Hi,
I just can't make SecuRemote work with our firewall. I have read many FAQs
and recipes about SecuRemote to no avail.
I start SecuRemote, define a site, get the key exchange dialog, but when trying
to download a security policy (or trying a telnet if security policy is
disabled), I always get this error message right after the authentication:
"Error: Communication with site myfirewall has failed"
Here are the details:
- FW1 4.1 with VPN-1 on Solaris 2.7
- Checked with "fw printlic -p" that we have "encryption", "strong" and "isakmp"
- Got a license for SecuRemote
- SecuRemote 4.1 SP1-3des build 4157 April 27, 2000 (tried on NT and Windows 95)
- Followed quite precisely recipes found on Phoneboy FAQ and also on Checkpoint
knowledge base
- Defined encryption domain as all the networks behind the firewall
- Used IKE with "Pre-defined shared secret" as authentication. Authentication
works since I get the message "Authentication failed" when I enter the wrong
password (valid password is the one defined at the firewall object, not at
the user object level)
- On the firewall, I have a rule
SecureRemote@Any Any Any ClientEncrypt
with SecuRemote group containing definition of a user. Also tried variations
of this with "encdomain" as destination
- The firewall log shows a line with action "keyinst" and comment "IKE Log:
Phase 1 (aggressive) completion. 3DES/SHA1/Pre Shared secrets Negotiation Id:
<bunch of numbers and letters>"
- A snoop shows the following exchange between the firewall and the SecuRemote
PC (UDP 500=IKE is allowed through the firewall by implied rules):
1 0.00000 securem -> myfirewall TCP D=264 S=1031 Syn Seq=96996 Len=0 Win=8192 Options=<mss 1460,nop,nop,sackOK>
2 0.03607 myfirewall -> securem TCP D=1031 S=264 Syn Ack=96997 Seq=4071055565 Len=0 Win=8760 Options=<nop,nop,sackOK,mss 1460>
3 0.00032 securem -> myfirewall TCP D=264 S=1031 Ack=4071055566 Seq=96997 Len=0 Win=8760
4 0.00433 securem -> myfirewall TCP D=264 S=1031 Ack=4071055566 Seq=96997 Len=4 Win=8760
5 0.03583 myfirewall -> securem TCP D=1031 S=264 Ack=97001 Seq=4071055566 Len=0 Win=8760
6 0.00024 securem -> myfirewall TCP D=264 S=1031 Ack=4071055566 Seq=97001 Len=4 Win=8760
7 0.03626 myfirewall -> securem TCP D=1031 S=264 Ack=97005 Seq=4071055566 Len=4 Win=8760
8 0.00045 securem -> myfirewall TCP D=264 S=1031 Ack=4071055570 Seq=97005 Len=4 Win=8756
9 0.02926 myfirewall -> securem TCP D=1031 S=264 Ack=97009 Seq=4071055570 Len=28 Win=8760
10 0.00020 securem -> myfirewall TCP D=264 S=1031 Ack=4071055598 Seq=97009 Len=4 Win=8728
11 0.03203 myfirewall -> securem TCP D=1031 S=264 Ack=97013 Seq=4071055598 Len=9 Win=8760
12 0.13894 securem -> myfirewall TCP D=264 S=1031 Ack=4071055607 Seq=97013 Len=0 Win=8719
13 0.03003 myfirewall -> securem TCP D=1031 S=264 Ack=97013 Seq=4071055607 Len=8 Win=8760
14 0.00049 securem -> myfirewall TCP D=264 S=1031 Ack=4071055615 Seq=97013 Len=4 Win=8711
15 0.07065 myfirewall -> securem TCP D=1031 S=264 Ack=97017 Seq=4071055615 Len=0 Win=8760
16 0.00029 securem -> myfirewall TCP D=264 S=1031 Ack=4071055615 Seq=97017 Len=68 Win=8711
17 0.06562 myfirewall -> securem TCP D=1031 S=264 Ack=97085 Seq=4071055615 Len=1460 Win=8760
18 0.01339 myfirewall -> securem TCP D=1031 S=264 Ack=97085 Seq=4071057075 Len=1460 Win=8760
19 0.00011 myfirewall -> securem TCP D=1031 S=264 Ack=97085 Seq=4071058535 Len=132 Win=8760
20 0.00039 securem -> myfirewall TCP D=264 S=1031 Ack=4071058535 Seq=97085 Len=0 Win=8760
21 0.00040 securem -> myfirewall TCP D=264 S=1031 Ack=4071058667 Seq=97085 Len=4 Win=8628
22 0.03414 myfirewall -> securem TCP D=1031 S=264 Fin Ack=97089 Seq=4071058667 Len=0 Win=8760
23 0.00021 securem -> myfirewall TCP D=264 S=1031 Ack=4071058668 Seq=97089 Len=0 Win=8628
24 0.00757 securem -> myfirewall TCP D=264 S=1031 Fin Ack=4071058668 Seq=97089 Len=0 Win=8628
25 0.03556 myfirewall -> securem TCP D=1031 S=264 Ack=97090 Seq=4071058668 Len=0 Win=8760
26 25.30865 securem -> myfirewall UDP D=500 S=500 LEN=414
27 0.16461 myfirewall -> securem UDP D=500 S=500 LEN=328
28 0.05143 securem -> myfirewall UDP D=500 S=500 LEN=60
29 2.26028 securem -> myfirewall UDP D=500 S=500 LEN=60
30 2.01507 securem -> myfirewall UDP D=500 S=500 LEN=60
31 2.01472 securem -> myfirewall UDP D=500 S=500 LEN=60
32 2.03960 securem -> myfirewall UDP D=500 S=500 LEN=60
33 2.49503 securem -> myfirewall UDP D=500 S=500 LEN=60
34 2.01023 securem -> myfirewall UDP D=500 S=500 LEN=60
35 4.21962 securem -> myfirewall UDP D=500 S=500 LEN=60
36 4.02456 securem -> myfirewall UDP D=500 S=500 LEN=60
37 4.02494 securem -> myfirewall UDP D=500 S=500 LEN=60
38 4.02003 securem -> myfirewall UDP D=500 S=500 LEN=60
39 4.02444 securem -> myfirewall UDP D=500 S=500 LEN=60
The snoop trace is the same when taken from the firewall or from the network
where the PC with SecuRemote is, so nothing blocks the communication.
The IKE exchange blocks, but I am at a loss understanding the cause. Any help
would be greatly appreciated.
Denis Lebeuf
[EMAIL PROTECTED]
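
Added example, not part of the original post: a Python sketch that reads snoop summary lines in the format shown above and reports where one host keeps resending same-size UDP 500 datagrams with no reply from its peer. The function names are made up for this illustration, and the sample input is packets 26-33 of the trace in the post.

```python
import re
from itertools import groupby

# Packets 26-33 of the snoop trace in the post (UDP 500 = IKE), copied as-is.
# Column 2 is the delta in seconds since the previous packet.
TRACE = """\
26 25.30865 securem -> myfirewall UDP D=500 S=500 LEN=414
27 0.16461 myfirewall -> securem UDP D=500 S=500 LEN=328
28 0.05143 securem -> myfirewall UDP D=500 S=500 LEN=60
29 2.26028 securem -> myfirewall UDP D=500 S=500 LEN=60
30 2.01507 securem -> myfirewall UDP D=500 S=500 LEN=60
31 2.01472 securem -> myfirewall UDP D=500 S=500 LEN=60
32 2.03960 securem -> myfirewall UDP D=500 S=500 LEN=60
33 2.49503 securem -> myfirewall UDP D=500 S=500 LEN=60
"""

LINE = re.compile(
    r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+UDP\s+D=(\d+)\s+S=(\d+)\s+LEN=(\d+)")

def parse_ike(text):
    """Yield (pkt_no, delta, src, dst, length) for UDP port-500 lines only."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m and "500" in (m.group(5), m.group(6)):
            yield (int(m.group(1)), float(m.group(2)),
                   m.group(3), m.group(4), int(m.group(7)))

def unanswered_runs(text, min_repeats=3):
    """Runs where one host resends same-size IKE datagrams with no reply between."""
    pkts = list(parse_ike(text))
    runs = []
    # groupby only merges consecutive packets, so any reply from the peer ends a run.
    for (src, dst, length), grp in groupby(pkts, key=lambda p: (p[2], p[3], p[4])):
        grp = list(grp)
        if len(grp) >= min_repeats:
            runs.append({
                "sender": src, "peer": dst, "length": length,
                "first_pkt": grp[0][0], "last_pkt": grp[-1][0], "count": len(grp),
                # seconds spent resending = deltas of every packet after the first
                "waited": round(sum(p[1] for p in grp[1:]), 5),
                # True when the capture ends while the sender is still retrying
                "ends_trace": grp[-1][0] == pkts[-1][0],
            })
    return runs

if __name__ == "__main__":
    for run in unanswered_runs(TRACE):
        print(run)
```

A run with `ends_trace` set marks the last message the peer never answered, which is the packet to line up against the firewall log when looking for where the IKE exchange stops.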