RE: [FW1] SecuRemote 4174 using PPPoE and NT Domain Login
I recently had a similar problem. The firewall I was working with had been an upgrade from FW-1 4.0. A small bug exists in the upgrade code. Check your Objects.C to verify userc_NAT and userc_IKE_NAT are both true. If everything works when dialed up directly to the internet and assuming you've taken care of any PPPoE adapter problems (read: EnterNet), then this is most likely the first problem.

Next, lower the MTU on the servers (I'm open to a better solution 'that works') to something like 1200 bytes. The reason is that UDP-encapsulated IKE breaks MTU discovery: packets are transmitted OK, but are too big to fit down the PPPoE pipe; the ICMP can't-fragment packet hits the firewall and drops away; the server never finds out it made a packet that couldn't get there, and the connection appears to hang from there.

Hope that helps.

Gary

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, March 13, 2001 6:16 PM
To: [email protected]
Subject: [FW1] SecuRemote 4174 using PPPoE and NT Domain Login

To all:

I have a question for the group. I have a DSL connection using PPPoE with DHCP and NAT. The DSL modem is connected into a SonicWall Tele running the latest firmware, rev. 5.1.1. The SonicWall is also running DHCP and NAT. The PC is configured to get its IP (192.168.x.x) from the SonicWall, and then the SonicWall will NAT that address to its WAN address (so stuff can get out to the Internet). The PC sitting on the private side of the SonicWall is running NT Workstation 4.0 SP6a. I have installed SecuRemote Bld 4174 on it.

On our corporate LAN we have two Nokia IP650s running in an HA mode (I am not using the Gateway Cluster stuff for VPNs, yet....). The primary FW object has an Encryption domain defined on it (as "Other", with only (currently) the two WINS servers that we have on our network as well as the PDC and BDC machines for the NT domain that we are trying to connect to (join) from the DSL PC).
IKE is currently the only Encryption scheme defined. IKE is defined as supporting all three key exchange types (DES, CAST, and 3DES). It is configured to support both MD5 and SHA1 data integrity methods. Currently I only have Pre-shared secrets turned on (eventually I will want to enable Hybrid mode, but this issue is not part of this discussion for now). "Supports aggressive mode" and "key exchange for subnets" are checked. All of the appropriate authentication schemes are checked (i.e. FW-1 Password, SecurID, RADIUS, etc.).

I have a test user set up (which is also the same user that I have defined on the DSL PC and the same user that will be logging into the NT Domain). Currently the Authentication scheme that is defined for the user is FW-1 password. IKE is defined for the user (FWZ is not defined; checked). I have an IKE password set; public key is not checked. Encryption is set to the defaults: ESP, SHA1, 3DES. The user has been added to the group "SecuRemote_Users".

The rule that I have on our FW is as follows: SecuRemote_Users@Any -> ENC_DOMAIN, Service of Any (for now), Client Encrypt, Install on: Primary FW (as opposed to Gateways).

I see in the FW logs the authcrypt entry and then the key install messages, which I am assuming are the IKE key exchanges for both Phase I and II. Everything "looks" right, but I am still not able to do the NT Domain Login. Eventually on the DSL PC I get the message that the PC could not find (or talk to) the Domain, and eventually the Winlogon process times out.

I know this is long and I do apologize, but I am hoping that the more detail given might give someone some ideas. I have been working on this for about a month now and I need to get this up and running soon or tell my bosses that we need to abandon the project as it doesn't work yet. Am I missing something? I have looked at as many knowledge base articles as I can find on the subject from all the majors (Nokia, CheckPoint, Phoneboy, SonicWall) but am still stumped.
Is it something on the FW side, client side, or SonicWall side, or all of the above? Any comments would be GREATLY appreciated. TIA.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
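The MTU reasoning in Gary's reply (UDP-encapsulated ESP over a PPPoE link, with the ICMP "fragmentation needed" message dropped at the firewall) can be worked through numerically. The following is an added example, not code from either poster or from Check Point. It assumes the RFC 3948 style framing for ESP-in-UDP (outer IP 20 + UDP 8 + ESP header 8 + IV + inner packet + padding + 2-byte trailer + ICV), a PPPoE link MTU of 1492, and the original poster's 3DES/SHA1 defaults (8-byte block and IV, 12-byte truncated ICV); Check Point's own UDP encapsulation may carry a slightly different overhead, so the byte counts are illustrative. The `pmtud_outcome` function is a hypothetical simplified model of what a Don't-Fragment packet experiences, not a real protocol implementation.

```python
"""Why UDP-encapsulated ESP over PPPoE black-holes large packets.

Added example (not from the thread). Framing and cipher overheads are
assumptions stated in the lead-in; Check Point's UDP encapsulation may
differ slightly.
"""

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8                           # 6-byte PPPoE header + 2-byte PPP protocol field
PPPOE_MTU = ETHERNET_MTU - PPPOE_OVERHEAD    # 1492 bytes


def esp_in_udp_size(inner_len, block=8, iv=8, icv=12, udp_hdr=8, outer_ip=20):
    """Return the on-the-wire size of an inner IP packet of inner_len bytes
    after ESP (3DES-CBC / HMAC-SHA1-96 by default) and UDP encapsulation."""
    esp_hdr = 8                              # SPI (4) + sequence number (4)
    trailer = 2                              # pad length (1) + next header (1)
    pad = (-(inner_len + trailer)) % block   # data + trailer must be a block multiple
    return outer_ip + udp_hdr + esp_hdr + iv + inner_len + pad + trailer + icv


def fits_link(inner_len, link_mtu=PPPOE_MTU, **kw):
    """True if the encapsulated packet can leave the PPPoE link unfragmented."""
    return esp_in_udp_size(inner_len, **kw) <= link_mtu


def max_inner_mtu(link_mtu=PPPOE_MTU, **kw):
    """Largest inner packet (i.e. server-side MTU) whose encapsulated form
    still fits the link; found by stepping down from the link MTU."""
    inner = link_mtu
    while inner > 0 and not fits_link(inner, link_mtu, **kw):
        inner -= 1
    return inner


def pmtud_outcome(inner_len, link_mtu=PPPOE_MTU, icmp_reaches_sender=True, **kw):
    """Hypothetical model of a DF-marked packet of inner_len bytes.

    'delivered'    - the encapsulated packet fits the link.
    'pmtud-adjust' - too big, but the ICMP 'fragmentation needed' message
                     gets back to the sender, which lowers its path MTU.
    'black-hole'   - too big and the ICMP is dropped (e.g. at the firewall,
                     as in Gary's reply): the sender keeps retransmitting the
                     same oversized segment and the session appears to hang.
    """
    if fits_link(inner_len, link_mtu, **kw):
        return "delivered"
    return "pmtud-adjust" if icmp_reaches_sender else "black-hole"


if __name__ == "__main__":
    for mtu in (1500, 1430, 1200):
        print(f"server MTU {mtu}: wire size {esp_in_udp_size(mtu)} bytes, "
              f"outcome with ICMP dropped: {pmtud_outcome(mtu, icmp_reaches_sender=False)}")
    print("largest server MTU that fits PPPoE under these assumptions:", max_inner_mtu())
```

Under these assumptions a full 1500-byte server packet becomes 1560 bytes on the wire, 68 bytes over the 1492-byte PPPoE limit, while a 1200-byte packet encapsulates to 1264 bytes and passes; the model's ceiling of about 1430 bytes shows why the 1200-byte setting in the reply works with margin to spare, and why the symptom is a silent hang rather than an error when the ICMP never reaches the server.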