Re: [FW-1] AW: [FW-1] security hole isakmp

hello again,

On Fri, 3 May 2002, Jochen Vogel wrote:

> 09:33:26.858000 scanner.57345 > firewall.isakmp: udp 0
> 09:33:26.876045 firewall > scanner: icmp: firewall udp port isakmp unreachable

I've done some patches and testing and this is not the behavior I see on my gateway. I'm not getting any ICMP port unreachables. Can you check a few things:

1. are you running VPN-1? check to see if there is an isakmpd process
2. do you allow IKE negotiations (view -> implied rules)

Here are the tcpdump traces. First, to a port that we know is closed:

    09:27:38.765316 192.168.3.6.44244 > 192.168.3.14.501: udp 0
    09:27:38.766373 192.168.3.14 > 192.168.3.6: icmp: 192.168.3.14 udp port 501 unreachable (DF)

Next, to udp/500 without a patch (no unreachable sent):

    09:27:49.895781 192.168.3.6.58072 > 192.168.3.14.500: [len=0] isakmp v0.0 exchange NONE commit

Finally, to udp/500 with a patched sport=500:

    10:10:14.091036 192.168.3.6.500 > 192.168.3.14.500: [len=0] isakmp v0.0 exchange 255 (unknown) encrypted commit

I have a patch to nmap to force a sport of udp/500 when dport is udp/500 if anybody wants it. If the RFC requires this, I'll probably submit it to fyodor.

- brett
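To compare traces like the ones above from your own gateway, the following added script (not part of this thread or of Check Point's tooling) pairs each UDP probe in a tcpdump 3.x-style capture with any later ICMP port-unreachable from the target, so a port that answers is reported as closed and a silent one only as open|filtered. The sample lines are constructed after the shapes quoted in the thread; the service-name map and field names are assumptions of this example.

```python
import re

# Constructed sample, following the tcpdump line shapes quoted in the thread.
TRACE = (
    "09:27:38.765316 192.168.3.6.44244 > 192.168.3.14.501: udp 0\n"
    "09:27:38.766373 192.168.3.14 > 192.168.3.6: icmp: 192.168.3.14 udp port 501 unreachable (DF)\n"
    "09:27:49.895781 192.168.3.6.58072 > 192.168.3.14.500: [len=0] isakmp v0.0 exchange NONE commit\n"
    "10:10:14.091036 192.168.3.6.500 > 192.168.3.14.500: [len=0] isakmp v0.0 exchange 255 (unknown) encrypted commit\n"
)

# Hosts and ports may be printed as names (scanner.isakmp) or numbers (192.168.3.14.500).
# The lookahead keeps ICMP lines from being mistaken for probes.
PROBE_RE = re.compile(r"^(\S+) (\S+)\.(\w+) > (\S+)\.(\w+): (?!icmp)(.*)$")
UNREACH_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: \S+ udp port (\w+) unreachable")
PORT_NAMES = {"isakmp": 500}  # assumed map for the service names seen in the thread


def port_number(text):
    """Turn '500' or 'isakmp' into 500; unknown names are returned unchanged."""
    return int(text) if text.isdigit() else PORT_NAMES.get(text, text)


def classify_udp_probes(trace):
    """Return one dict per UDP probe with its state: 'closed' if the target sent
    'udp port N unreachable', else 'open|filtered' (all a silent datagram tells you)."""
    probes = []
    for line in trace.splitlines():
        m = PROBE_RE.match(line)
        if m:
            ts, src, sport, dst, dport, payload = m.groups()
            probes.append({
                "time": ts, "src": src, "sport": port_number(sport),
                "dst": dst, "dport": port_number(dport),
                # tcpdump decodes any datagram to port 500 as ISAKMP, even at len=0
                "decoded_as": "isakmp" if "isakmp" in payload else "udp",
                "state": "open|filtered",
            })
            continue
        m = UNREACH_RE.match(line)
        if m:
            ts, src, dst, port = m.groups()
            # The ICMP error travels from the probed host back to the prober.
            for p in reversed(probes):
                if ((p["dst"], p["src"], p["dport"]) == (src, dst, port_number(port))
                        and p["state"] == "open|filtered"):
                    p["state"] = "closed"
                    break
    return probes


if __name__ == "__main__":
    for p in classify_udp_probes(TRACE):
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['decoded_as']:7} {p['state']}")
```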