[EMAIL PROTECTED] wrote:
> > I'd really appreciate it if you could confirm this

Turning the archives upside-down and shaking a bit turned up this:

From the Check Point KB:

"Secure Client 4.1 SP2 and later when used with FireWall-1 4.1 SP2 and later support a 'UDP Encapsulation Mode' for IKE. Instead of using IP Protocol 50, UDP port 2746 is used. Most NAT gateways can perform address translation on UDP packets and it is designed to work with HIDE NAT, meaning multiple users can make use of SecuRemote behind a HIDE NAT gateway. Provided your clients are able to use TCP port 264 to fetch the topology, UDP port 500 to perform an IKE key exchange, and UDP port 2746, this should work."

... which our consistency checker croaked on:

DROP: rule=LayerSizeConsistency recvif=int ipproto=UDP srcip=10.x.x.x srcport=2746 destip=194.x.x.x destport=2746 ipdataLen=84 udptotlen=76

One wonders why Check Point's own inspection code didn't react to obviously broken packets like these.

So, anyway, this appears to be an issue only with UDP (NAT-traversal) encapsulation, and this support case was from September 2001. Maybe they've gotten around to fixing this now. Pick up your upgrade and support agreements and give them a call? (I've tried searching phoneboy.com on this issue to no avail.)

/Mike

(Sorry I can't be of more help. All I have is this one support case.)

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50  WWW: http://www.clavister.com
"Senex semper diu dormit"

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
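The DROP line in Mike's post is a layer-size consistency check: the IPv4 header says 84 bytes of payload, but the UDP header inside it claims only 76, so the firewall refuses to guess which one is right. The following is an added example (not Check Point's, Clavister's, or the list poster's code) of that check in Python: it parses an IPv4+UDP packet, compares the IP payload length against the UDP length field, and reports the same fields as the quoted log line. The packets are constructed inline; the addresses (10.1.2.3 and the documentation address 198.51.100.7), the 76-byte dummy payload and the zeroed checksums are all assumptions made for the demonstration.

```python
"""Layer-size consistency check for IPv4/UDP, reproducing the kind of
mismatch the quoted DROP log reported (ipdataLen=84 vs udptotlen=76).

Added example: not vendor code. Packets below are constructed by hand;
checksums are left at zero because only length fields are examined.
"""
import ipaddress
import struct

IPPROTO_UDP = 17
IPV4_HDR_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
UDP_HDR_FMT = "!HHHH"            # sport, dport, length, checksum


def build_ipv4_udp(src, dst, sport, dport, payload, udp_len=None, ip_total_len=None):
    """Build a minimal IPv4+UDP packet. Passing udp_len or ip_total_len
    overrides the computed value so an inconsistent packet can be fabricated."""
    if udp_len is None:
        udp_len = 8 + len(payload)
    udp_hdr = struct.pack(UDP_HDR_FMT, sport, dport, udp_len, 0)
    if ip_total_len is None:
        ip_total_len = 20 + len(udp_hdr) + len(payload)
    ip_hdr = struct.pack(IPV4_HDR_FMT, 0x45, 0, ip_total_len, 0, 0, 64, IPPROTO_UDP, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + udp_hdr + payload


def layer_size_consistency(packet):
    """Return None when the IPv4 and UDP length fields agree, otherwise a
    dict describing why the packet would be dropped."""
    if len(packet) < 20:
        return {"rule": "LayerSizeConsistency", "reason": "truncated IPv4 header"}
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        return {"rule": "LayerSizeConsistency", "reason": "not IPv4"}
    ihl = (ver_ihl & 0x0F) * 4
    # The IP header must fit, and total length must be covered by the bytes actually received.
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return {"rule": "LayerSizeConsistency", "reason": "bad IPv4 length fields",
                "ihl": ihl, "ipTotalLen": total_len, "wireLen": len(packet)}
    if proto != IPPROTO_UDP:
        return None  # only UDP is checked in this example
    ip_data_len = total_len - ihl
    if ip_data_len < 8:
        return {"rule": "LayerSizeConsistency", "reason": "IPv4 payload shorter than a UDP header",
                "ipdataLen": ip_data_len}
    sport, dport, udp_total_len, _ = struct.unpack(UDP_HDR_FMT, packet[ihl:ihl + 8])
    if udp_total_len != ip_data_len:
        return {"rule": "LayerSizeConsistency", "ipproto": "UDP",
                "srcip": str(ipaddress.IPv4Address(src)), "srcport": sport,
                "destip": str(ipaddress.IPv4Address(dst)), "destport": dport,
                "ipdataLen": ip_data_len, "udptotlen": udp_total_len}
    return None


def format_drop(verdict):
    """Render a verdict in the key=value style of the quoted firewall log."""
    return "DROP: " + " ".join(f"{k}={v}" for k, v in verdict.items())


# Constructed sample: 76 bytes of dummy IKE-over-UDP-2746 payload, so the IPv4
# payload is 8 + 76 = 84 bytes, while the UDP length field is forced to 76.
PAYLOAD = b"\x00" * 76
BAD_PACKET = build_ipv4_udp("10.1.2.3", "198.51.100.7", 2746, 2746, PAYLOAD, udp_len=76)
GOOD_PACKET = build_ipv4_udp("10.1.2.3", "198.51.100.7", 2746, 2746, PAYLOAD)

if __name__ == "__main__":
    for name, pkt in (("bad", BAD_PACKET), ("good", GOOD_PACKET)):
        verdict = layer_size_consistency(pkt)
        print(name, "->", format_drop(verdict) if verdict else "ACCEPT")
```

Run it and the fabricated packet produces a DROP line with ipdataLen=84 and udptotlen=76, exactly the disagreement in the post; the same payload with a correctly computed UDP length passes. Which of the two lengths a device trusts when they disagree (IP or UDP) is a policy choice, and a firewall that refuses the packet outright, as Clavister's did, is the safer default because the ambiguity is exactly what an evasion would exploit.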
