Re: [FW-1] SecureRemote2VPN-1



Hi,
the steps for SecuRemote are
- Get and install the license for VPN-1, SecuRemote and/or Secure Client
- Install the SecuRemote/Secure Client Software on PC

- Define Users and a User Group in GUI
- Check Properties of VPN-1 (Desktop rules if Secure Client, disable
"unauthenticated topology download"...)
- Check Network Object "firewall" for VPN definition, correct Encryption
Domain and "Exportable"
- Make a rule like
  usergroup@any  internal-net  needed-services  ClientEncrypt  longLog
  Don't check ClientEncrypt-Props- "Apply rule only..." when using SecuRemote
and not Secure Client
- If properties are modified, make a rule before the stealth-rule
  any  firewall  IKE,AH,ESP  accept  long
- For the download of the topo, you might also need a (temporary) rule like
  any  firewall FW1_topo,FW1_key accept long
- Install rulebase

- In SecuRemote define Firewall, connect, authenticate and download the topo
- Give it a first try...

Do you have a license for Secure Client? If not, delete the definition of the
Policy Server. If there are problems, maybe the log has some entries (see also
system log).
Another problem might be a missing rule before the Stealth-Rule: You will not
only have to accept IKE (500/udp), but also the Internet Protocols 50 and 51 -
pre-defined as AH and ESP. For the download you will need also to accept
264/tcp and 265/tcp.
Maybe it helps if you define a clean-up rule also - for logging.
Try defining the site after the modifications at the FW, it should work.
BTW: SecuRemote doesn't encrypt if its own IP address is in the Encryption
Domain of the FW.
Hope it helps,
best regards,
Matthias
http://www.fw-1.de
--
AERAsec Network Services and Security GmbH
Wagenberger Straße 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
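
The rule-ordering point in the message above (IKE, AH, ESP and the topology services have to be accepted before the stealth rule), as an added example that is not part of the original post: a Python check over a simplified text rulebase. The five-column text layout, the function names and the sample rulebase are assumptions constructed for illustration, not a Check Point export format.

```python
# Added example. Service names come from the message; the five-column text
# layout and the sample rulebase are constructed for illustration.
REQUIRED = {"IKE", "AH", "ESP"}      # 500/udp plus IP protocols 50 and 51
TOPOLOGY = {"FW1_topo", "FW1_key"}   # 264/tcp and 265/tcp

SAMPLE_RULEBASE = """\
any            firewall      IKE,AH,ESP         accept         long
any            firewall      FW1_topo,FW1_key   accept         long
any            firewall      any                drop           long
usergroup@any  internal-net  needed-services    ClientEncrypt  long
any            any           any                drop           long
"""

def parse_rulebase(text):
    """Parse 'source destination services action track' lines into dicts."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        src, dst, services, action, _track = fields
        rules.append({"src": src, "dst": dst, "action": action,
                      "services": set(services.split(","))})
    return rules

def accepted_before_stealth(rules):
    """Services accepted to the firewall object before the stealth rule."""
    accepted = set()
    for rule in rules:
        if rule["dst"] != "firewall":
            continue
        if rule["action"] in ("drop", "reject") and "any" in rule["services"]:
            break  # stealth rule reached: later accepts never match
        if rule["action"] == "accept":
            accepted |= rule["services"]
    return accepted

def audit(text):
    """Return findings for VPN services not accepted ahead of the stealth rule."""
    accepted = accepted_before_stealth(parse_rulebase(text))
    if "any" in accepted:
        return []
    findings = []
    for label, needed in (("IKE/IPsec", REQUIRED), ("topology download", TOPOLOGY)):
        missing = sorted(needed - accepted)
        if missing:
            findings.append(f"{label} not accepted before stealth rule: {','.join(missing)}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_RULEBASE) or "all SecuRemote services accepted before stealth rule")
```

Since the message calls the FW1_topo/FW1_key rule temporary, a topology finding is expected once that rule has been removed after the client has downloaded the topology.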

   All contents © 2004 Network Presence, LLC. All rights reserved.