
[FW1] SecuRemote has several problems - who got the knowledge to resolve ?

I'm in the process of researching a SecuRemote based remote access VPN
ability for our employees. The more I research this tool I can see several
unresolved problems which would be a criterion to discard SR (for me).
Anyways let me try to describe the problems I can see so far. Maybe someone
has looked in that before and can help. Scenario always refers to SR40 DES,
FW4.0 4031 and Win95.

I want to name the different topics first for easier identification
later on.

1. SplitDNS
2. Win95Routing
3. IP pools

1. SplitDNS
The problem is easy to describe. As soon as a user is in (authenticated) I
want him to be able to make use of our internal DNS to resolve hostnames. I
successfully configured DNS encryption and Split DNS as described in the CP
DOC paper. Now - there are still some problems to be resolved.


1a) DHCP and DNS
As long as a PC is in the company, DNS servers get configured by a DHCP
server. Implicitly, when the PC is outside of the company there is no DNS
server configured because there is no DHCP. During ISP dialup Internet DNS
servers get configured, but they cannot resolve company-internal names.
Unfortunately SR does not resolve internal names as long as I do not
manually configure internal DNS servers in the network configuration. It is
not enough to configure the internal DNS server in the DNSINFO.C file on
the firewall. Yes, it gets successfully downloaded to the SR client when
doing 'make new site'. userc.C on the client looks fine. But as long as I do
not configure the DNS server statically it does not work.

Question: Is there a workaround or whatever to enforce SecuRemote to use
the internal DNS server for internal DNS names when configured in dnsinfo.C
only? I know this would maybe mean to do IP header rewriting but as long
as it works I'm fine with that.

I need to prevent my users from having to configure a DNS server manually
when they are outside of the company network. Dynamic DNS server
configuration is essential in the internal network.


1b) In case a DNS name is duplicated in internal and external (Internet)
DNS it gets resolved randomly. See example:

ping host.domain.com [10.11.12.13] with 32 bytes of data:
ping host.domain.com [official Internet IP] with 32 bytes of data:

This happens randomly. It seems to depend on which nameserver answers first.
(yes, which nameserver answers first!). From how I know DNS to work it only
queries exactly ONE (1) DNS server. There are three possible answers: I -
error, II - name resolved, III - name unresolvable. As long as no timeout
occurs the answer is final, since there is only one DNS in the
(Internet-)world, and why should we ask a different DNS server to resolve
the name? It would only refer to the same (distributed DNS-) database and
deliver the same answer. This behaviour is not clear to me.

Question: How can it be that two nameservers get queried in parallel and not,
as expected, only one depending on the DNS name?
Remark: For SR41 the Internet answer always seems to be taken, but anyways,
as long as I can also resolve internal names in parallel to Internet names
in the same domain it is proven that still two servers receive a request to
resolve a name.


2) Win95 routing

2a) Headline could be [How can one expect Windows to do what it is
supposed to do].

Assume the laptop in the internal network usually resides in the class C
network A. The ethernet NIC gets its IP via DHCP. Windows adds a route to
its routing table for the interface.

  Network Address          Netmask  Gateway Address        Interface  Metric
        Network A    255.255.255.0      IP of NIC      IP of NIC       1

Fine so far. When the PC is connected to the Internet via ISP dialup,
Windows adds a default route to the ISP DGW for Internet traffic. Since
the PC at this moment is not connected via the ET NIC, I would assume the
OS not to add a route for the directly attached network to the ET interface
(interface down - no route). Problem here is - Windows does add a route!
This results in the problem that a company service located in the same
subnetwork as the PC (network A) when being in the company network is
unreachable via SR when dialed. This happens because the routing of Windows
sends the packet to the network card (and discards it) instead of the
dialup adapter to the Internet. Not surprising: since the IP is a DHCP
address, if you release it via winipcfg the route goes away and everything
is fine. Maybe it is possible to have different hardware profiles and
disable the NIC in the 'Undocked' one, but sometimes we would still struggle
when there is a need for ET NIC connectivity and the status is undocked.

Question: How can I resolve this routing issue without the need for
winipcfg or other funny commands?

3) IP pool

I know that I will have to make use of the IP pool feature implemented in
FW1 4.1.

Question: Has anybody been using it so far ? I would be interested in
experience with that.


I really would appreciate any comments that help. Thanks for reading so far
and for your help in advance.


Regards,
Oliver
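The two DNS behaviours discussed in topic 1 (a name that exists in both the internal and the Internet zone, and a client that takes whichever server answers first) can be made concrete with a small model. The following is an added example written for this page, not code from the post, from Check Point or from SecuRemote; the zone contents, the suffix rule and the simulated latencies are all constructed. It contrasts a "first answer wins" resolver, where the result for a duplicated name is a coin flip and an internal-only name can be answered by a server outside the company, with a split-DNS policy that sends each name to exactly one server chosen by domain suffix and treats that server's negative answer as final.

```python
"""Split-DNS policy versus "first answer wins" for a name present in two zones.

Added example, not from the original post. All data below is constructed;
there is no network I/O.
"""
import random

# Constructed zone data for the two servers a dialed-in client could reach.
INTERNAL_DNS = {"host.domain.com": "10.11.12.13", "intranet.domain.com": "10.11.12.20"}
INTERNET_DNS = {"host.domain.com": "203.0.113.10", "www.other.com": "198.51.100.5"}
SERVERS = {"internal": INTERNAL_DNS, "internet": INTERNET_DNS}

# Constructed split-DNS rule: names under this suffix belong to the internal server only.
SPLIT_RULES = [("domain.com", "internal")]


def resolve_race(name, rng):
    """Query every server and keep the first reply (the behaviour the post observes).

    Returns (server, ip) or None. The simulated round-trip time decides the
    winner, so the answer for a duplicated name is nondeterministic.
    """
    replies = []
    for server, zone in SERVERS.items():
        if name in zone:
            latency_ms = rng.uniform(1.0, 50.0)   # constructed RTT
            replies.append((latency_ms, server, zone[name]))
    if not replies:
        return None
    replies.sort()
    _, server, ip = replies[0]
    return (server, ip)


def race_outcomes(name, trials, seed):
    """Set of distinct IPs the race resolver returns over many trials."""
    rng = random.Random(seed)
    return {resolve_race(name, rng)[1] for _ in range(trials)}


def pick_server(name):
    """Choose exactly one server for a name by longest matching suffix rule."""
    for suffix, server in SPLIT_RULES:
        if name == suffix or name.endswith("." + suffix):
            return server
    return "internet"


def resolve_split(name):
    """Split-DNS lookup: one server per name, no fallback to the other zone.

    Returns (server, ip); ip is None when that server does not know the name,
    which is the final answer rather than a reason to try another server.
    """
    server = pick_server(name)
    return (server, SERVERS[server].get(name))


if __name__ == "__main__":
    print("race outcomes:", race_outcomes("host.domain.com", 200, 1))
    print("split:", resolve_split("host.domain.com"), resolve_split("www.other.com"))
```

The detection angle for a defender is the same as the example's: if a client resolves an internal-only suffix and the answer is not an internal address, the reply came from the wrong server, which is worth alerting on at the gateway regardless of why the client raced.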


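The routing problem in topic 2a is a longest-prefix-match question: the stale connected route for network A is more specific than the dialup default, so it wins even though its interface is down. The following added example (not code from the post, from Windows or from Check Point) reproduces that lookup over a constructed routing table in the documentation address ranges and shows that pruning routes whose interface is not up is what makes the same destination fall through to the dialup default. The addresses, interface states and metrics are all assumed for illustration.

```python
"""Longest-prefix route lookup over a constructed Windows-style routing table.

Added example, not from the original post. Shows why a stale connected route
for network A on a down NIC captures traffic that should go out the dialup
default, and what changes once routes on down interfaces are pruned.
"""
import ipaddress

# Constructed table: (destination, netmask, gateway, interface, metric).
# Network A is 192.0.2.0/24, the NIC's DHCP lease is 192.0.2.50,
# the ISP dialup adapter is 198.51.100.7 with default gateway 198.51.100.1.
ROUTES = [
    ("0.0.0.0",   "0.0.0.0",       "198.51.100.1", "198.51.100.7", 1),  # ISP default
    ("192.0.2.0", "255.255.255.0", "192.0.2.50",   "192.0.2.50",   1),  # stale NIC route
    ("127.0.0.0", "255.0.0.0",     "127.0.0.1",    "127.0.0.1",    1),  # loopback
]


def lookup(routes, dst):
    """Return (gateway, interface) for dst: longest prefix wins, lower metric breaks ties."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for dest, mask, gateway, iface, metric in routes:
        net = ipaddress.IPv4Network((dest, mask))
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gateway, iface)
    return None if best is None else (best[1], best[2])


def prune_down_interfaces(routes, up_interfaces):
    """Drop every route whose interface address is not in the set of up interfaces.

    This is the effect of releasing the DHCP lease (or disabling the NIC) that
    the post describes: the connected route for network A disappears.
    """
    return [r for r in routes if r[3] in up_interfaces]


def path_for(dst, up_interfaces):
    """Convenience: lookup after pruning, as a model of a correctly maintained table."""
    return lookup(prune_down_interfaces(ROUTES, up_interfaces), dst)


if __name__ == "__main__":
    up = {"198.51.100.7", "127.0.0.1"}          # dialup and loopback are up, NIC is down
    print("with stale route:", lookup(ROUTES, "192.0.2.10"))
    print("after pruning:   ", path_for("192.0.2.10", up))
```

With the stale entry present, 192.0.2.10 is handed to the NIC at 192.0.2.50, which is exactly the "sent to the network card and discarded" symptom; once routes on the down interface are removed, the same destination takes the ISP default and can be carried over the SR tunnel.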

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================