Jason Costomiris on Thu, 27 Jan 2000 12:24:48 -0500 (EST)

On Thu, Jan 27, 2000 at 11:06:13AM -0500, Charles Stack wrote:
: Anybody ever heard of protocols 47 and 94 in relation to Checkpoint
: firewall's secure client product? It has something to do with the transport
: layer, but nobody here or at Voicenet's NOC seemed to know what these are.

ip protocol 47 == GRE, used in PPTP and other encapsulation protocols.
ip protocol 94 == Check Point's FWZ encapsulation.

If you're using SecureClient, you're on FW-1 4.1. I don't have any customers
using that (all are still on 4.0), and I've only got 4.1 running in my lab of
mad science.

Here's a checklist to make sure SecuRemote/SecureClient will work:

256/tcp must be permitted from the remote client to the *management console*.
Most people believe (incorrectly) that you communicate with the firewall
module to get keys and site info. You are actually talking to the MC.

259/udp *both ways* between the firewall module and the remote client. This
is used to authenticate and negotiate FWZ session keys.

500/udp *both ways* between the firewall module and the remote client. This
is used when negotiating ISAKMP keys.

ip_p 94 *both ways* between the firewall module and the remote client. This
is for FWZ packet encapsulation (if you're using that).

ip_p 50 *both ways* between the firewall module and the remote client. This
is used by ISAKMP.

--
Jason Costomiris <>< Technologist, cryptogeek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/

______________________________________________________________________
Philadelphia Linux Users Group - http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion - http://lists.nothinbut.net/mail/listinfo/plug
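
The checklist in the message above, turned into a small rule audit. This is an added example, not part of the original post and not Check Point code. The role names `client`, `fw` and `mgmt`, the `Rule` format and the sample rules are assumptions constructed for illustration, and "both ways" is read as one permit per direction.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str      # role name: "client", "fw", "mgmt" or "any" (assumed names)
    dst: str
    service: str  # written as in the message, e.g. "256/tcp" or "ip_p 94"

# (service, peer of the remote client, both directions required?)
CHECKLIST = [
    ("256/tcp", "mgmt", False),  # keys and site info come from the management console
    ("259/udp", "fw", True),     # FWZ authentication and session keys
    ("500/udp", "fw", True),     # ISAKMP key negotiation
    ("ip_p 94", "fw", True),     # FWZ packet encapsulation
    ("ip_p 50", "fw", True),
]

def permitted(rules, src, dst, service):
    """True if any rule permits this service from src to dst ("any" is a wildcard)."""
    return any(r.service == service and r.src in (src, "any") and r.dst in (dst, "any")
               for r in rules)

def audit(rules):
    """Return the checklist items the rule list fails to satisfy (empty list = OK)."""
    gaps = []
    for service, peer, both_ways in CHECKLIST:
        if not permitted(rules, "client", peer, service):
            gap = f"{service}: client -> {peer} not permitted"
            # The mistake the message warns about: 256/tcp opened to the firewall module.
            if peer == "mgmt" and permitted(rules, "client", "fw", service):
                gap += " (rule points at the firewall module instead)"
            gaps.append(gap)
        if both_ways and not permitted(rules, peer, "client", service):
            gaps.append(f"{service}: {peer} -> client not permitted")
    return gaps

SAMPLE_RULES = [                      # constructed sample policy
    Rule("client", "fw", "256/tcp"),  # wrong peer: should be mgmt
    Rule("client", "fw", "259/udp"),
    Rule("fw", "client", "259/udp"),
    Rule("any", "any", "500/udp"),
    Rule("client", "fw", "ip_p 94"),  # return direction missing
    Rule("client", "fw", "ip_p 50"),
    Rule("fw", "client", "ip_p 50"),
]

if __name__ == "__main__":
    for gap in audit(SAMPLE_RULES):
        print(gap)
```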