
[FW1] SecuRemote 4174 using PPPoE and NT Domain Login





To all:

     I have a question for the group.

     I have a DSL connection using PPPoE with DHCP and NAT. The DSL modem is
connected into a SonicWall Tele running the latest firmware rev. 5.1.1. The
SonicWall is also running DHCP and NAT. The PC is configured to get its IP
(192.168.x.x) from the SonicWall, and then the SonicWall NATs that address to
its WAN address (so stuff can get out to the Internet).

     The PC sitting on the private side of the SonicWall is running NT
workstation 4.0 SP6a. I have installed SecuRemote Bld 4174 on it.

     On our corporate LAN we have two Nokia IP650s running in an HA mode (I am
not using the GateWay Cluster stuff for VPNs, yet....)

     The primary FW object has an Encryption domain defined on it (as "Other",
with only (currently) the two WINS servers that we have on our network as well
as the PDC and BDC machines for the NT domain that we are trying to connect
(join) from the DSL PC). IKE is currently the only Encryption scheme defined. IKE
is defined as supporting all three key exchange types (DES, CAST, and 3DES). It
is configured to support both MD5 and SHA1 data integrity methods. Currently I
only have Pre-shared secrets turned on (eventually I will want to enable Hybrid
mode, but this issue is not part of this discussion for now). "Supports
aggressive mode" and "key exchange for subnets" are checked. All of the
appropriate authentication schemes are checked (i.e. FW-1 Password, SecurID,
RADIUS, etc.).

     I have a test user set up (which is also the same user that I have defined
on the DSL PC and the same user that will be logging into the NT Domain).
Currently the Authentication scheme that is defined for the user is FW-1
password. IKE is defined for the user (FWZ is not defined, checked). I have an
IKE password set; public key is not checked. Encryption is set to the defaults:
ESP, SHA1, 3DES. The user has been added to the group "SecuRemote_Users".

     The rule that I have on our FW is as follows:

     SecuRemote_Users@Any -> ENC_DOMAIN, Service of Any (for now), Client
Encrypt, Install on: Primary FW (as opposed to Gateways).

     I see in the FW logs the authcrypt entry and then the key install messages,
which I am assuming are the IKE key exchanges for both Phase I and II.
Everything "looks" right, but I am still not able to do the NT Domain Login.
Eventually on the DSL PC I get the message that the PC could not find (or talk
to) the Domain, and eventually the Winlogon process times out.

     I know this is long and I do apologize but I am hoping that the more detail
given might give someone some ideas. I have been working on this for about a
month now and I need to get this up and running soon or tell my bosses that we
need to abandon the project as it doesn't work yet.

     Am I missing something? I have looked at as many knowledge base articles as
I can find on the subject from all the majors (Nokia, CheckPoint, Phoneboy,
SonicWall) but am still stumped.

     Is it something on the FW side, client side, or SonicWall side, or all of
the above? Any comments would be GREATLY appreciated. TIA.
