
[FW1] Delays with IKE/ESP



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have been noticing a problem with some of our IKE users over the
past month. A couple of them are using a broadband (ADSL) connection,
with a NAT'ing router (Nokia M1122). The addresses on the inside of
the ADSL router are RFC1918 based.

The SR client can authenticate, and use the VPN, but there is a 3
minute delay between the authcrypt event and the next event
(sometimes a pool IP address bound, sometimes a decrypt). This is a
sample taken from last night's logs:

Time     Action    Source      Dest User   Reason
21:17:23 Authcrypt 210.x.x.x        wlx Authenticated 3DES, IKE, SHA1
21:20:41 Accept    192.168.2.x      wlx Bound address 192.168.2.x to 156.x.x.x
21:20:41 Decrypt   192.168.2.x Lots of NetBios traffic for MS Exchange
.
. Time passes by - working OK
.
22:33:34 Authcrypt 210.x.x.x            wlxxxx Authenticated 3DES, IKE, SHA1
22:36:54 Decrypt   192.168.2.x Normal traffic

As you can see from the above, there is about a 3 minute 20 second
wait between the authcrypt and valid traffic being allowed through.

It only affects the ADSL users - everyone else (FWZ and IKE - either
cable modem or modem) works fine. This only seems to have been an
issue since we upgraded to 4.1 SP2, although I can't rule it out as a
telco issue, as they upgraded their ADSL network at around the same
time. We managed to get it going fine using the older equipment.

We have pinholed IP Type 50 and UDP Port 500 to the PC from the
router, and even tried pinholing IP Type 51 just in case - same
problem.

Has anyone else experienced the same issues? Any ideas why there is a
3 minute wait?

Our environment is:

Firewall:
Windoze NT Server 4.1 SP6
Checkpoint VPN-1 4.1 SP2
IP pool addresses (200) to internal network addresses
UDP Encapsulation enabled

Client:
Windoze NT Workstation SP5
SecuRemote Release 4165
IP Address 192.168.2.x
Router IP address 210.x.x.x from ISP

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOf1A6IAS1Tpq5ZYvEQLLuwCfdb5Mq+S7S9QUl3WptIVegJpJ/j4AoIA1
HccPn9lcjJ0aZAa9oaRxGt1L
=1t6l
-----END PGP SIGNATURE-----
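
Added example, not part of the original message: a small Python script that measures the gap the post describes by pairing each Authcrypt row with the first row that follows it. It assumes the column layout shown in the post (not Check Point's log export format), a log covering one client at a time, and a hypothetical 30-second threshold.

```python
import re
from datetime import datetime, timedelta

# Rows copied from the post with wrapped lines joined; not a real FW-1 export.
SAMPLE_LOG = """\
21:17:23 Authcrypt 210.x.x.x        wlx Authenticated 3DES, IKE, SHA1
21:20:41 Accept    192.168.2.x      wlx Bound address 192.168.2.x to 156.x.x.x
21:20:41 Decrypt   192.168.2.x Lots of NetBios traffic for MS Exchange
. Time passes by - working OK
22:33:34 Authcrypt 210.x.x.x            wlxxxx Authenticated 3DES, IKE, SHA1
22:36:54 Decrypt   192.168.2.x Normal traffic
"""

# Time, action and source are the only columns present on every row.
ROW = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\w+)\s+(\S+)")

def parse(text):
    """Yield (time, action, source) for each row that matches the layout."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # annotation lines such as ". Time passes by" are skipped
            t = datetime.strptime(m.group(1), "%H:%M:%S")
            yield t, m.group(2).lower(), m.group(3)

def auth_delays(text):
    """Seconds between each Authcrypt and the first event that follows it."""
    delays, pending = [], None
    for t, action, source in parse(text):
        if action == "authcrypt":
            pending = (t, source)  # a newer Authcrypt replaces an unanswered one
        elif pending is not None:
            start, peer = pending
            gap = t - start
            if gap < timedelta(0):  # log rolled past midnight
                gap += timedelta(days=1)
            delays.append((start.strftime("%H:%M:%S"), peer, int(gap.total_seconds())))
            pending = None
    return delays

def slow_sessions(text, threshold=30):
    """Authcrypt events whose first follow-up took longer than threshold seconds."""
    return [d for d in auth_delays(text) if d[2] > threshold]

if __name__ == "__main__":
    for start, peer, secs in slow_sessions(SAMPLE_LOG):
        print(f"{start} {peer}: {secs}s before first post-auth event")
```

Running the same measurement over logs from the cable modem and dial-up users gives a baseline to compare the ADSL sessions against.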


   All contents © 2004 Network Presence, LLC. All rights reserved.