
[FW1] SR problem





To all:

     I am trying to get an IKE VPN setup for NT Domain Login. The setup is as
follows:

     We have a DSL circuit installed (for testing) using PPPoE w/ NAT. I have a
SonicWall Tele running firmware v5.1.1 connected directly to the DSL modem
(Westell WireSpeed). I have a PC running NT4.0SP6a with SecuRemote Bld. 4176
installed. I have authenticated properly in SR and have successfully downloaded
the topology. I have then enabled SDL.

     We have two Nokia IP650s running IPSO 3.3 with FW-1 4.1SP2 in HA mode
(Monitored Circuit). I have not configured these boxes for gateway cluster yet.
I have not configured any type of encryption, etc. on the secondary FW. I have
configured the primary FW with an encryption domain and made it exportable to
SR. I have only defined one encryption scheme, IKE; the rest are unchecked. All
three key exchange types are checked (DES, CAST, and 3DES). MD5 and SHA1 are
checked. Pre-shared secret is checked. Supports aggressive mode and supports key
exchange for subnets are checked.

     I have read and followed Phoneboy's article labelled SecuRemote Client and
NAT (because I think that this may be a NATting issue on the SonicWall). I have
made the modification on the management station's objects.C file as laid out
and repushed the policy (I have even performed an fwstop, modified the objects.C
file, and fwstart, then pushed).

     I have made the recommended modification to the
$SR_INSTALL_DIR/database/userc.C file on the SR client PC, under the options
section (force_udp_encapsulation (true)).

     I am still not able to perform an NT domain login. I see in the FW logs the
authcrypt and both the key install messages (for Phase I and II) key exchanges.
The SR client PC, after authenticating with SR just sits there and eventually
the login process times out and I get the message that the domain was not found.

     I have also started logging the SR connection by creating the fwenc.log
file in the C:\ directory and I noticed something a little odd. About 20-30
lines down I see a line like the following:

          InvokeIsakmpServer: Binded to port: 500
          .
          .
          .
          fwuserc_set_IKE_port_to_table: entered IKE port 500 to
userc_ike_local_port table

My question is this:

     If I made the appropriate changes to the objects.C (and I have verified
that they are still there) and the changes to the userc.C file on the SR client
why then do I still see the SR client binding to port 500 and not the "new" UDP
encapsulation port of 2746?

     The rule on the FW reads SR_Users@Any -> ENC_DOMAIN, Any, Client Encrypt

     It looks like the VPN is being established but that is as far as it gets
(All of the VPN initialization stuff is being logged against Rule 0). It never
seems to get to the Rulebase.

     Anyone have any ideas?

P.S. Thanx to all who responded to my earlier post.






================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
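As an added example (not code from the original post, nor from Check Point), here is a small Python check for the two things the poster verified by hand: it parses the ":key (value)" layout assumed for userc.C to confirm force_udp_encapsulation is set to true, and it pulls the port numbers the client reports binding to out of fwenc.log. The sample input is constructed, and the parser assumes every key is followed by a parenthesised value.

```python
import re

# Tokeniser for the parenthesised ":key (value)" syntax of Check Point's
# objects.C / userc.C files (assumption: values are bare words or "quoted").
_TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')

def parse_c_file(text):
    """Return the file as nested dicts; a leaf "(value)" becomes a string."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def node():
        nonlocal pos
        pos += 1                      # skip the opening '('
        entries, scalars, anon = {}, [], 0
        while tokens[pos] != ')':
            tok = tokens[pos]
            pos += 1
            if tok == ':':            # ": (" opens an anonymous list entry
                entries['_%d' % anon] = node()
                anon += 1
            elif tok.startswith(':'): # ":key (" opens a named entry
                entries[tok[1:]] = node()
            else:                     # bare leaf value such as true or 2746
                scalars.append(tok.strip('"'))
        pos += 1                      # consume the closing ')'
        if entries:
            return entries
        return scalars[0] if len(scalars) == 1 else scalars

    return node()

def udp_encapsulation_forced(userc_text):
    """True when the options section carries force_udp_encapsulation (true)."""
    opts = parse_c_file(userc_text).get('options', {})
    return str(opts.get('force_udp_encapsulation', 'false')).lower() == 'true'

_BIND = re.compile(r'Binded to port:\s*(\d+)')

def bound_ports(fwenc_log):
    """Ports the client reports binding to in fwenc.log, in order of appearance."""
    return [int(m.group(1)) for m in _BIND.finditer(fwenc_log)]

# Constructed sample input, not copied from the poster's files.
SAMPLE_USERC = '''(
	:options (
		:force_udp_encapsulation (true)
	)
)'''
SAMPLE_LOG = 'InvokeIsakmpServer: Binded to port: 500\n'
```

Running udp_encapsulation_forced over the real userc.C and bound_ports over the real fwenc.log shows at a glance whether the option survived the edit and which ports (500, 2746, or both) the client actually opened.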