| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Traceroute through an IPSEC-Based VPN

How come traceroute doesn't seem to work over our VPN?

Answer

Traceroute works by sending out packets with successively larger Time-To-Live values. Each hop along the way generally returns an ICMP-Time-Exceeded, an ICMP-Destination-Unreachable message, or an ICMP-Echo-Reply.

In an IPSEC VPN, all communication between the sites is encapsulated. When FireWall-1 encapsulates a traceroute packet, the new packet inherits the TTL value of the packet being encapsulated. As a result, each hop between the firewalls sends an ICMP-Time-Exceeded packet back to the firewall. These packets are ignored by the firewall. The user will see these in their traceroute as "request timed out."

In FireWall-1 4.1, traceroute does not work through the VPN. In the NG version of Secure Client at least, traceroute appears to work properly. When you use the tracert command to trace to an internal host, the first hop is the firewall.

-- RobertGraham - 10 Jan 2004

FAQs.Class: EncryptionFAQs, SecureClientFAQs
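The mechanism described in the post can be reproduced with a small simulation. The following is an added example and is not part of the original FAQ post nor Check Point's code: it models a client behind an encrypting gateway (named `fw_a` here, an assumed name), two assumed transit routers between the gateways, a decrypting gateway `fw_b` and the destination host, and compares what a traceroute shows when the outer IPsec header inherits the inner TTL against what it shows when the gateway sets a fresh outer TTL (the value 64 is an assumption for illustration). The model is deliberately simplified: the encrypting gateway drops the ICMP Time-Exceeded errors that transit routers address to it, which is what turns those hops into "request timed out" lines for the user.

```python
"""Toy model of why traceroute probes time out inside an IPsec tunnel.

Constructed example: hop names, the tunnel behaviour and the fresh outer
TTL value are assumptions made for illustration, not a real implementation.
"""
from typing import List

TIMED_OUT = "*"          # what the user sees as "request timed out"
FRESH_OUTER_TTL = 64     # assumed outer TTL when a gateway does NOT copy the inner TTL


def trace_probe(probe_ttl: int, transit_hops: List[str], copy_ttl: bool) -> str:
    """Return the name of the node that answers one traceroute probe.

    Assumed path:  client -> fw_a (encrypts) -> transit hops -> fw_b (decrypts) -> host
    """
    ttl = probe_ttl

    # fw_a routes the cleartext probe first, decrementing TTL like any router.
    ttl -= 1
    if ttl == 0:
        return "fw_a"    # ICMP Time-Exceeded goes straight back to the client

    # Encapsulation: the outer header either inherits the inner TTL or gets a fresh one.
    outer_ttl = ttl if copy_ttl else FRESH_OUTER_TTL

    for _hop in transit_hops:
        outer_ttl -= 1
        if outer_ttl == 0:
            # The transit router answers the outer source address, i.e. fw_a,
            # which ignores the ICMP error. The client only sees a timeout.
            return TIMED_OUT

    # fw_b decapsulates and forwards the inner packet, decrementing its TTL.
    ttl -= 1
    if ttl == 0:
        return "fw_b"
    return "host"        # destination answers (echo reply / port unreachable)


def traceroute(transit_hops: List[str], copy_ttl: bool, max_hops: int = 8) -> List[str]:
    """Run probes with TTL 1, 2, ... until the destination answers."""
    responders = []
    for probe_ttl in range(1, max_hops + 1):
        responder = trace_probe(probe_ttl, transit_hops, copy_ttl)
        responders.append(responder)
        if responder == "host":
            break
    return responders


if __name__ == "__main__":
    transit = ["r1", "r2"]   # constructed: two routers between the gateways
    for mode in (True, False):
        label = "outer TTL inherited" if mode else "fresh outer TTL"
        print(f"{label:22s}:", " -> ".join(traceroute(transit, copy_ttl=mode)))
```

With the inherited TTL the trace reads `fw_a -> * -> * -> host`: the firewall is the first hop, every router between the gateways shows as a timeout, and the far side only answers once the probe's TTL is large enough to cross the tunnel. With a fresh outer TTL the tunnel collapses to a single hop, `fw_a -> fw_b -> host`, which is the behaviour the post attributes to the NG Secure Client.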