Well,

After much scratching of heads, arranging the magic crystals etc., a solution
comes through! -- To save the same wasted effort elsewhere I'm forwarding it
to the list.


Problem 1. (KEY PROBLEM) - conf\dnsinfo.c on management system
THE FILE FORMAT IS NOT AS ADVERTISED IN THE MANUAL!

CP VPN book, page 157 states the format is:

:dns_servers ( 
(
<snip>
)
:encrypt_dns (true)
)

Note the location of the brackets!
The actual format of the file is:


(
        :dns_servers (
                : (dns_svr_name.FW_NAME         <- Note the host.firewall
                                                   format, not host.domain!
                        :obj (
                                : (DNS_IP_ADDR)
                        )
                        :topology (
                                : (
                                        :ipaddr (INTERNAL_NET_ADDR)
                                        :ipmask (INTERNAL_NET_MASK)
                                )
                        )
                        :domain (
                                : (
                                        :dns_label_count (DEPTH_OF_DNS)
                                        :domain (.DOMAIN_SUFFIX)
                                )
                        )
                )
        )
        :encrypt_dns (true)
)

Note that the Checkpoint web site has a doc "Firewall-1 V4 SecuRemote
Split/Encrypted DNS quick ref guide"
(http://support.checkpoint.com/kb/docs/public/securemote/4_0/pdf/sr-dns.pdf)
which has the right file format and a statement under the files which reads:

"Please make sure that the syntax of this file is very particular. If you
misspell "encrypt" for "encypt", you might be looking for this typo for
quite a long time"

Why not say that we got it wrong in the manual :-}


Problem #2.
Pg 157 of the manual for crypt.def has a code block which looks like it
replaces the existing code; ignore all of this and simply place the line

#define ENCDNS

above the "define USERC_DECRYPT_SRC" line.

Looks like Checkpoint needs to update the manuals and the PDFs on the
CP2000 CDs.

This is now working on CP2000 SP2.


Also, thanks to Tim Frost for his input and for helping to point the right way.

Cheers

Tim
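Added here as an illustration, not part of Tim's post or of any Check Point tool: a small Python checker for the dnsinfo.C layout described above. It parses the nested-bracket file, reports the manual's bracket placement as malformed, and flags an unknown key such as the "encypt" misspelling the quick-ref guide warns about. The key names are taken from the post; the sample values and the known-key list are assumptions for the example.

```python
import re

# Constructed sample in the dnsinfo.C layout given in the post above
# (placeholder values, not a real deployment).
GOOD = """(
  :dns_servers ( : (dns_svr_name.FW_NAME
      :obj ( : (DNS_IP_ADDR) )
      :topology ( : ( :ipaddr (INTERNAL_NET_ADDR) :ipmask (INTERNAL_NET_MASK) ) )
      :domain ( : ( :dns_label_count (DEPTH_OF_DNS) :domain (.DOMAIN_SUFFIX) ) ) ) )
  :encrypt_dns (true)
)"""
# Key names that appear in the post's layout (assumed list); anything else is suspect.
KNOWN_KEYS = {"", "dns_servers", "obj", "topology", "ipaddr", "ipmask",
              "domain", "dns_label_count", "encrypt_dns"}

def parse_node(tokens, i):
    # Parse '(' item* ')' at tokens[i]; items are bare atoms or (key, child) pairs.
    if tokens[i] != "(":
        raise ValueError("expected '(' at token %d, got %r" % (i, tokens[i]))
    items, i = [], i + 1
    while tokens[i] != ")":              # IndexError here means a missing ')'
        tok = tokens[i]
        if tok.startswith(":"):          # ':key (' ... ')' sub-block
            child, i = parse_node(tokens, i + 1)
            items.append((tok[1:], child))
        else:                            # bare value, e.g. dns_svr_name.FW_NAME
            items.append(tok)
            i += 1
    return items, i + 1

def walk_keys(node):
    for item in node:
        if isinstance(item, tuple):
            yield item[0]
            yield from walk_keys(item[1])

def check_dnsinfo(text):
    """Return a list of problems; an empty list means the file matches the post's layout."""
    try:
        root, _ = parse_node(re.findall(r"\(|\)|[^\s()]+", text), 0)
    except (ValueError, IndexError) as exc:
        return ["malformed brackets: %s" % exc]
    top = dict(item for item in root if isinstance(item, tuple))
    problems = ["unknown key ':%s' (misspelling?)" % k
                for k in sorted(set(walk_keys(root)) - KNOWN_KEYS)]
    for key, want in (("dns_servers", None), ("encrypt_dns", ["true"])):
        if key not in top or (want is not None and top[key] != want):
            problems.append("':%s' missing or wrong at top level" % key)
    return problems
```

Run check_dnsinfo on the manual's layout (":dns_servers ( ... ) :encrypt_dns (true) )") and it fails at the first token, which is exactly the bracket-placement trap the post describes.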

-----Original Message-----
From: Chilton Tim [mailto:[EMAIL PROTECTED]]
Sent: 27 July 2000 13:23
To: [EMAIL PROTECTED]
Subject: [FW1] SecureRemote - DNS not encrypting



Hi,

I've been looking at a problem with SecureRemote where DNS is not encrypting
(which puzzles me since I can think of no reason any sysadmin would want
their entire internal DNS internet-visible!)

Tech stuff

        FW -  NT4, SP6a, CP2000 4.1 SP2
        Client NT4, SP6a, SR build 4157
        Encryption rule is using FWZ encryption.

Client encryption rule
        SRUsers Any     Any     Client Encrypt

I can dial-up, authenticate and do everything except DNS queries (which show
as unencrypted in a packet trace on the workstation).

The CP2000 VPN book includes a section on encrypting DNS and I've done the
dnsinfo.c, userc.c updates etc.; however, the crypt.def update does not in any
way match the code that is already there: there is an "#ifdef
SECUREREMOTE" code block that appears in the existing curly brace section.

Question: Is the CP2000 book wrong, or does the existing code get removed,
added before, after, etc.? (Seeing a couple of surrounding lines in the
printed code extract would be handy!)

Question - Checkpoint -- WHY would I not want to encrypt internal DNS
queries like the rest of my traffic? -- after all, the rule base that I want
to download says "Remote -> Any for Any" -- not "Remote -> Any for anything
but DNS".

Anyone seen this, or better still know of a fix?

Cheers

Tim
************************************************************************
The information in this email is confidential and is intended solely
for the addressee(s).
Access to this email by anyone else is unauthorised. If you are not
an intended recipient, you must not read, use or disseminate the
information contained in the email.
Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of
The Capital Markets Company.

http://www.capco.com
***********************************************************************



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================