
RE: [FW1] SecuRemote 4174 using PPPoE and NT Domain Login



I recently had a similar problem.

The firewall I was working with had been an upgrade from FW-1 4.0. A small
bug exists in the upgrade code. Check your Objects.C to verify userc_NAT
and userc_IKE_NAT are both true. If everything works when dialed up
directly to the internet, and assuming you've taken care of any PPPoE adapter
problems (read: EnterNet), then this is most likely the first problem.

Next...

Lower the MTU on the servers (I'm open to a better solution 'that works') to
something like 1200 bytes. The reason is that UDP encapsulated IKE
breaks MTU discovery, thus packets are transmitted ok, but are too big to
fit down the PPPoE pipe; the ICMP can't-fragment packet hits the firewall
and drops away; the server never finds out it made a packet that
couldn't get there, and the connection appears to hang from there.

Hope that helps.


Gary 

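A worked overhead calculation for the MTU point in the reply above, added here as an example and not taken from either poster. It assumes standard ESP tunnel-mode sizes for 3DES/SHA1 (8-byte IV, 12-byte HMAC-SHA1-96 ICV) plus an 8-byte UDP header as an approximation of SecuRemote's UDP encapsulation; the 3DES/SHA1 defaults, the PPPoE link and the 1200-byte suggestion come from the thread.

```python
"""Estimate whether a server packet still fits a PPPoE link once it is wrapped
in ESP (3DES/SHA1) with UDP encapsulation, and model the PMTUD black hole
described in the reply. Sizes below are assumptions about the encapsulation."""

PPPOE_OVERHEAD = 8   # PPPoE header (6) + PPP protocol field (2): Ethernet 1500 -> 1492
OUTER_IP = 20        # outer IPv4 header added by tunnel mode
UDP_HDR = 8          # UDP encapsulation header (assumed 8 bytes, no extra marker)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_IV = 8           # 3DES-CBC initialisation vector
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96 authenticator
BLOCK = 8            # 3DES block size; payload + trailer is padded to a multiple


def esp_udp_size(inner_len):
    """Outer datagram length for an inner packet of inner_len bytes."""
    padded = -(-(inner_len + ESP_TRAILER) // BLOCK) * BLOCK  # round up to block
    return OUTER_IP + UDP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def fits_pppoe(inner_len, link_mtu=1500):
    """True if the encapsulated packet crosses the PPPoE link unfragmented."""
    return esp_udp_size(inner_len) <= link_mtu - PPPOE_OVERHEAD


def max_inner_mtu(link_mtu=1500):
    """Largest server-side MTU whose packets still fit after encapsulation."""
    n = link_mtu - PPPOE_OVERHEAD
    while not fits_pppoe(n, link_mtu):
        n -= 1
    return n


def pmtud_outcome(inner_len, icmp_reaches_server, link_mtu=1500):
    """Symptom from the thread: a too-large DF packet only recovers if the ICMP
    fragmentation-needed message gets back to the sender; if the firewall
    drops it, the sender keeps retransmitting and the session hangs."""
    if fits_pppoe(inner_len, link_mtu):
        return "delivered"
    return "pmtud-shrinks" if icmp_reaches_server else "hang"


if __name__ == "__main__":
    print("max inner MTU:", max_inner_mtu())              # 1430
    print("1200 fits:", fits_pppoe(1200))                 # True
    print("1500 w/o ICMP:", pmtud_outcome(1500, False))   # hang
```

The 1200-byte value from the reply sits well under the computed ceiling, which leaves room for encapsulation formats with more overhead than modelled here.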

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, March 13, 2001 6:16 PM
To: [email protected]
Subject: [FW1] SecuRemote 4174 using PPPoE and NT Domain Login

To all:

     I have a question for the group.

     I have a DSL connection using PPPoE with DHCP and NAT. The DSL modem is
connected into a SonicWall Tele running the latest firmware rev. 5.1.1. The
SonicWall is also running DHCP and NAT. The PC is configured to get its IP
(192.168.x.x) from the SonicWall, and then the SonicWall NATs that address to
its WAN address (so stuff can get out to the Internet).

     The PC sitting on the private side of the SonicWall is running NT
workstation 4.0 SP6a. I have installed SecuRemote Bld 4174 on it.

     On our corporate LAN we have two Nokia IP650s running in an HA mode (I am
not using the GateWay Cluster stuff for VPNs, yet....)

     The primary FW object has an Encryption domain defined on it (as "Other")
with only (currently) the two WINS servers that we have on our network as well
as the PDC and BDC machines for the NT domain that we are trying to connect
(join) from the DSL PC. IKE is currently the only Encryption scheme defined. IKE
is defined as supporting all three key exchange types (DES, CAST, and 3DES). It
is configured to support both MD5 and SHA1 data integrity methods. Currently I
only have Pre-shared secrets turned on (eventually will want to enable Hybrid
mode but this issue is not part of this discussion for now). "Supports
aggressive mode" and "key exchange for subnets" are checked. All of the
appropriate authentication schemes are checked (i.e. FW-1 Password, SecurID,
RADIUS, etc.)

     I have a test user set up (which is also the same user that I have defined
on the DSL PC and the same user that will be logging into the NT Domain).
Currently the Authentication scheme that is defined for the user is FW-1
password. IKE is defined for the user (FWZ is not defined, checked). I have an
IKE password set, public key is not checked. Encryption is set to the defaults;
ESP, SHA1, 3DES. The user has been added to the group "SecuRemote_Users".

     The rule that I have on our FW is as follows:

     SecuRemote_Users@Any -> ENC_DOMAIN, Service of Any (for now), Client
Encrypt, Install on: Primary FW. (as opposed to Gateways).

     I see in the FW logs the authcrypt entry and then the key install messages
which I am assuming are the IKE key exchanges for both Phase I and II.
Everything "looks" right but I am still not able to do the NT Domain Login.
Eventually on the DSL PC I get the message that the PC could not find (or talk)
to the Domain, and eventually the Winlogon process times out.

     I know this is long and I do apologize but I am hoping that the more detail
given might give someone some ideas. I have been working on this for about a
month now and I need to get this up and running soon or tell my bosses that we
need to abandon the project as it doesn't work yet.

     Am I missing something? I have looked at as many knowledge base articles as
I can find on the subject from all the majors (Nokia, CheckPoint, Phoneboy,
SonicWall) but am still stumped.

     Is it something on the FW side, client side, or SonicWall side, or all of
the above? Any comments would be GREATLY appreciated. TIA.




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
