[FW1] Firewall responds from wrong interface
We are using the latest version of SecureRemote and establishing tunnels with MEP and hybrid IKE to Nokia IP440s (IPSO 3.3) running FW-1 SP3. The SR clients are configured to use UDP encapsulation for the IPSEC traffic. The SR clients are given IP addresses on the network using a SecureRemote IP pool. The firewalls are defined as their external IP address and licensed there as well. The SecureRemote site is also defined as the external IP address of the firewalls/VPN gateways.

SecureRemote is working fine, but users behind stateful firewalls cannot establish a tunnel. After watching some packets, I noticed that return packets from the firewall are actually coming from the internal IP address! Therefore, the return packets are not matched by the user's firewall and not accepted statefully.

Has anyone seen anything like this? It seems like IPSO routing should figure out that the external interface is closest to the Internet (where the VPN originated) and source packets from that interface! I'm not sure what else to try...

Aaron Shilts
eSecurity Consulting
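The failure mode in the post, modelled as an added example (not from the original message or from Check Point): a minimal stateful filter on the user's side keeps a flow entry per outbound packet and only admits an inbound packet that is the exact reverse 5-tuple, so a reply sourced from the gateway's internal address never matches. Addresses use documentation ranges, and the UDP encapsulation port is an assumed value, not taken from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Model of the user-side stateful firewall: an outbound packet creates a
    flow entry; an inbound packet is accepted only if it is the exact reverse
    of an entry (same protocol, addresses and ports swapped)."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def explain_reply(request, reply):
    """Return (accepted, reason); reason names the first mismatch between the
    reply and the reverse of the request, so a wrongly sourced reply stands out."""
    fw = StatefulFilter()
    fw.outbound(request)
    if fw.inbound(reply):
        return True, None
    if reply.proto != request.proto:
        return False, f"protocol {reply.proto} != {request.proto}"
    if reply.src != request.dst:
        return False, f"reply sourced from {reply.src}, state expects {request.dst}"
    if reply.sport != request.dport:
        return False, f"reply source port {reply.sport} != {request.dport}"
    return False, "reply not addressed to the original client socket"


# Constructed sample values (documentation ranges); not taken from the post.
CLIENT = "198.51.100.20"     # SecureRemote client behind the stateful firewall
GW_EXTERNAL = "203.0.113.1"  # gateway's external (licensed) address
GW_INTERNAL = "10.1.1.1"     # gateway's internal interface
UDP_ENCAP = 2746             # assumed UDP encapsulation port; adjust to your setup

REQUEST = Packet("udp", CLIENT, 40000, GW_EXTERNAL, UDP_ENCAP)
BAD_REPLY = Packet("udp", GW_INTERNAL, UDP_ENCAP, CLIENT, 40000)   # what the post observed
GOOD_REPLY = Packet("udp", GW_EXTERNAL, UDP_ENCAP, CLIENT, 40000)  # reply from the right interface

if __name__ == "__main__":
    print(explain_reply(REQUEST, BAD_REPLY))
    print(explain_reply(REQUEST, GOOD_REPLY))
```

Run it against real captures by building `Packet` objects from the client and gateway sides of a trace; the reason string points straight at the interface or port that is wrong.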