Hi All,

I have been having some problems getting SecuRemote to encrypt DNS
lookups. I'm using CP2000 (4.1 SP1) and SecuRemote build 4157.

Having carefully followed the SR-DNS document, I have found an
inconsistency: the section of crypt.def where #define ENCDNS takes
effect is different from what the documentation shows:

Doc:

                        // USERC_DECRYPT_SRC (as quoted from the SR-DNS document): the set of
                        // packets that may enter the SecuRemote client crypto path.  It is a
                        // conjunction of not(...) exclusions; anything matched by one of them
                        // is never handed to USER_DECRYPTION / USER_ENCRYPTION below.
                        define USERC_DECRYPT_SRC {
                                (       
                        // DNS (SERV_domain over udp or tcp) is excluded -- i.e. left
                        // unencrypted by SecuRemote -- unless ENCDNS is defined, which
                        // drops this clause so DNS lookups go through the crypto path too.
                        #ifndef ENCDNS
                                        not(dport = SERV_domain, (udp or
tcp)),
                        #endif
                        // Fixed service ports excluded from encryption (presumably the
                        // fwd/fwm daemons -- confirm against the port definitions).
                                        not(dport = FWD_SVC_PORT, tcp),
                                    not(dport = FWM_SVC_PORT, tcp),
                        // IKE itself is excluded.  Note this quote requires BOTH dport and
                        // sport to match before the packet is left alone.
                                        not(dport = ISAKMPD_DPORT, sport =
ISAKMPD_SPORT, udp)
                                )
                        };

                        // ACCEPT_CLIENT_ENCRYPTION(rule) (as quoted from the SR-DNS document):
                        // apply SecuRemote client crypto to a packet that survived the
                        // USERC_DECRYPT_SRC exclusions.
                        //   direction = 0 and source in userc_rules      -> USER_DECRYPTION(rule,0)
                        //   direction = 1 and destination in userc_rules -> USER_ENCRYPTION(rule)
                        // NOTE(review): 0/1 presumably mean inbound/outbound (decrypt what
                        // arrives from a client, encrypt what is sent back) -- confirm.
                        deffunc ACCEPT_CLIENT_ENCRYPTION(rule) {
                                (       
                                        USERC_DECRYPT_SRC, 
                                        (direction = 0, <src,0> in
userc_rules,
                                         USER_DECRYPTION(rule,0))
                                        or
                                        (direction = 1, <dst,0> in
userc_rules, USER_ENCRYPTION(rule))
                                )
                        };


4.1 SP1 code (crypt.def as shipped):

// USERC_DECRYPT_SRC as shipped in 4.1 SP1: the set of packets that may enter
// the SecuRemote client crypto path (a conjunction of not(...) exclusions).
// Differences from the version quoted in the SR-DNS document:
//   - with SECUREMOTE defined the service-port exclusion is a table lookup
//     (userc_noncrypt_ports) rather than the fixed FWD/FWM ports;
//   - the non-SECUREMOTE branch also excludes FWD_TOPO_PORT;
//   - the IKE exclusion matches dport only, not sport as well;
//   - already-encapsulated traffic (_fwz_encapsulation, _esp, _ah) is excluded.
define USERC_DECRYPT_SRC {
        (       
// DNS is left out of the crypto path (sent unencrypted) unless ENCDNS is
// defined, which removes only this static clause.
#ifndef ENCDNS
                not(dport = SERV_domain, (udp or tcp)),
#endif
// NOTE(review): in the SECUREMOTE build the exclusion below is table-driven.
// If <udp/tcp, SERV_domain> is also present in userc_noncrypt_ports, defining
// ENCDNS will NOT bring DNS into the encrypted set -- check that table (it is
// not part of this excerpt) before concluding the #define is ineffective.
#ifdef SECUREMOTE
                not(<ip_p,dport> in userc_noncrypt_ports),
#else
                not(dport = FWD_TOPO_PORT, tcp),
                not(dport = FWD_SVC_PORT, tcp),
                not(dport = FWM_SVC_PORT, tcp),
#endif
// IKE itself is excluded (dport only here).
                not(dport = ISAKMPD_DPORT, udp),
// Traffic that already carries FWZ encapsulation or an ESP/AH header is not
// pushed through the client crypto path again (presumably to avoid double
// processing of IPsec/FWZ packets -- confirm against the macro definitions).
                not(_fwz_encapsulation),
                not(_esp),
                not(_ah)
        )
};

// ACCEPT_CLIENT_ENCRYPTION(rule) as shipped in 4.1 SP1.  Logically identical
// to the version quoted in the SR-DNS document: once a packet has passed the
// USERC_DECRYPT_SRC exclusions,
//   direction = 0 and source in userc_rules      -> USER_DECRYPTION(rule,0)
//   direction = 1 and destination in userc_rules -> USER_ENCRYPTION(rule)
// NOTE(review): 0/1 presumably mean inbound/outbound -- confirm.
deffunc ACCEPT_CLIENT_ENCRYPTION(rule) {
        (       
                USERC_DECRYPT_SRC, 
                (direction = 0, <src,0> in userc_rules,
                 USER_DECRYPTION(rule,0))
                or
                (direction = 1, <dst,0> in userc_rules,
USER_ENCRYPTION(rule))
        )
};


I'm wondering whether this difference is the cause of my problem. Any clues?

thanks,

simon


