RE: [FW1] Secure Remote and NAT issues



Well you need 2 settings.  On the client side you need to put in the options of userc

:force_udp_encapsulation (true)

and there are some changes that need to be made on the objects.C file on the mngmt server.  Do you have Nokia online support?  If not then go to Phoneboy and do a search on udp 2746.  However if your FW is not SP2 or later then it isn't going to work.
-----Original Message-----
From: Steven Zimmerman [mailto:[email protected]]
Sent: Friday, March 09, 2001 10:58 AM
To: 'Gibson, Brian'; Fw1 Mailing List (E-mail)
Subject: RE: [FW1] Secure Remote and NAT issues

I am using fw-1 4.1 sp3 at the client side.  I do not know of any other configs on this side to change to allow the UDP 50 packets to map back through the Hide NAT.  Do you know of another setting on my side I need to look into?

 

-----Original Message-----
From: Gibson, Brian [mailto:[email protected]]
Sent: Friday, March 09, 2001 10:35 AM
To: 'Steven Zimmerman'; Gibson, Brian; Fw1 Mailing List (E-mail)
Subject: RE: [FW1] Secure Remote and NAT issues

 

My first inclination is to think that your NAT device isn't properly passing the IPSEC packets (protocol 50).  What I would do is do a sniff on the firewall to see if it is sending the Protocol 50 traffic to the client.  If it is then most likely your NAT device is not properly passing along the IPSEC traffic.  If you use a properly configured 4.1 SP2 FW the client will send all traffic through UDP encapsulation (UDP port 2746).  That may be why it works in the other situation.

-----Original Message-----
From: Steven Zimmerman [mailto:[email protected]]
Sent: Friday, March 09, 2001 10:08 AM
To: 'Gibson, Brian'; Fw1 Mailing List (E-mail)
Subject: RE: [FW1] Secure Remote and NAT issues

UDP 500 packets are returning from the secure remote firewall I am trying to reach.

 

I am able to connect as long as I do not NAT the SecuRemote users.

 

NATing on the Client Side.  This same client works on another Firewall system but they are using 4.1 SP2 on Nokia.

 

Thanks

 

Steven

 

 

-----Original Message-----
From: Gibson, Brian [mailto:[email protected]]
Sent: Friday, March 09, 2001 9:25 AM
To: 'Steven Zimmerman'; Fw1 Mailing List (E-mail)
Subject: RE: [FW1] Secure Remote and NAT issues

 

When you say you see the IKE packet return are you talking about the UDP 500 ISAKMP packet or protocol 50 packets?

Do you have other users that can successfully use this FW for VPN? 

When you say you are NATing traffic where exactly is the NAT occurring?  On the client side or FW side?

 

-----Original Message-----
From: Steven Zimmerman [mailto:[email protected]]
Sent: Thursday, March 08, 2001 8:14 PM
To: Fw1 Mailing List (E-mail)
Subject: [FW1] Secure Remote and NAT issues

 

I have a client that is using 2 Nokia IP440 with ipso 3.2.1 and FW-1 4.0SP5

I can not get Secure Remote to work via NAT.  I did all the changes
(objects.C, my firewall rules, etc) but this one client will not work.
Using IKE I see my request sent out and I receive back an IKE packet from
the firewall but I always get Error: Communication with the site x.x.x.x has
failed.

Any thoughts?? 

BTW> I can get into other sites via the same secure remote client and
network.

Thanks in advance!

Steven Zimmerman
CIO
IR Network Solutions
x224
fax

 

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
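
The capture check suggested in the thread (is the traffic IKE on UDP 500, ESP as IP protocol 50, or UDP encapsulation on port 2746?) can be scripted over raw IPv4 packets. This is an added example, not code from any poster or from Check Point; the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

IKE_PORT = 500          # ISAKMP/IKE over UDP
UDP_ENCAP_PORT = 2746   # UDP encapsulation port named in the thread
PROTO_UDP, PROTO_ESP = 17, 50

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet as ike, esp, udp_encap, or other."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4   # IP options move the start of the UDP header
    proto = packet[9]
    if proto == PROTO_ESP:
        return "esp"
    if proto == PROTO_UDP and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return "ike"
        if UDP_ENCAP_PORT in (sport, dport):
            return "udp_encap"
    return "other"

def diagnose(packets) -> str:
    """Summarise what one capture point shows about the VPN session."""
    seen = Counter(classify(p) for p in packets)
    if seen["udp_encap"]:
        return "tunnel data is UDP-encapsulated on port 2746"
    if seen["ike"] and seen["esp"]:
        return "IKE and ESP both seen here; check whether the NAT device passes protocol 50"
    if seen["ike"]:
        return "IKE only; no tunnel data observed at this capture point"
    return "no VPN traffic observed"

def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    """Build a constructed IPv4 packet (checksum left zero; sample data only)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + addr(src) + addr(dst) + payload

def udp(sport, dport, data=b"\x00" * 8):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed captures, not taken from the thread.
FIREWALL_SIDE = [ipv4(PROTO_UDP, udp(500, 500)), ipv4(PROTO_ESP, b"\x00" * 16)]
ENCAP_CLIENT = [ipv4(PROTO_UDP, udp(500, 500)), ipv4(PROTO_UDP, udp(2746, 2746))]

if __name__ == "__main__":
    for name, cap in (("firewall side", FIREWALL_SIDE), ("encapsulating client", ENCAP_CLIENT)):
        print(name, "->", diagnose(cap))
```

Running the same classification on a capture from each side of the NAT device shows whether the protocol 50 packets the firewall sends ever reach the client.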



 