
[FW1] SecuRemote IKE connections through NAT device and SecuRemote pool NAT



I want to create an IPSEC/ESP VPN from a SecuRemote client, let's call it
A, against a FW-1 v4.1 SP1 on a Nokia IP440 box, let's say B.

      Between both there is another FW-1 (2 x FW-1 v4.1 with StoneBeat
      FullCluster v2 on Sun 220Rs). Let's call them C.

      To test the VPN I am trying to do a telnet from A to a Linux box
      behind B, let's call it D.

      Here is a schematic representation:

Securemote Client      2x
v4.1 3DES              StoneBeat Fullcluster v2
Build 4174             Firewall 1 v4.1 SP1
W2K professional       Solaris 2.6 on Ultra 220R
-------                -------
|     |   IPSEC/ESP    |     |
|  A  |--------------->|  C  |
|     |    IKE XCHG    |     |
-------                -------
                          |
                          |
                          |
                       INTERNET
                          |
                          |
                          V
-------                -------
|     |                |     |
|  D  |<---------------|  B  |
|     |                |     |
-------                -------
Linux Box              Nokia IP440
RedHat 7.0             Firewall 1 V4.1 SP1

      I have managed to successfully authenticate against firewall B from A
      (doing static NAT for 500/udp).

      I have also set up IP Pool NAT for SecuRemote connections, so A's
      address 172.20.123.x is mapped to 192.168.124.x, which is routable
      for D.

      It seems that everything is working as expected: I can see the
      "decrypt" log lines on B for the telnet trials from A.
      I can also see the original (encapsulated) address of A being
      translated to 192.168.124.193 (the first address of the pool), but
      here is the problem. This is the tcpdump log from FW B to host D:

      auninc01[admin]# tcpdump -i eth-s1p3c0 port 23 and host 192.168.112.X
      tcpdump: listening on eth-s1p3c0
      16:44:53.270264 172.20.123.Y.1518 > 192.168.112.X.23: S
      721727998:721727998(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
      16:44:59.379001 172.20.123.Y.1518 > 192.168.112.X.23: S
      721727998:721727998(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

      Addresses are not being translated, but the log says they are:

      In the XltdSrc column I can read 192.168.124.193 for the "decrypt"
      entry for this telnet.

      Any ideas?

      Suggestions?


      Thanks in advance.


          Raúl
The information included in this e-mail is CONFIDENTIAL and is for the
exclusive use of the recipient named above. If you read this message and are
not the intended recipient, nor the employee or agent responsible for
delivering the message to the recipient, or if you have received this
communication in error, be advised that any disclosure, distribution or
reproduction of this communication is strictly prohibited; please notify us,
return the original message to the address given above and delete the
message.
Thank you.
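A check that goes with the capture above, as an added example that is not part of the original post and not Check Point's own tooling: it parses tcpdump lines of the form shown and flags packets leaving the inside interface whose source is still in the SecuRemote client range (172.20.123.0/24, the range named in the post) rather than in the IP pool (192.168.124.0/24, also from the post). The sample lines are constructed; the last octets X and Y are not given in the post, so 42 and 7 are assumed, and the third line is an invented packet showing what a correctly translated SYN would look like.

```python
import ipaddress
import re

# Constructed sample modelled on the tcpdump lines in the post. The real
# capture masks the last octets as X and Y; 42 and 7 are assumed here.
# The third line is a hypothetical, correctly translated SYN from the pool.
SAMPLE_CAPTURE = """\
tcpdump: listening on eth-s1p3c0
16:44:53.270264 172.20.123.7.1518 > 192.168.112.42.23: S 721727998:721727998(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
16:44:59.379001 172.20.123.7.1518 > 192.168.112.42.23: S 721727998:721727998(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
16:45:05.100000 192.168.124.193.1519 > 192.168.112.42.23: S 900000001:900000001(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
"""

# Ranges named in the post: the SecuRemote client's own address range and
# the IP pool that FireWall-1 should rewrite it into before forwarding to D.
CLIENT_NET = ipaddress.ip_network("172.20.123.0/24")
POOL_NET = ipaddress.ip_network("192.168.124.0/24")

# Matches the classic tcpdump TCP header line: "ts src.sport > dst.dport: ..."
PACKET_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Return one dict (ts, src, sport, dst, dport) per packet line.
    Non-packet lines such as the 'listening on' banner are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        packets.append({
            "ts": m["ts"],
            "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        })
    return packets


def classify_source(src, pool=POOL_NET, client=CLIENT_NET):
    """'translated' if the source is already a pool address, 'untranslated'
    if it is still the client's real address, 'other' for anything else."""
    if isinstance(src, str):
        src = ipaddress.ip_address(src)
    if src in pool:
        return "translated"
    if src in client:
        return "untranslated"
    return "other"


def audit_pool_nat(text, pool=POOL_NET, client=CLIENT_NET):
    """Summarise a capture taken on the inside interface: packet counts per
    verdict, plus the sorted list of client addresses seen untranslated."""
    counts = {"translated": 0, "untranslated": 0, "other": 0}
    leaked = set()
    for pkt in parse_capture(text):
        verdict = classify_source(pkt["src"], pool, client)
        counts[verdict] += 1
        if verdict == "untranslated":
            leaked.add(str(pkt["src"]))
    return counts, sorted(leaked)


if __name__ == "__main__":
    counts, leaked = audit_pool_nat(SAMPLE_CAPTURE)
    print("packets by verdict:", counts)
    if leaked:
        print("IP pool NAT not applied for:", ", ".join(leaked))
```

Feed it the output of `tcpdump -i <inside interface> port 23` from the gateway: any "untranslated" verdict means the packet reached the inside interface with the client's real address, so whatever the XltdSrc column in the FireWall-1 log claims, D is receiving a source it has no route back to.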



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.