
Re: [FW-1] Problem with enabling UDP Encryption for SecuRemote



At 11:58 AM 1/24/2002, Shawn Kearley wrote:
I am attempting to configure UDP encapsulation for SecuRemote...

Hi Shawn,


Something similar happened to one of my customers recently.  It's my
opinion that "local interface address spoofing" is erroneously
listed.  Call it instead a symptom that the encryption service is not
communicating well with the firewall service.  This is probably a
configuration error.

Check to make sure that the SecuRemote rule specifies the destination, not
just "Any".

In your edited objects.C file, make sure that the :active (true) tag was
added inside the parentheses for the :isakmp.udpencapsulation section.  The
Phoneboy FAQ isn't 100% clear on this.

If worst comes to worst, CheckPoint support is pretty good at walking you
through a clean set up for SecuRemote.  You might also want to consider
upgrading to a more recent FW-1 service pack, although I doubt it will
solve this particular problem.

Regards,
-Jim MacLeod

At 11:58 AM 1/24/2002, you wrote:
I am attempting to configure UDP encapsulation for SecuRemote as specified
in the PhoneBoy FAQ, to try and get a vendor VPN connection working from
within their network and am experiencing a problem that I hope someone here
can help with.

After modifying objects.C as specified in the document, and sending a new
userc.c file to the vendor, when he connects to our network, I see the
successful authentication, and an initial Decrypt packet for the connection
he is attempting; however he is still unable to connect to the internal
resource on our network.

When I look in the Firewall logs I see the following packet:

                Action: Drop
                Service: VPN1_IPSEC_encapsulation
                Source: my firewall's internal Interface
                Destination: Vendor's Internet address
                Protocol: UDP
                Rule: 0
                Info: reason: local interface address spoofing

I have tested the VPN connection from an ADSL router connected directly to
the Internet and did not experience any VPN problems.  I do not have any
anti-spoofing rules enabled on any of the Firewall's Interfaces, (All
interfaces allow ANY addresses.)

Any ideas on why this may be happening, and what, if anything, I may be able
to do to correct this?

I am running FW1 4.1-SP4 on WinNT 4.0 sp 6a

Thanks
Shawn




======================================
Shawn Kearley
Infrastructure Analyst
Newfoundland Power Co. Ltd.
Phone: Fax: Email: [email protected]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================


Jim MacLeod
Independent FireWall-1 and network security consultant
[email protected]

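Jim's advice on the objects.C edit boils down to one check: the :active (true) tag has to sit inside the :isakmp.udpencapsulation section, not next to it. The script below is an added example, not code from either poster or from Check Point: it parses the paren-nested ":key (value)" layout of objects.C into a dict and reports whether the tag landed in the right section. The two sample objects are constructed for illustration, and the surrounding keys are assumptions about a simplified gateway object.

```python
import re

# Constructed samples in the style of an FW-1 objects.C gateway object.
# Only the two key names from the thread are taken from the page; the
# ipaddr key and the RFC 5737 address are assumptions for illustration.
SAMPLE_OK = """
:gateway-1 (
    :ipaddr (192.0.2.1)
    :isakmp.udpencapsulation (
        :active (true)
    )
)
"""

# Same object, but :active (true) was pasted after the closing paren.
SAMPLE_BAD = """
:gateway-1 (
    :ipaddr (192.0.2.1)
    :isakmp.udpencapsulation (
    )
    :active (true)
)
"""

TOKEN = re.compile(r'\(|\)|[^\s()]+')

def parse(text):
    """Parse ':key (value)' / ':key ( ...children... )' into nested dicts.
    Leaf values are single tokens; multi-word values are not handled."""
    tokens = TOKEN.findall(text)
    pos = 0

    def node():
        nonlocal pos
        if tokens[pos] != '(':
            raise ValueError('expected "(" at token %d' % pos)
        pos += 1
        if tokens[pos] != ')' and not tokens[pos].startswith(':'):
            value = tokens[pos]          # leaf: value followed by ')'
            pos += 2
            return value
        children = {}
        while tokens[pos] != ')':        # nested section: ':key (...)' pairs
            key = tokens[pos].lstrip(':')
            pos += 1
            children[key] = node()
        pos += 1                         # consume the closing ')'
        return children

    result = {}
    while pos < len(tokens):
        key = tokens[pos].lstrip(':')
        pos += 1
        result[key] = node()
    return result

def udp_encap_enabled(objects, gateway):
    """True only if :active (true) is nested inside :isakmp.udpencapsulation."""
    section = objects.get(gateway, {}).get('isakmp.udpencapsulation')
    return isinstance(section, dict) and section.get('active') == 'true'
```

Run it against your own objects.C by reading the file into `parse()` and passing the gateway object's name; a misplaced tag shows up as `False` even though the section exists.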
