[FW1] securemote IKE connections through NAT device and securemote pool NAT
I want to create an IPSEC/ESP VPN from a SecuRemote client, let's call it A, against a FW-1 v4.1 SP1 on a Nokia 440 box, let's say B. Between both there is another FW-1 (2 x FW-1 v4.1 with StoneBeat FullCluster v2 on Sun 220Rs); let's call them C.

To test the VPN I am trying to do a telnet from A to a Linux box behind B, let's call it D. Here is a schematic representation:

    Securemote Client               2x v4.1 3DES
    Firewall 1 v4.1 SP1             StoneBeat Fullcluster v2 Build 4174
    W2K professional                Solaris 2.6 on Ultra 220R

     -------                         -------
    |       |      IPSEC/ESP        |       |
    |   A   |---------------------->|   C   |
    |       |      IKE XCHG         |       |
     -------                         -------
                                        |
                                        |
                                     INTERNET
                                        |
                                        V
     -------                         -------
    |       |                       |       |
    |   D   |<----------------------|   B   |
    |       |                       |       |
     -------                         -------
    Linux Box                       Nokia IP440
    RedHat 7.0                      Firewall 1 V4.1 SP1

I have managed to successfully authenticate against firewall B from A (doing static NAT for 500/udp). I have also set up IP Pool NAT for SecuRemote connections, so A's address 172.20.123.x is mapped to 192.168.124.x, which is routable for D.

It seems that everything is working as expected: I can see the "decrypt" log lines on B for the telnet trials from A. I can also see the original (encapsulated) address of A being translated to 192.168.124.193 (first address of the pool), but, here is the problem, this is the tcpdump log from fw B to host D:

    auninc01[admin]# tcpdump -i eth-s1p3c0 port 23 and host 192.168.112.X
    tcpdump: listening on eth-s1p3c0
    16:44:53.270264 172.20.123.Y.1518 > 192.168.112.X.23: S 721727998:721727998(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    16:44:59.379001 172.20.123.Y.1518 > 192.168.112.X.23: S 721727998:721727998(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

Addresses are not being translated, but in the log it says they are: in the XltdSrc column I can read 192.168.124.193 for the "decrypt" entry for this telnet.

Any idea? Suggestions? Thanks in advance.

Raúl
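An added check, not part of the post above, that parses tcpdump lines of the shape shown and classifies each packet's source as translated (inside the IP pool) or untranslated (still the original SecuRemote client address), so the wire capture can be compared against what the firewall log's XltdSrc column claims. The client range 172.20.123.0/24, the pool range 192.168.124.0/24 and the host octets 20 and 7 are assumptions standing in for the post's x, X and Y placeholders.

```python
import ipaddress
import re

# Constructed sample in the format of the tcpdump output quoted in the post.
# Host octets 20 (client Y) and 7 (server X) are made up for the example;
# the third line is an invented packet that DID get translated, for contrast.
SAMPLE_TCPDUMP = """\
16:44:53.270264 172.20.123.20.1518 > 192.168.112.7.23: S 721727998:721727998(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
16:44:59.379001 172.20.123.20.1518 > 192.168.112.7.23: S 721727998:721727998(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
16:45:10.100000 192.168.124.193.1519 > 192.168.112.7.23: S 1:1(0) win 16384 <mss 1460> (DF)
"""

# tcpdump (2.x era) prints "HH:MM:SS.usec src.sport > dst.dport: flags ..."
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def parse_tcpdump(text):
    """Yield (timestamp, src_ip, src_port, dst_ip, dst_port) per packet line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, sip, sport, dip, dport = m.groups()
            yield (ts, ipaddress.ip_address(sip), int(sport),
                   ipaddress.ip_address(dip), int(dport))


def check_pool_nat(text, client_net, pool_net):
    """Tag each packet: 'translated' if the source is inside the IP pool,
    'untranslated' if it is still a client address, otherwise 'other'."""
    client_net = ipaddress.ip_network(client_net)  # assumed 172.20.123.0/24
    pool_net = ipaddress.ip_network(pool_net)      # assumed 192.168.124.0/24
    rows = []
    for ts, src, sport, dst, dport in parse_tcpdump(text):
        if src in pool_net:
            state = "translated"
        elif src in client_net:
            state = "untranslated"
        else:
            state = "other"
        rows.append((ts, str(src), sport, str(dst), dport, state))
    return rows


def untranslated_count(text, client_net, pool_net):
    """Number of packets that reached the wire with the pre-NAT client address."""
    return sum(1 for r in check_pool_nat(text, client_net, pool_net)
               if r[-1] == "untranslated")
```

A non-zero result means packets left the firewall's inside interface with the client's original address even though the log reports a pool address, which is exactly the mismatch described in the post.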