RE: [FW1] What to let through for IKE VPN?
Hi Gareth and gang,

Thanks for the response! I actually found the answer this morning (from CP). If you're using SR behind a NAT, your client is sending the IKE packets encapsulated in UDP headers to port 2746 on the FW. Thus, you need a line in your Cisco router like:

access-list 100 permit udp any host my.fw.ex.ip eq 2746

If there is no encapsulation with IKE (i.e. not NAT'ed), you still need:

access-list 100 permit 50 any host my.fw.ex.ip
access-list 100 permit 51 any host my.fw.ex.ip

Additionally, for authentication, you need:

access-list 100 permit udp any host my.fw.ex.ip eq 500

Hope this helps someone out there.

Take care,
Ian

-----Original Message-----
From: Gareth Bromley [mailto:[email protected]]
Sent: Monday, November 20, 2000 11:46 PM
To: Ian Campbell
Subject: Re: [FW1] What to let through for IKE VPN?

Ian Campbell wrote:
> -------------------------------------------------------------
> 2. To establish a connection between SecuRemote Client and the server:
>
> For ISAKMP, open UDP port 500 (ISAKMP service) for Authentication, and allow
> traffic on protocol 50 (0x32) and 51 (0x33) which are the new protocol
> numbers for ISAKMP
> -------------------------------------------------------------

Are you using any PKI based auth as well? You may need to enable LDAP for CRL retrieval.

> I've added these three lines to our Cisco router's ACL:
> access-list 100 permit 50 any host my.fw.ex.ip
> access-list 100 permit 51 any host my.fw.ex.ip
> access-list 100 permit udp any host my.fw.ex.ip eq 500
> But my session dies after auth. If I do a 'sh access-list 100', I can see
> the hits on the third line for auth, but nothing on the first two. If I add
> my test machine's external IP back in and allow any traffic from it, it
> works again. Has anybody got any idea what I'm doing wrong here? Thanks!

Is the Cisco Unit doing the NAT? Or is the firewall doing the NAT?
We have completed a 50,000 user VPN with NAT solution, and the only way to make it work was to have the firewall doing the NAT after VPN set, using either IP NAT Pools, or, what we did because of the number of entry points across geographical locations, NAT Rules specific to each firewall to get round asymmetric routing problems.

From what you have outlined above, that should work for a standard IPsec setup and VPN traffic. Have you tried using snoop (Solaris), Ethereal (Linux/Solaris), NetMon (NT) or better NetXRay (NT) to see what packets are coming in? Is the firewall dropping anything?

--Gareth

> Ian
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

--
--Gareth Bromley
Managing Director, Int* Consulting Ltd
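The diagnosis in this thread (IKE on UDP/500 shows hits, the ESP/AH lines show none, and the tunnel dies because a NAT'ed SecuRemote client is really sending UDP/2746) can be replayed offline. The following is an added example, not code from the thread or from Check Point: a small evaluator for the Cisco-style extended ACL lines quoted above, with a per-entry hit counter in the spirit of 'sh access-list 100'. The firewall and client addresses are placeholders from documentation ranges (assumed values standing in for my.fw.ex.ip), and the packets are constructed, not captured.

```python
"""Replay access-list 100 from the thread against constructed packets.

Added example, not part of the original mail thread.  Shows why the
three-line ACL passes IKE but drops a SecuRemote client behind NAT,
and why adding the UDP/2746 line fixes it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

FW_IP = "192.0.2.10"   # assumed placeholder for my.fw.ex.ip

# Protocol keywords an extended ACL accepts, mapped to IP protocol numbers.
PROTO_NAMES = {"ip": None, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51, "gre": 47}


@dataclass
class Ace:
    """One access-list entry plus a hit counter, like 'show access-list'."""
    text: str
    action: str
    proto: Optional[int]            # None matches any IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None when the entry has no 'eq <port>'
    hits: int = 0

    def matches(self, proto, src, dst, dport):
        if self.proto is not None and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        # A port qualifier on the entry must match; ESP/AH packets carry no port.
        if self.dport is not None and dport != self.dport:
            return False
        return True


def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard masks are host masks, which ipaddress accepts directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line}")
    proto = int(t[3]) if t[3].isdigit() else PROTO_NAMES[t[3]]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(line, t[2], proto, src, dst, dport)


def evaluate(acl, packets):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    results = []
    for proto, src, dst, dport in packets:
        for idx, ace in enumerate(acl):
            if ace.matches(proto, src, dst, dport):
                ace.hits += 1
                results.append((ace.action, idx))
                break
        else:
            results.append(("deny", None))   # implicit deny at the end of every ACL
    return results


# The three lines Ian started with, then the UDP/2746 line he added for NAT'ed clients.
ORIGINAL_ACL = [
    f"access-list 100 permit 50 any host {FW_IP}",
    f"access-list 100 permit 51 any host {FW_IP}",
    f"access-list 100 permit udp any host {FW_IP} eq 500",
]
FIXED_ACL = ORIGINAL_ACL + [f"access-list 100 permit udp any host {FW_IP} eq 2746"]

# Constructed traffic: (ip protocol, src, dst, udp dport or None).
IKE_FROM_NAT_CLIENT = (17, "203.0.113.5", FW_IP, 500)      # IKE negotiation
UDP_ENCAP_FROM_NAT = (17, "203.0.113.5", FW_IP, 2746)      # SecuRemote UDP encapsulation
ESP_FROM_PUBLIC_HOST = (50, "198.51.100.7", FW_IP, None)   # un-NAT'ed client, plain ESP
SAMPLE = [IKE_FROM_NAT_CLIENT, UDP_ENCAP_FROM_NAT, ESP_FROM_PUBLIC_HOST]


def run(lines):
    """Return (per-packet decisions, per-entry hit counts) for an ACL."""
    acl = [parse_ace(line) for line in lines]
    return evaluate(acl, SAMPLE), [a.hits for a in acl]


if __name__ == "__main__":
    for name, lines in (("original", ORIGINAL_ACL), ("with udp/2746", FIXED_ACL)):
        decisions, hits = run(lines)
        print(f"{name}: {decisions}  hits per entry: {hits}")
```

With the original three lines the IKE packet hits entry 3 and the ESP packet hits entry 1, but the NAT'ed client's UDP/2746 packet matches nothing and falls to the implicit deny, which is exactly the "hits on the third line, session dies after auth" picture. Adding the UDP/2746 entry turns that deny into a permit on entry 4. When reproducing this against a real router, also remember that the wildcard-mask form is not strictly needed here; it is parsed so that the evaluator handles ACLs that scope the source to a known address range instead of "any".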