Re: [FW1] SecuRemote IPIP problem
Hi,
we have a similar (perhaps the same) problem.
We have a Cisco 7500 with ethernet and dial-in (ISDN)
interfaces, respectively, in front of our Firewall
(FW-1 4.0 SP2, FWZ, Solaris 2.6).
There are SecuRemote clients (WinNT with SecuRemote 4.0)
attached via the dial-in as well as via the ethernet interfaces.
The corresponding rule looks like:
users@clients internal-server http client-encrypt long
For the clients connecting via ethernet everything works
fine.
Problems arise if a client tries to access the internal server
via dial-in. We get a successful SecuRemote authentication and
the corresponding log entry on the firewall. But then it ends.
The clients are not able to access the server and there are no
log entries telling me that encrypted packets are arriving at the
FW (haven't looked with snoop yet at what really happens).
If I change the rule to
users@clients internal-server http accept long
or
users@clients internal-server http user-auth long
(without encryption enabled)
everything works fine even via dial-in.
Absolutely the same happens if I use FW-1 3.0b
and SecuRemote 3.0. So it is definitely not a bug in
FW-1 4.0 or SR 4.0.
It seems that the problem is caused by the encryption.
Encrypted packets are discarded somewhere on the dial-in
connection.
There are no ACLs on the router which could be responsible
for the behaviour.
Does anybody have an idea how to explain/solve this problem?
Otherwise I will spend some time with snoop and IOS debugging :-(
Greetings
Andreas
______________________________________________________________________
Dr. Andreas Huenger
Systems Engineer Network Security
Mannesmann Mobilfunk GmbH
Network Management Engineering Department
Am Seestern 1
40543 Duesseldorf
Tel.: [49]-(0)211/533-3949
E-Mail: andreas.huenger@d2privat.de
______________________________________________________________________
-------------
Original Text
From "Maerk Christoph" <christoph.maerk@cnv.at>, on 22.04.1999 13:32:
Hi!
Win95, SecuRemote 4005, FWZ1 / Checkpoint 4.0/SP2 Solaris x86
Our SecuRemote clients connect to the central site through different
internet providers. The following tcpdump on the FW (ws1) is a correct
communication with Provider A:
line169.providerA.net -> ws1 UDP D=259 S=259 LEN=801
ws1 -> line169.providerA.net IP D=194.183.152.169 S=193.170.42.1 LEN=492, ID=34577
ws1 -> line169.providerA.net IP D=194.183.152.169 S=193.170.42.1 LEN=121, ID=34578
line169.providerA.net -> ws1 IP D=193.170.42.1 S=194.183.152.169 LEN=65, ID=62977
ws1 -> line169.providerA.net IP D=194.183.152.169 S=193.170.42.1 LEN=65, ID=737
line169.providerA.net -> ws1 IP D=193.170.42.1 S=194.183.152.169 LEN=121, ID=64257
First the UDP authentication, then ws1 sends IPIP packets (protocol no. 94);
on the client "User successfully authenticated..." appears and SecuRemote
answers with IPIP packets... That's OK!
But now the problem: the same configuration with Provider B
line111.providerB.net -> ws1 UDP D=259 S=259 LEN=801
ws1 -> line111.providerB.net IP D=195.3.76.65 S=193.170.42.1 LEN=492, ID=53039
ws1 -> line111.providerB.net IP D=195.3.76.65 S=193.170.42.1 LEN=121, ID=53040
ws1 -> line111.providerB.net IP D=195.3.76.65 S=193.170.42.1 LEN=492, ID=53041
ws1 -> line111.providerB.net IP D=195.3.76.65 S=193.170.42.1 LEN=492, ID=53042
and so on....
On the client "User successfully authenticated..." appears, but then
the client does not answer the IPIP packets. The FW keeps sending the
"LEN=492" packets... -> no communication can occur.
The "Site Update" worked fine. We are using FWZ1. There is no NAT on the
paths used...
Provider B tells us that he has no filters, no access-lists and no NAT on
his routers...
What else could this be?
Christoph Maerk
christoph.maerk@cnv.at
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
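A small parser for the snoop-style summary lines quoted in the post, added here as an example and not part of either message: it re-joins the lines the mail client wrapped before "LEN=", records the UDP 259 exchange and the bare "IP" datagrams (which the post identifies as IPIP, protocol 94) per remote peer, and reports whether encapsulated traffic ever came back from the client. The two sample traces are the Provider A and Provider B captures from the post; the gateway name ws1 and the assumption that every undecoded "IP" summary line is tunnel traffic are taken from the post's own description, not from the capture itself.

```python
import re
from collections import defaultdict

# Snoop-style summary line as quoted in the post, e.g.
#   line169.providerA.net -> ws1 UDP D=259 S=259 LEN=801
#   ws1 -> line169.providerA.net IP D=194.183.152.169 S=193.170.42.1 LEN=492, ID=34577
LINE_RE = re.compile(r"^(\S+)\s*->\s*(\S+)\s+(UDP|TCP|ICMP|IP)\b(.*)$")
FIELD_RE = re.compile(r"\b(D|S|LEN|ID)=(\d+(?:\.\d+){3}|\d+)")

FWZ_PORT = "259"  # FWZ key exchange / SecuRemote authentication runs on UDP 259


def join_wrapped(text):
    """Re-join summary lines that the mail client wrapped before 'LEN='."""
    lines = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if s.startswith("LEN=") and lines:
            lines[-1] += " " + s
        else:
            lines.append(s)
    return lines


def parse(text):
    """Return one dict per recognised packet: src, dst, proto plus the D/S/LEN/ID fields."""
    pkts = []
    for line in join_wrapped(text):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a summary line, skip it
        src, dst, proto, rest = m.groups()
        pkt = {"src": src, "dst": dst, "proto": proto}
        pkt.update(FIELD_RE.findall(rest))
        pkts.append(pkt)
    return pkts


def diagnose(text, gateway):
    """Per remote peer: was the UDP 259 exchange seen, and did the bare IP
    datagrams flow in both directions afterwards?

    Assumption (from the post, not from the capture): every line snoop prints
    as plain 'IP' with no TCP/UDP/ICMP decode is the IPIP (protocol 94) tunnel."""
    state = defaultdict(lambda: {"keyx": False, "out": 0, "in": 0})
    for p in parse(text):
        peer = p["dst"] if p["src"] == gateway else p["src"]
        st = state[peer]
        if p["proto"] == "UDP" and p.get("D") == FWZ_PORT and p.get("S") == FWZ_PORT:
            st["keyx"] = True
        elif p["proto"] == "IP":
            st["out" if p["src"] == gateway else "in"] += 1
    verdict = {}
    for peer, st in state.items():
        if not st["keyx"]:
            verdict[peer] = "no key exchange seen"
        elif st["out"] and st["in"]:
            verdict[peer] = "ok"
        elif st["out"]:
            verdict[peer] = "one-way: gateway sends encapsulated packets, none come back"
        else:
            verdict[peer] = "key exchange only, no tunnel traffic"
    return verdict


# The two captures from the post (Provider A works, Provider B does not),
# kept in the line-wrapped form in which they appear in the mail.
TRACE_PROVIDER_A = """
line169.providerA.net -> ws1 UDP D=259 S=259 LEN=801
ws1 -> line169.providerA.net IP D=194.183.152.169 S=193.170.42.1
LEN=492, ID=34577
ws1 -> line169.providerA.net IP D=194.183.152.169 S=193.170.42.1
LEN=121, ID=34578
line169.providerA.net -> ws1 IP D=193.170.42.1 S=194.183.152.169
LEN=65, ID=62977
ws1 -> line169.providerA.net IP D=194.183.152.169 S=193.170.42.1
LEN=65, ID=737
line169.providerA.net -> ws1 IP D=193.170.42.1 S=194.183.152.169
LEN=121, ID=64257
"""

TRACE_PROVIDER_B = """
line111.providerB.net -> ws1 UDP D=259 S=259 LEN=801
ws1 -> line111.providerB.net IP D=195.3.76.65 S=193.170.42.1
LEN=492, ID=53039
ws1 -> line111.providerB.net IP D=195.3.76.65 S=193.170.42.1
LEN=121, ID=53040
ws1 -> line111.providerB.net IP D=195.3.76.65 S=193.170.42.1
LEN=492, ID=53041
ws1 -> line111.providerB.net IP D=195.3.76.65 S=193.170.42.1
LEN=492, ID=53042
"""

if __name__ == "__main__":
    for name, trace in (("Provider A", TRACE_PROVIDER_A), ("Provider B", TRACE_PROVIDER_B)):
        for peer, verdict in diagnose(trace, "ws1").items():
            print(f"{name}: {peer}: {verdict}")
```

The check only confirms what both posters observed by eye: the key exchange on UDP 259 completes, the gateway then emits the encapsulated packets, and for the failing path nothing encapsulated returns. It separates the "authentication broken" case from the "tunnel packets dropped on the path" case, which is the question the two posters are putting to their provider and router respectively.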