[FW1] SR problem
To all:

I am trying to get an IKE VPN set up for NT Domain Login. The setup is as follows:

We have a DSL circuit installed (for testing) using PPPoE w/ NAT. I have a SonicWall Tele running firmware v5.1.1 connected directly to the DSL modem (Westell WireSpeed). I have a PC running NT4.0SP6a with SecuRemote Bld. 4176 installed. I have authenticated properly in SR and have successfully downloaded the topology. I have then enabled SDL.

We have two Nokia IP650s running IPSO 3.3 with FW-1 4.1SP2 in HA mode (Monitored Circuit). I have not configured these boxes for gateway cluster yet. I have not configured any type of encryption, etc. on the secondary FW. I have configured the primary FW with an encryption domain and made it exportable to SR. I have only defined one encryption scheme - IKE; the rest are unchecked. All three key exchange types are checked (DES, CAST, and 3DES). MD5 and SHA1 are checked. Pre-shared secret is checked. Supports aggressive mode and support key exchanges for subnets are checked.

I have read and followed Phoneboy's article labelled "SecuRemote Client and NAT" (because I think that this may be a NATting issue on the SonicWall). I have made the modification to the management station's objects.C file as laid out and repushed the policy (I have even performed an fwstop, modified the objects.C file, and fwstart, then pushed). I have made the recommended modification to the $SR_INSTALL_DIR/database/userc.C file on the SR client PC, under the options section (force_udp_encapsulation (true)).

I am still not able to perform an NT domain login. I see in the FW logs the authcrypt and both the key install messages (for Phase I and II) key exchanges. The SR client PC, after authenticating with SR, just sits there and eventually the login process times out and I get the message that the domain was not found.

I have also started logging the SR connection by creating the fwenc.log file in the C:\ directory and I noticed something a little odd. About 20-30 lines down I see lines like the following:

    InvokeIsakmpServer: Binded to port: 500
    . . .
    fwuserc_set_IKE_port_to_table: entered IKE port 500 to userc_ike_local_port table

My question is this: if I made the appropriate changes to the objects.C (and I have verified that they are still there) and the changes to the userc.C file on the SR client, why then do I still see the SR client binding to port 500 and not the "new" UDP encapsulation port of 2746?

The rule on the FW reads:

    SR_Users@Any -> ENC_DOMAIN, Any, Client Encrypt

It looks like the VPN is being established but that is as far as it gets (all of the VPN initialization stuff is being logged against Rule 0). It never seems to get to the Rulebase. Anyone have any ideas?

P.S. Thanx to all who responded to my earlier post.

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
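The check the poster is doing by eye, comparing the force_udp_encapsulation option in userc.C against the port the client actually reports in fwenc.log, can be scripted. The following is an added example, not code from the post, from Check Point or from the SecuRemote client. The two log line formats and the port numbers 500 and 2746 are taken from the post; the sample log and the nesting of the userc.C options block are constructed here and are assumptions about the file layout.

```python
import re

# Constructed sample of SecuRemote fwenc.log output, modelled on the two
# lines quoted in the post; it is not a real capture.
SAMPLE_FWENC_LOG = """\
fwuserc: topology loaded
InvokeIsakmpServer: Binded to port: 500
fwuserc_set_IKE_port_to_table: entered IKE port 500 to userc_ike_local_port table
"""

# Constructed userc.C fragment. The ":key (value)" layout follows the usual
# Check Point .C file convention; the exact nesting of the options block is
# an assumption, only the force_udp_encapsulation line comes from the post.
SAMPLE_USERC_C = """\
(
    :options (
        :force_udp_encapsulation (true)
    )
)
"""

IKE_PORT = 500          # plain ISAKMP/IKE UDP port
UDP_ENCAP_PORT = 2746   # FW-1 UDP encapsulation port named in the post

# "Binded" is kept as spelled in the client's own log line.
BIND_RE = re.compile(r"InvokeIsakmpServer:\s*Binded to port:\s*(\d+)")
TABLE_RE = re.compile(r"entered IKE port (\d+) to userc_ike_local_port table")
OPTION_RE = re.compile(r":force_udp_encapsulation\s*\(\s*(\w+)\s*\)")


def bound_ike_ports(log_text):
    """Every port the ISAKMP server reports binding to, in log order."""
    return [int(m.group(1)) for m in BIND_RE.finditer(log_text)]


def table_ike_ports(log_text):
    """Every port recorded in the userc_ike_local_port table, in log order."""
    return [int(m.group(1)) for m in TABLE_RE.finditer(log_text)]


def udp_encapsulation_setting(userc_text):
    """True/False for the force_udp_encapsulation option, None if absent."""
    m = OPTION_RE.search(userc_text)
    if m is None:
        return None
    return m.group(1).lower() == "true"


def diagnose(log_text, userc_text):
    """Compare what userc.C asks for with what the client log shows.

    Returns a dict with the parsed facts and a one-word verdict:
      - "encapsulating"  : the client bound the UDP encapsulation port
      - "mismatch"       : option is true but only the plain IKE port appears
                           (the situation described in the post)
      - "not_requested"  : option absent or false, plain IKE port as expected
      - "no_bind_logged" : no bind line found (log too short or wrong file)
    """
    ports = bound_ike_ports(log_text)
    table = table_ike_ports(log_text)
    setting = udp_encapsulation_setting(userc_text)

    if not ports:
        verdict = "no_bind_logged"
    elif UDP_ENCAP_PORT in ports:
        verdict = "encapsulating"
    elif setting is True:
        verdict = "mismatch"
    else:
        verdict = "not_requested"

    return {
        "bound_ports": ports,
        "table_ports": table,
        "force_udp_encapsulation": setting,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Run against the constructed samples; on a real client, read
    # C:\fwenc.log and $SR_INSTALL_DIR/database/userc.C instead.
    for key, value in diagnose(SAMPLE_FWENC_LOG, SAMPLE_USERC_C).items():
        print(f"{key}: {value}")
```

The "mismatch" verdict only records that the file and the log disagree; it does not say why, which is the open question in the post. Keeping the table_ports list separately is useful because the second quoted log line shows the port the client actually enters into its IKE table, which is the value that matters for the connection rather than what the option file requests.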