
Re: [FW-1] AW: [FW-1] security hole isakmp



hello again,

On Fri, 3 May 2002, Jochen Vogel wrote:

> 09:33:26.858000 scanner.57345 > firewall.isakmp: udp 0
> 09:33:26.876045 firewall > scanner: icmp: firewall udp port isakmp unreachable

I've done some patches and testing, and this is not the behavior I see on
my gateway.

I'm not getting any ICMP port unreachables. Can you check a few things:

1. Are you running VPN-1? Check to see if there is an isakmpd process.

2. Do you allow IKE negotiations (view -> implied rules)?


Here are the tcpdump traces:

First, to a port that we know is closed:

  09:27:38.765316 192.168.3.6.44244 > 192.168.3.14.501:  udp 0
  09:27:38.766373 192.168.3.14 > 192.168.3.6: icmp: 192.168.3.14 udp port 501 unreachable (DF)

Next, to udp/500 without a patch (no unreachable sent):

  09:27:49.895781 192.168.3.6.58072 > 192.168.3.14.500:  [len=0] isakmp v0.0 exchange NONE commit

Finally, to udp/500 with a patched sport=500:

  10:10:14.091036 192.168.3.6.500 > 192.168.3.14.500:  [len=0] isakmp v0.0 exchange 255 (unknown) encrypted commit

I have a patch to nmap to force a sport of udp/500 when dport is udp/500,
if anybody wants it. If the RFC requires this, I'll probably submit it to
Fyodor.


- brett

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
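The three traces in the message are the raw material behind nmap's UDP port states: an ICMP port unreachable means "closed", silence means "open|filtered", and only a UDP reply from the probed port means "open". The following is an added example, not code from this thread or from nmap: a small Python parser that reads tcpdump lines in the two formats seen above (numeric and named endpoints, ICMP unreachable lines) and labels each probed port the way nmap would, recording which source ports were tried. The trace strings are constructed for the example, the line showing the gateway answering from udp/500 is hypothetical (the post shows no such reply), and the service-name table is an assumption covering only the names needed here.

```python
import re

# Assumption: tcpdump prints these service names instead of port numbers;
# extend the table if your trace uses others.
SERVICE_PORTS = {"isakmp": 500, "domain": 53, "snmp": 161}

# Constructed trace modelled on the three captures in the post
# (wrapped lines joined back together).
SAMPLE_TRACE = """\
09:27:38.765316 192.168.3.6.44244 > 192.168.3.14.501:  udp 0
09:27:38.766373 192.168.3.14 > 192.168.3.6: icmp: 192.168.3.14 udp port 501 unreachable (DF)
09:27:49.895781 192.168.3.6.58072 > 192.168.3.14.500:  [len=0] isakmp v0.0 exchange NONE commit
10:10:14.091036 192.168.3.6.500 > 192.168.3.14.500:  [len=0] isakmp v0.0 exchange 255 (unknown) encrypted commit
"""

# Constructed trace in the named-endpoint style of the quoted report.
NAMED_PORT_TRACE = """\
09:33:26.858000 scanner.57345 > firewall.isakmp: udp 0
09:33:26.876045 firewall > scanner: icmp: firewall udp port isakmp unreachable
"""

# Hypothetical trace: the gateway answers from udp/500 (not observed in the post).
ANSWERED_TRACE = """\
10:10:14.091036 192.168.3.6.500 > 192.168.3.14.500:  [len=0] isakmp v0.0 exchange 255 (unknown) encrypted commit
10:10:14.092000 192.168.3.14.500 > 192.168.3.6.500: isakmp v1.0 exchange ID_PROT
"""

# A UDP datagram: "<ts> <src>.<sport> > <dst>.<dport>: udp ..." or an ISAKMP decode.
PROBE_RE = re.compile(r"^\S+ (\S+) > (\S+):\s+(?:udp\b|(?:\[len=\d+\] )?isakmp\b)")
# An ICMP port unreachable naming the UDP port that was rejected.
ICMP_RE = re.compile(r"^\S+ (\S+) > (\S+): icmp: \S+ udp port (\S+) unreachable")


def port_number(token):
    """Turn a numeric port or a tcpdump service name into an integer port."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' (host may itself contain dots) into (host, port)."""
    host, _, port = endpoint.rpartition(".")
    return host, port_number(port)


def classify_udp_probes(trace, scanner):
    """Label every port probed by `scanner` as closed, open or open|filtered.

    Returns {dport: (state, sorted list of source ports used for that dport)}.
    """
    probes = {}          # dport -> set of source ports the scanner used
    unreachable = set()  # dports for which an ICMP port unreachable came back
    replies = set()      # dports from which the target sent a UDP datagram
    for line in trace.splitlines():
        m = ICMP_RE.match(line)
        if m:
            unreachable.add(port_number(m.group(3)))
            continue
        m = PROBE_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m.group(1))
        dst, dport = split_endpoint(m.group(2))
        if src == scanner:
            probes.setdefault(dport, set()).add(sport)
        elif dst == scanner:
            # The target spoke back: its source port is the port we probed.
            replies.add(sport)

    result = {}
    for dport, sports in probes.items():
        if dport in unreachable:
            state = "closed"           # ICMP port unreachable: nothing listening
        elif dport in replies:
            state = "open"             # a UDP reply is the only positive proof
        else:
            state = "open|filtered"    # silence: listening, or dropped by a filter
        result[dport] = (state, sorted(sports))
    return result


if __name__ == "__main__":
    for name, trace, scanner in (("post", SAMPLE_TRACE, "192.168.3.6"),
                                 ("named", NAMED_PORT_TRACE, "scanner"),
                                 ("answered", ANSWERED_TRACE, "192.168.3.6")):
        print(name, classify_udp_probes(trace, scanner))
```

Run against the first trace this reports udp/501 as closed and udp/500 as open|filtered from both source ports, which is exactly the ambiguity the source-port-500 patch is trying to resolve: without an ICMP error or a reply, a scanner cannot tell a listening IKE daemon from a rule that silently drops the probe.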
   All contents © 2004 Network Presence, LLC. All rights reserved.