[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [FW1] UDP encapsulation problems
I'm trying to force udp encapsulation with IKE for SecuRemote on 4.1sp3 and SR4166. IKE works fine when :force_udp_encapsulation (false) in userc.C but if I set it to true it fails. With a sniffer, I have confirmed the following: - client udp 2647 reaches the firewall - firewall unencapsulatees & decrypts traffic - internal host receives and replies to traffic - firewall encrypts & encapsulates traffic - firewall udp 2647 reaches the client The one potential problem is that the client communicates with the firewall's internal NIC address and the firewall communicates with the client via its external NIC address. Is there a way around this? The above example doesn't generate any log errors. When I try the same example but with my client behind a NAT device, I get rule 0 drop "local address spoofing" and the client never sees the return traffic. Again, this behavior is only with udp encapsulation. Regular IKE works great. Any help would be greatly appreciated!!! Cheers, >I'm not sure why but when I enable udp encapsulation for SR, I keep >getting rule 0 drops of the udp encapsulated traffic originating from >my FW. The log indicates "local address spoofing" as the reason. > >I've turned off spoofing on all FW interfaces but that didn't solve >the problem. I even tried adding :resolve_multiple_interfaces (true) >in objects.C but no luck there. > ---- Jeff Newton ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|