Re: [FW1] SecuRemote Problem
Hi Jerald,
Thanks for the reply.
Actually, it worked the same with an explicit telnet in the service column. Line 3
indeed came from qfe2, the external interface; the other lines came from the daemon.
I was always suspecting that the client side was not doing the encryption correctly,
but my sniffer did not show any clear telnet packets. As all traffic was
encrypted, I could not see much with the sniffer. The client is now the Build 4005 DES
version and the VPN-1 was 4.0 SP3. (I've just applied SP3 Hotfix 4064 to it,
but it does not seem to solve the problem yet.)
Thanks in advance for more ideas
Bernard
Jerald Josephs <jjosephs@pacbell.net> on 10/14/99 12:25:49 AM
To: Bernard Lee/RMD/Raytheon/CA,
fw-1-mailinglist@lists.us.checkpoint.com
cc:
Subject: Re: [FW1] SecuRemote Problem
When I have seen log entries like this it is because the user
successfully authenticated (lines 1 and 2), but the network
connection was not of a type accepted by the rule.
For example, if your Client Encrypt rule did not allow telnet,
and the user attempted telnet, SR would first prompt for authentication
because the destination IP address was within the encryption domain
of the defined site. The user can successfully pass authentication.
Then the telnet packet is allowed out to the decrypting firewall, which
then rejects it because it doesn't conform to the rule.
Was the reject entry showing the packet entering or exiting qfe2?
(I assume entering...) This isn't a Valid Address thing, because it
was blocked by rule 22...
Try this: explicitly define services, replacing Any in rule 1, and
see what happens.
Jerald Josephs
jjosephs@pacbell.net
----- Original Message -----
From: <Bernard_Lee@Raytheon.com>
To: <fw-1-mailinglist@lists.us.checkpoint.com>
Sent: Wednesday, October 13, 1999 4:01 PM
Subject: [FW1] SecuRemote Problem
>
> Hi all,
>
> Any idea why line 3 of the following log is not encrypted? It seems like it went
> through the authentication successfully and the key is installed, and Rule 1 should
> have enforced encryption. Note that blee belongs to group SRclient and destination B
> is inside Encrypted_net.
>
> Inter   Action      Src  Dst  Rule  User  Info
> =====   ======      ===  ===  ====  ====  ====
> Daemon  authcrypt   A         0     blee  reason clientencryption: Authenticated by pre-shared secret scheme: ISAKMP method: DES, ISAKMP, SHA1
> Daemon  keyinstall  A    B    0           scheme: ISAKMP methods: AH: SHA1 (Phase 2 Completion)
> qfe2    reject      A    B    22          telnet, len 44
>
> Rule 1:  SRclient@ANY  Encrypted_net  ANY  Client Encrypt  LONG  Gateway
> Rule 22: Any           Any            ANY  reject          LONG  Gateway
>
> Thanks
> Bernard
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
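The pattern Jerald describes (authcrypt and keyinstall from the daemon for a source, then a reject on the cleanup rule for the same source) can be checked mechanically over a log export. The script below is an added example for this thread, not code from the original posts or from Check Point: it parses a constructed sample log that approximates Bernard's three entries, correlates them per source address, and compares the logged rule with the rule a first-match lookup over a simplified model of Rule 1 and Rule 22 says the packet should have hit. The ';'-separated field layout, the `USER_GROUPS` and `NET_MEMBERS` tables (built from Bernard's note that blee is in SRclient and B is inside Encrypted_net) and the rulebase model are all assumptions made for the example; a real FW-1 4.0 log export and rulebase look different.

```python
from collections import defaultdict

# Constructed sample log approximating the three entries in Bernard's post.
# The field layout (inter;action;service;src;dst;rule;user;info) is an assumption
# made for this example; FW-1 4.0's own log viewer export looks different.
SAMPLE_LOG = """\
daemon;authcrypt;;A;;0;blee;reason clientencryption: Authenticated by pre-shared secret scheme: ISAKMP method: DES, ISAKMP, SHA1
daemon;keyinstall;;A;B;0;;scheme: ISAKMP methods: AH: SHA1 (Phase 2 Completion)
qfe2;reject;telnet;A;B;22;;len 44
"""

FIELDS = ("inter", "action", "service", "src", "dst", "rule", "user", "info")

# Simplified model of the two rules quoted in the post. Group and network
# membership follow Bernard's note that blee is in SRclient and B is inside
# Encrypted_net; everything else about the rulebase is assumed.
RULEBASE = [
    {"no": 1, "src": ("group", "SRclient"), "dst": ("net", "Encrypted_net"),
     "service": "Any", "action": "Client Encrypt"},
    {"no": 22, "src": "Any", "dst": "Any", "service": "Any", "action": "reject"},
]
USER_GROUPS = {"blee": {"SRclient"}}
NET_MEMBERS = {"Encrypted_net": {"B"}}


def parse_log(text):
    """Parse the constructed ';'-separated layout into one dict per entry."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(";", len(FIELDS) - 1)]
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        rec["rule"] = int(rec["rule"])
        for key in ("service", "dst", "user"):
            rec[key] = rec[key] or None   # empty column -> None
        records.append(rec)
    return records


def first_match(rulebase, user, dst, service):
    """First-match-wins lookup: which rule should a packet from this
    authenticated user to dst with this service have hit?"""
    for rule in rulebase:
        src_ok = rule["src"] == "Any" or rule["src"][1] in USER_GROUPS.get(user, set())
        dst_ok = rule["dst"] == "Any" or dst in NET_MEMBERS.get(rule["dst"][1], set())
        svc_ok = rule["service"] == "Any" or service in rule["service"]
        if src_ok and dst_ok and svc_ok:
            return rule
    return None


def diagnose(records, cleanup_rule, rulebase=RULEBASE):
    """Correlate entries per source address. An authcrypt + keyinstall pair from
    the daemon followed by a reject on the cleanup rule is the pattern Jerald
    describes: the user authenticated, but the packet did not end up matching
    the Client Encrypt rule."""
    state = defaultdict(lambda: {"user": None, "authcrypt": False, "keyinstall": False})
    findings = []
    for rec in records:
        s = state[rec["src"]]
        if rec["inter"] == "daemon" and rec["action"] == "authcrypt":
            s["authcrypt"] = True
            s["user"] = rec["user"]
        elif rec["inter"] == "daemon" and rec["action"] == "keyinstall":
            s["keyinstall"] = True
        elif rec["action"] == "reject" and rec["rule"] == cleanup_rule:
            if not (s["authcrypt"] and s["keyinstall"]):
                continue  # ordinary cleanup-rule hit from an unauthenticated source
            expected = first_match(rulebase, s["user"], rec["dst"], rec["service"])
            findings.append({
                "src": rec["src"], "dst": rec["dst"], "user": s["user"],
                "service": rec["service"], "inter": rec["inter"],
                "logged_rule": rec["rule"],
                "expected_rule": expected["no"] if expected else None,
                "note": ("authenticated SecuRemote user hit the cleanup rule on "
                         f"{rec['inter']}; check the service column of the Client "
                         "Encrypt rule and whether the reject was inbound or outbound"),
            })
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_log(SAMPLE_LOG), cleanup_rule=22):
        print(f"{f['user']} {f['src']}->{f['dst']} {f['service']}: logged rule "
              f"{f['logged_rule']}, expected rule {f['expected_rule']}: {f['note']}")
```

On the sample the finding reports a logged rule of 22 against an expected rule of 1, which is exactly Bernard's question restated from the log; the same lookup also shows what Jerald's suggestion changes: with an explicit service set on Rule 1, a service not in that set falls through to Rule 22 even for an authenticated SRclient user.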