
Re: [FW1] SecuRemote Problem





When I have seen log entries like this it is because the user
successfully authenticated (lines 1 and 2), but the network
connection was not of a type accepted by the rule.
 
For example, if your Client Encrypt rule did not allow telnet,
and the user attempted telnet, SR would first prompt for authentication
because the destination IP address was within the encryption domain
of the defined site.  The user can successfully pass authentication.
 
Then, the telnet packet is allowed out to the decrypting firewall, which
then rejects it because it doesn't conform to the rule.
 
Was the reject entry showing the packet entering or exiting qfe2?
( I assume entering...)  This isn't a Valid Address thing because it
was blocked by rule 22...
 
Try this: Explicitly define services, replacing Any in rule 1 and
see what happens.
 
Jerald Josephs
jjosephs@pacbell.net
 
 
----- Original Message ----- From: <Bernard_Lee@Raytheon.com>
To: <fw-1-mailinglist@lists.us.checkpoint.com>
Sent: Wednesday, October 13, 1999 4:01 PM
Subject: [FW1] SecuRemote Problem

>
>
>
> Hi all,
>
> Any idea why line 3 of the following log is not encrypted? It seems
> like it went through the authentication successfully and the key is
> installed, and Rule 1 should have enforced encryption. Note that blee
> belongs to group SRclient and destination B is inside Encrypted_net.
>
> Inter   Action      Svc     Src  Dst  Rule  User  Info
> =====   ======      ===     ===  ===  ====  ====  ====
> Daemon  authcrypt           A         0     blee  reason clientencryption: Authenticated by pre-shared secret scheme: ISAKMP method: DES, ISAKMP, SHA1
> Daemon  keyinstall          A    B    0           scheme: ISAKMP methods: AH: SHA1 (Phase 2 Completion)
> qfe2    reject      telnet  A    B    22          len 44
>
>
> Rule 1:   SRclient@ANY   Encrypted_net   ANY   Client Encrypt   LONG   Gateway
> Rule 22:  Any            Any             ANY   reject           LONG   Gateway
>
> Thanks
> Bernard
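The two-stage behaviour Jerald describes (SecuRemote deciding to authenticate and negotiate a key from the destination address alone, the gateway then matching the packet, service included, against the rule base) as an added illustrative model. This is example code written for this page, not Check Point code and not from either poster; the host addresses, the http/ftp services in the "explicit" rule base, and the implicit drop at the end of the rule base are constructed assumptions.

```python
"""
Toy model of the two checks in the reply above.  The SecuRemote client
prompts for authentication and installs a key whenever the destination
lies in the site's encryption domain, regardless of service.  The gateway
then walks the rule base top-down, first match wins, and only here does
the service (telnet, http, ...) take part in the decision.  Illustrative
only; not Check Point's implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

ANY = "Any"

# Constructed objects: the addresses below are made up for the example.
NETWORKS = {"Encrypted_net": ip_network("10.1.0.0/16")}
HOSTS = {"A": ip_address("192.0.2.10"), "B": ip_address("10.1.0.5")}
GROUPS = {"SRclient": {"blee"}}
ENCRYPTION_DOMAIN = ["Encrypted_net"]


@dataclass(frozen=True)
class Rule:
    number: int
    source: str                # user group (group@ANY) or ANY
    destination: str           # network/host object name or ANY
    services: FrozenSet[str]   # service names; frozenset({ANY}) = any
    action: str


def in_object(name: str, addr) -> bool:
    """Does an address fall inside a named network or host object?"""
    if name == ANY:
        return True
    if name in NETWORKS:
        return addr in NETWORKS[name]
    return HOSTS[name] == addr


def source_matches(rule_src: str, user: str) -> bool:
    """group@ANY: any address, as long as the user is in the group."""
    return rule_src == ANY or user in GROUPS.get(rule_src, set())


def client_stage(dst, domain: List[str]) -> List[str]:
    """SecuRemote side: destination in the encryption domain means
    authenticate (authcrypt) and negotiate a key (keyinstall); the
    service of the connection is not consulted at all."""
    if any(dst in NETWORKS[n] for n in domain):
        return ["authcrypt", "keyinstall"]
    return []


def gateway_stage(rules: List[Rule], user: str, dst, service: str) -> Tuple[str, int]:
    """Gateway side: first rule whose source, destination AND service
    all match decides.  Returns (action, rule number)."""
    for r in rules:
        if (source_matches(r.source, user)
                and in_object(r.destination, dst)
                and (ANY in r.services or service in r.services)):
            return r.action, r.number
    return "drop", 0   # assumed implicit drop when nothing matches


def simulate(rules: List[Rule], user: str, dst_name: str, service: str) -> List[Tuple[str, int]]:
    """Return the log the two stages would produce, as (action, rule)."""
    dst = HOSTS[dst_name]
    log = [(event, 0) for event in client_stage(dst, ENCRYPTION_DOMAIN)]
    log.append(gateway_stage(rules, user, dst, service))
    return log


RULE_22 = Rule(22, ANY, ANY, frozenset({ANY}), "reject")

# Rule base as posted: rule 1 accepts any service.
ORIGINAL = [Rule(1, "SRclient", "Encrypted_net", frozenset({ANY}), "Client Encrypt"),
            RULE_22]

# Rule 1 with explicit services (constructed: http and ftp, telnet left out).
EXPLICIT = [Rule(1, "SRclient", "Encrypted_net", frozenset({"http", "ftp"}), "Client Encrypt"),
            RULE_22]

if __name__ == "__main__":
    for label, rules in (("any service", ORIGINAL), ("explicit services", EXPLICIT)):
        print(label, "->", simulate(rules, "blee", "B", "telnet"))
```

With telnet absent from rule 1, the model reproduces the posted pattern exactly: authcrypt and keyinstall are logged against rule 0, then the packet falls through to rule 22 and is rejected. With rule 1 left at Any service, the same packet matches rule 1 and is encrypted.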