
Re: [FW1] Securemote Client and NAT



Kevin,
I don't know if you've received an answer; I couldn't hook the email thread.
Phoneboy is referring to VPN and NAT on FW 4.0 versions, when IKE was in its earlier
iteration of ISAKMP/Oakley.

I can't find a good doc on Check Point's web site.  I'll try to describe it:
Verify that the firewall is 4.1 sp1 or 4.1 sp2.
If the firewall is properly configured for SR, you should be able to enter the
following line in userc.c with the other commands at the top:

        :force_udp_encapsulation (true)

That is,
<tab><tab>:force_udp_encapsulation<space>(true).  Then kill and restart.

This should do as it says.

Let me know what kind of errors or symptoms you see.

Cheers,
CT

Kevin Ruggles wrote:

> Hello,
> I am new to this and need some help.
> I am using SR client 4.1 behind a netgear rt311 router and DSL modem.
>
> My problem is that I have a private lan and am using the netgear router to
> allow all machines internet access. When I try using the SR client from a
> machine going through the router, I am not able to make it work.
>
> I have researched the issue of using SR client behind a router and came up
> with a great info page at  (http://www.phoneboy.com/fw1/faq/0141.html)
>
> I have a few questions about the information on the above web page.
>
> bullet 2 under the A: talks about "ISKAMP", a little below it has ISAKMP and
> then later it has "IKE". Are these all the same?
> I think the first two are but I'm not sure about the last. If it is
> different, what is IKE?
>
> Bullets 3-5 talk about STATIC, POOL and HIDE NAT. Bullets 3 and 4 both say at
> the end "follow the steps below." I am not sure what steps below to follow.
>
> Bullet 5 is for HIDE NAT. It says "only one user .... unless ... UDP
> Encapsulation....
>         This should work fine for ... home-office network...."
>
> So this is where I fit in. I only need one machine enabled to use SR client
> behind my netgear Router.
> Here I am assuming that the router fits into the HIDE NAT category.
> Please correct me if I am wrong.
>
> The last part of the article, starting with
>         "You will need to modify objects.c on the management console."
> appears to be talking of the FW server. I have no ability to make these
> changes.
>
> Are these changes required for the HIDE NAT, ISAKMP (ISKAMP?) section of the
> article?
>
> So bottom line, I want to know if I have a HIDE NAT device (netgear rt311)
> and use ISAKMP key management, if I do these two steps:
>
> 1)      Insure that UDP port 500 on your NAT gateway is mapped to the
> SecuRemote client. FireWall-1 tries to communicate via this port.
>
> 2)      Make sure your NAT gateway can pass IPSEC traffic (IP Protocol 50).
> If UDP Encapsulation Mode is used, make sure it can also pass UDP Port
> 2746.
>
> (BTW, how are these steps accomplished?)
>
> Do I need to do anything else or worry about UDP encapsulation in order for
> it to work?
>
> Kevin Ruggles
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================



   All contents © 2004 Network Presence, LLC. All rights reserved.