Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW-1] SecuRemote Session Timeout for IPSEC (using CAPI)

To: [email protected]
Subject: [FW-1] SecuRemote Session Timeout for IPSEC (using CAPI)
From: Tan Teik Guan <[email protected]>
Date: Sat, 12 Jan 2002 12:32:22 +0800
Organization: Data Security Systems Solutions
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

hi all,

    I've managed to setup SecuRemote VPN1 NG working through an OPSEC PKI.
The authentication at the client side is using USB Minikeys from AR which
provides the CAPI interface to the SecuRemote.

    During my testing, I have 2 observations which I hope someone can
advise:

1)    When the secure IPSEC connection is established, and I'm running 2
telnet and 1 ftp sessions, the SecuRemote icon in my notebook (Win98) shows
that it is "idle", instead of the regular envelop opening/closing action.
This is obviously not true as the logs on the VPN1 gateway clearly shows
that the connections are "decrypt".

2)    More importantly, when I removed the USB Minikey token (which contains
the IPSEC privatekey and certificate), the secure connections still persist.
I've changed all the timeouts (Client Authentication, IKE negotiation, IPSEC
negotiation) on the gateway to 5 minutes, but after 30 minutes, my secure
connections still persist.  In fact, I can even open new secure connections
to the servers protected by the VPN1.  The only way to stop the connection
is to "Erase password" on the SecuRemote, which forces me to re-insert my
token, in order to proceed with the authenticated session.  Is there some
parameter I can set for the SecuRemote to check that the token is still
inserted, and kill the connections if otherwise ?

    Thanks.

regards,
Teik

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Prev by Date: [FW-1] IPSO 3.4.1. on Nokia 650s with CP 4.1 SP5/
Next by Date: [FW-1] FW GUI under WINE??? was Re: [FW-1] Is there a GUI for Redhat 6.2
Previous by thread: Re: [FW-1] IPSO 3.4.1. on Nokia 650s with CP 4.1 SP5/
Next by thread: [FW-1] New Linksys VPN
Index(es):
- Date
- Thread