Jason Costomiris on Thu, 27 Jan 2000 12:24:48 -0500 (EST)



Re: [PLUG] CheckPoint Firewall


On Thu, Jan 27, 2000 at 11:06:13AM -0500, Charles Stack wrote:
: Anybody ever heard of protocols 47 and 94 in relation to Checkpoint
: firewall's secure client product?  It has something to do with the transport
: layer, but nobody here or at Voicenet's NOC seemed to know what these are.

ip protocol 47 == GRE, used in PPTP and other encapsulation protocols.

ip protocol 94 == Check Point's FWZ encapsulation.

If you're using SecureClient, you're on FW-1 4.1.  I don't have any 
customers using that (all are still on 4.0), and I've only got 4.1 running
in my lab of mad science.

Here's a checklist to make sure SecuRemote/SecureClient will work:

256/tcp must be permitted from the remote client to the 
*management console*.  Most people believe (incorrectly) that you 
communicate with the firewall module to get keys and site info.  You are
actually talking to the MC.

259/udp *both ways* between the firewall module and the remote client.
This is used to authenticate and negotiate FWZ session keys.

500/udp *both ways* between the firewall module and the remote client.
This is used when negotiating ISAKMP keys.

ip_p 94 *both ways* between the firewall module and the remote client.
This is for FWZ packet encapsulation (if you're using that).

ip_p 50 *both ways* between the firewall module and the remote client.
This is used by ISAKMP.

-- 
                 Jason Costomiris <><
            Technologist, cryptogeek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/

______________________________________________________________________
Philadelphia Linux Users Group       -       http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion   -   http://lists.nothinbut.net/mail/listinfo/plug
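Added example, not part of Jason's post or of any Check Point product: the checklist above turned into a small first-match policy check, so a proposed rule base can be tested for every flow the post says must be permitted, in both directions, before a client is sent out into the field. The host labels (client, fw, mc), the Rule/Flow model and the two sample rule bases are constructed for illustration and are not FW-1 syntax; the protocol numbers (tcp 6, udp 17, gre 47, esp 50, fwz 94) are the IANA/thread values.

```python
"""Added example (not from the post): the SecuRemote/SecureClient checklist
encoded as a first-match policy check, so a candidate rule base can be
tested for the flows the post says must be permitted.

Host labels, rule format and the sample rule bases are constructed here for
illustration; they are not Check Point syntax.
"""
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers mentioned in the thread (47, 50, 94) plus TCP/UDP.
TCP, UDP, GRE, ESP, FWZ = 6, 17, 47, 50, 94
PROTO_NAME = {TCP: "tcp", UDP: "udp", GRE: "gre", ESP: "esp", FWZ: "fwz"}

# Host labels used in the checklist: remote client, firewall module,
# management console (assumed names, not anything the product uses).
CLIENT, FW, MC = "client", "fw", "mc"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # None for protocols without ports

    def __str__(self) -> str:
        port = f"/{self.dport}" if self.dport is not None else ""
        return f"{self.src}->{self.dst} {PROTO_NAME.get(self.proto, self.proto)}{port}"


def required_flows(using_fwz: bool = True) -> List[Flow]:
    """The flows listed in the post. Both directions are spelled out
    explicitly because a stateless filter has to allow each one."""
    flows = [
        Flow(CLIENT, MC, TCP, 256),                               # site info/keys from the *MC*
        Flow(CLIENT, FW, UDP, 259), Flow(FW, CLIENT, UDP, 259),   # FWZ session keys
        Flow(CLIENT, FW, UDP, 500), Flow(FW, CLIENT, UDP, 500),   # ISAKMP
        Flow(CLIENT, FW, ESP), Flow(FW, CLIENT, ESP),             # ip proto 50
    ]
    if using_fwz:
        flows += [Flow(CLIENT, FW, FWZ), Flow(FW, CLIENT, FWZ)]   # ip proto 94
    return flows


@dataclass(frozen=True)
class Rule:
    """One line of a first-match rule base. 'any' wildcards a host field;
    proto/dport None wildcard those fields."""
    src: str
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None
    action: str = "accept"  # or "drop"

    def matches(self, flow: Flow) -> bool:
        return (
            self.src in (flow.src, "any")
            and self.dst in (flow.dst, "any")
            and self.proto in (flow.proto, None)
            and self.dport in (flow.dport, None)
        )


def decide(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an implicit drop closes the rule base."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "drop"


def missing_flows(rules: List[Rule], using_fwz: bool = True) -> List[str]:
    """Return the checklist flows this rule base would not accept."""
    return [str(f) for f in required_flows(using_fwz) if decide(rules, f) != "accept"]


# Constructed sample rule base with the mistake the post warns about:
# tcp/256 permitted to the firewall module rather than the management
# console, and udp/259 only opened from client to firewall.
BROKEN_RULEBASE = [
    Rule(CLIENT, FW, TCP, 256),
    Rule(CLIENT, FW, UDP, 259),
    Rule("any", "any", UDP, 500),
    Rule("any", "any", ESP),
    Rule("any", "any", FWZ),
]

# The same base with the two gaps closed.
FIXED_RULEBASE = [Rule(CLIENT, MC, TCP, 256), Rule(FW, CLIENT, UDP, 259)] + BROKEN_RULEBASE


if __name__ == "__main__":
    for name, base in (("broken", BROKEN_RULEBASE), ("fixed", FIXED_RULEBASE)):
        gaps = missing_flows(base)
        print(f"{name}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run it and the broken base reports the two gaps (tcp/256 to the MC, and udp/259 back to the client) while the fixed base reports none; pass using_fwz=False to drop the ip proto 94 pair from the checklist when the site only uses ISAKMP/ESP. Because decide() is first-match, an early broad drop rule will mask a later accept, which is the other common way these flows end up blocked.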