Don't feel bad, in this field, we all miss things now and again.
Please allow me to ask a few questions.
1. Have you modified the policy properties 'Security Policy' tab? Specifically the control connections tab.
2. Are you allowing ESP and AH to the firewall? (Irrelevant as long as the client VPN rule comes before the stealth rule.)
You have indicated that ICMP is not working. Have you disabled it under policy properties?
Two notes: You've got it almost right. The first scenario
works because under policy properties you have Enable decrypt on Accept
enabled. Disable this and scenario 1 will fail.
ICMP will only work in a client scenario if you have 1) the allow ICMP property
set, or 2) a rule for ICMP in both directions. ICMP is not stateful,
and therefore replies are not simply allowed.
I'll wait to hear back from you,
CryptoTech
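The two points in the reply above (the client VPN rule must sit above the stealth rule, and ICMP needs the allow-ICMP property or a rule in each direction because replies are not matched statefully) can be shown with a small first-match rulebase simulator. This is an added example, not Check Point code and not part of the original thread; the object names (pc1, enc_domain, firewall, fileserver) and the modelling of the "allow ICMP" property as an implied rule ahead of the rulebase are assumptions made for illustration.

```python
"""First-match rulebase simulator (constructed example, not FW-1 code)."""
from dataclasses import dataclass

# Constructed network objects; names are hypothetical.
FIREWALL = "firewall"
PC1 = "pc1"
GROUPS = {"enc_domain": {"webserver", "fileserver"}}  # encryption domain members


def matches(obj_name: str, host: str) -> bool:
    """True if a rule column object (host, group or Any) covers the host."""
    if obj_name == "Any":
        return True
    members = GROUPS.get(obj_name)
    if members is not None:
        return host in members
    return obj_name == host


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str  # "Accept", "Drop" or "Client Encrypt"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def evaluate(rules, pkt: Packet, allow_icmp_property: bool = False):
    """Return (action, matched rule index); unmatched traffic is implicitly dropped.

    The policy property that accepts ICMP is modelled (assumption) as an
    implied rule evaluated before the explicit rulebase.
    """
    if allow_icmp_property and pkt.service == "icmp":
        return ("Accept", "implied-icmp")
    for i, r in enumerate(rules):
        if (matches(r.src, pkt.src) and matches(r.dst, pkt.dst)
                and r.service in ("Any", pkt.service)):
            return (r.action, i)
    return ("Drop", "implicit")


# Stealth rule: nothing may talk to the firewall itself.
STEALTH = Rule("Any", FIREWALL, "Any", "Drop")
# Control connection needed by the SecureRemote client (IKE to the gateway).
VPN_CTRL = Rule("Any", FIREWALL, "ike", "Accept")


def control_connection_result(vpn_rule_first: bool) -> str:
    """Ordering test: IKE from the client to the gateway, with the VPN rule
    either above or below the stealth rule."""
    rules = [VPN_CTRL, STEALTH] if vpn_rule_first else [STEALTH, VPN_CTRL]
    return evaluate(rules, Packet(PC1, FIREWALL, "ike"))[0]


def icmp_round_trip(rules, allow_icmp_property: bool = False):
    """Echo request pc1 -> fileserver and the reply fileserver -> pc1, each
    matched independently because ICMP is not tracked statefully here."""
    request = evaluate(rules, Packet(PC1, "fileserver", "icmp"), allow_icmp_property)[0]
    reply = evaluate(rules, Packet("fileserver", PC1, "icmp"), allow_icmp_property)[0]
    return request, reply


if __name__ == "__main__":
    print("VPN rule above stealth:", control_connection_result(True))    # Accept
    print("VPN rule below stealth:", control_connection_result(False))   # Drop
    one_way = [Rule(PC1, "enc_domain", "icmp", "Accept")]
    both_ways = one_way + [Rule("enc_domain", PC1, "icmp", "Accept")]
    print("one ICMP rule:", icmp_round_trip(one_way))                    # ('Accept', 'Drop')
    print("ICMP rule both ways:", icmp_round_trip(both_ways))            # ('Accept', 'Accept')
    print("allow ICMP property:", icmp_round_trip(one_way, True))        # ('Accept', 'Accept')
```

Running the block shows the reply being dropped when only the outbound ICMP rule exists, and accepted once either the reverse rule or the property is present; the same first-match walk explains why a control-connection rule placed below the stealth rule never fires.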
Jason Kent wrote:
Ok... I must be missing something really really stupid... been poring over the Checkpoint PDFs and phoneboy.. no luck...
NT 4 - FW-1 v 4.1 SP2 SecureRemote - same version from the same CD
Using SecureRemote with IKE Preshared Secrets - Setup goes fine - Site Creation is fine...
Two scenarios.. first one works, the second one doesn't
Can someone explain what else I need to make the 2nd work, give me some ideas to try ? (i'm all out at this point)
(I also have, above the rules below, an Any to Firewall IKE and RDP accept rule.) Thanks in advance for the help!
Jason
FIRST: (working)
I have the following (applicable)rules:
Any WebServer HTTP Accept
pc1 enc_domain Any Accept
enc_domain Any Any Accept
I start SecureRemote on the client and everything works great... HTTP handled by the first rule.. things like FTP and PCAnywhere by the 2nd
Logs: I see The phase 1 key install and then phase 2 in both directions....then a bunch of decryption when things are working...
(It's annoying that pings don't make it intact.. but I remember reading something about that... I'll try to dig it up again)
SECOND: (broken)
I change the 2nd rule to: User@any enc_domain Any Client Encrypt
I start SecureRemote on the client and HTTP still works fine... but FTP and PCAnywhere and anything else through the changed rule no longer function.
Logs: I see the Phase 1 Key Install.. and a Phase 2 from the PC1 to the Firewall... but NEVER see Phase 2 back the other way (from the Firewall to PC1 (the client))
