Sat Mar 22 14:16:55 CST 2003

This post is a bit long, but I want to make sure I am providing the information up front that can help others help me solve this mystery.

I am having a bit of difficulty getting Shorewall to work with SecuRemote and its FW-1 server. I have attached the "rules" file I am using and the output of "shorewall show nat". The diagram below describes the network topology.

I have a Win98 machine behind a RH8.0 box running Shorewall v1.4.0. I have not applied *any* mods to the stock RH8.0 distribution. The connection from the Shorewall firewall box to the Internet is through a DSL modem which also serves as the Shorewall Firewall box's gateway for its external or net zone interface.

With the current set up and configuration files I am able to get the remote FW-1 firewall to authenticate me on the Win98 machine when I type in the URL http://10.32.16.20. The web browser does indicate it is "Connect: Contacting host..." but then fails with the standard IE "The page cannot be displayed".

When I configure my network so that my loc zone has valid private IPs (such as 192.168.1.X) I am not ever prompted on the Win98 machine to authenticate, and IE shows it is trying to "display the page" rather than "Contact host 10.32.16.20". My assumption has become that the FW-1 is configured to only accept connections from IP addresses that are valid public IPs. I am guessing on this though.

Also, when I connect to the network directly with a valid public IP (the one I am using behind the Shorewall Firewall in my loc zone; I have also used others available to me) I am authenticated and able to get to the Corporate web server. In other words it works correctly.

I have ethereal and tcpdump available on the Shorewall Firewall box and Windump available on the Win98 box. I have *extremely* limited support from Corporate. :( (ex. they have said in the past it is not *technically* possible to connect to the corporate web server if you use a firewall on your end).

1. Is there something obvious I am not doing that one needs to do for SecuRemote/FW-1 connections in addition to what is posted in the Shorewall documentation for IPSec connections?

2. Is there additional information I need/should provide to help others help me gain insight on how to get this working?

Any help on this would be greatly appreciated.

    +-------------------+
    |       Win98       |
    | SecuRemote Client +--+ 68.53.82.13
    +-------------------+  |
                           |
    +-------------------+  |
    | Shorewall Firewall+--+ 68.53.82.1
    +---------+---------+
              | 33.26.15.241
        +-----+------+
        | DSL Modem  |
        +-----+------+
              | 33.26.15.246
           ***********
          * Internet  *
           ***********
              | 208.25.39.13
    +---------+---------+
    |   FW-1 Firewall   +--+ X.X.X.X
    +-------------------+  |
                           |
    +---------------+      |
    |   Corporate   |      |
    |  Web Server   +------+ 10.32.16.20
    +---------------+

mjp
--
Matt Perry
mattp@pobox.com

-------------- next part --------------

ACCEPT  fw      net     tcp     53
ACCEPT  fw      net     udp     53
ACCEPT  loc     fw      tcp     22
ACCEPT  loc     fw      icmp    8
ACCEPT  fw      loc     icmp    8
ACCEPT  fw      net     icmp    8
# Permit SecuRemote Connection
DNAT    net:208.25.39.13        loc:68.53.82.13         50
DNAT    net:208.25.39.13        loc:68.53.82.13         udp     500
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-------------- next part --------------

Script started on Fri Mar 21 18:41:32 2003
Shorewall-1.4.0 NAT at ripken - Fri Mar 21 18:41:38 CST 2003

Counters reset Fri Mar 21 18:40:24 CST 2003

Chain PREROUTING (policy ACCEPT 28 packets, 2198 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   156 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   306 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   306 SNAT       all  --  *      *       68.53.82.0/24        0.0.0.0/0           to:33.26.15.241

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       esp  --  *      *       208.25.39.13         0.0.0.0/0           to:68.53.82.13
    0     0 DNAT       udp  --  *      *       208.25.39.13         0.0.0.0/0           udp dpt:500 to:68.53.82.13
exit
Script done on Fri Mar 21 18:41:46 2003
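The most telling line in the "shorewall show nat" output above is the pair of zero packet counters on the net_dnat DNAT rules: nothing from 208.25.39.13 on UDP/500 or ESP reached eth0 while the counters were running. As an added example (mine, not code from the post or from Shorewall), here is a small parser for that iptables -t nat -L -v -n style output which flags DNAT rules that have never matched. The sample text is copied from the post; the diagnostic wording in report() is the example's own interpretation.

```python
"""Parse `shorewall show nat` / `iptables -t nat -L -v -n` output and flag
DNAT rules whose packet counter is still zero."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied from the "shorewall show nat" output in the post above, trimmed to
# the chains that matter for the diagnosis (plus the SNAT chain for contrast).
SAMPLE_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 28 packets, 2198 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   156 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   306 SNAT       all  --  *      *       68.53.82.0/24        0.0.0.0/0           to:33.26.15.241

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       esp  --  *      *       208.25.39.13         0.0.0.0/0           to:68.53.82.13
    0     0 DNAT       udp  --  *      *       208.25.39.13         0.0.0.0/0           udp dpt:500 to:68.53.82.13
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000_000, "G": 1000_000_000}


def parse_counter(token: str) -> int:
    """iptables -v abbreviates large counters as e.g. 12K or 3M."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


@dataclass
class Rule:
    chain: str
    pkts: int
    nbytes: int
    target: str
    proto: str
    source: str
    destination: str
    extra: str  # match/target options, e.g. "udp dpt:500 to:68.53.82.13"


def parse_nat_table(text: str) -> list[Rule]:
    rules: list[Rule] = []
    chain = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            chain = m.group(1)
            continue
        fields = line.split()
        # Skip blank lines, the column header and anything outside a chain.
        if chain is None or len(fields) < 9 or not fields[0][0].isdigit():
            continue
        pkts, nbytes, target, proto, _opt, _in, _out, src, dst = fields[:9]
        rules.append(Rule(chain, parse_counter(pkts), parse_counter(nbytes),
                          target, proto, src, dst, " ".join(fields[9:])))
    return rules


def idle_dnat_rules(text: str) -> list[Rule]:
    """DNAT rules with a zero packet counter: the peer's traffic never hit the
    external interface, or arrived with a different source/proto/port."""
    return [r for r in parse_nat_table(text) if r.target == "DNAT" and r.pkts == 0]


def report(text: str) -> list[str]:
    """One human-readable line per idle DNAT rule."""
    return [f"{r.chain}: 0 packets from {r.source} proto={r.proto} {r.extra}"
            f" -- inbound IKE/ESP from the peer never reached this box"
            for r in idle_dnat_rules(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Run it against a fresh "shorewall reset; (start the client); shorewall show nat" cycle: if the UDP/500 rule stays at zero while the client is negotiating, the problem is upstream of the DNAT rule (the peer is not sending to 33.26.15.241 at all, or is sending something other than UDP/500), which is a different fix from a wrong DNAT target.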
On Sat, 22 Mar 2003, Matt Perry wrote:

> Sat Mar 22 14:16:55 CST 2003
>
> Also, when I connect to the network directly with
> a valid public IP (the one I am using behind the
> Shorewall Firewall in my loc zone; I have also
> used others available to me) I am authenticated
> and able to get to the Corporate web server. In
> other words it works correctly.

If you have these public IP addresses, why are you using SNAT in the first place?

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
Sat Mar 22 15:16:08 CST 2003

Tom:

On Sat, 22 Mar 2003, Tom Eastep wrote:

> On Sat, 22 Mar 2003, Matt Perry wrote:
>
> > Sat Mar 22 14:16:55 CST 2003
> >
> > Also, when I connect to the network directly with
> > a valid public IP (the one I am using behind the
> > Shorewall Firewall in my loc zone; I have also
> > used others available to me) I am authenticated
> > and able to get to the Corporate web server. In
> > other words it works correctly.
>
> If you have these public IP addresses, why are you using SNAT in
> the first place?

Because while the topology presented uses static public IP addresses I currently lease, I am expecting to move to a cable modem connection in the near future where I will be limited to a single public address (or at most two, I believe). I do not want to be constrained to having only one device behind the Shorewall firewall be able to access the Corporate web server.

In other words, I am using SNAT to get a larger set of IP addresses to use in the private or loc zone for this type of connection. Sorry I did not include that requirement in the original post. Does that make more sense now?

BTW, the address I tested with is one I copied from the dhcp pool leased out to my buddy with the cable modem setup who accesses the same corporate web server. Please note: as mentioned already, I have tested my own public leased address without the Shorewall firewall in the middle of the connection and it works as well, which is why I think the corporate firewall is just looking for valid public IP addresses.

mjp
--
Matt Perry
mattp@pobox.com
On Sat, 22 Mar 2003, Matt Perry wrote:

> Sat Mar 22 15:16:08 CST 2003
>
> Tom:
>
> On Sat, 22 Mar 2003, Tom Eastep wrote:
>
> > On Sat, 22 Mar 2003, Matt Perry wrote:
> >
> > > Sat Mar 22 14:16:55 CST 2003
> > >
> > > Also, when I connect to the network directly with
> > > a valid public IP (the one I am using behind the
> > > Shorewall Firewall in my loc zone; I have also
> > > used others available to me) I am authenticated
> > > and able to get to the Corporate web server. In
> > > other words it works correctly.
> >
> > If you have these public IP addresses, why are you using SNAT in
> > the first place?
>
> Because while the topology presented uses static public
> IP addresses I currently lease I am expecting to move to
> a cable modem connection in the near future where I will
> be limited to a single public address (or at most two I
> believe). I do not want to be constrained to having only
> one device behind the Shorewall firewall be able to access
> the Corporate web server.
>
> In other words, I am using SNAT to get a larger set of
> IP addresses to use in the private or loc zone for this
> type of connection.
>

I've not heard of anyone getting multiple IPSEC tunnels to the same endpoint to work from behind an iptables-based firewall.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
On Sat, 22 Mar 2003, Matt Perry wrote:

>
> In other words, I am using SNAT to get a larger set of
> IP addresses to use in the private or loc zone for this
> type of connection.
>

Is the FW-1 configured to use ESP (they have their own proprietary protocol -- IIRC, it's called FWZ) with NAT traversal enabled?

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
Sat Mar 22 16:18:22 CST 2003

Tom:

On Sat, 22 Mar 2003, Tom Eastep wrote:

> On Sat, 22 Mar 2003, Matt Perry wrote:
>
> > Sat Mar 22 15:16:08 CST 2003
> >
> > Tom:
> >
> > On Sat, 22 Mar 2003, Tom Eastep wrote:
> >
> > > On Sat, 22 Mar 2003, Matt Perry wrote:
> > >
> > > > Sat Mar 22 14:16:55 CST 2003
> > > >
> > > > Also, when I connect to the network directly with
> > > > a valid public IP (the one I am using behind the
> > > > Shorewall Firewall in my loc zone; I have also
> > > > used others available to me) I am authenticated
> > > > and able to get to the Corporate web server. In
> > > > other words it works correctly.
> > >
> > > If you have these public IP addresses, why are you using SNAT in
> > > the first place?
> >
> > Because while the topology presented uses static public
> > IP addresses I currently lease I am expecting to move to
> > a cable modem connection in the near future where I will
> > be limited to a single public address (or at most two I
> > believe). I do not want to be constrained to having only
> > one device behind the Shorewall firewall be able to access
> > the Corporate web server.
> >
> > In other words, I am using SNAT to get a larger set of
> > IP addresses to use in the private or loc zone for this
> > type of connection.
> >
>
> I've not heard of anyone getting multiple IPSEC tunnels to the same
> endpoint to work from behind an iptables-based firewall.

That is right. I remember (now) reading that on your site and others. I am assuming that means concurrently or simultaneously and that it would still work as long as it were only one device at a time. This does modify my thinking somewhat, but I still would like to keep these devices (or single device) behind the shorewall firewall.

mjp
--
Matt Perry
mattp@pobox.com
Sat Mar 22 16:22:51 CST 2003

Tom:

On Sat, 22 Mar 2003, Tom Eastep wrote:

> On Sat, 22 Mar 2003, Matt Perry wrote:
>
> >
> > In other words, I am using SNAT to get a larger set of
> > IP addresses to use in the private or loc zone for this
> > type of connection.
> >
>
> Is the FW-1 configured to use ESP (they have their own proprietary
> protocol -- IIRC, it's called FWZ) with NAT traversal enabled?

I configure on the client side to use IKE *not* FWZ. I do not know enough about VPN protocols or Checkpoint's products to know if the use of IKE on the client side implies NAT traversal being enabled. (Again, for clarity's sake, the SecuRemote client configuration remains unchanged when I insert or remove the shorewall firewall, so I have proved to myself the client on the Win98 machine does work.)

mjp
--
Matt Perry
mattp@pobox.com
On Sat, 22 Mar 2003, Matt Perry wrote:

> > Is the FW-1 configured to use ESP (they have their own proprietary
> > protocol -- IIRC, it's called FWZ) with NAT traversal enabled?
>
> I configure on the client side to use IKE *not* FWZ. I do not
> know enough about VPN protocols or Checkpoints products to
> know if the use of IKE on the client side implies NAT traversal
> being enabled. (Again, for clarity's sake, the SecuRemote client
> configuration remains unchanged when I insert or remove the
> shorewall firewall so I have proved to myself the client on the
> Win98 machine does work.)
>

From the VPN Masquerade HOWTO:

2.4 What is FWZ?

FWZ is a proprietary encryption protocol developed by Check Point Software Technologies. It is used in VPNs that are built around their Firewall-1 product.

A Checkpoint-based firewall can be configured in several modes. The "FWZ Encapsulation" mode cannot be masqueraded. The "IKE" mode, which uses standard IPsec protocols, can be masqueraded with minor configuration changes on the VPN gateway.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
Sat Mar 22 23:48:13 CST 2003

Tom:

On Sat, 22 Mar 2003, Tom Eastep wrote:

> On Sat, 22 Mar 2003, Matt Perry wrote:
>
> > > Is the FW-1 configured to use ESP (they have their own proprietary
> > > protocol -- IIRC, it's called FWZ) with NAT traversal enabled?
> >
> > I configure on the client side to use IKE *not* FWZ. I do not
> > know enough about VPN protocols or Checkpoints products to
> > know if the use of IKE on the client side implies NAT traversal
> > being enabled. (Again, for clarity's sake, the SecuRemote client
> > configuration remains unchanged when I insert or remove the
> > shorewall firewall so I have proved to myself the client on the
> > Win98 machine does work.)
> >
>
> From the VPN Masquerade HOWTO:
>
> 2.4 What is FWZ?
>
> FWZ is a proprietary encryption protocol developed by Check Point Software
> Technologies. It is used in VPNs that are built around their Firewall-1
> product.
>
> A Checkpoint-based firewall can be configured in several modes. The "FWZ
> Encapsulation" mode cannot be masqueraded. The "IKE" mode, which uses
> standard IPsec protocols, can be masqueraded with minor configuration
> changes on the VPN gateway.

Yes, I have read this. I was not clear on the part of the statement saying "minor configuration changes on the VPN gateway".

1. If IKE mode is used, does this imply one will always need these changes made on the VPN gateway if one is using SNAT on the individual's home network?

2. Can I assume that the "VPN gateway" in this sentence is the box running the corporate FW-1 Checkpoint firewall in my particular case?

3. Do I need to ask Corporate if ESP with NAT traversal is enabled on the FW-1 Checkpoint firewall? In other words, is that the "minor configuration" I need to have them make in order to get things working (or at least one of them)?

It appears from your quote of the VPN Masq HOWTO that I made the erroneous assumption that since I was able to use IKE successfully without a firewall on my side, ESP with NAT traversal had been enabled on Corporate's firewall. Said another way, success with IKE used and no firewall on my end does not imply this configuration change on the FW-1 firewall.

mjp
--
Matt Perry
mattp@pobox.com
Tom Eastep wrote:

> I've not heard of anyone getting multiple IPSEC tunnels to the same
> endpoint to work from behind an iptables-based firewall.

It's possible all right with IPSec NAT-Traversal. Super-freeswan includes support for nat-t. (NAT-T is ESPinUDP, ipsec over UDP.) So yes, you can get them working all right. You can get an ipsec connection from anywhere with nat-t support.

Hmmh. In fact, you can only _initiate_ connections from several machines behind nat.

--
Tuomo Soini <tis@foobar.fi>
http://foobar.fi/
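Tom's remark and Tuomo's reply are two sides of the same fact: ESP (IP protocol 50) carries no port numbers, so a NAT that does not parse IKE to learn SPIs has nothing but the peer address to key reverse translations on, and the second inside host to the same peer collides with the first; NAT-T wraps ESP in UDP/4500, where the NAT can hand out a distinct external port per inside host. The following is an added example (mine, not from the thread, Shorewall or FreeS/WAN) that models exactly that with a toy source NAT; the addresses are the ones from the diagram earlier in the thread, the second client 68.53.82.14 is assumed, and the model deliberately ignores SPIs and IKE.

```python
"""Toy source NAT showing why plain ESP supports one inside host per peer
while ESP-in-UDP (NAT-T, UDP/4500) supports many."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "esp" or "udp"
    src: str
    dst: str
    sport: Optional[int] = None   # udp only; ESP has no ports
    dport: Optional[int] = None


class Nat:
    """Source NAT with one external address.

    UDP flows get a 5-tuple entry and a fresh external port.  ESP has no
    ports and this NAT does not inspect IKE, so the only reverse key it can
    build for ESP is the peer address: a second inside host to the same
    peer simply replaces the first host's binding.
    """

    def __init__(self, external: str, first_port: int = 1024):
        self.external = external
        self.next_port = first_port
        self.udp: dict[tuple, tuple] = {}   # (ext_port, peer, peer_port) -> (inside_ip, inside_port)
        self.esp: dict[str, str] = {}       # peer -> inside_ip

    def outbound(self, p: Packet) -> Packet:
        if p.proto == "udp":
            for (ext_port, peer, dport), (ip, sport) in self.udp.items():
                if (ip, sport, peer, dport) == (p.src, p.sport, p.dst, p.dport):
                    return Packet("udp", self.external, p.dst, ext_port, p.dport)
            ext_port = self.next_port
            self.next_port += 1
            self.udp[(ext_port, p.dst, p.dport)] = (p.src, p.sport)
            return Packet("udp", self.external, p.dst, ext_port, p.dport)
        if p.proto == "esp":
            self.esp[p.dst] = p.src          # overwrites any earlier host
            return Packet("esp", self.external, p.dst)
        raise ValueError(p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Reverse-translate a packet from the peer; None means no binding."""
        if p.proto == "udp":
            entry = self.udp.get((p.dport, p.src, p.sport))
            if entry is None:
                return None
            ip, sport = entry
            return Packet("udp", p.src, ip, p.sport, sport)
        if p.proto == "esp":
            ip = self.esp.get(p.src)
            return None if ip is None else Packet("esp", p.src, ip)
        raise ValueError(p.proto)


def reply_targets(nat: Nat, peer: str, proto: str, clients: list[str]) -> list[Optional[str]]:
    """Each client sends one packet to the peer, then the peer answers each
    translated packet.  Returns the inside host each reply is delivered to."""
    sent = []
    for c in clients:
        pkt = Packet("udp", c, peer, 4500, 4500) if proto == "udp" else Packet("esp", c, peer)
        sent.append(nat.outbound(pkt))
    delivered = []
    for out in sent:
        reply = (Packet("udp", peer, out.src, out.dport, out.sport) if proto == "udp"
                 else Packet("esp", peer, out.src))
        back = nat.inbound(reply)
        delivered.append(None if back is None else back.dst)
    return delivered


if __name__ == "__main__":
    clients = ["68.53.82.13", "68.53.82.14"]   # second host is assumed
    peer = "208.25.39.13"
    print("esp   :", reply_targets(Nat("33.26.15.241"), peer, "esp", clients))
    print("nat-t :", reply_targets(Nat("33.26.15.241"), peer, "udp", clients))
```

With plain ESP both replies land on 68.53.82.14, so the first client's tunnel goes dead the moment the second one negotiates; with NAT-T each reply finds its own port binding. The same limit is what the static DNAT rules in the original post encode: there is exactly one loc host they can point protocol 50 at.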
On Sun, 23 Mar 2003, Matt Perry wrote:

> > 2.4 What is FWZ?
> >
> > FWZ is a proprietary encryption protocol developed by Check Point Software
> > Technologies. It is used in VPNs that are built around their Firewall-1
> > product.
> >
> > A Checkpoint-based firewall can be configured in several modes. The "FWZ
> > Encapsulation" mode cannot be masqueraded. The "IKE" mode, which uses
> > standard IPsec protocols, can be masqueraded with minor configuration
> > changes on the VPN gateway.
>
> Yes, I have read this. I was not clear on the part of statement
> saying "minor configuration changes on the VPN gateway".
>
> 1.
> If IKE mode is used does this imply one will always need
> these changes made on the VPN gateway if one is using SNAT
> on the individual's home network?
>
> 2.
> Can I assume that the "VPN gateway" in this sentence is the
> box running the corporate FW-1 Checkpoint firewall in my
> particular case?
>
> 3.
> Do I need to ask Corporate if ESP with NAT traversal is
> enabled on the FW-1 Checkpoint firewall? In other words,
> is that the "minor configuration" I need to have them make
> in order to get things working (or at least one of them)?
>
> It appears from your quote of the VPN Masq HOWTO I made
> the erroneous assumption that since I was able to use IKE
> successfully without a firewall on my side that ESP with
> NAT traversal had been enabled on Corporate's firewall.
> Said another way, success with IKE used and no firewall
> on my end does not imply this configuration change on the
> FW-1 firewall.
>

Hope someone else can answer your questions -- I know nothing more about FW-1's than what I've read on the site I'm quoting.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
Dennis Borngraeber
2003-Mar-23 11:19 UTC
[Shorewall-users] SecuRemote and Shorewall Problem

Matt Perry said:

[...]
> Any help on this would be greatly appreciated.

Maybe you should take a look at this site:
http://www.phoneboy.com/fom-serve/cache/89.html

Hope that helps to solve your prob.

Regards,
Dennis
Well, the answer to your questions depends on what version of Checkpoint Firewall-1 you are using and the version of your SecuRemote Client. Please quote the Feature Pack/Service Pack version in addition to your basic version.

Axel Westerhold

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Sonntag, 23. März 2003 15:42
To: Matt Perry
Cc: shorewall-users@lists.shorewall.net

On Sun, 23 Mar 2003, Matt Perry wrote:

> > 2.4 What is FWZ?
> >
> > FWZ is a proprietary encryption protocol developed by Check Point Software
> > Technologies. It is used in VPNs that are built around their Firewall-1
> > product.
> >
> > A Checkpoint-based firewall can be configured in several modes. The "FWZ
> > Encapsulation" mode cannot be masqueraded. The "IKE" mode, which uses
> > standard IPsec protocols, can be masqueraded with minor configuration
> > changes on the VPN gateway.
>
> Yes, I have read this. I was not clear on the part of statement
> saying "minor configuration changes on the VPN gateway".
>
> 1.
> If IKE mode is used does this imply one will always need
> these changes made on the VPN gateway if one is using SNAT
> on the individual's home network?
>
> 2.
> Can I assume that the "VPN gateway" in this sentence is the
> box running the corporate FW-1 Checkpoint firewall in my
> particular case?
>
> 3.
> Do I need to ask Corporate if ESP with NAT traversal is
> enabled on the FW-1 Checkpoint firewall? In other words,
> is that the "minor configuration" I need to have them make
> in order to get things working (or at least one of them)?
>
> It appears from your quote of the VPN Masq HOWTO I made
> the erroneous assumption that since I was able to use IKE
> successfully without a firewall on my side that ESP with
> NAT traversal had been enabled on Corporate's firewall.
> Said another way, success with IKE used and no firewall
> on my end does not imply this configuration change on the
> FW-1 firewall.
>

Hope someone else can answer your questions -- I know nothing more about FW-1's than what I've read on the site I'm quoting.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Alex:

Axel@congos.net wrote:

> Well,
>
> the answer to your questions depends on what version of Checkpoint Firewall-1
> you are using and the version of your SecuRemote Client. Please quote the
> Feature Pack/Service Pack version in addition to your basic version.

Good point. I should have included that in the original post. It is SecuRemote version 4.1 SP-5 DES build 4200. Does that provide the information necessary?

matt

>
> Axel Westerhold
>
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Sonntag, 23. März 2003 15:42
> To: Matt Perry
> Cc: shorewall-users@lists.shorewall.net
>
> On Sun, 23 Mar 2003, Matt Perry wrote:
>
> > > 2.4 What is FWZ?
> > >
> > > FWZ is a proprietary encryption protocol developed by Check Point Software
> > > Technologies. It is used in VPNs that are built around their Firewall-1
> > > product.
> > >
> > > A Checkpoint-based firewall can be configured in several modes. The "FWZ
> > > Encapsulation" mode cannot be masqueraded. The "IKE" mode, which uses
> > > standard IPsec protocols, can be masqueraded with minor configuration
> > > changes on the VPN gateway.
> >
> > Yes, I have read this. I was not clear on the part of statement
> > saying "minor configuration changes on the VPN gateway".
> >
> > 1.
> > If IKE mode is used does this imply one will always need
> > these changes made on the VPN gateway if one is using SNAT
> > on the individual's home network?
> >
> > 2.
> > Can I assume that the "VPN gateway" in this sentence is the
> > box running the corporate FW-1 Checkpoint firewall in my
> > particular case?
> >
> > 3.
> > Do I need to ask Corporate if ESP with NAT traversal is
> > enabled on the FW-1 Checkpoint firewall? In other words,
> > is that the "minor configuration" I need to have them make
> > in order to get things working (or at least one of them)?
> >
> > It appears from your quote of the VPN Masq HOWTO I made
> > the erroneous assumption that since I was able to use IKE
> > successfully without a firewall on my side that ESP with
> > NAT traversal had been enabled on Corporate's firewall.
> > Said another way, success with IKE used and no firewall
> > on my end does not imply this configuration change on the
> > FW-1 firewall.
> >
>
> Hope someone else can answer your questions -- I know nothing more about
> FW-1's than what I've read on the site I'm quoting.
>
> -Tom
> --
> Tom Eastep       \ Shorewall - iptables made easy
> Shoreline,        \ http://shorewall.sf.net
> Washington USA     \ teastep@shorewall.net
>
On Mon, 24 Mar 2003, Matt Perry wrote:

>
> It is SecuRemote version 4.1 SP-5 DES build 4200.
>

Matt,

Did you check out the site that Dennis Borngraeber pointed you to? It has the relevant information about which versions support NAT and gives configuration guidance.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.sf.net
Washington USA     \ teastep@shorewall.net
Mon Mar 24 11:03:10 CST 2003

Tom (and Dennis):

On Mon, 24 Mar 2003, Tom Eastep wrote:

> On Mon, 24 Mar 2003, Matt Perry wrote:
>
> >
> > It is SecuRemote version 4.1 SP-5 DES build 4200.
> >
>
> Matt,
>
> Did you check out the site that Dennis Borngraeber pointed you to? It has
> the relevant information about which versions support NAT and gives
> configuration guidance.

I did look at that last night. Replying to that email was next on my list. ;)

I had found phoneboy's FAQ-o-Matic a week or so ago. I was concentrating on the Q/A dealing with "Using a Secure Client through Linux ipchains/iptables", http://www.phoneboy.com/fom-serve/cache/90.html, which is referred to at the end of the q/a that Dennis points to. At the time I was not sure what all the ports and protocols did. Now I am a little more educated so they make sense. In any event, I did not have shorewall installed yet so I configured iptables through scripts using the commands found at the end of http://www.phoneboy.com/fom-serve/cache/90.html. The result was still being in the state I described originally -- authentication on the client supported but not able to connect to the private IP address on the other side of the corporate FW-1 firewall.

The configuration options mentioned in the q/a Dennis mentions I believe are for a newer version of SecuRemote. I can move to the newer version of SecuRemote if that is what the issue is...needing to make the configuration changes on the client side as described in the q/a pointed to by Dennis. When I saw Alex's post I thought he might be able to shed some light on that before I made those changes. Another option is to just give it a try! ;)

mjp
--
Matt Perry
mattp@pobox.com
Hi Matt,

sorry for the delay.

Checkpoint 4.1 does not provide the IKE over TCP capability the new Checkpoint NG offers. As a result you will have to deal with UDP traffic on port 500 during IKE Phase 1 and Phase 2. As long as you only have to deal with one secure client/SecuRemote client you can simply try to do

SR=Securemote
CP=Checkpoint

ACCEPT  loc:<SR>  net:<CP>  udp  500
DNAT    net:<CP>  loc:<SR>  udp  500

This would handle the IKE negotiation.

The next step needs to deal with ESP (Encapsulated Security Protocol). This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your firewall. I am not sure about that rule. If the one below should be wrong someone please correct me

ACCEPT  loc:<SR>  net:<FW IP>  50
DNAT    net:<CP>  net:<SR>     50

This assumes that the management module is running on the same IP the enforcement point is running on. If you should have a Checkpoint firewall using a separated Management Module, the IKE is done through the Management Module's IP while ESP you'll receive and send to the Enforcement Point. In addition, if you should run clustered Enforcement Points you would need to have a DNAT rule for each of the nodes.

I hope this helps,
Axel
Hi Matt,

I just was reading your email again and you just mentioned your client is SecuRemote 4.1 but did not say the firewall is 4.1 too.

If the checkpoint firewall is an NG FP 1 or higher things work different. In this case you should go to the checkpoint web site and download the NG FP 3 client. It will give you an option for enabling IKE over IKE and UDP encapsulation. Each feature must be turned on on the checkpoint too but should be by default.

SR=Securemote
CP=Checkpoint

ACCEPT  loc:<SR>  net:<CP>  tcp  500

This would handle the IKE negotiation.

The next step needs to deal with ESP (Encapsulated Security Protocol). This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your firewall. I am not sure about that rule. If the one below should be wrong someone please correct me

ACCEPT  loc:<SR>  net:<FW IP>  50

(I think for ESP the above rule is sufficient so the rule in my earlier mail should be correct).

Starting with NG the Enforcement Points also handle the IKE Phase. So you just have to change the above rules if the Enforcement Points are clustered.

Axel
IKE over IKE is clearly wrong, I meant to say IKE over TCP.

Sorry,
Axel

-----Original Message-----
From: Axel Westerhold
Sent: Mittwoch, 26. März 2003 21:49
To: shorewall-users@lists.shorewall.net

Hi Matt,

I just was reading your email again and you just mentioned your client is SecuRemote 4.1 but did not say the firewall is 4.1 too.

If the checkpoint firewall is an NG FP 1 or higher things work different. In this case you should go to the checkpoint web site and download the NG FP 3 client. It will give you an option for enabling IKE over IKE and UDP encapsulation. Each feature must be turned on on the checkpoint too but should be by default.

SR=Securemote
CP=Checkpoint

ACCEPT  loc:<SR>  net:<CP>  tcp  500

This would handle the IKE negotiation.

The next step needs to deal with ESP (Encapsulated Security Protocol). This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your firewall. I am not sure about that rule. If the one below should be wrong someone please correct me

ACCEPT  loc:<SR>  net:<FW IP>  50

(I think for ESP the above rule is sufficient so the rule in my earlier mail should be correct).

Starting with NG the Enforcement Points also handle the IKE Phase. So you just have to change the above rules if the Enforcement Points are clustered.

Axel
Wed Mar 26 15:52:50 CST 2003

Axel:

On Wed, 26 Mar 2003 Axel@congos.net wrote:

>
> IKE over IKE is clearly wrong I ment to say IKE over TCP

Got it.

>
> Sorry,
> Axel
>
> -----Original Message-----
> From: Axel Westerhold
> Sent: Mittwoch, 26. März 2003 21:49
> To: shorewall-users@lists.shorewall.net
>
>
>
> Hi Matt,
>
> I just was reading your email again and you just mentioned your client
> is SecuRemote 4.1 but did not say the firewall is 4.1 too.

Well, it is not clear to me what version corporate is running (yet), but when I installed an NG client (the latest on Checkpoint's site) I was no longer able to communicate with the corporate firewall even when there was *no* firewall on my end. I am going to make an assumption that this implies they are using a non-NG version of the firewall on their end. That would make sense as well, as I have heard nothing from our local IT people indicating they had made a change recently.

I am going to make the changes indicated in your previous post where you spell out what is necessary for the original flavor of the FW-1 checkpoint firewall with the client I have and report the results.

BTW, getting that NG client off of my Win98 machine required the sacrifice of at least one chicken, but that is another story for another day. :(

mjp

>
> If the checkpoint firewall is an NG FP 1 or higher things work
> different. In this case you should go to the checkpoint web site and
> download the NG FP 3 client. It will give you an option for enabling IKE
> over IKE and UDP encapsulation. Each feature must be turned on on the
> checkpoint too but should be by default.
>
>
> SR=Securemote
> CP=Checkpoint
>
> ACCEPT  loc:<SR>  net:<CP>  tcp  500
>
> This would handle the IKE negotiation.
>
> The next step needs to deal with ESP (Encapsulated Security Protocol).
> This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your
> firewall. I am not sure about that rule. If the one below should be
> wrong someone please correct me
>
> ACCEPT  loc:<SR>  net:<FW IP>  50
>
> (I think for ESP the above rule is sufficient so the rule in my earlier
> mail should be correct).
>
> Starting with NG the Enforcement Points also handle the IKE Phase. So
> you just have to change the above rules if the Enforcement Points are
> clustered.
>
> Axel
>
>

--
Matt Perry
mattp@pobox.com
Wed Mar 26 16:13:17 CST 2003

Axel:

On Wed, 26 Mar 2003 Axel@congos.net wrote:

>
> Hi Matt,
>
> sorry for the delay.
>
> Checkpoint 4.1 does not provide the IKE over TCP capability the new
> Checkpoint NG offers. As a result you will have to deal with UDP traffic
> on port 500 during IKE Phase 1 and Phase 2. As long as you only have to
> deal with one secure client/SecuRemote client you can simply try to do
>
> SR=Securemote
> CP=Checkpoint
>
> ACCEPT  loc:<SR>  net:<CP>  udp  500
> DNAT    net:<CP>  loc:<SR>  udp  500
>
> This would handle the IKE negotiation.
>
> The next step needs to deal with ESP (Encapsulated Security Protocol).
> This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your
> firewall. I am not sure about that rule. If the one below should be
> wrong someone please correct me
>
> ACCEPT  loc:<SR>  net:<FW IP>  50
> DNAT    net:<CP>  net:<SR>     50

Did you mean:

DNAT    net:<CP>  loc:<SR>     50
                  ^^^

mjp

>
>
> This assumes that the management module is running on the same IP the
> enforcement point is running on. If you should have an Checkpoint
> firewall using a separated Management Module the IKE is done through the
> Management Modules IP while ESP you'll receive and send to the
> Enforcement Point. In addition, if you should run clustered Enforcement
> Points you would need to have a DNAT rule for each of the nodes.
>
> I hope this helps,
> Axel
>

--
Matt Perry
mattp@pobox.com
Hi Matt,

> Well, it is not clear to me what version corporate is
> running (yet), but when I installed an NG client (the
> latest on Checkpoint's site) I was no longer able to
> communicate with the corporate firewall even when there
> was *no* firewall on my end. I am going to make an
> assumption that this implies they are using a non-NG
> version of the firewall on their end. That would make
> sense as well as I have heard nothing from our local
> IT people indicating they had made a change recently.

Actually no. I am running a SecuRemote FP 3 client against various flavors of Checkpoint 4.1 and NG firewalls (I need to remote administrate about 20+ Firewalls and sometimes it's just easier and more comfortable to do it from home).

If you really want to find out you can run an NMAP -O (fingerprinting) against your known Checkpoint firewall IP. NMAP will tell you if it's a 4.1 while it will not give you a valid result on NG. That's one of the reasons I tell people to upgrade to NG. Another is the SecuRemote issue. Handling 50+ Remote users with various personal firewalls or Home Networks through various firewalls or Cable/DSL routers is no fun when the FW is 4.1!

> I am going to make the changes indicated in your previous
> post where you spell out what is necessary for the
> original flavor of the FW-1 checkpoint firewall with
> the client I have and report the results.

If you should have any more questions feel free to contact me directly as this is more a Checkpoint issue than related to Shorewall. No need to be totally off topic.

> BTW, getting that NG client off of my Win98 machine
> required the sacrifice of at least one chicken, but
> that is another story for another day. :(

Yes, I never got Win9x machines to accept an uninstall gracefully. It works better with XP.

Axel
Yep, actually, when I first had this problem I decided to do something to verify my problems. My rules file looked like this for the test

ACCEPT  loc:<myip>  $FW         all
ACCEPT  loc         net         all
DNAT    net:<CP>    loc:<myIP>  all

This should work just fine as it DNATs everything hitting your External interface with a Source equal to the IP of the Checkpoint over to the machine you run the secu client from. When this worked I simply did the tuning.

Axel

-----Original Message-----
From: Matt Perry [mailto:kheintz@winternet.com]
Sent: Mittwoch, 26. März 2003 23:14
To: Axel Westerhold
Cc: shorewall-users@mail.shorewall.net

Wed Mar 26 16:13:17 CST 2003

Axel:

On Wed, 26 Mar 2003 Axel@congos.net wrote:

>
> Hi Matt,
>
> sorry for the delay.
>
> Checkpoint 4.1 does not provide the IKE over TCP capability the new
> Checkpoint NG offers. As a result you will have to deal with UDP traffic
> on port 500 during IKE Phase 1 and Phase 2. As long as you only have to
> deal with one secure client/SecuRemote client you can simply try to do
>
> SR=Securemote
> CP=Checkpoint
>
> ACCEPT  loc:<SR>  net:<CP>  udp  500
> DNAT    net:<CP>  loc:<SR>  udp  500
>
> This would handle the IKE negotiation.
>
> The next step needs to deal with ESP (Encapsulated Security Protocol).
> This is Protocol 50 (as TCP is 6 and UDP is 17). It needs to pass your
> firewall. I am not sure about that rule. If the one below should be
> wrong someone please correct me
>
> ACCEPT  loc:<SR>  net:<FW IP>  50
> DNAT    net:<CP>  net:<SR>     50

Did you mean:

DNAT    net:<CP>  loc:<SR>     50
                  ^^^

mjp

>
>
> This assumes that the management module is running on the same IP the
> enforcement point is running on. If you should have an Checkpoint
> firewall using a separated Management Module the IKE is done through the
> Management Modules IP while ESP you'll receive and send to the
> Enforcement Point. In addition, if you should run clustered Enforcement
> Points you would need to have a DNAT rule for each of the nodes.
>
> I hope this helps,
> Axel
>

--
Matt Perry
mattp@pobox.com