
RE: [FW1] SecuRemote ports



If you want to tunnel your VPN/SecuRemote, i.e. pass it through your FW, you
will have to allow PID 94 through your FW.

FW1_Encapsulation is already defined as Protocol ID 94 (hex: 0x5e)

Instead of Checkpoint re-inventing the wheel, they just took this RFC and
called it theirs (FW-1 Encapsulation), but it's not a Checkpoint proprietary
thing. So PID 94 allows encapsulated connections to pass through your
FW... VPN's IKE/FWZ, anything with an encapsulation protocol header (EPH)
that has the ID of 0x5e

Jon


http://www.ietf.org/rfc/rfc2205.txt

7.15 Next-Hop

   This attribute is used in order to identify the next hop in a chain of
   security associations. This attribute is used when it is necessary to
   establish a secure link with a security gateway in order to reach a
   host using IPSEC or in the case of multiple security gateways.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    Length     |      Tag      |   Protocol    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Flag      |  Preference   |             Value             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           Value(cont)         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    Type

      94 for Next-Hop

    Length

      10

    Tag

      The Tag field is one octet in length and is intended to provide a
      means of grouping attributes in the same packet which refer to the
      same Security Association Endpoint.


Date: Fri, 12 Jan 2001 00:27:13 +0100
From: [email protected]
Subject: RE: [FW1] SecuRemote ports

Since you see IP Protocol Number 94 I guess you have set up the SecuRemote
client to use FWZ encryption and encapsulate the packets. FWZ encryption
tunnels the traffic in a FW1 Encapsulation (IP Protocol 94) (must be open
from the client to the Firewall if your ISP has any filtering)..... This is
used when you choose to encapsulate SecuRemote encryption..... I've never
managed to specify FWZ encryption with the rulebase.... To use FWZ I always
enable the VPN-1 & Firewall-1 Control Connections (if anyone knows how to do
this through the rulebase I'm interested..... I'm not very fond of the
Control Connections which always enable more than I need)...... But IKE
encryption is not difficult to set up with the rulebase....., but then you
will have to enable either AH (IP Protocol 51) or ESP (IP Protocol 50) as
well as the SecuRemote specific ports (depends a little on your setup) and
IKE (UDP Port 50)......

The traffic you see that is marked with IP Protocol 17 is UDP and might be
RDP (UDP Port Number 259) which Firewall-1 needs if you use FWZ
Encryption (Using Control Connections enables Any Any RDP)......

Hope this helps...

/erik
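As an added illustration (not code from either poster or from Check Point), the small classifier below maps the protocol numbers and ports named in this thread to the VPN component they belong to, and reports which rules a rulebase is still missing for FWZ or IKE SecuRemote. The log line format is constructed for the example, and IKE is placed on UDP 500 (the IANA-registered port) as an assumption of mine rather than a figure from the thread.

```python
"""Classify observed flows against the SecuRemote/FWZ/IKE protocol list from the thread."""
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers named in the replies above
PROTO_UDP, PROTO_ESP, PROTO_AH, PROTO_FW1_ENCAP = 17, 50, 51, 94

# Constructed lookup: (ip_proto, udp_port or None) -> service description.
# IKE on UDP 500 is an assumption (IANA assignment), not taken from the thread.
KNOWN_FLOWS = {
    (PROTO_FW1_ENCAP, None): "FW1_Encapsulation (FWZ tunnel, IP proto 94 / 0x5e)",
    (PROTO_ESP, None): "ESP (IKE VPN payload, IP proto 50)",
    (PROTO_AH, None): "AH (IKE VPN payload, IP proto 51)",
    (PROTO_UDP, 259): "RDP (FWZ key management, UDP 259)",
    (PROTO_UDP, 500): "IKE (UDP 500, assumed IANA port)",
}

@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None

def parse_log_line(line: str) -> Flow:
    """Parse a constructed log line such as 'src=10.0.0.5 dst=192.0.2.1 proto=17 dport=259'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    dport = int(fields["dport"]) if "dport" in fields else None
    return Flow(fields["src"], fields["dst"], int(fields["proto"]), dport)

def classify(flow: Flow) -> str:
    """Name the VPN component a flow belongs to; ports only matter for UDP here."""
    key = (flow.proto, flow.dport if flow.proto == PROTO_UDP else None)
    return KNOWN_FLOWS.get(key, "unclassified")

def missing_rules(mode: str, allowed) -> set:
    """Return the (proto, port) entries a rulebase still lacks for 'fwz' or 'ike' SecuRemote."""
    allowed = set(allowed)
    if mode == "fwz":
        # FWZ needs the encapsulation protocol itself plus RDP for key management
        return {r for r in ((PROTO_FW1_ENCAP, None), (PROTO_UDP, 259)) if r not in allowed}
    if mode == "ike":
        missing = set()
        if (PROTO_UDP, 500) not in allowed:
            missing.add((PROTO_UDP, 500))
        if not ({(PROTO_ESP, None), (PROTO_AH, None)} & allowed):
            missing.add(("ESP or AH", None))  # either one satisfies the requirement
        return missing
    raise ValueError(f"unknown mode: {mode}")
```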



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.