RE: [FW1] SecuRemote ports
If you want to tunnel your VPN/SecuRemote, i.e. pass it through your FW, you will have to allow PID 94 through your FW. FW1_Encapsulation is already defined as Protocol ID 94 (hex: 0x5e). Instead of Checkpoint re-inventing the wheel, they just took this RFC and called it theirs (FW-1 Encapsulation), but it's not a Checkpoint proprietary thing. So PID 94 allows encapsulated connections to pass through your FW... VPN's IKE/FWZ, anything with an encapsulation protocol header (EPH) that has the ID of 0x5e.

Jon

http://www.ietf.org/rfc/rfc2205.txt

7.15 Next-Hop

This attribute is used in order to identify the next hop in a chain of security associations. This attribute is used when it is necessary to establish a secure link with a security gateway in order to reach a host using IPSEC or in the case of multiple security gateways.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    Length     |      Tag      |   Protocol    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Flag      |  Preference   |            Value              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Value(cont)          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type      94 for Next-Hop
Length    10
Tag       The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same Security Association Endpoint.

Date: Fri, 12 Jan 2001 00:27:13 +0100
From: [email protected]
Subject: RE: [FW1] SecuRemote ports

Since you see IP Protocol Number 94 I guess you have set up the SecuRemote client to use FWZ encryption and encapsulate the packets. FWZ encryption tunnels the traffic in a FW1 Encapsulation (IP Protocol 94) (must be open from the client to the Firewall if your ISP has any filtering)..... This is used when you choose to encapsulate SecuRemote encryption..... I've never managed to specify FWZ encryption with the rulebase....
To use FWZ I always enable the VPN-1 & Firewall-1 Control Connections (if anyone knows how to do this through the rulebase I'm interested..... I'm not very fond of the Control Connections, which always enable more than I need)...... But IKE encryption is not difficult to set up with the rulebase....., but then you will have to enable either AH (IP Protocol 51) or ESP (IP Protocol 50) as well as the SecuRemote specific ports (depends a little on your setup) and IKE (UDP Port 50)...... The traffic you see that is marked with IP Protocol 17 is UDP and might be RDP (UDP Port Number 259) which Firewall-1 needs if you use FWZ Encryption (Using Control Connections enables Any Any RDP)...... Hope this helps...

/erik

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
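A way to check what the two replies above describe, as an added example that is not from either poster: parse a raw IPv4 header and classify the packet as FW1 Encapsulation (IP protocol 94), ESP (50), AH (51), or UDP traffic to RDP (port 259) or IKE (UDP port 500, the standard IKE port). The thread's confusion between "IP Protocol 17" and a UDP port number is exactly the distinction the parser makes. The sample packets are constructed inline; their addresses and source ports are placeholders.

```python
import struct

# IP protocol numbers and UDP ports discussed in the thread.
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51
PROTO_FW1_ENCAP = 94      # FW1_Encapsulation, 0x5e
UDP_PORT_RDP = 259        # Check Point RDP, needed for FWZ
UDP_PORT_IKE = 500        # IKE/ISAKMP


def parse_ipv4(packet: bytes):
    """Return (protocol, header_len, payload) from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return packet[9], ihl, packet[ihl:]   # protocol is byte 9


def classify(packet: bytes) -> str:
    """Name the VPN component a packet belongs to, if any."""
    proto, _, payload = parse_ipv4(packet)
    if proto == PROTO_FW1_ENCAP:
        return "fw1-encapsulation (FWZ tunnel)"
    if proto == PROTO_ESP:
        return "esp (IKE/IPSec tunnel)"
    if proto == PROTO_AH:
        return "ah (IKE/IPSec tunnel)"
    if proto == PROTO_UDP:
        if len(payload) < 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack("!HH", payload[:4])
        if UDP_PORT_RDP in (sport, dport):
            return "rdp (FWZ key management)"
        if UDP_PORT_IKE in (sport, dport):
            return "ike (key exchange)"
        return f"udp {sport}->{dport} (not VPN related)"
    return f"ip protocol {proto} (not VPN related)"


def build_ipv4(proto: int, payload: bytes = b"") -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]))
    return hdr + payload


def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    """Constructed sample UDP header (length filled, checksum zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
```

Running `classify(build_ipv4(PROTO_UDP, udp(1025, UDP_PORT_RDP)))` returns the RDP label, while the same packet with a non-VPN port is reported as plain UDP.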