Hi all,
I'm not sure if this is really a problem:
My setup is:
server (2.2.2.254) ---- (2.2.2.1) CP_FW-1 (10.1.22.1) ---- (10.1.22.100) SR-Client
The server is just a normal server, nothing special.
The SR-Client has properly downloaded its security policy; after authentication it
gets the error message:
>You are using an inappropriate policy.
>Load a new policy from your Policy Server.
The FW-1 has the following rule:
Users@Any | Server | Any | ClientEncrypt | Long
Implied rules for FW-1 communications and ICMP are active.
Encryption domain is the net 2.2.2.0/24, with FWZ & encapsulation.
If I then try to connect to my server (either ping or e.g. ftp) I get the
returning packets un-encrypted and un-encapsulated.
A ping from the SR-Client to 2.2.2.254 doesn't receive an answer.
Firewall-log:
[...] decrypt | SR-Client | 2.2.2.254 | icmp | 1 | | Username [...]
Sniffer-log:
Proto Desc Source Dest Type
UDP Src Port: Unknown, (259); Dst Port: Unknown (259) SR-Client CP_FW-1 IP
UDP Src Port: Unknown, (259); Dst Port: Unknown (259) CP_FW-1 SR-Client IP
UDP Src Port: Unknown, (259); Dst Port: Unknown (259) SR-Client CP_FW-1 IP
UDP Src Port: Unknown, (259); Dst Port: Unknown (259) CP_FW-1 SR-Client IP
UDP Src Port: Unknown, (259); Dst Port: Unknown (259) SR-Client CP_FW-1 IP
IP ID = 0x6600; Proto = 0x5E; Len: 65 SR-Client CP_FW-1 IP
IP ID = 0x6600; Proto = 0x5E; Len: 65 SR-Client CP_FW-1 IP
ICMP Echo Reply: To 10.01.22.100 From 02.02.02.254 2.2.2.254 SR-Client IP
IP ID = 0x7200; Proto = 0x5E; Len: 65 SR-Client CP_FW-1 IP
IP ID = 0x7200; Proto = 0x5E; Len: 65 SR-Client CP_FW-1 IP
ICMP Echo Reply: To 10.01.22.100 From 02.02.02.254 2.2.2.254 SR-Client IP
(The first four entries are the authentication process)
Is this normal behavior due to the "inappropriate policy", and
how do I fix the policy?
Best Regards,
Patrick Lottifw
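
The asymmetry in the sniffer log above can be checked mechanically. The following is an added example, not part of the original post: it classifies the posted trace lines and lists packets that leave the encryption domain for the client in the clear. Treating IP protocol 0x5E as the encapsulated client traffic is an assumption drawn from the trace, and the host-name mapping is taken from the diagram in the post.

```python
import ipaddress
import re

ENC_DOMAIN = ipaddress.ip_network("2.2.2.0/24")  # encryption domain from the post
HOSTS = {"SR-Client": "10.1.22.100", "CP_FW-1": "10.1.22.1"}  # from the diagram
ENCAP_PROTO = 0x5E  # assumption: protocol number of the encapsulated packets

# Sniffer lines as posted: description, source, destination, type.
TRACE = """\
UDP Src Port: Unknown, (259); Dst Port: Unknown (259) SR-Client CP_FW-1 IP
UDP Src Port: Unknown, (259); Dst Port: Unknown (259) CP_FW-1 SR-Client IP
UDP Src Port: Unknown, (259); Dst Port: Unknown (259) SR-Client CP_FW-1 IP
UDP Src Port: Unknown, (259); Dst Port: Unknown (259) CP_FW-1 SR-Client IP
UDP Src Port: Unknown, (259); Dst Port: Unknown (259) SR-Client CP_FW-1 IP
IP ID = 0x6600; Proto = 0x5E; Len: 65 SR-Client CP_FW-1 IP
IP ID = 0x6600; Proto = 0x5E; Len: 65 SR-Client CP_FW-1 IP
ICMP Echo Reply: To 10.01.22.100 From 02.02.02.254 2.2.2.254 SR-Client IP
IP ID = 0x7200; Proto = 0x5E; Len: 65 SR-Client CP_FW-1 IP
IP ID = 0x7200; Proto = 0x5E; Len: 65 SR-Client CP_FW-1 IP
ICMP Echo Reply: To 10.01.22.100 From 02.02.02.254 2.2.2.254 SR-Client IP
"""

def parse(line):
    """Split one sniffer line into (kind, src_ip, dst_ip)."""
    desc, src, dst, _type = line.rsplit(None, 3)
    src = ipaddress.ip_address(HOSTS.get(src, src))
    dst = ipaddress.ip_address(HOSTS.get(dst, dst))
    proto = re.search(r"Proto = 0x([0-9A-Fa-f]+)", desc)
    if proto and int(proto.group(1), 16) == ENCAP_PROTO:
        kind = "encapsulated"
    elif desc.startswith("UDP") and "(259)" in desc:
        kind = "udp-259"
    else:
        kind = "cleartext"
    return kind, src, dst

def audit(trace, client="SR-Client"):
    """Count packets per kind; list cleartext packets from the domain to the client."""
    client_ip = ipaddress.ip_address(HOSTS[client])
    counts, clear_replies = {}, []
    for n, line in enumerate(trace.strip().splitlines(), 1):
        kind, src, dst = parse(line)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "cleartext" and src in ENC_DOMAIN and dst == client_ip:
            clear_replies.append((n, str(src), str(dst)))
    return counts, clear_replies

if __name__ == "__main__":
    print(audit(TRACE))
```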