CryptoTech,

Thanks for your reply. You are correct in saying that "accept control connections" in the properties allows SecuRemote to work; this is what I've already discovered. The issue is that I don't want to allow control connections because it allows more than I strictly need, and I didn't need to do so on v4.0.

Unfortunately, the issue is not the Firewall workstation object IP address: this is correctly defined as the Firewall's external IP address. Also note that SecuRemote does work OK when "accept control connections" is checked, so I can't see how it can be a Firewall object issue.

Now, my suspicion is that there's some bit of INSPECT code which is only being activated when "allow Firewall-1 control connections" is checked, and just allowing the protocols concerned isn't enough. Perhaps I need to allow some other protocol (maybe IKE) that I don't really need (because I use FWZ) just to activate this INSPECT code.

Roy Hills

At 08:40 22/11/00 -0500, CryptoTech wrote:
>Roy,
>4.1 uses port 264 for topology download and 265 for public key transfers. You
>should need no explicit protocol accepts, as the 'accept firewall-1 control
>connections' allows for this. Usually when you get a timeout after
>authentication, it is because the firewall object has been defined based on
>the internal ip address.
>
>So again, I wouldn't look at the rules, I would look at the fw workstation
>object primary ip address.
>
>If you want to disable control connections, you must enable fw1_topo, and
>fw1_key and IKE to get these connections to go through.
>
>HTH,
>CryptoTech
>
>Roy Hills wrote:
>
> > On Firewall-1 v4.0 I have been able to use SecuRemote with FWZ key
> > scheme by just allowing "FW1" (tcp port 256) from any to the Firewall
> > as well as the relevant client encrypt rules and unchecking the
> > "accept Firewall-1 control connections" box in the policy properties.
> >
> > However on Firewall-1 v4.1, I find that I need to select "accept VPN-1 &
> > Firewall-1 control connections" in the policy properties. I cannot seem
> > to get SecuRemote to work by using specific rules in the rulebase.
> >
> > I have tried the following two rules without success:
> >
> > a)
> >
> > Src: Any
> > Dst: Firewall
> > Svc: FW1, FW1_key, FW1_topo, RDP
> > Act: Accept
> > Trk: Long
> >
> > b)
> >
> > Src: SecuRemote-Client
> > Dst: Firewall
> > Svc: Any
> > Act: Accept
> > Trk: Long
> >
> > Src: Firewall
> > Dst: SecuRemote-Client
> > Svc: Any
> > Act: Accept
> > Trk: Long
> >
> > In both cases, I also had the appropriate client encrypt rules present.
> >
> > The symptoms I see are that I can add the Firewall "site" OK, and the
> > authentication dialog box appears. However, authentication fails with a
> > "communication failed" message.
> >
> > Allowing "accept VPN-1 & Firewall-1 control connections" in the policy
> > properties makes SecuRemote work fine.
> >
> > Does anyone know what has changed from V4.0 to V4.1 regarding SecuRemote
> > that causes this?
> >
> > Is it possible to allow SecuRemote with just rules in the rulebase and not
> > with "accept VPN-1 & Firewall-1 control connections" in the policy
> > properties?
> >
> > I'm using Firewall-1 v4.1 [DES] SP1 on Windows NT 4.0 SP5. SecuRemote is
> > v4.1 [DES] on Win-95. I am using DES encryption, MD5 integrity and FWZ key
> > exchange.
> >
> > Roy Hills

--
Roy Hills                          Tel:   +44 1634 721855
NTA Monitor Ltd                    FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                Email: [EMAIL PROTECTED]
Rochester, Kent ME2 4FA, UK        WWW:   http://www.nta-monitor.com/

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
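The following is an added example, not code from the thread or from Check Point: a small first-match rulebase evaluator that takes Roy's rules (a) and (b) and reports which of the services CryptoTech says are needed without the implied "control connections" rule are left unaccepted. Ports 256, 264 and 265 come from the thread; the RDP (udp/259) and IKE (udp/500) port numbers, the object names and the `Rule` model are assumptions made for the example.

```python
# Added example (not part of the thread): first-match evaluation of an
# explicit FireWall-1 style rulebase, used to show which SecuRemote-related
# services each of Roy's rule sets accepts from the client to the firewall.
from dataclasses import dataclass

# Service table. tcp/256, tcp/264 and tcp/265 are quoted in the thread;
# udp/259 (RDP) and udp/500 (IKE) are assumed standard values.
SERVICES = {
    "FW1":      ("tcp", 256),
    "FW1_topo": ("tcp", 264),
    "FW1_key":  ("tcp", 265),
    "RDP":      ("udp", 259),
    "IKE":      ("udp", 500),
}

# Services CryptoTech lists as required once control connections are
# disabled (fw1_topo, fw1_key, IKE), plus FW1 which the v4.0 setup relied on.
NEEDED = ["FW1", "FW1_topo", "FW1_key", "IKE"]


@dataclass
class Rule:
    src: str          # network object name, or "Any"
    dst: str          # network object name, or "Any"
    svc: set          # set of service names, or {"Any"}
    action: str       # "Accept" or "Drop"


def matches(rule, src, dst, svc):
    """True when the rule's source, destination and service columns all match."""
    return ((rule.src == "Any" or rule.src == src)
            and (rule.dst == "Any" or rule.dst == dst)
            and ("Any" in rule.svc or svc in rule.svc))


def first_match(rulebase, src, dst, svc):
    """Action of the first matching rule; an unmatched packet hits the implicit drop."""
    for rule in rulebase:
        if matches(rule, src, dst, svc):
            return rule.action
    return "Drop"


def missing_services(rulebase, client, firewall, needed=NEEDED):
    """Services from `needed` that the explicit rules do NOT accept client -> firewall."""
    return [s for s in needed
            if first_match(rulebase, client, firewall, s) != "Accept"]


# Rule (a) from Roy's original mail: four named services from Any to the firewall.
RULE_A = [Rule("Any", "Firewall", {"FW1", "FW1_key", "FW1_topo", "RDP"}, "Accept")]

# Rule (b): any service in both directions between the named client and the firewall.
RULE_B = [Rule("SecuRemote-Client", "Firewall", {"Any"}, "Accept"),
          Rule("Firewall", "SecuRemote-Client", {"Any"}, "Accept")]


if __name__ == "__main__":
    client, fw = "SecuRemote-Client", "Firewall"
    print("rule (a) leaves unaccepted:", missing_services(RULE_A, client, fw))
    print("rule (b) leaves unaccepted:", missing_services(RULE_B, client, fw))
    # A host that is not the named client object gets nothing under (b).
    print("rule (b), other host:      ", missing_services(RULE_B, "OtherHost", fw))
```

Run against the thread's two rule sets, the evaluator shows that (a) accepts everything in CryptoTech's list except IKE, while (b) accepts all of them from the named client. Since Roy reports that (b) also fails, the gap there is not a missing service in the explicit rules, which is exactly the open question in the thread; the evaluator is useful for narrowing the cause, not for answering it.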
