According to a few of my friends at Check Point, you must use an "Any, FW, IKE,
ACCEPT" rule if you uncheck the "Accept FireWall-1 Control Connections"
box in the policy properties.  Had that box been checked, you wouldn't need
an explicit rule to allow IKE\SecuRemote - but then you'd be allowing a lot
more...  Hope this helps!

Jason
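
Added illustration (not part of any message in this thread): a first-match walk over Jim's rulebase showing why the SecuRemote IKE exchange to the firewall itself hits the stealth rule, and how much each fix opens. The service names, the assumption that IKE is UDP/500, and the subset of FireWall-1 control services used here are illustrative, not the product's real implied-rule list.

```python
# Added example, not from the thread: simulate FireWall-1 top-down, first-match
# rulebase evaluation for a SecuRemote client talking to the gateway.
from dataclasses import dataclass

ANY, FW, MYNET = "Any", "Firewall", "MyNet"

# Assumed service names. IKE is UDP/500; the FW1_* entries stand in for the
# control services that "Accept FireWall-1 Control Connections" opens.
CONTROL_SERVICES = ["IKE", "FW1", "FW1_log", "FW1_mgmt"]

@dataclass
class Rule:
    src: str
    dst: str
    svc: str
    action: str

def first_match(rules, src, dst, svc):
    """Walk the rulebase top-down; the first matching rule decides."""
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and r.svc in (ANY, svc):
            return r.action
    return "Drop"  # implicit clean-up rule

def build(explicit_ike=False, control_connections=False):
    """Jim's rulebase, optionally with the explicit IKE rule or implied rules."""
    rules = []
    if control_connections:  # implied rules are evaluated before explicit ones
        rules += [Rule(ANY, FW, s, "Accept") for s in CONTROL_SERVICES]
    if explicit_ike:
        rules.append(Rule(ANY, FW, "IKE", "Accept"))
    # Client Encrypt covers traffic to MyNet, not traffic to the gateway itself.
    rules.append(Rule("SRUsers@Any", MYNET, ANY, "Client Encrypt"))
    rules.append(Rule(ANY, FW, ANY, "Drop"))  # the stealth rule
    return rules

def exposed_to_firewall(rules):
    """Services an Internet host may open to the gateway under this rulebase."""
    return sorted(s for s in CONTROL_SERVICES
                  if first_match(rules, "Internet", FW, s) == "Accept")

if __name__ == "__main__":
    print("original:", first_match(build(), "Internet", FW, "IKE"))
    print("explicit IKE rule exposes:", exposed_to_firewall(build(explicit_ike=True)))
    print("implied rules expose:", exposed_to_firewall(build(control_connections=True)))
```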


At 03:35 PM 6/21/00 +1200, Jim Shaw wrote:
>
>I have resolved a problem I had with SR but now find that unless the
>client can do a key exchange using IKE to the firewall it does not
>connect. The client sits saying "Exchanging Keys" and then errors out.
>
>I am using SR build 4157 - the most recent I think, talking to
>Checkpoint 2000. I am using IKE with VPN-1 username/password
>authentication.
>
>I downloaded the topology while on an internal  network with a rule
>permitting some clients to connect directly to the firewall. No problem
>there. Dialing in from outside with the LAN card disabled I get a
>connection failed error with log entries in the FW log indicating that
>it is refusing IKE port connections because of my "Any, FW, Any Any
>Drop" rule. 
>
>I have a rule preceding that that permits "SRUsers@Any, MyNet, Any,
>Client Encrypt" which is what I understand was all that is necessary to
>get SR clients working. 
>
>It works if I add a rule that says "Any, Firewall, IKE, Accept". I don't
>like that but appear to have no option.
>
>Anyone got any ideas?
>Jim
>
>Ryan Finnesey wrote:
>> 
>> Is this the same thing as Mail Proxy in Firewall 4.1.  Because I am running
>> 4.0 soon to be 4.1 on a Sun box.  I need something to take the mail from the
>> Internet and pass it to the Exchange Server that is on the LAN.  What is the
>> best thing to use ?
>> 
>> Ryan V. Finnesey
>> Network Administrator
>> @tmosphere Interactive
>> 1375 Broadway, 11th floor
>> New York, NY 10018
>> 212 827 2507 phone
>> 212 827 2525 fax
>> [EMAIL PROTECTED]
>> 
>> -----Original Message-----
>> From: Olaf Selke [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, June 20, 2000 2:23 PM
>> To: [EMAIL PROTECTED]
>> Subject: [FW1] 4.1 smtp security server not fully rfc821 compliant,
>> <#@[]> 'invalid address syntax'
>> 
>> platform: 4.1 SP1+Hotfix 41603 [VPN + DES + STRONG], Solaris 7
>> 
>> hi list,
>> it looks like the fw-1 smtp security server isn't fully RFC821
>> compliant. Mails with a sender address <#@[]> are accepted by the smtp
>> security server with a reply code '250 Ok'. This means according RFC821
>> everything is fine: "250 Requested mail action okay, completed".
>> Nevertheless they are not delivered to the final destination
>> by the fw-1 mail dequeuer.
>> 
>> The trouble is caused by the fw-1 mail dequeuer which logs
>> "failed: 553 Invalid address syntax" and drops the mail silently! This
>> means bounces (<#@[]> usually are bounces) do vanish on the firewall
>> system without notice. My customer doesn't really like the idea that
>> mails are vanishing on his firewall system. <#@[]> is supposed to be
>> a valid address.
>> 
>> Attached you'll find some verbatim stuff documenting in more detail
>> what I'm talking about.
>> 
>> Olaf
>> --
>> Olaf Selke, [EMAIL PROTECTED], voice +49 5241 80-7069
>> 
>> ======= the sender <#@[]> is accepted and confirmed with code 250 ======
>> 
>> root@mx [/] >>telnet internal 25
>> Trying ...
>> Connected to internal.mediaways.net.
>> Escape character is '^]'.
>> 220 CheckPoint FireWall-1 secure SMTP server
>> mail from: <#@[]>
>> 250  <#@[]>... Sender ok
>> rcpt to: <[EMAIL PROTECTED]>
>> 250  <[EMAIL PROTECTED] Recipient ok
>> data
>> 354 Enter mail, end with "." on a line by itself
>> test with <#@[]>
>
>-- 
>Jim Shaw                       Email: [EMAIL PROTECTED]
>Optimation NZ Ltd,             DDI: +64-4-470-5831
>P.O. Box 10616,                        Ph: +64-4-472-7218
>Level 2, Optimation House,     Fax: +64-4-472-7219
>1 Grey Street,                 Web: http://www.optimation.co.nz
>Wellington,
>New Zealand
>
>
>================================================================================
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>================================================================================
>
>
