
RE: [FW1] SR 4165 + IKE + NAT = broken



Craig,

I think I have seen this problem before. Encrypted packet=external DSL
router IP and decrypted packet=private client IP. The firewall will decrypt
the packet and then make a routing decision. The decrypted packet will have
the actual private address of the client behind the DSL router.

It sounds like the firewall is checking for anti-spoofing after it decrypts
the packet and it is matching a range on one of your firewall interfaces.

Check your firewall interfaces and make sure that you have not defined the
DSL clients' private IP range on one of your firewall interfaces under the
anti-spoofing configuration. You might have defined the anti-spoofing
using 192.168.0.0/255.255.0.0 as your range, and the DSL client IP range
would fall within those boundaries.


-----Original Message-----
From: Little, Craig (SSI-SIAP-NP5) [mailto:[email protected]]
Sent: Tuesday, September 26, 2000 6:59 PM
To: [email protected]
Subject: [FW1] SR 4165 + IKE + NAT = broken




I have recently upgraded to SR4156 and FW-1 4.1 SP2. All went
smoothly until a couple of people tried logging on from home via
their DSL connections.

They authenticate OK, but cannot connect to resources. I can see the
inbound packets, but the outbound packets are dropped at the
firewall's internal interface under rule 0.

The log entries follow this format (consistently).

u1 = user's external (valid) IP address
u2 = user's internal (RFC) address (192.168.1.45)
fwe = firewall external interface
fwi = firewall internal interface
WINS = wins server
DNS = dns server

>Action    Svc    Src Dest Prot Rul S_Port Usr XSource XDst Info
>authcrypt        u1            0          rob             
>authenticated by IKE key inst         u1  fwe                       
>           IKE Phase 1 key inst         u1  fwe  ip   0             
>             IKE Phase 2 accept           u2                      
>rob w.x.y.z      IP Pool bound decrypt   nbname u2  WINS udp  x  
>nbname rob w.x.y.z      scheme IKE decrypt   name   u2  DNS  udp  x 
> 1047   rob w.x.y.z DNS  scheme IKE drop      24625  fwi u1   50   0
>  27991                   reason: local interface address spoofing  

The key to the problem seems to be the last entry - the internal
interface of the firewall seems to be trying to send the IPSEC packet
to the DSL user, and gets refused with the message 'local interface
address spoofing'.

The user's side of the network looks like this:

--------192.168.1.45   ---------Valid IP
|  PC  |---------------|DSL Rtr|------------ Internet
--------  192.168.2.254---------

I know IKE isn't to blame, because I can use IKE on a dial-up
connection. It appears to be a NAT issue. The DSL devices all NAT
using the RFC1918 subnet 192.168.1.0.

Has anybody else seen this behaviour, and what is the fix?


Kind Regards,

Craig Little BSc, CPD, CPI, SCJP, CCSA, CCSE
Inter-Networking / Security Consultant

Shell Services International

Phone:	+64 4 462 4661
Fax:	+64 4 463 4060
Mobile:	+64 21 37 5858
PGP Fingerprint F3CE 6EB2 6B1A 10EA E355  A157 8012 D53A 6AE5 962F
mailto:[email protected]
http://www.shellservices.com
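The reply above diagnoses the drop as anti-spoofing applied to the decrypted packet: the inner source is the DSL client's private address, and it falls inside a broad range defined on the firewall's internal interface. The following is an added example, not code from the thread or from Check Point, that models that check in Python and shows the difference between the broad 192.168.0.0/255.255.0.0 range the reply warns about and a narrowed range; the interface names "fwe"/"fwi" follow the thread, while the configurations and the /24 used for the narrowed case are assumptions.

```python
import ipaddress

# Constructed from the thread: after decryption, the packet's source is the
# DSL client's private address, not the DSL router's public one.
INNER_SRC = ipaddress.ip_address("192.168.1.45")
# The DSL devices NAT from this RFC1918 subnet (stated in the original message).
DSL_CLIENT_NET = ipaddress.ip_network("192.168.1.0/24")

# Assumed anti-spoofing ("valid addresses") ranges per interface.
# BROAD is the mistake the reply describes: a /16 on the internal interface
# that happens to contain the remote clients' subnet.
BROAD_CONFIG = {
    "fwe": [],  # external: no explicit range in this model
    "fwi": [ipaddress.ip_network("192.168.0.0/255.255.0.0")],
}
# NARROW is an assumed corrected config limited to the real internal LAN.
NARROW_CONFIG = {
    "fwe": [],
    "fwi": [ipaddress.ip_network("192.168.2.0/24")],
}


def spoofed_on_interface(config, inbound_if, src):
    """Return the name of the interface whose valid-address range claims
    `src` even though the packet arrived on `inbound_if`, or None when no
    other interface claims it. This mimics the 'local interface address
    spoofing' drop: a source owned by another interface is treated as spoofed."""
    for ifname, nets in config.items():
        if ifname == inbound_if:
            continue
        if any(src in net for net in nets):
            return ifname
    return None


def conflicting_interfaces(config, client_net):
    """Lint helper: list interfaces whose anti-spoofing range overlaps the
    remote clients' private subnet, i.e. the ranges the reply says to check."""
    return [
        ifname
        for ifname, nets in config.items()
        if any(net.overlaps(client_net) for net in nets)
    ]


if __name__ == "__main__":
    # Decrypted packet from the DSL client enters on the external interface.
    print("broad config drops on:", spoofed_on_interface(BROAD_CONFIG, "fwe", INNER_SRC))
    print("narrow config drops on:", spoofed_on_interface(NARROW_CONFIG, "fwe", INNER_SRC))
    print("overlapping ranges:", conflicting_interfaces(BROAD_CONFIG, DSL_CLIENT_NET))
```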



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
