Are you running UDP encapsulation and IKE over TCP? We also dropped the
default MTU to 1300 using MTUAdjust but that shouldn't be needed with AI.

Ray

From: Craig Baltzer <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Keberos V5 though client VPN
Date: Mon, 8 Dec 2003 00:18:44 -0500

Thanks Ray. In the "newer" Checkpoint releases (at least in NG) there
are "kerberos" objects (TCP and UDP flavours), as well as a
"kerberos_V5" object (again in both TCP and UDP). The V5 is port 88.

We pulled down the most recent release of the VPN client on Thursday
last week (Dec 4) and it was newer than what we had. I'll check tomorrow
just to confirm, but I think we're on the latest and greatest.

I'll try the explicit Kerberos_V5/accept rule tomorrow and see if the
logs tell us anything useful. To be honest this feels like a UDP
fragmentation discard issue which I've run into before (fragmented UDP
packets just get discarded silently), but that's just speculation on my
part.

Craig
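Craig's fragmentation suspicion and Ray's MTUAdjust figure can be put on a back-of-the-envelope footing. The following is an added example, not code from the thread: it estimates whether a Kerberos UDP datagram still fits a tunnel of a given MTU once ESP-in-UDP encapsulation is added. The overhead figures (outer IPv4, a UDP encapsulation header, ESP SPI/sequence, an 8-byte IV and block size as for 3DES, a 96-bit HMAC) are assumptions about a typical NG-era client tunnel, not values taken from the thread.

```python
# Added example (not from the mailing-list thread): estimate when a Kerberos
# UDP datagram fragments inside an ESP-in-UDP client VPN tunnel.
IPV4_HDR = 20        # outer and inner IPv4 header, no options
UDP_HDR = 8          # UDP header (Kerberos datagram and UDP encapsulation)
ESP_SPI_SEQ = 8      # ESP SPI + sequence number
ESP_TRAILER = 2      # ESP pad-length + next-header bytes
ESP_ICV = 12         # truncated HMAC (HMAC-SHA1-96 / HMAC-MD5-96), assumed


def esp_udp_overhead(inner_len, block=8, iv=8):
    """Bytes added when an inner IPv4 packet of inner_len bytes is carried as
    ESP (tunnel mode) inside a UDP encapsulation header plus outer IPv4.
    block/iv default to an 8-byte block cipher such as 3DES (assumption)."""
    pad = (-(inner_len + ESP_TRAILER)) % block   # align to cipher block
    return IPV4_HDR + UDP_HDR + ESP_SPI_SEQ + iv + pad + ESP_TRAILER + ESP_ICV


def kerberos_udp_fragments(krb_len, mtu=1300, block=8, iv=8):
    """True if a single Kerberos message of krb_len bytes, sent as one UDP
    datagram, exceeds the tunnel interface MTU after encapsulation.
    Default MTU 1300 is the MTUAdjust value mentioned in the thread."""
    inner = IPV4_HDR + UDP_HDR + krb_len
    return inner + esp_udp_overhead(inner, block, iv) > mtu


def max_kerberos_udp_payload(mtu=1300, block=8, iv=8):
    """Largest Kerberos payload that crosses the tunnel without fragmenting.
    Linear search from the MTU downwards; padding makes the bound non-monotone
    in steps of the block size, so the exact value is found rather than computed."""
    size = mtu
    while size > 0 and kerberos_udp_fragments(size, mtu, block, iv):
        size -= 1
    return size


if __name__ == "__main__":
    # Constructed sizes: a small AS-REQ and a large AS-REP carrying a PAC.
    for krb_len in (300, 1500):
        print(krb_len, "bytes fragments at MTU 1300:",
              kerberos_udp_fragments(krb_len))
    print("max unfragmented Kerberos payload at MTU 1300:",
          max_kerberos_udp_payload())
```

A reply larger than the returned budget is where a silent fragment discard, rather than an explicit drop on port 88, would show up as "nothing in the firewall log".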

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Ray P.
Sent: Sunday, December 07, 2003 10:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Keberos V5 though client VPN

Hi Craig,

Whoops, sorry. I didn't make the connection (no pun intended). For
whatever it's worth, before Check Point shut down the newsgroups this was
a fairly common question and TCP was the only answer that worked. I just
poked around Nokia's support site a bit and found a note that FW-1's
Kerberos object does NOT use 88 and that a new object should be created
using port 88. I can't confirm this from home. Do a search on the Nokia
KB on keyword kerberos.

FWIW, SecureClient/SecuRemote was updated a few days ago and is a public
download. Might want to give it a try as well.

With Exchange, we had to add a specific rule to get Outlook to work right
over remote access because "service any" didn't cut it. You might try
putting a specific rule to accept TCP 88 and UDP 88 via Remote Access
and log it to see what's going on.

Ray


>From: Craig Baltzer <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] Keberos V5 though client VPN
>Date: Fri, 5 Dec 2003 21:15:30 -0500
>
>Thanks Ray, but we'd already been there (take a look at the tail end of
>the post, we already have it working over TCP which is what is
>referenced in the KB you sent). We're trying to get the firewall to pass
>88/UDP through the tunnel, not convert all of our workstations over to
>use 88/TCP...
>
>Craig
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[EMAIL PROTECTED] On Behalf Of Ray P.
>Sent: Friday, December 05, 2003 8:51 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] Keberos V5 though client VPN
>
>http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474 and its
>related link should do it.
>
>Ray
>
> >From: Craig Baltzer <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: [FW-1] Keberos V5 though client VPN
> >Date: Fri, 5 Dec 2003 19:31:54 -0500
> >
> >We're having an issue where we're unable to successfully perform
> >Kerberos authentication through a VPN connection. Environment is
> >CheckPoint NG (Nokia) with the latest Checkpoint VPN client. Clients are
> >a mixture of Windows 2000 Pro and Windows XP. Servers are Windows 2003
> >(Kerberos V5). The configuration is basically an Internet connected
> >client establishing a VPN connection via the NG VPN client back to a
> >Nokia NG firewall which protects the corporate network hosting the
> >Windows 2003 server.
> >
> >When attempting a connection, we see a Kerberos request over 88/UDP with
> >a destination of a Kerberos KDC. It shows in the client log, however it
> >never appears in the firewall log and nothing reaches the KDC server.
> >Switching the client to use Kerberos 88/TCP fixes the problem, however
> >we're reluctant to modify all of our clients to use TCP (a ton of
> >clients to update, overhead concerns with a large number of TCP sessions
> >setups/teardowns needed for KDC operators, and a desire to generally
> >stay with the standard (RFC 1510) method of doing Kerberos over UDP).
> >
> >What do we need to change on the firewall to get it to pass Kerberos
> >88/UDP inside a VPN connection?
> >
> >Thoughts/hints appreciated.
> >
> >Thanks
> >
> >Craig

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
