From: <Ax...@co...> - 2003-03-23 21:05:14
Well,

the answer to your questions depends on what version of Checkpoint Firewall-1 you are using and the version of your SecuRemote Client. Please quote the Feature Pack/Service Pack version in addition to your basic version.

Axel Westerhold

-----Original Message-----
From: Tom Eastep [mailto:te...@sh...]
Sent: Sunday, 23 March 2003 15:42
To: Matt Perry
Cc: sho...@li...

On Sun, 23 Mar 2003, Matt Perry wrote:

> > 2.4 What is FWZ?
> >
> > FWZ is a proprietary encryption protocol developed by Check Point Software
> > Technologies. It is used in VPNs that are built around their Firewall-1
> > product.
> >
> > A Checkpoint-based firewall can be configured in several modes. The "FWZ
> > Encapsulation" mode cannot be masqueraded. The "IKE" mode, which uses
> > standard IPsec protocols, can be masqueraded with minor configuration
> > changes on the VPN gateway.
>
> Yes, I have read this. I was not clear on the part of the statement
> saying "minor configuration changes on the VPN gateway".
>
> 1.
> If IKE mode is used does this imply one will always need
> these changes made on the VPN gateway if one is using SNAT
> on the individual's home network?
>
> 2.
> Can I assume that the "VPN gateway" in this sentence is the
> box running the corporate FW-1 Checkpoint firewall in my
> particular case?
>
> 3.
> Do I need to ask Corporate if ESP with NAT traversal is
> enabled on the FW-1 Checkpoint firewall? In other words,
> is that the "minor configuration" I need to have them make
> in order to get things working (or at least one of them)?
>
> It appears from your quote of the VPN Masq HOWTO I made
> the erroneous assumption that since I was able to use IKE
> successfully without a firewall on my side that ESP with
> NAT traversal had been enabled on Corporate's firewall.
> Said another way, success with IKE used and no firewall
> on my end does not imply this configuration change on the
> FW-1 firewall.
>

Hope someone else can answer your questions -- I know nothing more about FW-1's than what I've read on the site I'm quoting.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...

_______________________________________________
Shorewall-users mailing list
Post: Sho...@li...
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
From: <Ax...@co...> - 2003-03-26 20:37:38
Hi Matt,

sorry for the delay.

Checkpoint 4.1 does not provide the IKE over TCP capability the new Checkpoint NG offers. As a result you will have to deal with UDP traffic on port 500 during IKE Phase 1 and Phase 2. As long as you only have to deal with one secure client/SecuRemote client you can simply try to do

SR=Securemote
CP=Checkpoint

ACCEPT  loc:<SR>  net:<CP>  udp  500
DNAT    net:<CP>  loc:<SR>  udp  500

This would handle the IKE negotiation.

The next step needs to deal with ESP (Encapsulated Security Protocol). This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your firewall. I am not sure about that rule. If the one below should be wrong someone please correct me:

ACCEPT  loc:<SR>  net:<FW IP>  50
DNAT    net:<CP>  net:<SR>     50

This assumes that the management module is running on the same IP the enforcement point is running on. If you should have a Checkpoint firewall using a separated Management Module the IKE is done through the Management Module's IP while ESP you'll receive and send to the Enforcement Point. In addition, if you should run clustered Enforcement Points you would need to have a DNAT rule for each of the nodes.

I hope this helps,
Axel
From: Matt P. <kh...@wi...> - 2003-03-26 22:14:24
Wed Mar 26 16:13:17 CST 2003

Axel:

On Wed, 26 Mar 2003 Ax...@co... wrote:
>
> Hi Matt,
>
> sorry for the delay.
>
> Checkpoint 4.1 does not provide the IKE over TCP capability the new
> Checkpoint NG offers. As a result you will have to deal with UDP traffic
> on port 500 during IKE Phase 1 and Phase 2. As long as you only have to
> deal with one secure client/SecuRemote client you can simply try to do
>
> SR=Securemote
> CP=Checkpoint
>
> ACCEPT loc:<SR> net:<CP> udp 500
> DNAT net:<CP> loc:<SR> udp 500
>
> This would handle the IKE negotiation.
>
> The next step needs to deal with ESP (Encapsulated Security Protocol).
> This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your
> firewall. I am not sure about that rule. If the one below should be
> wrong someone please correct me
>
> ACCEPT loc:<SR> net:<FW IP> 50
> DNAT net:<CP> net:<SR> 50

Did you mean:

DNAT net:<CP> loc:<SR> 50
              ^^^

mjp

>
> This assumes that the management module is running on the same IP the
> enforcement point is running on. If you should have a Checkpoint
> firewall using a separated Management Module the IKE is done through the
> Management Module's IP while ESP you'll receive and send to the
> Enforcement Point. In addition, if you should run clustered Enforcement
> Points you would need to have a DNAT rule for each of the nodes.
>
> I hope this helps,
> Axel
>

--
Matt Perry
ma...@po...
From: <Ax...@co...> - 2003-03-26 20:47:52
Hi Matt,

I just was reading your email again and you just mentioned your client is SecuRemote 4.1 but did not say the firewall is 4.1 too. If the checkpoint firewall is an NG FP 1 or higher things work differently. In this case you should go to the checkpoint web site and download the NG FP 3 client. It will give you an option for enabling IKE over IKE and UDP encapsulation. Each feature must be turned on on the checkpoint too but should be by default.

SR=Securemote
CP=Checkpoint

ACCEPT  loc:<SR>  net:<CP>  tcp  500

This would handle the IKE negotiation.

The next step needs to deal with ESP (Encapsulated Security Protocol). This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your firewall. I am not sure about that rule. If the one below should be wrong someone please correct me:

ACCEPT  loc:<SR>  net:<FW IP>  50

(I think for ESP the above rule is sufficient so the rule in my earlier mail should be correct).

Starting with NG the Enforcement Points also handle the IKE Phase. So you just have to change the above rules if the Enforcement Points are clustered.

Axel
From: <Ax...@co...> - 2003-03-26 21:48:28
IKE over IKE is clearly wrong, I meant to say IKE over TCP.

Sorry,
Axel

-----Original Message-----
From: Axel Westerhold
Sent: Wednesday, 26 March 2003 21:49
To: sho...@li...

Hi Matt,

I just was reading your email again and you just mentioned your client is SecuRemote 4.1 but did not say the firewall is 4.1 too. If the checkpoint firewall is an NG FP 1 or higher things work differently. In this case you should go to the checkpoint web site and download the NG FP 3 client. It will give you an option for enabling IKE over IKE and UDP encapsulation. Each feature must be turned on on the checkpoint too but should be by default.

SR=Securemote
CP=Checkpoint

ACCEPT  loc:<SR>  net:<CP>  tcp  500

This would handle the IKE negotiation.

The next step needs to deal with ESP (Encapsulated Security Protocol). This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your firewall. I am not sure about that rule. If the one below should be wrong someone please correct me:

ACCEPT  loc:<SR>  net:<FW IP>  50

(I think for ESP the above rule is sufficient so the rule in my earlier mail should be correct).

Starting with NG the Enforcement Points also handle the IKE Phase. So you just have to change the above rules if the Enforcement Points are clustered.

Axel
From: Matt P. <kh...@wi...> - 2003-03-26 21:59:16
Wed Mar 26 15:52:50 CST 2003

Axel:

On Wed, 26 Mar 2003 Ax...@co... wrote:
>
> IKE over IKE is clearly wrong I meant to say IKE over TCP

Got it.

>
> Sorry,
> Axel
>
> -----Original Message-----
> From: Axel Westerhold
> Sent: Wednesday, 26 March 2003 21:49
> To: sho...@li...
>
>
> Hi Matt,
>
> I just was reading your email again and you just mentioned your client
> is SecuRemote 4.1 but did not say the firewall is 4.1 too.

Well, it is not clear to me what version corporate is running (yet), but when I installed an NG client (the latest on Checkpoint's site) I was no longer able to communicate with the corporate firewall even when there was *no* firewall on my end. I am going to make an assumption that this implies they are using a non-NG version of the firewall on their end. That would make sense as well as I have heard nothing from our local IT people indicating they had made a change recently.

I am going to make the changes indicated in your previous post where you spell out what is necessary for the original flavor of the FW-1 checkpoint firewall with the client I have and report the results.

BTW, getting that NG client off of my Win98 machine required the sacrifice of at least one chicken, but that is another story for another day. :(

mjp

> If the checkpoint firewall is an NG FP 1 or higher things work
> differently. In this case you should go to the checkpoint web site and
> download the NG FP 3 client. It will give you an option for enabling IKE
> over IKE and UDP encapsulation. Each feature must be turned on on the
> checkpoint too but should be by default.
>
> SR=Securemote
> CP=Checkpoint
>
> ACCEPT	loc:<SR>	net:<CP>	tcp	500
>
> This would handle the IKE negotiation.
>
> The next step needs to deal with ESP (Encapsulated Security Protocol).
> This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your
> firewall. I am not sure about that rule. If the one below should be
> wrong someone please correct me
>
> ACCEPT	loc:<SR>	net:<FW IP>	50
>
> (I think for ESP the above rule is sufficient so the rule in my earlier
> mail should be correct).
>
> Starting with NG the Enforcement Points also handle the IKE Phase. So
> you just have to change the above rules if the Enforcement Points are
> clustered.
>
> Axel
>

--
Matt Perry
ma...@po...
From: <Ax...@co...> - 2003-03-26 22:20:26
Hi Matt,

>Well, it is not clear to me what version corporate is
>running (yet), but when I installed an NG client (the
>latest on Checkpoint's site) I was no longer able to
>communicate with the corporate firewall even when there
>was *no* firewall on my end. I am going to make an
>assumption that this implies they are using a non-NG
>version of the firewall on their end. That would make
>sense as well as I have heard nothing from our local
>IT people indicating they had made a change recently.

Actually no. I am running a SecuRemote FP 3 client against various flavors of Checkpoint 4.1 and NG firewalls (I need to remotely administer about 20+ firewalls and sometimes it's just easier and more comfortable to do it from home). If you really want to find out you can run a NMAP -O (fingerprinting) against your known Checkpoint firewall IP. NMAP will tell you if it's a 4.1 while it will not give you a valid result on NG. That's one of the reasons I tell people to upgrade to NG. Another is the SecuRemote issue. Handling 50+ remote users with various personal firewalls or home networks through various firewalls or Cable/DSL routers is no fun when the FW is 4.1!

>I am going to make the changes indicated in your previous
>post where you spell out what is necessary for the
>original flavor of the FW-1 checkpoint firewall with
>the client I have and report the results.

If you should have any more questions feel free to contact me directly as this is more a Checkpoint issue than related to Shorewall. No need to be totally off topic.

>BTW, getting that NG client off of my Win98 machine
>required the sacrifice of at least one chicken, but
>that is another story for another day. :(

Yes, I never got Win9x machines to accept an uninstall gracefully. It works better with XP.

Axel
From: <Ax...@co...> - 2003-03-26 22:25:40
Yep, actually, when I first had this problem I decided to do something to verify my problems. My rules file looked like this for the test:

ACCEPT  loc:<myip>  $FW         all
ACCEPT  loc         net         all
DNAT    net:<CP>    loc:<myIP>  all

This should work just fine as it DNATs everything hitting your External interface with a Source equal to the IP of the Checkpoint over to the machine you run the secu client from. When this worked I simply did the tuning.

Axel

-----Original Message-----
From: Matt Perry [mailto:kh...@wi...]
Sent: Wednesday, 26 March 2003 23:14
To: Axel Westerhold
Cc: sho...@ma...

Wed Mar 26 16:13:17 CST 2003

Axel:

On Wed, 26 Mar 2003 Ax...@co... wrote:
>
> Hi Matt,
>
> sorry for the delay.
>
> Checkpoint 4.1 does not provide the IKE over TCP capability the new
> Checkpoint NG offers. As a result you will have to deal with UDP traffic
> on port 500 during IKE Phase 1 and Phase 2. As long as you only have to
> deal with one secure client/SecuRemote client you can simply try to do
>
> SR=Securemote
> CP=Checkpoint
>
> ACCEPT loc:<SR> net:<CP> udp 500
> DNAT net:<CP> loc:<SR> udp 500
>
> This would handle the IKE negotiation.
>
> The next step needs to deal with ESP (Encapsulated Security Protocol).
> This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your
> firewall. I am not sure about that rule. If the one below should be
> wrong someone please correct me
>
> ACCEPT loc:<SR> net:<FW IP> 50
> DNAT net:<CP> net:<SR> 50

Did you mean:

DNAT net:<CP> loc:<SR> 50
              ^^^

mjp

>
> This assumes that the management module is running on the same IP the
> enforcement point is running on. If you should have a Checkpoint
> firewall using a separated Management Module the IKE is done through the
> Management Module's IP while ESP you'll receive and send to the
> Enforcement Point. In addition, if you should run clustered Enforcement
> Points you would need to have a DNAT rule for each of the nodes.
>
> I hope this helps,
> Axel
>

--
Matt Perry
ma...@po...
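To make the rule sets in this sub-thread concrete, the Check Point 4.1 rules from Axel's earlier message (with Matt's `loc:<SR>` correction applied to the ESP DNAT) and the wide-open test rules in this last message, here is an added example that is not part of the thread and not Shorewall's own code: a small Python evaluator that parses Shorewall-style rule lines (ACTION SOURCE DEST PROTO [DEST PORT]) and reports which rule each constructed packet hits. All addresses are constructed placeholders, the ESP ACCEPT is assumed to target the Check Point gateway rather than the firewall's own IP, and the matching semantics are a deliberate simplification of Shorewall's (first match wins, DNAT applies only to traffic arriving on the external address, unmatched traffic falls to a DROP policy).

```python
"""Toy evaluator for Shorewall-style rules (added example, not Shorewall code).

Models just enough of a rules file to show which packets of a SecuRemote to
Check Point 4.1 session each rule covers, and why ESP (IP protocol 50, which
carries no port numbers) limits a NAT box to a single DNAT target for it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder addresses (not from the thread).
CP = "203.0.113.5"        # stands in for <CP>, the Check Point gateway
CP_NODE2 = "203.0.113.6"  # a second clustered Enforcement Point (constructed)
FW_IP = "198.51.100.7"    # the Shorewall box's external address
SR = "192.168.1.10"       # stands in for <SR>, the SecuRemote PC on the LAN
SR2 = "192.168.1.11"      # a second SecuRemote PC, used only for the caveat

ZONES = {"net": {CP, CP_NODE2}, "loc": {SR, SR2}, "$FW": {FW_IP}}

# Check Point 4.1 rule set from the thread, ESP DNAT corrected to loc:<SR>.
# Assumption: the ESP ACCEPT targets the Check Point gateway like the IKE one.
RULES_41 = f"""
ACCEPT  loc:{SR}  net:{CP}  udp  500
DNAT    net:{CP}  loc:{SR}  udp  500
ACCEPT  loc:{SR}  net:{CP}  50
DNAT    net:{CP}  loc:{SR}  50
"""

# The wide-open test rules (proto "all") used to prove the path works at all.
RULES_TEST = f"""
ACCEPT  loc:{SR}  $FW       all
ACCEPT  loc       net       all
DNAT    net:{CP}  loc:{SR}  all
"""


@dataclass
class Rule:
    action: str
    src_zone: str
    src_host: Optional[str]
    dst_zone: str
    dst_host: Optional[str]
    proto: str
    dport: Optional[int]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "udp", "tcp" or an IP protocol number such as "50"
    dport: Optional[int] = None


def parse_rules(text: str) -> List[Rule]:
    """Parse ACTION SOURCE DEST PROTO [DPORT] lines; zone[:host] per column."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        action, src, dst, proto = fields[:4]
        dport = int(fields[4]) if len(fields) > 4 else None
        sz, _, sh = src.partition(":")
        dz, _, dh = dst.partition(":")
        rules.append(Rule(action, sz, sh or None, dz, dh or None, proto.lower(), dport))
    return rules


def _in_zone(zone: str, host: Optional[str], addr: str) -> bool:
    return addr in ZONES.get(zone, set()) and (host is None or host == addr)


def _proto_ok(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("all", pkt.proto):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching rule wins; anything unmatched falls to a DROP policy."""
    for r in rules:
        if not _proto_ok(r, pkt):
            continue
        if r.action == "DNAT":
            # DNAT rewrites traffic hitting the external address from the
            # listed source; the DEST column names the internal target.
            if pkt.dst == FW_IP and _in_zone(r.src_zone, r.src_host, pkt.src):
                return "DNAT", r.dst_host
        elif r.action == "ACCEPT":
            if _in_zone(r.src_zone, r.src_host, pkt.src) and _in_zone(r.dst_zone, r.dst_host, pkt.dst):
                return "ACCEPT", pkt.dst
    return "DROP", None


def shadowed_dnat(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs of DNAT rules that match identical traffic, so only the first fires.
    ESP has no ports, so two SecuRemote PCs behind one NAT collide here."""
    dnats = [r for r in rules if r.action == "DNAT"]
    clashes = []
    for i, a in enumerate(dnats):
        for b in dnats[i + 1:]:
            same = (a.src_zone, a.src_host, a.proto, a.dport) == (b.src_zone, b.src_host, b.proto, b.dport)
            if same and a.dst_host != b.dst_host:
                clashes.append((a.dst_host, b.dst_host))
    return clashes


if __name__ == "__main__":
    rules = parse_rules(RULES_41)
    for pkt in (Packet(SR, CP, "udp", 500), Packet(CP, FW_IP, "udp", 500),
                Packet(SR, CP, "50"), Packet(CP, FW_IP, "50"),
                Packet(CP_NODE2, FW_IP, "50")):
        print(pkt, "->", evaluate(rules, pkt))
    print("second PC:", shadowed_dnat(rules + parse_rules(f"DNAT net:{CP} loc:{SR2} 50")))
```

Running it shows the IKE and ESP legs from the gateway being DNATed to the one SecuRemote PC, ESP from a second clustered node being dropped until it gets its own DNAT line (the "one DNAT rule per node" point), and `shadowed_dnat` flagging that a DNAT for a second SecuRemote PC can never fire because protocol 50 gives the NAT box nothing to tell the two sessions apart. The test rule set forwards everything from the gateway address to the PC, VPN-related or not, which is why it is only a diagnostic step before tightening to the port- and protocol-specific rules.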
From: Matt P. <kh...@wi...> - 2003-03-24 16:41:29
Alex:

Ax...@co... wrote:
> Well,
>
> the answer to your questions depends on what version of Checkpoint Firewall-1 you are using and the version of your SecuRemote Client. Please quote the Feature Pack/Service Pack version in addition to your basic version.

Good point. I should have included that in the original post.

It is SecuRemote version 4.1 SP-5 DES build 4200.

Does that provide the information necessary?

matt

>
> Axel Westerhold
>
> -----Original Message-----
> From: Tom Eastep [mailto:te...@sh...]
> Sent: Sunday, 23 March 2003 15:42
> To: Matt Perry
> Cc: sho...@li...
>
> On Sun, 23 Mar 2003, Matt Perry wrote:
>
> > > 2.4 What is FWZ?
> > >
> > > FWZ is a proprietary encryption protocol developed by Check Point Software
> > > Technologies. It is used in VPNs that are built around their Firewall-1
> > > product.
> > >
> > > A Checkpoint-based firewall can be configured in several modes. The "FWZ
> > > Encapsulation" mode cannot be masqueraded. The "IKE" mode, which uses
> > > standard IPsec protocols, can be masqueraded with minor configuration
> > > changes on the VPN gateway.
> >
> > Yes, I have read this. I was not clear on the part of the statement
> > saying "minor configuration changes on the VPN gateway".
> >
> > 1.
> > If IKE mode is used does this imply one will always need
> > these changes made on the VPN gateway if one is using SNAT
> > on the individual's home network?
> >
> > 2.
> > Can I assume that the "VPN gateway" in this sentence is the
> > box running the corporate FW-1 Checkpoint firewall in my
> > particular case?
> >
> > 3.
> > Do I need to ask Corporate if ESP with NAT traversal is
> > enabled on the FW-1 Checkpoint firewall? In other words,
> > is that the "minor configuration" I need to have them make
> > in order to get things working (or at least one of them)?
> >
> > It appears from your quote of the VPN Masq HOWTO I made
> > the erroneous assumption that since I was able to use IKE
> > successfully without a firewall on my side that ESP with
> > NAT traversal had been enabled on Corporate's firewall.
> > Said another way, success with IKE used and no firewall
> > on my end does not imply this configuration change on the
> > FW-1 firewall.
> >
>
> Hope someone else can answer your questions -- I know nothing more about
> FW-1's than what I've read on the site I'm quoting.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.sf.net
> Washington USA  \ te...@sh...
>
From: Tom E. <te...@sh...> - 2003-03-24 16:44:53
On Mon, 24 Mar 2003, Matt Perry wrote:

>
> It is SecuRemote version 4.1 SP-5 DES build 4200.
>

Matt,

Did you check out the site that Dennis Borngraeber pointed you to? It has the relevant information about which versions support NAT and gives configuration guidance.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ te...@sh...
From: Matt P. <kh...@wi...> - 2003-03-24 17:21:06
Mon Mar 24 11:03:10 CST 2003

Tom (and Dennis):

On Mon, 24 Mar 2003, Tom Eastep wrote:

> On Mon, 24 Mar 2003, Matt Perry wrote:
>
> >
> > It is SecuRemote version 4.1 SP-5 DES build 4200.
> >
>
> Matt,
>
> Did you check out the site that Dennis Borngraeber pointed you to? It has
> the relevant information about which versions support NAT and gives
> configuration guidance.

I did look at that last night. Replying to that email was next on my list. ;)

I had found phoneboy's FAQ-o-Matic a week or so ago. I was concentrating on the Q/A dealing with "Using a Secure Client through Linux ipchains/iptables"

http://www.phoneboy.com/fom-serve/cache/90.html

which is referred to at the end of the q/a that Dennis points to. At the time I was not sure what all the ports and protocols did. Now I am a little more educated so they make sense.

In any event, I did not have shorewall installed yet so I configured iptables through scripts using the commands found at the end of

http://www.phoneboy.com/fom-serve/cache/90.html

The result was still being in the state I described originally -- authentication on the client supported but not able to connect to the private IP address on the other side of the corporate FW-1 firewall.

The configuration options mentioned in the q/a Dennis mentions are, I believe, for a newer version of SecuRemote. I can move to the newer version of SecuRemote if that is what the issue is...needing to make the configuration changes on the client side as described in the q/a pointed to by Dennis. When I saw Alex's post I thought he might be able to shed some light on that before I made those changes.

Another option is to just give it a try! ;)

mjp

--
Matt Perry
ma...@po...