Re: [FW-1] SecureRemote2VPN-1
Hi,

the steps for SecuRemote are

- Get and install the license for VPN-1, SecuRemote and/or Secure Client
- Install the SecuRemote/Secure Client Software on PC
- Define Users and a User Group in GUI
- Check Properties of VPN-1 (Desktop rules if Secure Client, disable "unauthenticated topology download"...)
- Check Network Object "firewall" for VPN definition, correct Encryption Domain and "Exportable"
- make a rule like
    usergroup@any  internal-net  needed-services  ClientEncrypt  longLog
  Don't check ClientEncrypt-Props- "Apply rule only..." when using SecuRemote and not Secure Client
- If properties are modified, make a rule before the stealth-rule
    any  firewall  IKE,AH,ESP  accept  long
- For the download of the topo, you might also need a (temporary) rule like
    any  firewall  FW1_topo,FW1_key  accept  long
- install rulebase
- In SecuRemote define Firewall, connect, authenticate and download the topo
- Give it a first try...

Do you have a license for Secure Client? If not, delete the definition of the Policy Server.

If there are problems, maybe the log has some entries (see also system log).

Another problem might be a missing rule before the Stealth-Rule: You will not only have to accept IKE (500/udp), but also the Internet Protocols 50 and 51 - pre-defined as AH and ESP. For the download you will need also to accept 264/tcp and 265/tcp. Maybe it helps if you define a clean-up rule also - for logging.

Try defining the site after the modifications at the FW, it should work.

BTW: SecuRemote doesn't encrypt if the own IP-Address is in the Encryption Domain of the FW.

Hope it helps,
best regards,
Matthias
http://www.fw-1.de
--
AERAsec Network Services and Security GmbH
Wagenberger Straße 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
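
The rule-ordering point in the message above, as an added example that is not part of the original post and not Check Point tooling: a constructed first-match rulebase model that reports which of the services named in the message would hit the stealth rule before any accept rule. The `Rule` structure, the helper names and the sample rulebases are assumptions made for illustration, and the model assumes the implied rules in the Properties are switched off.

```python
# Constructed model of an ordered, first-match rulebase (not Check Point's format).
from dataclasses import dataclass

VPN_SERVICES = frozenset({"IKE", "AH", "ESP"})       # 500/udp plus IP protocols 51 and 50
TOPO_SERVICES = frozenset({"FW1_topo", "FW1_key"})   # 264/tcp and 265/tcp in the message

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    services: frozenset   # service names, or {"any"}
    action: str           # "accept", "drop" or "ClientEncrypt"

def first_match(rulebase, dst, service):
    """Index and rule of the first rule matching traffic from any source to dst."""
    for i, r in enumerate(rulebase):
        if (r.src == "any" and r.dst in (dst, "any")
                and ("any" in r.services or service in r.services)):
            return i, r
    return None, None

def blocked_services(rulebase, needed=VPN_SERVICES | TOPO_SERVICES):
    """Map each needed service to the reason it never reaches an accept rule."""
    problems = {}
    for svc in sorted(needed):
        idx, r = first_match(rulebase, "firewall", svc)
        if r is None:
            problems[svc] = "no matching rule"
        elif r.action != "accept":
            problems[svc] = f"rule {idx + 1} ({r.action}) matches first"
    return problems

# Constructed sample rulebases using the object names from the message.
STEALTH = Rule("any", "firewall", frozenset({"any"}), "drop")
CLIENT = Rule("usergroup@any", "internal-net",
              frozenset({"needed-services"}), "ClientEncrypt")
CLEANUP = Rule("any", "any", frozenset({"any"}), "drop")
VPN_IN = Rule("any", "firewall", VPN_SERVICES, "accept")
TOPO_IN = Rule("any", "firewall", TOPO_SERVICES, "accept")

SHADOWED = [STEALTH, VPN_IN, TOPO_IN, CLIENT, CLEANUP]   # accepts sit behind the stealth rule
NO_TOPO = [VPN_IN, STEALTH, CLIENT, CLEANUP]             # topology download rule missing
ORDERED = [VPN_IN, TOPO_IN, STEALTH, CLIENT, CLEANUP]    # order described in the message

if __name__ == "__main__":
    for name, rb in (("SHADOWED", SHADOWED), ("NO_TOPO", NO_TOPO), ("ORDERED", ORDERED)):
        print(name, blocked_services(rb) or "all needed services accepted")
```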