The part I'm missing is what you're doing with SecureClient inside the
encryption domain. Are you actually starting SecureClient up in Connect Mode
and using VPN from inside the encryption domain through the internal
interface of the firewall?

Is this so you can reach some network routed by the firewall and you want to
use VPN inside the encryption domain to do so?

If so, the only way I know that you're going to be able to do this is to
turn off anti-spoofing on the internal interface.

Ray

From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] SecureClient inside the encryption domain
Date: Thu, 17 Mar 2005 23:14:23 +0100

[EMAIL PROTECTED] wrote:
If I understand it correctly, change the following parameter in userc.C:

:allow_clear_in_enc_domain (false) to

:allow_clear_in_enc_domain (true)

This will not work because this option only works when the SC is working in transparent mode - we are using SC in connect mode.

If the user is using Office Mode then all traffic is
routed to the firewall and encrypted.  This is due to the fact that
the office mode IP pool is not part of the encryption domain.  The
routing table in the PC running SecureClient is modified by
SecureClient to add all networks within the encryption domain to
route to the Firewall.  This may be good but it is not what I want,
I do not need to encrypt and route to the Firewall if I have
SC connected and am trying to access my internal resources.

If the User is not using Office Mode and is within the
encryption domain then packets sent to the Secure Networks will be
unencrypted and the Firewall log shows "Received
a cleartext packet within an encrypted connection"?!  This is because
I believe cp will not encrypt a packet if the client is within the
encryption domain.

What should I do now? ...all I want is that when the SC is inside
my network the SC should connect to the policy server (because all
should be dropped when the SC is disconnected) and recognize that there
is no need for encryption when accessing my internal network resources.

Should I add the IP pool network to the encryption domain? Since AI it's
possible...but will this solve my problem? I am not sure...

I don't want to change the Remote Access parameter "When disconnected,
traffic to the encryption domain will be dropped" in global properties.

thx
andre

I don't understand the problem. Is it that you can't even get an IP
address via DHCP when in the encryption domain and disconnected? If so,
add a rule allowing it for the group [EMAIL PROTECTED]

I've got a question concerning when SC is inside the encryption domain.
SC is working in "Connect Mode" and we have enabled the option that when
the SC is disconnected all the traffic will be dropped. When SC is outside
the enc domain the SC will get an IP address from the configured IP pool
and the user can access hosts inside the enc domain.

Is there any way without receiving an IP address from the IP pool when
the SC is inside the enc domain? (only logon to policy server, the FW
recognizes that the SC is part of the encryption domain and traffic will
be unencrypted between machines in the enc domain)
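The behaviour described in this thread (Office Mode pool address outside the encryption domain gets routed to the firewall and encrypted; a client that is itself inside the encryption domain sends cleartext, which the firewall logs as "Received a cleartext packet within an encrypted connection"; with the global property set, traffic to the encryption domain is dropped while the client is disconnected) can be written down as a small decision model. The following is an added example, not code from the thread or from Check Point; the prefixes, the pool address and the `classify` function are assumptions used only to illustrate the cases the posters describe.

```python
import ipaddress

# Constructed sample topology (assumption; these prefixes are not from the thread).
ENC_DOMAIN = [ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/24")]
OFFICE_MODE_POOL = ipaddress.ip_network("172.16.99.0/24")
# Address the firewall would hand out from the pool in Office Mode (constructed).
POOL_ADDRESS = ipaddress.ip_address("172.16.99.10")

FW_CLEARTEXT_LOG = "Received a cleartext packet within an encrypted connection"


def in_any(ip, nets):
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in nets)


def classify(physical_ip, dest_ip, office_mode, connected,
             enc_domain=ENC_DOMAIN, pool_ip=POOL_ADDRESS):
    """Model of how a Connect Mode SecureClient packet ends up, per the thread.

    Returns one of:
      "plain"      destination is not in the encryption domain, VPN not involved
      "dropped"    client disconnected and the global property drops traffic
                   to the encryption domain
      "encrypted"  effective source is outside the domain, so SC routes to the
                   firewall and encrypts (the Office Mode case)
      "cleartext"  effective source is inside the domain, so the packet is sent
                   unencrypted and the firewall logs FW_CLEARTEXT_LOG
    """
    dst = ipaddress.ip_address(dest_ip)
    if not in_any(dst, enc_domain):
        return "plain"
    if not connected:
        return "dropped"
    # In Office Mode the client's effective source is the pool address, which
    # is not part of the encryption domain; otherwise it is the physical address.
    src = pool_ip if office_mode else ipaddress.ip_address(physical_ip)
    if in_any(src, enc_domain):
        return "cleartext"
    return "encrypted"


def firewall_log(physical_ip, dest_ip, office_mode, connected):
    """Return the log text the model expects the firewall to produce, if any."""
    outcome = classify(physical_ip, dest_ip, office_mode, connected)
    if outcome == "cleartext":
        return FW_CLEARTEXT_LOG
    return None


def scenarios():
    """The four situations discussed in the thread, as (label, outcome) pairs."""
    cases = [
        ("remote client, Office Mode, connected", "192.168.5.10", "10.1.0.5", True, True),
        ("client inside enc domain, no Office Mode, connected", "10.1.0.50", "10.1.0.5", False, True),
        ("client inside enc domain, disconnected", "10.1.0.50", "10.1.0.5", False, False),
        ("client inside enc domain, destination outside domain", "10.1.0.50", "198.51.100.7", False, True),
    ]
    return [(label, classify(src, dst, om, conn)) for label, src, dst, om, conn in cases]


if __name__ == "__main__":
    for label, outcome in scenarios():
        print(f"{label}: {outcome}")
```

Running the scenarios reproduces the two complaints in the thread: with Office Mode the internal traffic is encrypted and hairpinned through the firewall, and without it the same client produces cleartext packets that the firewall logs. The model also makes andre's last question testable: adding the pool network to `ENC_DOMAIN` moves the Office Mode case into the "cleartext" branch, which is what the model predicts, not a statement about the product.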

================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
