
> Is there any security risk in doing this?

        No, all the (fragmented) packets are encrypted - there's
        just more of them. Not a security problem.

        You may see a performance hit though since the Solaris box
        will need to do packet re-assembly to get the data. This is
        usually expensive in terms of CPU.

        I wonder why your support said this - I'd run a sniffer
        and see if your packets are exceeding the 1500 byte limit
        with the DF (Don't Fragment) flag set. Also check
        www.phoneboy.com if you haven't already.

                                        alan
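
The sniffer check suggested in the reply above, as an added example that is not part of the original thread: it decodes the IPv4 header of captured packets and reports DF-flagged packets that would exceed the 1500-byte limit, fragments, and ICMP "fragmentation needed" replies. The function names, the constructed sample packets and the 56-byte encryption overhead are assumptions for illustration, not Check Point figures.

```python
import struct

MTU = 1500  # the Ethernet limit named in the reply

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields that matter for fragmentation."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    hdr = {
        "total_len": total_len,
        "df": bool(flags_frag & 0x4000),          # Don't Fragment
        "mf": bool(flags_frag & 0x2000),          # More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "proto": pkt[9],
    }
    # ICMP type 3 code 4: "fragmentation needed and DF set"
    hdr["frag_needed"] = (hdr["proto"] == 1 and hdr["frag_offset"] == 0
                          and len(pkt) >= ihl + 2
                          and pkt[ihl] == 3 and pkt[ihl + 1] == 4)
    return hdr

def classify(pkt: bytes, overhead: int = 0, mtu: int = MTU) -> str:
    """overhead = bytes the encryption layer would add (caller's assumption)."""
    h = parse_ipv4(pkt)
    if h["frag_needed"]:
        return "icmp-frag-needed"
    if h["mf"] or h["frag_offset"]:
        return "fragment"
    if h["df"] and h["total_len"] + overhead > mtu:
        return "df-too-big"
    return "ok"

def sample(total_len, flags_frag, proto, payload=b""):
    """Constructed test header (checksum 0, addresses 10.0.0.1 -> 10.0.0.2)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]),
                       bytes([10, 0, 0, 2])) + payload

if __name__ == "__main__":
    full_df = sample(1500, 0x4000, 6)                 # full-size TCP, DF set
    print(classify(full_df))                          # fits as cleartext
    print(classify(full_df, overhead=56))             # 56 is an assumed figure
    print(classify(sample(1500, 0x2000, 17)))         # first fragment
    print(classify(sample(56, 0, 1, bytes([3, 4]))))  # ICMP type 3 code 4
```

A steady count of "df-too-big" or "icmp-frag-needed" results on the clear-text side of the gateway indicates the DF/MTU condition the reply describes; "fragment" results on the encrypted side show the reassembly load it mentions.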




 
   All contents © 2004 Network Presence, LLC. All rights reserved.