We have just upgraded from plain NG (don't know which version) to NG AI, R54. We used to allow VPN access into our LAN via the rule:
  Source           Destination         Service   Action
  <any external>   <our VPN server>    PPTP      Accept

The PPTP service is a group with two members: the GRE protocol (protocol 47) and the PPTP port (TCP 1723). With the older firewall this worked fine (for several years) for VPN connections from outside the LAN. Note that these connections were to the VPN server inside the firewall, not to the firewall itself via SecuRemote or SecureClient.

The internal network is a Windows 2003 LAN with Active Directory and a T-1 connection to the Internet. The remote client machines are Windows 2000 Professional behind Linksys BEFW11S4 v2 routers, with the MTU set to 1300, on DSL service. There is no NATting at our firewall. The global properties have "Accept ICMP requests" turned off, but the ruleset has a rule above the VPN rule that allows a few ICMP types, including type 3.

After the upgrade to NG AI, which uses the identical ruleset, the VPN connection fails. The failure is unusual: the VPN client gets authenticated, then we get a little window that says "Loading your personal settings". This stays on the screen for a good 30-40 minutes, but then the connection is successful. But the connection is so slow that nothing useful can be accomplished.

The firewall logs show, first, an accepted connection to the PPTP port (TCP 1723), then another accepted connection for the GRE protocol. Later, every minute or so, there is a dropped packet for ICMP type 3, code 4, with the stated reason "ICMP packet out of state", no rule specified (i.e., from the implied rules); source: the remote client; destination: the VPN server. This error did not show up with the earlier firewall.

Any ideas? Thanks in advance.
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] and in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
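The post above describes a stateful firewall dropping ICMP type 3, code 4 ("fragmentation needed") packets as "out of state" against a PPTP session that consists of a TCP 1723 control connection plus a GRE tunnel. As an added illustration, not code from the post and not Check Point's implementation, the following Python builds such an ICMP error the way an intermediate hop would (RFC 792/1191: the offending datagram's IP header and first 8 payload bytes are quoted inside the error), then runs a simplified state-table lookup: the error is treated as "in state" only when the quoted datagram maps, in either direction, to a connection the firewall has already accepted. The addresses, ports, the next-hop MTU of 1300 and the GRE header bytes are constructed for the example, and the state-table logic is a generic model, not how NG AI actually tracks GRE or ICMP.

```python
"""Model of how a stateful firewall relates an ICMP type 3 code 4 error to an
existing connection. Added example; addresses, ports and MTU are constructed."""
import ipaddress
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 1, 6, 17, 47
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, DF bit set) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(buf: bytes) -> dict:
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"ihl": (vihl & 0x0F) * 4, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}


def frag_needed(reporter: str, offending: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 from `reporter` back to the offending datagram's source,
    quoting that datagram's IP header plus its first 8 payload bytes."""
    victim = parse_ipv4(offending)
    quoted = offending[: victim["ihl"] + 8]
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_packet(reporter, victim["src"], PROTO_ICMP, icmp)


def flow_key(ip: dict, after_ip: bytes) -> tuple:
    """5-tuple for TCP/UDP; GRE carries no ports, so both are 0."""
    sport = dport = 0
    if ip["proto"] in (PROTO_TCP, PROTO_UDP) and len(after_ip) >= 4:
        sport, dport = struct.unpack("!HH", after_ip[:4])
    return (ip["src"], ip["dst"], ip["proto"], sport, dport)


def embedded_flow(packet: bytes):
    """(flow_key, next_hop_mtu) of the datagram quoted inside a frag-needed
    error, or None when `packet` is not such an error."""
    outer = parse_ipv4(packet)
    if outer["proto"] != PROTO_ICMP:
        return None
    icmp = packet[outer["ihl"]:]
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    inner = icmp[8:]
    ip = parse_ipv4(inner)
    return flow_key(ip, inner[ip["ihl"]:]), mtu


class StateTable:
    """Connections already accepted by the firewall, keyed as 5-tuples."""
    def __init__(self):
        self.flows = set()

    def accept(self, src, dst, proto, sport=0, dport=0):
        self.flows.add((src, dst, proto, sport, dport))

    def icmp_error_in_state(self, packet: bytes) -> bool:
        """In state only if the quoted datagram belongs to a known flow, either way round."""
        found = embedded_flow(packet)
        if found is None:
            return False
        (src, dst, proto, sport, dport), _ = found
        return ((src, dst, proto, sport, dport) in self.flows
                or (dst, src, proto, dport, sport) in self.flows)


# Constructed scenario: documentation addresses, not the poster's real ones.
CLIENT = "203.0.113.10"    # remote Windows 2000 client on DSL
VPN_SERVER = "192.0.2.20"  # PPTP server inside the firewall
# GRE-encapsulated PPP frame from the server that is too large for the path
# (GRE header simplified to flags/version + protocol type 0x880B for PPP).
GRE_FROM_SERVER = ipv4_packet(VPN_SERVER, CLIENT, PROTO_GRE,
                              struct.pack("!HH", 0x3001, 0x880B) + b"\x00" * 1400)
# The client side answers "fragmentation needed, next-hop MTU 1300" (assumed value).
ICMP_ERROR = frag_needed(CLIENT, GRE_FROM_SERVER, 1300)


def scenario_with_gre_tracked() -> bool:
    table = StateTable()
    table.accept(CLIENT, VPN_SERVER, PROTO_TCP, 3456, 1723)  # PPTP control channel
    table.accept(CLIENT, VPN_SERVER, PROTO_GRE)               # GRE data tunnel
    return table.icmp_error_in_state(ICMP_ERROR)


def scenario_without_gre_tracked() -> bool:
    table = StateTable()
    table.accept(CLIENT, VPN_SERVER, PROTO_TCP, 3456, 1723)   # only the control channel
    return table.icmp_error_in_state(ICMP_ERROR)


if __name__ == "__main__":
    print("quoted flow, next-hop MTU:", embedded_flow(ICMP_ERROR))
    print("GRE tracked     ->", scenario_with_gre_tracked())
    print("GRE not tracked ->", scenario_without_gre_tracked())
```

Run it directly to print the quoted inner flow and both outcomes. The fields this code extracts from the error (the quoted datagram's source, destination and protocol, and the next-hop MTU) are the ones worth reading out of a captured ICMP type 3 code 4 when a firewall logs it as out of state: they say which connection the error is trying to attach to, and what path MTU the sender is being asked to honour.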
