Hey folks,
Does anybody know if SecuRemote is available on Linux?

Thx,
terraja

On 4/18/08, Eric Janz <[EMAIL PROTECTED]> wrote:
> Hi Everybody,
>
> We had a 2 nodes Nokia IP380 Cluster with IPSO 3.8 and Checkpoint NGX R60
> and upgraded it last week to a 2 nodes Nokia IP690 Cluster with IPSO 4.2
> Build 078 and have installed Checkpoint VPN-1 Power NGX R65 without HFAs.
> The Nokia cluster is working in forwarding mode and static work assignment
> with the failure interval set to 5000ms. The CPU and memory utilization is
> normal. At the Checkpoint level we are using Nokia IP Clustering Load
> Sharing. We have remote clients which are connecting with Secure Client
> using different versions (R55, R56, R60) in office mode and they get IPs
> assigned from our central DHCP server. The office mode antispoofing is on
> and configured with the network range that can be assigned by the DHCP
> server and this network is not used locally and always gets routed through
> the Firewall.
>
> Everything went fine, we first upgraded our Smartcenter and then changed
> the gateways, but a few days ago we noticed that the VPN connections fail
> "sometimes". On the user laptops we see that the tunnel test is failing
> but it says that the connection was established successfully.
>
> I have read a lot of SKs and googled around "local interface address
> spoofing" and "tunnel test failure" without a lot of success and after
> testing a lot of options in the gateway configuration (MEP on/off, Dynamic
> Gateway Address Resolution vs Gateway Address Resolution from topology,
> etc.) I found that the only way to get the client VPN connections to work
> is removing one node from the cluster, leaving the other one alone.
>
> In SmartView Tracker I found log entries that state that there is "local
> interface address spoofing" and it seems to me that this is happening when
> the client establishes the VPN through one gateway but the response is
> trying to get out the other one. Is that a possible problem? Shouldn't
> the connections be synchronized between the cluster members?
>
> Number:               13474
> Date:                 18Apr2008
> Time:                 13:01:46
> Product:              VPN-1 Power/UTM
> Interface:            eth-s1p1c1
> Origin:               <cluster-node-2-external-ip>
> Type:                 Alert
> Action:               Drop
> Protocol:             udp
> Service:              10366
> Source:               <cluster-external-ip>
> Destination:          <remote-client-public-dsl-ip>
> Source Port:          IKE_NAT_TRAVERSAL
> Information:          message_info: Local interface address spoofing
> SmartDefense Profile: Default_Protection
> Policy Info:          Policy Name: policy1
>                       Created at: Fri Apr 18 12:50:08 2008
>                       Installed from: smartcenter
>
> When this is happening, I try to ping a local PC from the remote client
> and I can see with a tcpdump that the packets are arriving at the local PC
> with the office mode remote source IP from the remote client and that the
> local PC is responding. This response arrives at the firewall and gets
> dropped due to the local interface address spoofing?
>
> Thanks a lot in advance for any advice,
> Kind Regards,
> Eric Janz
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
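
Added example, not part of the original thread or of any Check Point tooling: one way to check the hypothesis in the quoted message is to tally "Local interface address spoofing" drops per cluster member (the Origin field) for traffic sourced from the cluster address. It assumes log records exported as "Field: value" text in the layout of the quoted entry, separated by blank lines; the sample records and addresses are constructed placeholders.

```python
from collections import Counter

SPOOF_MSG = "local interface address spoofing"
# Constructed sample records in the "Field: value" layout of the quoted entry;
# addresses are documentation-range placeholders, not values from the post.
SAMPLE = """\
Origin: 192.0.2.12
Action: Drop
Source: 192.0.2.10
Information: message_info: Local interface address
 spoofing

Origin: 192.0.2.11
Action: Accept
Source: 203.0.113.50

Origin: 192.0.2.12
Action: Drop
Source: 192.0.2.10
Information: message_info: Local interface address spoofing
"""

def parse_records(text):
    """Split on blank lines (assumed separator) and build one dict per record."""
    records = []
    for block in text.strip().split("\n\n"):
        rec, last = {}, None
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line[0].isspace():
                last = key.strip()
                rec[last] = value.strip()
            elif last:  # wrapped continuation of the previous field
                rec[last] += " " + line.strip()
        records.append(rec)
    return records

def spoof_drops_by_member(records, cluster_ip):
    """Count spoofing drops per Origin (member) where Source is the cluster IP."""
    hits = Counter()
    for r in records:
        if (r.get("Action") == "Drop" and r.get("Source") == cluster_ip
                and SPOOF_MSG in r.get("Information", "").lower()):
            hits[r["Origin"]] += 1
    return dict(hits)
```

If the drops concentrate on one member while the tunnels were negotiated through the other, that is consistent with the asymmetric path described in the quoted message.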
