[FW-1] SecuRemote - encryption never works after successful authent
Hi all,

I ran into the following problem with SecuRemote: after a successful authentication, IKE encryption doesn't work.

The SecuRemote client has to access a webserver in the trusted LAN with a private-range IP address (172.16.0.10). The webserver has its default gateway pointing to the firewall's trusted interface and is also in the same subnet as the firewall.

On top of the rulebase we defined a rule:

    SR-users@anywhere  to  Encrypt-domain  action=Client-Encrypt

When the SecuRemote client tries to access the webserver, a packet with service "VPN1_IPSEC_encapsulation" appears in the log, but nothing gets encrypted/decrypted and the connection at the SR client times out.

We use CPfw1-41 SP4 VPN STRONG + SecuRemote 4.1 SP-5 build 4199 for Win2000.

A piece of the log:

    9:04:09 authcrypt pampus-ext >daemon src trust-cybercomm user xx rule 0 reason Client Encryption: Authenticated by Pre-shared secret scheme: IKE methods: 3DES,IKE,SHA1
    9:04:09 keyinst pampus-ext >daemon src trust-cybercomm dst pampus-ext IKE Log: Phase 1 (aggressive) completion. 3DES/SHA1/Pre shared secrets Negotiation Id: fd82d44c787bb689-198ef53997de25ab
    9:04:09 keyinst pampus-ext >daemon proto ip src trust-cybercomm dst pampus-ext srckeyid 0xad8856ad dstkeyid 0xb30a13fa rule 0 scheme: IKE methods: Combined ESP: 3DES + SHA1 (phase 2 completion) for host: xxx.xxx.xx.xxx and for subnet: 0.0.0.0 (mask= 0.0.0.0)
    9:04:10 accept pampus-ext >rtl80291 proto udp src trust-cybercomm dst pampus-ext service VPN1_IPSEC_encapsulation s_port VPN1_IPSEC_encapsulation len 112 rule 10

(trust-cybercomm = SecuRemote client hostname)
(pampus-ext = external interface of the firewall)

Does anyone have tips on how to configure the rulebase or routing for this? Does anyone have an idea how to solve this problem?

Regards,
Frits Heemstra
IRM
Tel.
+31 6 26 216 451
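An added example, not part of the original post and not Check Point code: a small Python correlator that parses FW-1 4.1-style text log records like the ones quoted above and summarises one SecuRemote peer's IKE/IPsec lifecycle (authcrypt, phase 1, phase 2, encapsulated packets seen). It flags two things worth a look when tunnels "authenticate but never carry traffic": encapsulated packets accepted after phase 2 without any encrypt/decrypt record, and a phase 2 SA negotiated for subnet 0.0.0.0 mask 0.0.0.0 instead of the encryption domain. The sample input is constructed from the log fragment in the post (one record per line); the field layout assumed by the regexes, and the assumption that successful tunnel traffic is logged with action "encrypt" or "decrypt", are mine, not taken from product documentation.

```python
import re

# Constructed sample: the four records quoted in the post, one per line.
SAMPLE_LOG = """\
9:04:09 authcrypt pampus-ext >daemon src trust-cybercomm user xx rule 0 reason Client Encryption: Authenticated by Pre-shared secret scheme: IKE methods: 3DES,IKE,SHA1
9:04:09 keyinst pampus-ext >daemon src trust-cybercomm dst pampus-ext IKE Log: Phase 1 (aggressive) completion. 3DES/SHA1/Pre shared secrets Negotiation Id: fd82d44c787bb689-198ef53997de25ab
9:04:09 keyinst pampus-ext >daemon proto ip src trust-cybercomm dst pampus-ext srckeyid 0xad8856ad dstkeyid 0xb30a13fa rule 0 scheme: IKE methods: Combined ESP: 3DES + SHA1 (phase 2 completion) for host: xxx.xxx.xx.xxx and for subnet: 0.0.0.0 (mask= 0.0.0.0)
9:04:10 accept pampus-ext >rtl80291 proto udp src trust-cybercomm dst pampus-ext service VPN1_IPSEC_encapsulation s_port VPN1_IPSEC_encapsulation len 112 rule 10
"""

# Assumed record layout: "<time> <action> <interface> <free-form fields...>".
LINE_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+(?P<rest>.*)$")
SRC_RE = re.compile(r"\bsrc\s+(\S+)")
SUBNET_RE = re.compile(r"for subnet:\s+(\S+)\s+\(mask=\s*(\S+)\)")


def parse_line(line):
    """Turn one log record into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    s = SRC_RE.search(rec["rest"])
    rec["src"] = s.group(1) if s else None
    if rec["action"] == "keyinst":
        # keyinst records carry the IKE phase; phase 2 also carries the traffic selector.
        if "Phase 1" in rec["rest"]:
            rec["phase"] = 1
        elif "phase 2 completion" in rec["rest"]:
            rec["phase"] = 2
            sm = SUBNET_RE.search(rec["rest"])
            if sm:
                rec["subnet"], rec["mask"] = sm.group(1), sm.group(2)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def assess_client(records, src):
    """Summarise the IKE/IPsec lifecycle of one peer (matched on the 'src' field)."""
    mine = [r for r in records if r["src"] == src]
    summary = {
        "authenticated": any(r["action"] == "authcrypt" for r in mine),
        "phase1": any(r.get("phase") == 1 for r in mine),
        "phase2": any(r.get("phase") == 2 for r in mine),
        "encapsulated_packets": sum(
            1 for r in mine
            if r["action"] == "accept" and "VPN1_IPSEC_encapsulation" in r["rest"]
        ),
        # Assumption: traffic that actually traverses the tunnel is logged as encrypt/decrypt.
        "tunnelled_packets": sum(1 for r in mine if r["action"] in ("encrypt", "decrypt")),
        "wildcard_phase2_selector": any(
            r.get("phase") == 2 and r.get("mask") == "0.0.0.0" for r in mine
        ),
    }
    findings = []
    if summary["phase2"] and summary["encapsulated_packets"] and not summary["tunnelled_packets"]:
        findings.append("encapsulated packets accepted after phase 2 but no encrypt/decrypt record logged")
    if summary["wildcard_phase2_selector"]:
        findings.append("phase 2 SA negotiated for subnet 0.0.0.0 mask 0.0.0.0 rather than the encryption domain")
    summary["findings"] = findings
    return summary


if __name__ == "__main__":
    result = assess_client(parse_log(SAMPLE_LOG), "trust-cybercomm")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a real export, the check is per peer hostname: a client that authenticates, completes both phases and then only ever produces accepted "VPN1_IPSEC_encapsulation" records is the pattern described in the post, and the phase 2 selector line tells you what encryption domain the two sides actually agreed on.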