
Re: [FW-1] SecuRemote - encryption never works after successful authent



Is the SR client on a private IP address (behind some sort of NAT device)?

Have you followed the steps to enable UDP encapsulation?
(If you installed SP4 directly this will already have been done for you,
however if you upgraded from a previous version that might not be the
case).

How do you have IKE configured? Any additional information that you can
provide may help.

-Don

On Thu, 17 Jan 2002, Frits Heemstra wrote:

> Hi all,
>
> I ran into the following problem with SecuRemote: after a successful
> authentication, IKE encryption doesn't work.
>
> The SecuRemote client has to access a webserver in the trusted LAN with a
> private space IP address (172.16.0.10). The webserver has its default gateway
> pointing to the firewall's trusted interface and is also in the same subnet as
> the firewall.
> On top of the rulebase we defined a rule:   SR-users@anywhere  to
> Encrypt-domain    action=Client-Encrypt
> When the SecuRemote client tries to access the webserver, a packet with service
> "VPN1_IPSEC_encapsulation" appears in the log, but nothing gets
> encrypted/decrypted and the connection at the SR client times out.
>
> We use CPfw1-41 SP4 VPN STRONG + SecuRemote 4.1 SP-5 build 4199 for Win2000
>
> a piece of the log:
>  9:04:09 authcrypt pampus-ext >daemon src trust-cybercomm user xx rule 0
> reason Client Encryption: Authenticated by Pre-shared secret scheme: IKE
> methods: 3DES,IKE,SHA1
>  9:04:09 keyinst pampus-ext >daemon src trust-cybercomm dst pampus-ext IKE Log:
> Phase 1 (aggressive) completion. 3DES/SHA1/Pre shared secrets Negotiation Id:
> fd82d44c787bb689-198ef53997de25ab
>  9:04:09 keyinst pampus-ext >daemon proto ip src trust-cybercomm dst pampus-ext
> srckeyid 0xad8856ad dstkeyid 0xb30a13fa rule 0 scheme: IKE methods: Combined
> ESP: 3DES + SHA1 (phase 2 completion) for host: xxx.xxx.xx.xxx and for subnet:
> 0.0.0.0 (mask= 0.0.0.0)
>  9:04:10 accept   pampus-ext >rtl80291 proto udp src trust-cybercomm dst
> pampus-ext service VPN1_IPSEC_encapsulation s_port VPN1_IPSEC_encapsulation len
> 112 rule 10
>
> (trust-cybercomm = SecuRemote client hostname)
> (pampus-ext = External interface of the firewall)
>
> Does anyone have tips on how to configure the rulebase or routing for this?
> Does anyone have an idea how to solve this problem?
>
> Regards,
>
> Frits Heemstra
> IRM
> Tel. +31 6 26 216 451
>
>
> -----------------------------------------------------------------
> ATTENTION:
> The information in this electronic mail message is private and
> confidential, and only intended for the addressee. Should you
> receive this message by mistake, you are hereby notified that
> any disclosure, reproduction, distribution or use of this
> message is strictly prohibited. Please inform the sender by
> reply transmission and delete the message without copying or
> opening it.
>
> Messages and attachments are scanned for all viruses known.
> If this message contains password-protected attachments, the
> files have NOT been scanned for viruses by the ING mail domain.
> Always scan attachments before opening them.
> -----------------------------------------------------------------
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>
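Triage of the log excerpt quoted above, as an added example that is not code from the original post, from Check Point, or from Network Presence: it parses the four FW-1 log lines Frits posted (rejoined from the wrapped quote) and reports the furthest stage the SecuRemote tunnel reached, which is the distinction Don's questions turn on. In the posted log, authentication, IKE Phase 1 and Phase 2 all complete and UDP-encapsulated packets are accepted, so the failure is after key installation rather than in authentication. The "decrypt" action name, the single constructed healthy-case log line, and the suggested next checks other than Don's NAT / UDP-encapsulation question are assumptions, not from the page.

```python
import re

# Log lines quoted from the post above (each wrapped line rejoined onto one line).
POST_LOG = """\
 9:04:09 authcrypt pampus-ext >daemon src trust-cybercomm user xx rule 0 reason Client Encryption: Authenticated by Pre-shared secret scheme: IKE methods: 3DES,IKE,SHA1
 9:04:09 keyinst pampus-ext >daemon src trust-cybercomm dst pampus-ext IKE Log: Phase 1 (aggressive) completion. 3DES/SHA1/Pre shared secrets Negotiation Id: fd82d44c787bb689-198ef53997de25ab
 9:04:09 keyinst pampus-ext >daemon proto ip src trust-cybercomm dst pampus-ext srckeyid 0xad8856ad dstkeyid 0xb30a13fa rule 0 scheme: IKE methods: Combined ESP: 3DES + SHA1 (phase 2 completion) for host: xxx.xxx.xx.xxx and for subnet: 0.0.0.0 (mask= 0.0.0.0)
 9:04:10 accept   pampus-ext >rtl80291 proto udp src trust-cybercomm dst pampus-ext service VPN1_IPSEC_encapsulation s_port VPN1_IPSEC_encapsulation len 112 rule 10
"""

# Constructed line, NOT from the post: what a working tunnel would be expected to
# log once an encapsulated packet is decrypted and forwarded to the web server.
# The action name "decrypt" is an assumption about the FW-1 4.1 text log format.
CONSTRUCTED_DECRYPT = (
    " 9:04:10 decrypt  pampus-ext >rtl80291 proto tcp src trust-cybercomm "
    "dst 172.16.0.10 service http s_port 1035 len 48 rule 1\n"
)

# time, action, origin, direction marker + interface, then the free-form remainder
LINE_RE = re.compile(
    r"^(?P<time>\d+:\d+:\d+)\s+(?P<action>\S+)\s+(?P<origin>\S+)\s+"
    r"(?P<dir>[<>])(?P<iface>\S+)\s+(?P<rest>.*)$"
)


def parse(log_text):
    """Split a FW-1 text log export into dicts; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def tunnel_stage(records, client):
    """Return a short tag for how far the named SecuRemote client's tunnel got."""
    recs = [r for r in records if f"src {client}" in r["rest"]]

    def rest(r):
        return r["rest"].lower()

    authenticated = any(r["action"] == "authcrypt" and "authenticated" in rest(r) for r in recs)
    phase1 = any(r["action"] == "keyinst" and "phase 1" in rest(r) and "completion" in rest(r) for r in recs)
    phase2 = any(r["action"] == "keyinst" and "phase 2 completion" in rest(r) for r in recs)
    encapsulated = any(r["action"] == "accept" and "vpn1_ipsec_encapsulation" in rest(r) for r in recs)
    decrypted = any(r["action"] == "decrypt" for r in recs)

    if not authenticated:
        return "auth-failed"
    if not phase1:
        return "phase1-failed"
    if not phase2:
        return "phase2-failed"
    if not encapsulated:
        return "no-encapsulated-traffic"
    if not decrypted:
        return "encapsulated-not-decrypted"
    return "ok"


# Suggested next check per stage. The "encapsulated-not-decrypted" entry is Don's
# point from the reply above; the others are general IKE troubleshooting hints
# assumed here, not taken from the page.
DIAGNOSIS = {
    "auth-failed": "user authentication failed: check the user, scheme and pre-shared secret",
    "phase1-failed": "IKE Phase 1 did not complete: check IKE proposals and the shared secret",
    "phase2-failed": "IKE Phase 2 did not complete: check the encryption domain and IPSec proposals",
    "no-encapsulated-traffic": "keys installed but no encapsulated packets arrived: client-side routing",
    "encapsulated-not-decrypted": "UDP-encapsulated packets accepted but never decrypted: "
                                  "check UDP encapsulation setup and NAT in front of the client",
    "ok": "tunnel is carrying decrypted traffic",
}


def diagnose(log_text, client):
    stage = tunnel_stage(parse(log_text), client)
    return stage, DIAGNOSIS[stage]


if __name__ == "__main__":
    for label, text in (("post", POST_LOG), ("post+constructed", POST_LOG + CONSTRUCTED_DECRYPT)):
        print(label, *diagnose(text, "trust-cybercomm"))
```

Run it as-is and the posted log classifies as "encapsulated-not-decrypted"; append the constructed decrypt line and it classifies as "ok". The parser keys on the action column and substring matches in the remainder, so it also works on larger exports where several clients are interleaved, filtering by the client hostname as it appears in the src field.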
   All contents © 2004 Network Presence, LLC. All rights reserved.